a89d42269c5af23f0a9de9f2a73898893b3a2cd50db7852d8ed12f2f32dabe75

Resubmissions

03-12-2024 13:32

241203-qtcshsxnas 10

03-12-2024 13:31

241203-qsc2wssqer 10

03-12-2024 13:23

241203-qmwxtasnfl 10

Analysis

max time kernel
221s
max time network
220s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

passwords_grabber.pyc
Size

8KB
MD5

704dced7f7530b19a34a5f7a71c26b10
SHA1

608d9647488cfa2b5f84a891028168a973bfcfa9
SHA256

1fd284f1e27263bd2a16050c6989933a382c7d196f4c9f247187cc3b3f6ba3ac
SHA512

e4a6710abef2c45d631745c91d8135873be06e5b240a61362e341d05ecc1dedf885487a554b648c328a3c5cc17fcf74e6d066b2e3f51379358ba28c2a0f2f39f
SSDEEP

192:+CE34EAL/GFf/PomdPO23NsDmqFUhkxNivLI9dRvL:Y4EAL/AfRBO8NsxuOxNn

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 3a002e8005398e082303024b98265d99428e115f260001002600efbe11000000f9e9b8759918db018aeaf86a8845db01a814006b8845db0114000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000200000000000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "3"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e80922b16d365937a46956b92703aca08af0000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	firefox.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4824	firefox.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeRestorePrivilege	1968	7zG.exe
Token: 35	1968	7zG.exe
Token: SeSecurityPrivilege	1968	7zG.exe
Token: SeSecurityPrivilege	1968	7zG.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeRestorePrivilege	1400	7zG.exe
Token: 35	1400	7zG.exe
Token: SeSecurityPrivilege	1400	7zG.exe
Token: SeSecurityPrivilege	1400	7zG.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe
Token: SeDebugPrivilege	4824	firefox.exe

Suspicious use of FindShellTrayWindow 23 IoCs

pid	Process
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
1968	7zG.exe
1400	7zG.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe

Suspicious use of SetWindowsHookEx 41 IoCs

pid	Process
2224	OpenWith.exe
2224	OpenWith.exe
2224	OpenWith.exe
2224	OpenWith.exe
2224	OpenWith.exe
2224	OpenWith.exe
2224	OpenWith.exe
2224	OpenWith.exe
2224	OpenWith.exe
2224	OpenWith.exe
2224	OpenWith.exe
2224	OpenWith.exe
2224	OpenWith.exe
2224	OpenWith.exe
2224	OpenWith.exe
2224	OpenWith.exe
2224	OpenWith.exe
2224	OpenWith.exe
2224	OpenWith.exe
2224	OpenWith.exe
2224	OpenWith.exe
2224	OpenWith.exe
2224	OpenWith.exe
2224	OpenWith.exe
2224	OpenWith.exe
2224	OpenWith.exe
2224	OpenWith.exe
2224	OpenWith.exe
2224	OpenWith.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe
4824	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2524	2224	OpenWith.exe	94
PID 2224 wrote to memory of 2524	2224	OpenWith.exe	94
PID 2524 wrote to memory of 4824	2524	firefox.exe	96
PID 2524 wrote to memory of 4824	2524	firefox.exe	96
PID 2524 wrote to memory of 4824	2524	firefox.exe	96
PID 2524 wrote to memory of 4824	2524	firefox.exe	96
PID 2524 wrote to memory of 4824	2524	firefox.exe	96
PID 2524 wrote to memory of 4824	2524	firefox.exe	96
PID 2524 wrote to memory of 4824	2524	firefox.exe	96
PID 2524 wrote to memory of 4824	2524	firefox.exe	96
PID 2524 wrote to memory of 4824	2524	firefox.exe	96
PID 2524 wrote to memory of 4824	2524	firefox.exe	96
PID 2524 wrote to memory of 4824	2524	firefox.exe	96
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 4484	4824	firefox.exe	97
PID 4824 wrote to memory of 2468	4824	firefox.exe	98
PID 4824 wrote to memory of 2468	4824	firefox.exe	98
PID 4824 wrote to memory of 2468	4824	firefox.exe	98
PID 4824 wrote to memory of 2468	4824	firefox.exe	98
PID 4824 wrote to memory of 2468	4824	firefox.exe	98
PID 4824 wrote to memory of 2468	4824	firefox.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc
1⤵
- Modifies registry class
PID:1368

