njrat | 049e3ab43c29a82fc17b415fb88df0b0c238efea6be76a25da1f2bb88ee22a6b

Analysis

max time kernel
1048s
max time network
1050s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
23-11-2024 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Venom V5.exe
Size

289KB
MD5

121a7190a24ba74a4c49c951dd56ad72
SHA1

fb5b1adf74cda03d5a77096b866942a6fbd5aa89
SHA256

049e3ab43c29a82fc17b415fb88df0b0c238efea6be76a25da1f2bb88ee22a6b
SHA512

b1a983027932897e97c4e3ac9865e6fe987c3b772c5847db3f3cc5b8e2b4c845e7040bf8a7e7d546b77c3f78e39c32eaeb7321f1c6f99dd28554c80fec603bb3
SSDEEP

6144:6/E7c5W+sPgJJUuCm2pad2AO51SLPml16S6M6supNDdPstxChZ:UEeggJauClpjL5sar6M6supXPstw

Score

10^/10

njrat victim discovery evasion persistence privilege_escalation trojan upx

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

Victim

audio-ham.gl.at.ply.gg:52424

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3944	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Venom V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	paylod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Payload.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	paylod.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe

Executes dropped EXE 9 IoCs

pid	Process
4440	paylod.exe
4296	main.exe
2364	Payload.exe
764	Install.exe
4908	winvnc.exe
1100	winvnc.exe
4656	winvnc.exe
432	ngrok.exe
4772	ngrok.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe"	paylod.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0002000000040d9b-817.dat	upx
behavioral1/memory/764-824-0x0000000000400000-0x000000000063C000-memory.dmp	upx
behavioral1/memory/764-929-0x0000000000400000-0x000000000063C000-memory.dmp	upx

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\vnc\Install.bat	cmd.exe
File created	C:\Windows\vnc\UltraVNC.ini	cmd.exe
File opened for modification	C:\Windows\vnc\UltraVNC.ini	cmd.exe
File created	C:\Windows\vnc\vnchooks.dll	cmd.exe
File opened for modification	C:\Windows\vnc\vnchooks.dll	cmd.exe
File created	C:\Windows\vnc\winvnc.exe	cmd.exe
File opened for modification	C:\Windows\vnc\winvnc.exe	cmd.exe
File created	C:\Windows\vnc\Install.bat	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Venom V5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	paylod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngrok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngrok.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ngrok.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ngrok.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ngrok.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1100	winvnc.exe
1100	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2364	Payload.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	Payload.exe
Token: 33	2364	Payload.exe
Token: SeIncBasePriorityPrivilege	2364	Payload.exe
Token: 33	2364	Payload.exe
Token: SeIncBasePriorityPrivilege	2364	Payload.exe
Token: 33	2364	Payload.exe
Token: SeIncBasePriorityPrivilege	2364	Payload.exe
Token: 33	2364	Payload.exe
Token: SeIncBasePriorityPrivilege	2364	Payload.exe
Token: 33	2364	Payload.exe
Token: SeIncBasePriorityPrivilege	2364	Payload.exe
Token: 33	2364	Payload.exe
Token: SeIncBasePriorityPrivilege	2364	Payload.exe
Token: 33	2364	Payload.exe
Token: SeIncBasePriorityPrivilege	2364	Payload.exe
Token: 33	2364	Payload.exe
Token: SeIncBasePriorityPrivilege	2364	Payload.exe
Token: 33	2364	Payload.exe
Token: SeIncBasePriorityPrivilege	2364	Payload.exe
Token: 33	2364	Payload.exe
Token: SeIncBasePriorityPrivilege	2364	Payload.exe
Token: SeDebugPrivilege	2460	firefox.exe
Token: SeDebugPrivilege	2460	firefox.exe
Token: 33	2364	Payload.exe
Token: SeIncBasePriorityPrivilege	2364	Payload.exe
Token: 33	2364	Payload.exe
Token: SeIncBasePriorityPrivilege	2364	Payload.exe
Token: 33	2364	Payload.exe
Token: SeIncBasePriorityPrivilege	2364	Payload.exe
Token: 33	2364	Payload.exe
Token: SeIncBasePriorityPrivilege	2364	Payload.exe
Token: 33	2364	Payload.exe
Token: SeIncBasePriorityPrivilege	2364	Payload.exe
Token: 33	2364	Payload.exe
Token: SeIncBasePriorityPrivilege	2364	Payload.exe
Token: SeTcbPrivilege	1100	winvnc.exe
Token: 33	2364	Payload.exe
Token: SeIncBasePriorityPrivilege	2364	Payload.exe
Token: 33	2364	Payload.exe
Token: SeIncBasePriorityPrivilege	2364	Payload.exe
Token: 33	2364	Payload.exe
Token: SeIncBasePriorityPrivilege	2364	Payload.exe
Token: 33	2364	Payload.exe
Token: SeIncBasePriorityPrivilege	2364	Payload.exe
Token: 33	2364	Payload.exe
Token: SeIncBasePriorityPrivilege	2364	Payload.exe
Token: 33	2364	Payload.exe
Token: SeIncBasePriorityPrivilege	2364	Payload.exe
Token: 33	2364	Payload.exe
Token: SeIncBasePriorityPrivilege	2364	Payload.exe
Token: 33	2364	Payload.exe
Token: SeIncBasePriorityPrivilege	2364	Payload.exe
Token: 33	2364	Payload.exe
Token: SeIncBasePriorityPrivilege	2364	Payload.exe
Token: 33	2364	Payload.exe
Token: SeIncBasePriorityPrivilege	2364	Payload.exe
Token: 33	2364	Payload.exe
Token: SeIncBasePriorityPrivilege	2364	Payload.exe
Token: 33	2364	Payload.exe
Token: SeIncBasePriorityPrivilege	2364	Payload.exe
Token: 33	2364	Payload.exe
Token: SeIncBasePriorityPrivilege	2364	Payload.exe
Token: 33	2364	Payload.exe
Token: SeIncBasePriorityPrivilege	2364	Payload.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe
4656	winvnc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2460	firefox.exe
4376	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 4440	3788	Venom V5.exe	82
PID 3788 wrote to memory of 4440	3788	Venom V5.exe	82
PID 3788 wrote to memory of 4440	3788	Venom V5.exe	82
PID 3788 wrote to memory of 4296	3788	Venom V5.exe	83
PID 3788 wrote to memory of 4296	3788	Venom V5.exe	83
PID 4296 wrote to memory of 960	4296	main.exe	85
PID 4296 wrote to memory of 960	4296	main.exe	85
PID 960 wrote to memory of 1508	960	cmd.exe	86
PID 960 wrote to memory of 1508	960	cmd.exe	86
PID 4440 wrote to memory of 2364	4440	paylod.exe	92
PID 4440 wrote to memory of 2364	4440	paylod.exe	92
PID 4440 wrote to memory of 2364	4440	paylod.exe	92
PID 4440 wrote to memory of 2412	4440	paylod.exe	93
PID 4440 wrote to memory of 2412	4440	paylod.exe	93
PID 4440 wrote to memory of 2412	4440	paylod.exe	93
PID 2364 wrote to memory of 3160	2364	Payload.exe	98
PID 2364 wrote to memory of 3160	2364	Payload.exe	98
PID 2364 wrote to memory of 3160	2364	Payload.exe	98
PID 2364 wrote to memory of 880	2364	Payload.exe	99
PID 2364 wrote to memory of 880	2364	Payload.exe	99
PID 2364 wrote to memory of 880	2364	Payload.exe	99
PID 2764 wrote to memory of 2460	2764	firefox.exe	105
PID 2764 wrote to memory of 2460	2764	firefox.exe	105
PID 2764 wrote to memory of 2460	2764	firefox.exe	105
PID 2764 wrote to memory of 2460	2764	firefox.exe	105
PID 2764 wrote to memory of 2460	2764	firefox.exe	105
PID 2764 wrote to memory of 2460	2764	firefox.exe	105
PID 2764 wrote to memory of 2460	2764	firefox.exe	105
PID 2764 wrote to memory of 2460	2764	firefox.exe	105
PID 2764 wrote to memory of 2460	2764	firefox.exe	105
PID 2764 wrote to memory of 2460	2764	firefox.exe	105
PID 2764 wrote to memory of 2460	2764	firefox.exe	105
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106
PID 2460 wrote to memory of 4768	2460	firefox.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2412	attrib.exe
3160	attrib.exe
880	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Venom V5.exe
"C:\Users\Admin\AppData\Local\Temp\Venom V5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Users\Admin\AppData\Local\Temp\paylod.exe
  "C:\Users\Admin\AppData\Local\Temp\paylod.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Users\Admin\AppData\Local\Temp\Payload.exe
    "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3160
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:880
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ShellExperienceRemotVNC\Install.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ShellExperienceRemotVNC\Install.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BA1F.tmp\Install.bat" C:\Users\Admin\AppData\Local\Temp\"
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1700
      - C:\Windows\vnc\winvnc.exe
        
