snakekeylogger | ad24b345eac9876a65fb6b0d2eda0da669c3b23aaa969db9ce913f8a63c0a5f1

Resubmissions

14-12-2024 15:43

241214-s6a6kawqhv 10

14-12-2024 15:39

241214-s3nmgsylal 10

Analysis

max time kernel
76s
max time network
69s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
14-12-2024 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pago 4094.exe
Size

528KB
MD5

1a0f4cc0513f1b56fef01c815410c6ea
SHA1

a663c9ecf8f488d6e07b892165ae0a3712b0e91f
SHA256

d483d48c15f797c92c89d2eafcc9fc7cbe0c02cabe1d9130bb9069e8c897c94c
SHA512

4251fd4738f6b47a327b1f1d7609aa5af623669734a1fc9ebf5786337d0fbc5142c8176e51f9f2f5869e47bdbbb2f46090f66fb3cea30189d57917b58049f84b
SSDEEP

12288:PXPZDbCo/k+n70P4uR87fD0iBTJj1ijFDTw:hOz+IPz6/PF1ihDTw

Score

10^/10

snakekeylogger collection discovery keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
UWzDeXWsD8

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral1/memory/3792-353-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Snakekeylogger family
snakekeylogger
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pago 4094.exe
Key opened	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pago 4094.exe
Key opened	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pago 4094.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4296 set thread context of 3792	4296	pago 4094.exe	93

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pago 4094.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pago 4094.exe

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4296	pago 4094.exe
4296	pago 4094.exe
4296	pago 4094.exe
3792	pago 4094.exe
3792	pago 4094.exe
3792	pago 4094.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3792	pago 4094.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4872	firefox.exe
Token: SeDebugPrivilege	4872	firefox.exe
Token: SeDebugPrivilege	4296	pago 4094.exe
Token: SeDebugPrivilege	3792	pago 4094.exe
Token: SeDebugPrivilege	3720	firefox.exe
Token: SeDebugPrivilege	3720	firefox.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1396	MiniSearchHost.exe
4872	firefox.exe
3720	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 4872	3340	firefox.exe	82
PID 3340 wrote to memory of 4872	3340	firefox.exe	82
PID 3340 wrote to memory of 4872	3340	firefox.exe	82
PID 3340 wrote to memory of 4872	3340	firefox.exe	82
PID 3340 wrote to memory of 4872	3340	firefox.exe	82
PID 3340 wrote to memory of 4872	3340	firefox.exe	82
PID 3340 wrote to memory of 4872	3340	firefox.exe	82
PID 3340 wrote to memory of 4872	3340	firefox.exe	82
PID 3340 wrote to memory of 4872	3340	firefox.exe	82
PID 3340 wrote to memory of 4872	3340	firefox.exe	82
PID 3340 wrote to memory of 4872	3340	firefox.exe	82
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 1640	4872	firefox.exe	83
PID 4872 wrote to memory of 2932	4872	firefox.exe	84
PID 4872 wrote to memory of 2932	4872	firefox.exe	84
PID 4872 wrote to memory of 2932	4872	firefox.exe	84
PID 4872 wrote to memory of 2932	4872	firefox.exe	84
PID 4872 wrote to memory of 2932	4872	firefox.exe	84
PID 4872 wrote to memory of 2932	4872	firefox.exe	84
PID 4872 wrote to memory of 2932	4872	firefox.exe	84
PID 4872 wrote to memory of 2932	4872	firefox.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pago 4094.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pago 4094.exe

C:\Users\Admin\AppData\Local\Temp\pago 4094.exe
"C:\Users\Admin\AppData\Local\Temp\pago 4094.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4296
- C:\Users\Admin\AppData\Local\Temp\pago 4094.exe
  "C:\Users\Admin\AppData\Local\Temp\pago 4094.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:3792