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1868 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {000f6559-0aa7-4faa-923a-193288897f6a} 4824 "\\.\pipe\gecko-crash-server-pipe.4824" gpu
      4⤵
      PID:4484
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2380 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df331a78-7d4b-4c2a-a14f-9300334e78e4} 4824 "\\.\pipe\gecko-crash-server-pipe.4824" socket
      4⤵
      PID:2468
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3252 -childID 1 -isForBrowser -prefsHandle 1572 -prefMapHandle 2952 -prefsLen 24741 -prefMapSize 244658 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2152f1fb-e5d0-4df2-9f85-22e6f99430ed} 4824 "\\.\pipe\gecko-crash-server-pipe.4824" tab
      4⤵
      PID:3480
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3804 -childID 2 -isForBrowser -prefsHandle 3796 -prefMapHandle 3792 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14c7dd8c-deba-4206-9ff9-98a88bf78409} 4824 "\\.\pipe\gecko-crash-server-pipe.4824" tab
      4⤵
      PID:1372
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5024 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4896 -prefMapHandle 5052 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a572c3cf-5f82-48dd-8afe-aca9b752269a} 4824 "\\.\pipe\gecko-crash-server-pipe.4824" utility
      4⤵
      Checks processor information in registry
      PID:2084
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 3 -isForBrowser -prefsHandle 2784 -prefMapHandle 5476 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e3c073b-4bc4-4fec-a527-f3993ed39512} 4824 "\\.\pipe\gecko-crash-server-pipe.4824" tab
      4⤵
      PID:836
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5412 -childID 4 -isForBrowser -prefsHandle 5576 -prefMapHandle 5580 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1ec0bf8-b081-4034-b100-46beb1fca0a0} 4824 "\\.\pipe\gecko-crash-server-pipe.4824" tab
      4⤵
      PID:1012
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5764 -childID 5 -isForBrowser -prefsHandle 5840 -prefMapHandle 5836 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ed67998-8842-41dc-9ddc-eb99f1e1454d} 4824 "\\.\pipe\gecko-crash-server-pipe.4824" tab
      4⤵
      PID:2716
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1588 -childID 6 -isForBrowser -prefsHandle 3240 -prefMapHandle 3344 -prefsLen 27251 -prefMapSize 244658 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0af1ebb-9b82-4c79-8d76-24b1e62691ed} 4824 "\\.\pipe\gecko-crash-server-pipe.4824" tab
      4⤵
      PID:1840
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8160 -childID 7 -isForBrowser -prefsHandle 3244 -prefMapHandle 5188 -prefsLen 30628 -prefMapSize 244658 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04a77b6c-7456-412b-8c39-cbd5b2be9d9a} 4824 "\\.\pipe\gecko-crash-server-pipe.4824" tab
      4⤵
      PID:1120

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2428

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap10490:96:7zEvent2932 -ad -saa -- "C:\Users\Admin\Downloads\passwords_grabber"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1968

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap979:96:7zEvent17056 -ad -saa -- "C:\Users\Admin\Downloads\passwords_grabber"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7fmsgkth.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
828ad19a3338c40f761b9348d0df8233

SHA1
26b992e5bca1fc9fa4bed415f2af5a943c027d08

SHA256
498935cad040d758682a907a1d9e01459e1b6445f843728c796d35edbbd620e7

SHA512
5ee90712c3579e919e91805a79ee98f5b9fdfbb68372af330acbf09b213d91deff7bb4c4a974b337f6473eb164e322ea6a832a5aa4fc5ad1b96f68d6ccfb500d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7fmsgkth.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\AlternateServices.bin

Filesize
6KB

MD5
b4f828b91c97aadb982e38b9f68eac2f

SHA1
88726c116498f274831f95f7c79c3ebe3cb78c4c

SHA256
0837923bacb199324e9e40e600ae2c7f237a98efacd1e9564a3452810cdd0847

SHA512
5df6ca1b4371d1cddd9da5b99e0ec1306f83d56f0e966ef484e4c7bba1ce27b538c7a6fff25ed5df315a01d05c8317d7551a92102e0137f9b4209b8f24de89d6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\AlternateServices.bin