        C:\Windows\vnc\winvnc -install
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4908
        
        C:\Windows\SysWOW64\net.exe
        
        net start "uvnc_service"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3384
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start "uvnc_service"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2812
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name=vnc action=allow dir=in protocol=tcp localport=5901
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vnc.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3180
    - - C:\Users\Admin\AppData\Local\Temp\ngrok.exe
        
        C:\Users\Admin\AppData\Local\Temp\ngrok.exe authtoken
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:432
    - - C:\Users\Admin\AppData\Local\Temp\ngrok.exe
        
        C:\Users\Admin\AppData\Local\Temp\ngrok.exe tcp 5900
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        
        PID:4772
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2412
- C:\Users\Admin\AppData\Local\Temp\main.exe
  "C:\Users\Admin\AppData\Local\Temp\main.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7CD1.tmp\7CD2.tmp\7CD3.bat C:\Users\Admin\AppData\Local\Temp\main.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:960
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1508

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b4c0b80-985e-4e97-96b0-a0efd48fd673} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" gpu
    3⤵
    PID:4768
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2380 -prefMapHandle 2376 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef8d565e-b6bb-4d2b-8bfe-e5784d8b0fd0} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" socket
    3⤵
    - Checks processor information in registry
    PID:4940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3388 -childID 1 -isForBrowser -prefsHandle 3340 -prefMapHandle 3208 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {544ba015-7532-4329-b03b-264d60db94c4} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" tab
    3⤵
    PID:1168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3740 -childID 2 -isForBrowser -prefsHandle 3736 -prefMapHandle 2740 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53903539-3167-4c19-9305-43ee961ad69a} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" tab
    3⤵
    PID:2004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4340 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4320 -prefMapHandle 4300 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ef9b389-a850-482c-9a86-63d37be3c570} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" utility
    3⤵
    - Checks processor information in registry
    PID:2408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5380 -childID 3 -isForBrowser -prefsHandle 5524 -prefMapHandle 5520 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e32b765-c360-45f9-968c-4928c8d29180} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" tab
    3⤵
    PID:3528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5484 -childID 4 -isForBrowser -prefsHandle 5536 -prefMapHandle 5532 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dcff56be-f18f-4fc1-a4d6-492cc5d0b329} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" tab
    3⤵
    PID:4616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5484 -childID 5 -isForBrowser -prefsHandle 5220 -prefMapHandle 5440 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0805b95-98a9-4dc3-bf34-982d71dabcfc} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" tab
    3⤵
    PID:2360

C:\Windows\vnc\winvnc.exe
"C:\Windows\vnc\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1100
- C:\Windows\vnc\winvnc.exe
  C:\Windows\vnc\winvnc.exe -service_run
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4656

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
PID:4608

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3176
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  PID:4376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1944 -parentBuildID 20240401114208 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 27679 -prefMapSize 245250 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce902263-4061-4ce5-a744-81b67491931c} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" gpu
    3⤵
    PID:1736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20240401114208 -prefsHandle 2292 -prefMapHandle 2280 -prefsLen 27679 -prefMapSize 245250 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2eecaa57-a12c-4ad9-a1af-978ae9c7a0cd} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" socket
    3⤵
    - Checks processor information in registry
    PID:1124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2940 -childID 1 -isForBrowser -prefsHandle 3164 -prefMapHandle 3004 -prefsLen 28178 -prefMapSize 245250 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f075cd28-9e03-4315-8601-17a41b771170} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" tab
    3⤵
    PID:4400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4132 -childID 2 -isForBrowser -prefsHandle 4124 -prefMapHandle 4120 -prefsLen 33411 -prefMapSize 245250 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a28c44e0-41b4-4860-a3f7-7e629ba427c7} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" tab
    3⤵
    PID:4560
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4748 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4692 -prefMapHandle 4688 -prefsLen 33411 -prefMapSize 245250 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1c84be1-b6fb-46b7-a18f-e98fb8c48fb3} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" utility
    3⤵
    - Checks processor information in registry
    PID:3296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5272 -childID 3 -isForBrowser -prefsHandle 5140 -prefMapHandle 4956 -prefsLen 30461 -prefMapSize 245250 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f43cec3-3cbf-4700-9bbc-0682ccef57b8} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" tab
    3⤵
    PID:4340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 4 -isForBrowser -prefsHandle 5452 -prefMapHandle 5456 -prefsLen 30461 -prefMapSize 245250 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0755649-cfe5-4bc6-82c9-c2bfdfca56f8} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" tab
    3⤵
    PID:4372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5628 -childID 5 -isForBrowser -prefsHandle 5636 -prefMapHandle 5640 -prefsLen 30461 -prefMapSize 245250 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3bc72701-9395-4a44-b27c-f29b62bc4cec} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" tab
    3⤵
    PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dly1kncb.default-release\activity-stream.discovery_stream.json

Filesize
25KB

MD5
cd258d77ff30645a3ef9033cf002ee28

SHA1
19af1eb6bdb7f91a42eead992d8a6d3c54a799c6

SHA256
ee7f1e7646fbb6ac5893f8565ef349c0e615e649fa6a4c0e2506c7e0f75d3a6a

SHA512
9df916ce714713227431b255373951d63266912b90a690ba4ca9b0d7e8d9492ecb4ae3caec0a11e956c224dee10fb13b3e1e288eecc7b87c5cac6103495e3b2b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dly1kncb.default-release\cache2\entries\0EA2E1AC3653A248EDE38E975FF2A4ADDA308244

Filesize
480KB

MD5
e2c64508770704c98cbfc9316f844b56

SHA1
ff2a68cb9f14af7039c8ec7d949720588e917e61

SHA256
b49ab046f2b28c17dc087bc64a5f98405a50ccd641b1a0a417055c9d6c4f4c30

SHA512
8b73729aff4c536e30913808b0e97e4f3fd99cd8152aa7b99f0202b9112dded04b3239081f40ad45a7d14d14008436b32ca4e07df7935a18a6ae7a93df9c3d8f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dly1kncb.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495

Filesize
9KB

MD5
af0e60d61ecc8efc870490debea2d0c4

SHA1
e96a89d68eedfe91198b6d03def9e23e697995ec

SHA256
a94ddee810b41cecddfd86d778c4b40eee4bd69bd37efc7267250e1c62770ba9

SHA512
bfdadfc6a3d28ef43232a9ff0489cf9b7253e80a6860186794ede9f8c733fac9860090d5dd7a55a2dfab24b3fa016d77a77048657bd882dd3990053345ff9085

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dly1kncb.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878

Filesize
13KB

MD5
e910a5f37db996be6445252c9b6b97c7

SHA1
d3602d3265ad7d74759e95d64e478013ca5c0075

SHA256
6846d85d12fbfecd1b16d3358c3f6a169e591f0afb6e188a8a106bfd2ba161fc

SHA512
5412131487c805342f56483b7a9ede77c738da64e5a751d4bd486192c7f1b423ab798657d5a784a2c42565d6c9361e7952836be89222ebbcef043e132a100f71

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dly1kncb.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878

Filesize
13KB

MD5
a028a88e7939edb36623a078b1986cd1

SHA1
cc65bf857ccd7e5eb8c9d663fb8c327ac07a25c1

SHA256
c038c94b6a11eda8ce21efbbc4c821cddf6b1dc2bff8a78a5b65f85b27c9210e

SHA512
2b07154f1a6163ea11a39e8e5e4503dd092bac1e402aa9e54d6488ac512f86ac98f796b36d4428f94c8b32c22eddf77d6b49633206a9dad2c389ffe43f133fad

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dly1kncb.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
14KB

MD5
594042a15f2680420141079daf0d305e

SHA1
30ff983f6b06085d3911bedc0a45c761f1c58fc2

SHA256
ae120e890d74dccf17c19215b2d644e7603650be85c95a79f3279097922d1fe9

SHA512
817ea56f529a28b00971e4573503feac82ccb543b2e6f8f1c89becdf6e0cfd13f4be48465668227838dd528563243b59be8d9955f5f19f544b36539c9d9fd57b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dly1kncb.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
14KB

MD5
42d6742ce929fbbae1b05160b4845614

SHA1
e7816d4619b6286815c9bfaf53bb257c24be4ee2

SHA256
08a7f92e520ef68f3ac6ae79f05d630f1ef648122f8773df7a4b4c7226efe6f8

SHA512
7ed63650cc707d87d3271e06bf3dc43879ee836f53407dd83ef004b0b0ca664cb25db7a138b3332bc7d06f35ff7667211fa8530f3a528a6f1cbcc7e0af232b68

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dly1kncb.default-release\cache2\entries\D0F48A0632B6C451791F4257697E861961F06A6F

Filesize
136KB

MD5
4bc388cbc1fca3fa888c196704976029

SHA1
deefda35c575e76b974e21fe949b25190447cdd8

SHA256
3860aef41d9bef873decf95f7ce6136d8620da7cb2ca4aee569fabe16b469077

SHA512
41051df748480caccb1c1014db307b7107a1890d2194b722b00baa1ffb26d2615e39a57726a22fa0c858e7b62378e7db170ce79af51f477f05d5e8979fc3e774

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dly1kncb.default-release\cache2\index

Filesize
54KB

MD5
f99899071fb25e252dc2dbcc47e76b6b

SHA1
8deab8e77a22a3a8842952a7bf5f2df2906b5eef

SHA256
04ae47dc7a4e5a5968cd0668a14870ee8c3c813d408d1d72488ed8a37f1a8bac

SHA512
798a241275c51753dce33b92b114241a29db6b3a96c90606297720aca09dd105e4269dde7715bd663eda2cef4c0724aeb45a91c970304eaa38ccaf6d160c5e91

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dly1kncb.default-release\cache2\index.log

Filesize
16KB

MD5
9417a3dbaa2c5a3bac6ca06a9cbfb2a6

SHA1
3646fa481dd17dbce4d61720daf97656c955032b

SHA256
e026e0df8c593d1765e29636187e0828c60d1ef14b8d2216200f69c7538131e8

SHA512
ef6c8cc3c2c4daa3ddbbbf15317a344211befab0d597a5a853d833035203a9f4aab6e89387ae0606c45dc37420355a5b038b29e673a5b5bbd6a1362d572efca9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dly1kncb.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
13KB