Filesize
13KB

MD5
2ade7bcdba90ef2f78f516f99d210a7a

SHA1
20700db268ce89323df19977912351ad7ed744cf

SHA256
82d5c050c62d6471e431bb08a4288a9c05bb633234efd682b37a342ec9eb4e42

SHA512
c2268de65facf93064cacff3dda492fec0dcc02ef0cde74685e9e01b25f55bd84cba7ba988592608f355d2457f212e3c7d59e94b3da945062684111db955b1f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
83fb1d13178315035bbe1834e42b5687

SHA1
30a0885d216aab3a373f92efdf3a13c7dade5c1b

SHA256
d735d730e5731c8defb0df16b0c704dec81db6206167998307610d319085fcdc

SHA512
4336686827f0f5f75e959dc1890cbe535811c106df234f0493670421a1f969e725d7e11519eb99ec94f799538b982617a17a0ed69c5721a98c638cd1a58e1c37

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
1bd5b7f04e66edd8e8017d800d610733

SHA1
6d3149516c2342b5e1cc6468ab33f261ee386814

SHA256
adab4b9a4ce1579a13bc019705e724fa1c94fdb3863fa5f9d9bafe40604f20c8

SHA512
69155132044bb0cd03e497f9e907d2473d7932435411f2d78785c9a43079114bf471e7398ab6a5c3ca98d5ac66b23f51f85ca59c0db9e3bd641184f09a240790

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\pending_pings\40d24015-cf2e-4cf0-b84a-45a5c3dbfa90

Filesize
671B

MD5
87098025575b28da224bb8995a959a6d

SHA1
deeebe35977a45d15146be85f64323d5df85ecee

SHA256
fa5e0aa4164abb0399362607d371a9826c2454ed188e6a76256a263ad16436fe

SHA512
2bd45e47471acff4aa1bb4347479c3ea85ea06b950856cfe03d924d7554f1f0062e5f3e40cd2d632244e272d9f04b90c6380987b5ea58441dad603f6d53b1871

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\pending_pings\81515944-7d47-45fc-b49e-b7bffe3211dc

Filesize
25KB

MD5
32a483deca52d43d2f97706b46f96aae

SHA1
7b718291f665e53c96038638bd15e34f898b53b2

SHA256
2a020f0e19ab9f825277afe1802efeb50898b66d9ecd10c2a0561dbd4341da12

SHA512
a922e032ba0fda76dd1e7a5154bac15a4da12b6bd14aafc5638fed474f3d8b025faa1d68aa81600bde62f520250bd4ba0409e0f413ad65f3032fa54582cf3c04

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\pending_pings\9a5486e5-8ad4-4490-9b8c-c60a83f30b85

Filesize
982B

MD5
be0b8b1282935ca287e017d6533a873e

SHA1
eae004461d4789312f72f15b8a4fb04a704fe81a

SHA256
548d369c424dd1c49e4028f92c45dac4a9acaeaf97f00f013479af3cb62645d2

SHA512
c9f61dff17b7ae258280e56312f3e087bc773dfae9199f6ced7b9b62d660a3043272ae2b34ef1d87ca1e9d2676826dc7237564e2cfe8b8dd99dd5b9e55be1849

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\prefs-1.js

Filesize
10KB

MD5
ec3668ee233b06a87b7c595a3fb7069c

SHA1
67cc6e04e71d1ab88d144f40561ef34c7c1f809b

SHA256
f468c505dca58a246d485f99096f09ed1a4930a94950a5f8d71d50156d8148a1

SHA512
aa5ce95da49b47dffcea775511860ba8071fec5d356c6d9d303b77f82dc3855feec3dcc434b256f54f6baf8314e0994ff39cd154834e625b76d2134cc152d35c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\prefs-1.js

Filesize
11KB

MD5
033534305bd9e9f297ad7e6404be7d29

SHA1
ef29a31cca112fc2c08271a8f65f5b6c6cb1b4ce

SHA256
a953bc673d06a5ddb937a5b946c3239db101f6b3e97ef41580add267150d714a

SHA512
7daa4dfd9048c4be25096e94cc338c7997e4625485d94fab685a706048e0f488bac228c353a6b02ed924331d35e619c2f6ac67c7fb37e7c03748c3a934afdb08

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\prefs.js

Filesize
10KB

MD5
ae81b255a56c5e071fe6e1a283288603

SHA1
2fb44ad60b55e66f10b7e916fd911f362e1701d8

SHA256
16976e26e252296a500ad146ea14938f7e917c4d88da402a5be0089a367c463e

SHA512
989cf460b077a26193b29c75225f31d1f0b81ea24c77f0096409d33a4afc56b75d72c609e32746193aeabdad09a6c8db8d6a3a444b47602e84b028742c8c57e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
e37af2b12d4abd88e28d52c152a68f20