MD5
f99b4984bd93547ff4ab09d35b9ed6d5

SHA1
73bf4d313cb094bb6ead04460da9547106794007

SHA256
402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069

SHA512
cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dly1kncb.default-release\startupCache\scriptCache.bin

Filesize
8.6MB

MD5
51e2b60b435eb60f5ffd1134e4066e6f

SHA1
a289984f92fa293f5f8ea3dd6137390469055dd0

SHA256
8c5bbf7ab0d3abbc7b3eb7856e887450aa8c966cc03c986a1b015fc6e68f6320

SHA512
ae88ba80ec0f78f74790597a2e7db2b2efedc9fa238be8e655599de1adf90fe40f11aafe80a83f26387295fd078e72eb400c64d998441569122944cf9afc8bf8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dly1kncb.default-release\startupCache\urlCache.bin

Filesize
3KB

MD5
2bb3cc3d2e289a54c2caae0fe324bf6e

SHA1
f94aba241d17b8560b7a9d9e9dfe3f10b7a60218

SHA256
d7a1b54856a1675ea5e22ce63231ead2fa0fab67f8bedfccff8f6af86ec65b65

SHA512
e1279766c64b9ce6ca24db3a4a8d93d8f490a263b96dc3e8f9de11c04653393f76d1e570a4513c87e49f1881263c61dafd9bdf374e7289f3f48ff784130e2e03

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dly1kncb.default-release\startupCache\webext.sc.lz4

Filesize
107KB

MD5
3880d283d4d12f218a96acc96397ae96

SHA1
9ef4db6356135e22fa020b15bf42c254c0fb4faf

SHA256
df8ff7934d91fd318c9772339bae5bf7f1ce72bcbb1b3371d5b49b9a328ac9c7

SHA512
068b9d55f4967bbc9e5f7e21e892ecb063d623ae103715ce437db0d6fe6efb0caa826f112ab7777da4d08ec31283ec572363a94e3cedb169f47d43713f09fe68

Download Submit
C:\Users\Admin\AppData\Local\Temp\7CD1.tmp\7CD2.tmp\7CD3.bat

Filesize
3KB

MD5
ed10dc8c536ee4a022b94514936658e1

SHA1
006378f2c2837b196ecd17db6f1d6db862b8454e

SHA256
6851924794377b148813fd77ffe990aeb8abd363e9086b73bf76db117feedc59

SHA512
245a2bef61c75090b9108a5c5b81a77d1091b5a4abe8f561d5658e9c708907fe2ada359a9931dfa6decf0a06e5a0fdb08dab6ed7165a78f559512cbedf37634f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA1F.tmp\Install.bat

Filesize
182B

MD5
c9280e704c9ce932310ef90dbd50ea07

SHA1
008a5a09212208ab104bffc95ddb5bfa9ce746b0

SHA256
d716335bf2d70d602bb2823e266eb4b2da101306a1d21a11a2aca15f87aa2dba

SHA512
f348dcedebb9ca4e00779711fe0111a18b987c4a58e67df36de5e3d05b94594714b6e0d62e9e54bffe57e961c9991f2b43198e78ff13c86f6d3a4d6f73becf2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA1F.tmp\UltraVNC.ini

Filesize
1KB

MD5
741de7cfb77c0d2b06e4294cb849a41b

SHA1
6756cf9428e25bd5c295d7d59b14885a61eaf39d

SHA256
f4097fa9ef3432212e066d69a54c43d211c4cc08e1b2ab0b3bbe6e3af66f6ecc

SHA512
da12ae35860168d6691d8c2e977486605a493942b2c23fee05d8d6c4d61309e68c51d6e50522c6a8d9f5bc3cc8c22a9c2f73409cfa393cda1966d561de87e00d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA1F.tmp\vnchooks.dll

Filesize
52KB

MD5
e12e07ee3f1088632635731d4cc61fe4

SHA1
1a6d7e6df5164f4433d9794ac9b7852b4b4a099a

SHA256
c8164ccc0cf04df0f111d56d7fb717e6110f8dee77cfc3ef37507f18485af04d

SHA512
3f4b7d2d79fa7abdb1627a0978d2a57dbf7fb6f28e8fbae20e2453da8ae6a10f95265f2e0b3b2a76665ea864ffad51cde33eda41693ebbef979b7d46b6612ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA1F.tmp\winvnc.exe

Filesize
2.1MB

MD5
92035b71d115335360749bc8b5755750

SHA1
0ab85b6492fa4c0b891413deddaf4f4974ca408b

SHA256
5ace41b53aff2a334c6c4972c77e6d54be9c7aa8dfef7c63632c594d36bd95e3

SHA512
9015fffd82bb8e16f0fac41bd0d750b0386e9e2d0221318e4c9c85bf5d1a4ef98feaf1fedebac10a6fcc40303c1ce896cd48298431cb080e65ac73efd6d52fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\main.exe

Filesize
126KB

MD5
fb32165caff9614efbc6311fe75da2f2

SHA1
674e7a93ed4b9cb097d846463a249bd68c4ab7a6

SHA256
41018b0dcfb3adf0ddcda481a276d98cbcee94698ac9c7dbd3644a86687e76e8

SHA512
65356ddd14df07f2153e740a8ac9f4d722e604a85663254f5e444850cbb66c15c35e7cedc6fece72df63677ffbbeb094122b05c11e01bf0cded917c3c4608a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngrok.exe

Filesize
10.8MB

MD5
dcf9700c43af9e588bef407729d34161

SHA1
258b313531fc59545911b653c4aa6d82a2fedd21

SHA256
99d6917a4a78829b494c50b59088f74dc9f5e1bb8d78a92f0e27b5be7cfc429b

SHA512
0c7952646788e411c1acfc5c26c084bde45f308e7778f55ae9ff2562454f9a57a271932966d17b3fab2f279568b442e22b2ed57e368016d80a74d7365f216e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe

Filesize
26KB

MD5
1f5545281784c48b113dde61778a4697

SHA1
46aee2f749bbee1fb7e4f5d8609b798bd5077673

SHA256
e31e3e11ce40c048eed1a0f68b0e47a15369b9289b30dcce9fe70b7f7ea26c20

SHA512
e262e58f15bbbee488a8423cbd5f03b2e9ab12b7af267d3278b48cb86373ff180b992d126694d3e224a8b97bff5edbaeb9c0d3493528b0d6b49e236339a1ab37

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-2

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnc.bat

Filesize
151B

MD5
e5d07d56ec0f669b477bb7c598c6fd10

SHA1
0145d8e87c5ca32654879fce086dfd4db8682fa9

SHA256
f395de87ef433b77793019a4b2a6e54646f5c5e50d04dc3c4bf0e9e31ebf3150

SHA512
183a7d22ae6f7ca28026940638e210dba63b14a8d16cb6903c969c716adf225e587b46e02a14810265c06ef950618c36f28815378816546c381a6ccce58292d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
45553c9f5b5be8590f4cf6b9807141db

SHA1
d830703c83753d9d34554939b500989c6094d0d5

SHA256
b82108c64f7acea33e9273d191f76deb9eab7c59471380c91874527c6b8788a5

SHA512
8b662ddaf4e8886b7224fbe59f164a44398dcd3d70dccc5cbec5c8ea4009a617fb577297427fd663086f68cb5295c5d4cef66d6c0f874476207c8a9dccb8d7df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ShellExperienceRemotVNC\Install.exe

Filesize
648KB

MD5
23e3963e5323c50dc93f51b7e0f01a93

SHA1
2de308b5131d78fae37cd42125f681464bd9a564

SHA256
c77bce9c430ee51023438e8b46cd4ddf54835e6a8953f80b923f9c888f7dc39b

SHA512
e4fe0b563f901e2557559ecf85e6bccd6c51517913fcc70bb07ad55048311ddff7ebf1d24441d190e082c3d4ca6b7fb57ab79d0fe4eccb49234a83be5915246b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Filesize
1KB

MD5
21eaf37b395f05f15f3e138ecf593548

SHA1
1da480a35399a2d377b0fd2f0a6a09d619fcf15c

SHA256
341a111b2a2b7b3e69a1bf867476d222ef423a3128afaaadfa1bbe091196c524

SHA512
ac34ab428d5971afe19aca423df8c361350ee1a455f2c1a4760a65a0f08566b2a166c3f3f72c194cdd19e572dd7ffa2a6314d31c3946973e055e63672f9dbf63

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\AlternateServices.bin

Filesize
8KB

MD5
605ebf7eed86ea8b51af15f3b9c3df9d

SHA1
34c4c9d1f11a8e02b0360d66deb8270fa8315646

SHA256
0aab8f6b1f6f6586469c018c2ad349652d8c3b83fabea71f4b80bc44cf0dadcf

SHA512
60bf7f532340627a845e20676cf056f161a82e0b1f351c2effd36a5bd2dd2b0fc7a35fe46ba28337f0730e90a7accb6241f7087c89a8648f30bdcd5391515ab5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\AlternateServices.bin

Filesize
8KB

MD5
9b64b831850d5da1565e15534700ec76

SHA1
e95516f2e7fa0b9415c1994e16a8e87020061357

SHA256
76805aa208620ed91bd470ba33cd59c6ca7418ac83fcb1989a7da545ff0c555c

SHA512
3361210bb81b2971f5dc8a6a26c3416d47f29d50d5a4d4157d1963094b36668104bbeeae329b279b7b06cd34870cb79ff10ab5834562255c0d8f42a67709a75a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\SiteSecurityServiceState.bin

Filesize
1KB

MD5
86b06a70620a11852d065eafe408073f

SHA1
bc36723c21e5c9b8146bea497125eb6f8b535bee

SHA256
83455ffe3f3e915ad1a6fa5e0a97a8aebd77093eea672373b22a65bf8269a011

SHA512
ded97de97360dc74e0076e100be9c18e411639efb9cf62bd6bded341449e083efd2f5588ff3c11083ef262f439bec93197ae805eb445cffe1dce1af54fb87a37

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\broadcast-listeners.json

Filesize
221B

MD5
70010e502eb4c232f138f3bea29bffcb

SHA1
bc70dfaf8d57d2cc87b4a37fcde52b88c0b53bd6

SHA256
1e2736149d0356bdf2e0efb09133782b685c9808b4890dc39f8fad6110e302cb

SHA512
e3fde36c4979e8e58edf3983786cfd7effbc7a49bfbae29c5c4d5cc587a3a481698fb07f90603feeb9f63fdb0527d0595b6016aace564544bda48de074c52ea0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\cert9.db

Filesize
224KB

MD5
333862fd43314eab0921c3ea2e727706

SHA1
e9d18e9efb518784ab167a91f43161eb84c20589

SHA256
02fff87c5b7f9bf940ae5f3918c12fb8451673fef85dfa39ac30824cea3c06b2

SHA512
c5a1168a499885be48167fee167052ef008af8fe2471983b5a5f726ab8c6079f52a9905aadfe49dbfce3d4f9cea15ad9d79bff74c3bf6088120ce115c48dd3f5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\content-prefs.sqlite

Filesize
256KB

MD5
b41ed219e2c8dac47f2701562d092621

SHA1
90d507eae3ec943a121dbe5a080412e40470b54f

SHA256
cfed019635a1e14f74ae78f2c03fb96b40ac3da37b67489bd98c144afc200f1f

SHA512
5c6027ec701055efb3b6c055727af5ed261e8f1d5ba954e64e8a34e5c791679b1e4a6ef49896ab8089ec151fd758ba41efc7333611af42b851606a0544a9b947

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
2db068fa2fb2f4afd99e779b54888f4f

SHA1
36c88f2b53f63b20ef0684e300e8f4eb75caf8fd

SHA256
7644183f3472f8dea114aa55d74781bb12f26be6e90b47d506b3149b11bf4105

SHA512
04e914eb920a012bab42603969a3799e6212c12973e7a0e055a69d839207cca06edb5b869069ead3639060dbfe295eb738f94cbbb248563f3f8f3830e823031e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
27KB

MD5
657aa3338963ebff6913dec692130aeb

SHA1
9189db85edcb3c15992b99046ec933f934bd1b5f

SHA256
388145ec759364ee875ea3e1b66fe5efe151dd05e78352f24131a7c2645fb32d

SHA512
3d5284a958471a93421e96621140aa263bf551899ddfba24ba87bc81a5784eb59e9ba46b885ff161912ce481118faad49203174442921008e5d8f567935d8d18

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
27KB

MD5
15e1409642f41c8442226c4fe2055c70

SHA1
b05dbe889fc67ce40e20d3cc76f8bf420b96b3fd

SHA256
d0d90a005e6999a2fca59eabf2fcb49aa182ea9b27db752141e3d2ccad76d960

SHA512
d771bd1f6cea3f6a3e0f7613d0b2d2ad33404e03504922c0a7b3099534e87af5bbcb8d6b021f3528bd93a85285869de3e6d11bf0680f715d0053647627d96431