SHA1
6bc745735fcd171d11504cdee3f8196ec797e463

SHA256
c9930eddcb4a55d5f5fe7f94c552a406562f09b7e2f3e72468a510d6709435de

SHA512
085ccd2b5fb7a2da530a4feec6bf90edc03229167c41f88c500d206859ec5a7fc205ebad8e403e56c6a330a353c3ce00b57a7085a309d8e6fdfdeafdb1335a21

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
26f042b605c4cec8d57741f465e8d4e1

SHA1
faafa056c3e2640eb65d24fcf109257f7e9fb7c3

SHA256
ff961aab7285899d4b7118991278c38161655af4f6b7bfe0f50e1c64a204fcfc

SHA512
c2cb482a7f749196f9c6f9d8883a0c2f641c480af42e99d2d7411355b1e30bd28ff810cace6553a0d47116a7ba361c6406768ec32a89cadf659de49bcb494c92

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
04220da45a659ef60eed1291f68d9cfb

SHA1
7cc4cc11c5c7ac349e4d377816f883ce8052840c

SHA256
9db0e51497190eedbffc09f47b08eb406788870cac4de47fef01894a817ea1be

SHA512
fd8878968e8ad9f924136ebd6dddde2cfe4ff30ea6afc3c3554892fc3999c07bbb7c2bdc23ce0f9677c77181446be072d63bf1d2208fcc27f19a1e870fb19a13

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
ba3a999546889fa849532cf650016066

SHA1
26d9e0eaa4b06f23d63c3902657bad0e1a970522

SHA256
c5cc11642723f63ef2eec94f34b85577599e27e8725c17d34c973cda3e592ecb

SHA512
6b9d1599262690ea1c999c81d0918565c25618641fd746aa7551d9e1f44305f6611bdaa30d9732ba83dd909e2d64a44cdf7d262ef18105930ab7f2fefd230b0c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
552KB

MD5
531d519dc210588dd2366e73347cdd71

SHA1
6487519f9503311103ba44b3958ae6ea89339dd6

SHA256
87a71556ca706bb6236456a3d6ae9b56102ab073e9e303f352c2c377b281f024

SHA512
9f4782825c494da50f9a10df3dc434273784c27857307e14e1a93259174d1f21af96bae32e70977f759ea7802821ab23393ecf0f59fd99fc1927e21013c456ac

Download Submit
C:\Users\Admin\Downloads\jxj0Zlaq.pyc.part

Filesize
8KB

MD5
704dced7f7530b19a34a5f7a71c26b10

SHA1
608d9647488cfa2b5f84a891028168a973bfcfa9

SHA256
1fd284f1e27263bd2a16050c6989933a382c7d196f4c9f247187cc3b3f6ba3ac

SHA512
e4a6710abef2c45d631745c91d8135873be06e5b240a61362e341d05ecc1dedf885487a554b648c328a3c5cc17fcf74e6d066b2e3f51379358ba28c2a0f2f39f

Download Submit
C:\Users\Admin\Downloads\passwords_grabber.7z

Filesize
3KB

MD5
78e782896af0de645ee7d72fe2718087

SHA1
46ec5787b86767da7a3b0503e526dd8e73c77a33

SHA256
6166d455e824420b59ba6b93650a94113e5b37f104b9fa83c1f131c834bb5e33

SHA512
52353ab0abb08301a237409783cc81b13d149207a90a6f6cb37bfc169c5c82cead4814013e275041b7b79511a8d5156ffcb5332c9d1e78cdebf7928efcb1678c

Download Submit
C:\Users\Admin\Downloads\passwords_grabber.zip

Filesize
4KB

MD5
2662bacb7f2aa5815ccc127a3923641d

SHA1
e4bcb5a287bf263b31f5da9eb8d9d262c5c3e34f

SHA256
4898934d3356df00de9f3552b043e14f2ca7952104783cec3a8cdacd8e91b122

SHA512
3b9147741c64f7bbc475e0e79d9b39608b2b0f78762f41aadb213ee468c4d696b2b28dc88e907cd162cb8dde95ede1650cf8fa5ca3f96e63f841d6a1460ded6c

Download Submit