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
26KB

MD5
97abba90aacb051ba305ab7e2f71e37d

SHA1
dcc60f86652475ab76572746cfc849e76d6d2c05

SHA256
771852c4adc209cb522f2bd869cac5abc3637caf3c028c1fa079f533fe7b9af8

SHA512
160a510f5e756213bfc8e4c8d1cdd396cd69caedabfe596910e0ebe61951f7ada5f86f6663db45ef6601bd8f7e204be23dfdaa58bfd15e5ae1e3b600a82ee632

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
f93ffa61e1c1b0dd18a8e3248a84887e

SHA1
8143fdeaaa54a56ed2e096a317aa05c909747db1

SHA256
4d03bff6461216cd27883164e4a99afcfe42fb78c462f50d8909c61fdc70910c

SHA512
5d99d545350c552339006b0bc850d87629fd14380a6152dcb6d439dabb385b7ae7e27471bbedfdfd786bbb3d05370124944e6c4a7c8773ffb74537060bd3d8f2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
26KB

MD5
b3a74f93ba8b2382a8c87acf2fc12b0e

SHA1
7949fac11b248245f790f1df4f15988194f3cad3

SHA256
864b8bd3c936386e3f35b2d5ad4fdb3801352505bd55aaf66c1acc6c2d2e8b83

SHA512
7f695b4fce4cfe28a76d4521f706536cd9da7dae9bbb1caa9b725a9df178910a9e319aff7119212df7d89b03bbdd0ed8ad0e69cf8c894e043adfb0be3b2a7487

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
8193a499981ebfc2a0a508efe0379b68

SHA1
7ffa965c1f9fa0ae8618470396b78234146070bc

SHA256
0ab5b1170f3593fbe725f15b2deaef3827ff7de896cb64d56ef99a1002e9d00e

SHA512
2c3c00e543a3ec4e6c58272df3abd54fccd2432c44416437aa7d3f49b0456d1fcf24607ec6f1dded5353e5d365ddb49b0b707e41dbad91e1a3f2405841fa6d2c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
5a301613b0a7572b322eca75ae1dba66

SHA1
7b372dd4b7cf9f819a7e207916b073f50e9c2ecf

SHA256
fe32f94a00159c4868ec35a4401502be53c7ad96675f0b5ee5901833232dbd9e

SHA512
3c7e8484f63e2db3e45fd21ce52d761a3e26bad16bd41f0a7ebe20a19afecb14f42c0905a497feee502feb2680434bbaefde0842ecb461ca868e9c19c33b3766

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\events\events

Filesize
701B

MD5
cd0f631efdd92ac5e66ba7f1f3e42b55

SHA1
25a96156cab742f3e60b561b67cd4eb39b3cef75

SHA256
8809d1bfcafe97844845d91de8a38b2c312c8713b2869fa191a56b086d025398

SHA512
8e90ae1c640797ac33bc24769e8a4c43305bb04365f40a0bdc5952356b5e4599462feba77256009d254f002675515e2a58b5d619690d30585faf3d1c069e0eb9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\pending_pings\0ce25701-d6cd-46ed-ba3f-9555445ae040

Filesize
797B

MD5
8128a943e868cf5f154b2ee9562e0af2

SHA1
f18e58312c86ad93a8ce3043f446c960b58e68fb

SHA256
a0fbb3c883600b1c66cec3df992959fb81eeab65a66d75207435d093ddb08ebf

SHA512
a2d8f3e6db4661ea25f7dd7d970dc2b09ed31d512659f60c5989230e10ad6f7359824c76271ffbf0db7386e11c4f5594186b98e4d73783d5b2bb7c46f86acab8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\pending_pings\2c4a573b-63dd-447a-a115-28573fc04f65

Filesize
1KB

MD5
0e7a58eeb01633dcce126074df68b65c

SHA1
add533dc7fed694ca60730c86610cbb4697d1d63

SHA256
a9d1fe6d55b3d6496e73dcdb0941acc2b3f6b2171b80615ced0cbab74471b6ac

SHA512
dc659bda0659b6440654b92f698d71b3e5a58d8c6a53aabe44875e8828dd3c3a516b0cc42ad05b9fa3d91a4575ce76aeef4453aaf388005d3916060eedf2a9e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\pending_pings\59d0b8b2-3b10-4bd1-ae3d-0be9f2ba581d

Filesize
671B

MD5
e10a22d781b16b67a2d9e68f83790c52

SHA1
6686ddc2af93da0d33b0e2aef9f1d9056c574700

SHA256
0a3809afa3895bc0dc003214a9c27ade20d9067964f66d041f49e16460ea5add

SHA512
02873f5e6495402d6b25eaa9c07636d3e0f5a3009c10f2872835c625b9fea8772c18aa1a01c434f64cb9cd7f9dd9f22369c5747abb757ff4b1abd287bc93019b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\pending_pings\874eb8d2-a4b5-4a60-80b2-aceaf0441fb2

Filesize
25KB

MD5
15d1f5528ffcc6b08bf999280219bb68

SHA1
5c6e31afd8e493e0b8a7449968acdbe4f43b99e5

SHA256
1dd789d63990342618e514788905ecf5529f4a315eaf119727f14f67dedae16e

SHA512
db3c071ebdee7deca962e0072c7ddd324559c2f50d3ef35bb5dca5b1cf33cabb8096a46a9b39704e1600a83746b77f72dafdf5077db5e0caa99e34cc6ac2a130

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\pending_pings\8e827ea9-5152-484f-93fa-22d169fea6f0

Filesize
756B

MD5
b6b447bfdc45f6e5780b5a5c1f109bea

SHA1
56cc6f4ea18477e20bd0ad6ddcc08f66535fd988

SHA256
4b234435495dcd9b35254f76931c4180d8be924338f8d5f80d3c8eadabdd8d89

SHA512
ef75ab33bbf6d961b8c2a7d404ecd0b67487c031b2ba533d7aa63aa139dfa9cfc45e109e3084d2c3612457722f37f7ad5f9de1b8ebc93185fb2a1100bc14b942

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\pending_pings\928c7b97-1ff5-4594-bd99-58f7e86be1d2

Filesize
676B

MD5
b29e8a57ee10e92a46694d3a20e74e9e

SHA1
033a2cd4a8d60187d0365b10c9113c8edaf535d0

SHA256
6ae68901e57686de28179b9d7374dfddb1ee1e1918a79e60f2e5d6fa0436ce0a

SHA512
178c4136b38a39c2f2730ed570f98c9191ef59087bc6ae8de52ced71d981468d8066aca30c9d86a6254fa2f2e925134134e3e0ffb6fb195556de48f66a9c07a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\pending_pings\f29077f6-a268-4402-8d54-6a41db16e694

Filesize
982B

MD5
e20bce3b844d4deae09cc2a2ef1cbc6c

SHA1
b10229a4f90f971e3815e39118fa11162bf032ac

SHA256
7dc01bf37f0e620b8db1d1e15e1f83fc3518d8b94095518098dfb656271c8319

SHA512
75dd4db1cf145ea93c68e2672ef536a2560e419ad5087f8a8fffdb042cd960e0a05111a79bc1936d9e16ce0c5b4d00bd050c918086f02cb6529a61fa047f7e8f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\extensions.json

Filesize
37KB

MD5
ec1f08c03a98e5b376abbf43e707d5fb

SHA1
55f3c934a1537aec7e6508ee6318c5ac82e4035b

SHA256
13e4af3b246805c49351ad879dd98a02b7e9f09894073df1319b3dee236e7231

SHA512
8426c3556d6a5592eb198e82e392f50b6eba0121afdfd4922bbabcae8f31e8face0259e4b9b53fd00c4bb50c8737d2f8d017c04a0aaf7955141f2a822b311aa7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp

Filesize
1KB

MD5
36e5ee071a6f2f03c5d3889de80b0f0d

SHA1
cf6e8ddb87660ef1ef84ae36f97548a2351ac604

SHA256
6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683

SHA512
99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\prefs-1.js

Filesize
15KB

MD5
8dee956780324b0cf2040f844e394f5c

SHA1
cad5ef2e3f23ee79dbf1bb62a3b7e0b0fdbba095

SHA256
0c25258cc6d5199587d935b00bb48c99ab54032b0c8a7683a18399216c44d30b

SHA512
e8d1432b12c1582a6d6b2308219cab0bf344ddd7f33afedaf3ce72bffeb7740d8d0b71ec79424695f0c75402c511c8f5938252d021201e17603ef91397a31387

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\prefs-1.js

Filesize
11KB

MD5
78836a2d949f19d961e99cca377972e2

SHA1
c8355af3a673a5b1c25dbd5fb1d30ab072d1a16f

SHA256
95f3b16c347ea67763677fa3afd41471efa6be5cf229b55827762a7d60e447c4

SHA512
6d2d61272580b6eea582ea4bf9da7d710a5c8322db8dbb34d219b508fa890312fd049fbf74b577bfd5615e57c4682f62c1f465f426899bca9592ec3ab5f2a509

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\prefs.js

Filesize
10KB

MD5
74f486ea3d81594bae44455de18f9c88

SHA1
e5cb36186db7dbde62775f0178d58acbef5328e7

SHA256
535dcf601256d03a3e71e413841447459b6ae57ce40ed953025994c739eac90a

SHA512
fdceae09941b195b1b7cb7d461d100b6ef52460a2776378c8a1f802ca5e8680af4c82af3e0ddbd66c18886cb5e3b959ca63146e2fd5f22afdf4bd54015b6394d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\prefs.js

Filesize
15KB

MD5
c4737a63386224366f9dfeb3e72fc696

SHA1
d76ed650c9bcd5b215ffbb3e07067a5b85993c48

SHA256
877bf330b6d35383f29a8d947e4e73eaf101900c2591fbebb25f7c5a8112b1bb

SHA512
06cb0f1eef1922cda59648e56e62e23fd428645b3815fbf2207963a197aae5ff5788a6551071da86cd668e6f0b8fa00f3024d1781bda579a2be42bf748b50ca3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\protections.sqlite

Filesize
64KB

MD5
76786a4c0dd19d88d6d3ed95a293bf2f

SHA1
b0d6d676127a7694fc6e71ee57fcc2ffaa621ff7

SHA256
1a2564c1ba20b8038d35c2319258d94dc15d97914dcf753b31c48b79940dfd31

SHA512
8cd3298e2ebba763d3c80ac4b17e44af7eb63b46304967d0c6316d314baf8611c05f7b9979c2c5c329ac167aea0246e8c9f057ffbb272481c13fd5e4b4bcb2d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\security_state\data.safe.bin

Filesize
2.9MB

MD5
7a902730d00c26e80adc802a03a10734

SHA1
b22c1a9e69e615ba0bfee39b4824613887bb8789

SHA256
b2b63dd6d881800bf7141fac25d7c31857e9a86d8c12dd3ddb40350fd0e4b9c2

SHA512
ac583a12e75e428a1bbb33f092ad1b266e23a8bd2341023e2d7ec16f40812e1ad12709751e284110184d675c942f87c9b14b016e0b33bc49872f9c7df03afbe4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\sessionCheckpoints.json

Filesize
288B

MD5
948a7403e323297c6bb8a5c791b42866

SHA1
88a555717e8a4a33eccfb7d47a2a4aa31038f9c0

SHA256
2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e

SHA512
17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\sessionCheckpoints.json

Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\sessionCheckpoints.json

Filesize
146B

MD5
65690c43c42921410ec8043e34f09079

SHA1
362add4dbd0c978ae222a354a4e8d35563da14b4

SHA256
7343d5a46e2fca762305a4f85c45484a49c1607ede8e8c4bd12bedd2327edb8d

SHA512
c0208d51cf1586e75f22764b82c48ecbb42c1ff54aa412a85af13d686e0119b4e49e98450d25c70e3792d3b9c2cda0c5ab0c6931ebaf548693bb970a35ae62b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
362985746d24dbb2b166089f30cd1bb7

SHA1
6520fc33381879a120165ede6a0f8aadf9013d3b

SHA256
b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e

SHA512
0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\sessionstore.jsonlz4

Filesize
1KB

MD5
1930705464a62c141d57c2d056b2947a

SHA1
e47650d694e6678254a8a302a918967c96e8130e

SHA256
9b97c2f6bda333e355f4cbc9d1d757ea3dc767912de5524c4aa917ff551f46c4

SHA512
7651ca1d8ff9ca667dd89ab9604bcea05b2a7d47e644cc7ca27742dab47454ea0774ad3af45932bb404eb9a411bf4a37e7fe6acce37d2ad5e51fd336cdb4c629

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite

Filesize
48KB

MD5
e56f3a6397593fdb119a4bd0ea5312b5

SHA1
f3419fc1eca02fe1fb19bae7cfcc129cd3fa4717

SHA256
3bda63b5af08e8ee200f45cb092957a5d7d07b559ea240617d0bf1364a1d82eb

SHA512
43c7390de01f348948f1b42215045d6f79aa1fc6ac9ea2ae3161dd8d895409a789b8eddd73a23ac12ba113db0b2e5148d32f3862b2771d6e01293845f08e3d49

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
11.0MB

MD5
69eff33cbc11b5ec85f30fe13265daec

SHA1
09fbefa3c5462dacf248fffabf6e3dc0cc6d07e7

SHA256
8dcffcc87c97b1824415f2e8d827ad55044d6e19183ea74f4927d0d9b94ba6db

SHA512
f06d04ec159db4d0604810ba2eb8840129b8263a8fc6cea01efe031dd6ce3c1fa67098344086a1ab663ac7e2d8dbf811037be2086f12b39f25ac5028b414ce2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.3MB

MD5
bc32eb2314153d5d078da1e6e515523b

SHA1
c793b923b5b9906850ca7a0e9331209a0d69fd4a

SHA256
2a87b3afba539ae800ccd6317a12a14b4ba9722a2fc69b5e06946e96c92c3cf2

SHA512
ac39245fe8d9b3a0bcd0c514a4a9e67aaa4274d6d37e6155b9d0fe36ba41b43ef1284974c9e7c866715bb80e94d99a6a89312d66277ba17185f3c769d4fdfcf4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.5MB

MD5
e1ba3781c7c5f98380bba451b9c3b0c1

SHA1
64355cbdb364971d7d71bf75130cb8fc14ebadd6

SHA256
235df99956126069a63903ed89f854e24d880535be3e3df991f93a74f7b7ee11

SHA512
9545e69dd050af48c2519c1b188a0d7b3227cd1513a11db08054226482d6acbc18a987656f10e0e3e24892b75b063124d6a83186849ff4edfb6c0914543a4d09

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
2.7MB

MD5
507667c3a3ee76d4e2365aa9ef8e6fb4

SHA1
b801c8254637605d5d14b08ae715232e455c9670

SHA256
1a5900c670d9885304f2ef25c486bae6eaa8881718d8ffd656a39260a8be1f34

SHA512
98fe6128d6617cbdb27cf8d4307baaa2c52c338bfd20631b7d26b2cbeff0c507869ed9b4eac9020525435b2c5f99ca45a24b9297e1ab012d04f6cbef85bb94c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\xulstore.json

Filesize
141B

MD5
d7a9c29a5421078a9135ccf1cade552a

SHA1
e1b43108778d359d8d9287cf59225617e1769463

SHA256
bade20948c677d1d458e39a4cf6d8c4d8237263d55e63370d6272fa3243ffe28

SHA512
49553b13fa1cc8d257f2ca9056742e6e11fbdce21633edeb5af6f863294f97ccf3cabe851d94bcedba03e2716311a48dcf8064eb1500f8a7c400b049bf48296f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\xulstore.json

Filesize
217B

MD5
3c7edbdeecdb47fba617e3d03c36b0d3

SHA1
53628ce8c5170810fabafab8e001bfd971d47825

SHA256
c3db6f2519b071b7441022f9ed508b0da5ba40295be0ee449a27bd6146595d04

SHA512
bbf56ea374114173f7de198cd71ac6e75276b0f30926c6690db512f45ac2e54d099d990c285578f702696494d2884d8550e5dddadeee01077933034ac3817842

Download Submit
memory/432-3379-0x0000000000400000-0x0000000001B32000-memory.dmp

Filesize
23.2MB

Download
memory/432-3377-0x0000000000400000-0x0000000001B32000-memory.dmp

Filesize
23.2MB

Download
memory/764-929-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/764-824-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/2364-53-0x0000000006250000-0x00000000062B6000-memory.dmp

Filesize
408KB

Download
memory/2364-2992-0x00000000058E0000-0x0000000005A7C000-memory.dmp

Filesize
1.6MB

Download
memory/2364-368-0x0000000007A60000-0x0000000007B0C000-memory.dmp

Filesize
688KB

Download
memory/2364-54-0x0000000006670000-0x000000000667A000-memory.dmp

Filesize
40KB

Download
memory/2364-51-0x0000000006140000-0x00000000061D2000-memory.dmp

Filesize
584KB

Download
memory/2364-52-0x00000000060E0000-0x00000000060EA000-memory.dmp

Filesize
40KB

Download
memory/2364-2990-0x000000000F870000-0x000000001033A000-memory.dmp

Filesize
10.8MB

Download
memory/3788-0-0x00000000748F2000-0x00000000748F3000-memory.dmp

Filesize
4KB

Download
memory/3788-1-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/3788-2-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/3788-26-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/4440-28-0x0000000004DF0000-0x0000000004E8C000-memory.dmp

Filesize
624KB

Download
memory/4440-25-0x0000000071A1E000-0x0000000071A1F000-memory.dmp

Filesize
4KB

Download
memory/4440-34-0x0000000005CB0000-0x0000000006256000-memory.dmp

Filesize
5.6MB

Download
memory/4440-27-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/4608-2989-0x000001BCF8F90000-0x000001BCF8F91000-memory.dmp

Filesize
4KB

Download
memory/4608-2979-0x000001BCF8F90000-0x000001BCF8F91000-memory.dmp

Filesize
4KB

Download
memory/4608-2978-0x000001BCF8F90000-0x000001BCF8F91000-memory.dmp

Filesize
4KB

Download
memory/4608-2977-0x000001BCF8F90000-0x000001BCF8F91000-memory.dmp

Filesize
4KB

Download
memory/4608-2988-0x000001BCF8F90000-0x000001BCF8F91000-memory.dmp

Filesize
4KB

Download
memory/4608-2987-0x000001BCF8F90000-0x000001BCF8F91000-memory.dmp

Filesize
4KB

Download
memory/4608-2986-0x000001BCF8F90000-0x000001BCF8F91000-memory.dmp

Filesize
4KB

Download
memory/4608-2985-0x000001BCF8F90000-0x000001BCF8F91000-memory.dmp

Filesize
4KB

Download
memory/4608-2984-0x000001BCF8F90000-0x000001BCF8F91000-memory.dmp

Filesize
4KB

Download
memory/4608-2983-0x000001BCF8F90000-0x000001BCF8F91000-memory.dmp

Filesize
4KB

Download
memory/4772-3382-0x0000000000400000-0x0000000001B32000-memory.dmp

Filesize
23.2MB

Download