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1396

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1940 -parentBuildID 20240401114208 -prefsHandle 1856 -prefMapHandle 1836 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e214e65a-f9fd-4c13-ac18-2f10eee928c0} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" gpu
    3⤵
    PID:1640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2344 -parentBuildID 20240401114208 -prefsHandle 2336 -prefMapHandle 2332 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5645efb2-b40e-47f4-be50-cd5e6bb55214} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" socket
    3⤵
    PID:2932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3116 -childID 1 -isForBrowser -prefsHandle 2888 -prefMapHandle 2868 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3268b08c-cd3d-4ea5-9809-32024f823409} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" tab
    3⤵
    PID:4276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2880 -childID 2 -isForBrowser -prefsHandle 3612 -prefMapHandle 3608 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {485add9c-7557-45a9-9d1e-72f0cd4d62ec} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" tab
    3⤵
    PID:1056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3592 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4268 -prefMapHandle 4264 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee06fd7b-6bfc-4bcb-a162-1a10667340d1} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" utility
    3⤵
    - Checks processor information in registry
    PID:4768
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 3 -isForBrowser -prefsHandle 5536 -prefMapHandle 5532 -prefsLen 27176 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f62d8459-4c46-4112-96a1-cb43067e7c7b} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" tab
    3⤵
    PID:3392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5676 -childID 4 -isForBrowser -prefsHandle 5684 -prefMapHandle 5688 -prefsLen 27176 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b34ffb69-61e5-4bfd-8ba4-dfba6663c77c} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" tab
    3⤵
    PID:2348
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5900 -childID 5 -isForBrowser -prefsHandle 5908 -prefMapHandle 5912 -prefsLen 27176 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c9b31f7-37f4-4015-b621-12c2866279d4} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" tab
    3⤵
    PID:4020

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2700

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:460
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1888 -prefsLen 27594 -prefMapSize 244757 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b74213a-8f25-4163-b129-f36dd894c869} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" gpu
    3⤵
    PID:4904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2344 -parentBuildID 20240401114208 -prefsHandle 2336 -prefMapHandle 2332 -prefsLen 27630 -prefMapSize 244757 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ccc49ca7-8fa4-4851-8387-a06f8be14fac} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" socket
    3⤵
    PID:1604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3248 -childID 1 -isForBrowser -prefsHandle 2912 -prefMapHandle 3048 -prefsLen 27771 -prefMapSize 244757 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31929fd8-4f56-4ddb-860d-9f44160f6edf} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" tab
    3⤵
    PID:3816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4152 -childID 2 -isForBrowser -prefsHandle 4144 -prefMapHandle 4140 -prefsLen 32117 -prefMapSize 244757 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e3b3cd8-73e3-4890-a2f2-e952277c0871} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" tab
    3⤵
    PID:4164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4660 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4736 -prefMapHandle 4744 -prefsLen 33001 -prefMapSize 244757 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {576d2483-0a39-4a97-80e8-aa3b82906734} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" utility
    3⤵
    - Checks processor information in registry
    PID:5268
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5132 -childID 3 -isForBrowser -prefsHandle 5100 -prefMapHandle 5160 -prefsLen 27044 -prefMapSize 244757 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1308fc6e-36ea-40c8-82a1-d291fa22fddb} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" tab
    3⤵
    PID:5564
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5088 -childID 4 -isForBrowser -prefsHandle 5288 -prefMapHandle 5292 -prefsLen 27044 -prefMapSize 244757 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87fbf279-8b16-46f6-ab1a-996f094103f5} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" tab
    3⤵
    PID:5576
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 5 -isForBrowser -prefsHandle 5476 -prefMapHandle 5480 -prefsLen 27044 -prefMapSize 244757 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ac59461-6c5e-48ee-b5e1-24c108ec9069} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" tab
    3⤵
    PID:5588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pago 4094.exe.log

Filesize
1KB

MD5
7e1ed0055c3eaa0bbc4a29ec1ef15a6a

SHA1
765b954c1adbb6a6ecc4fe912fdaa6d0fba0ae7d

SHA256
4c17576f64dea465c45a50573ee41771f7be9962ab2d07f961af4df5589bdcce

SHA512
de7c784c37d18c43820908add88f08ab4864c0ef3f9d158cc2c9d1bab120613cb093dd4bfc5d7ed0c289414956cfe0b213c386f8e6b5753847dec915566297c8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\activity-stream.discovery_stream.json

Filesize
23KB

MD5
f1f5c836878ee62ade71f3f64b4ddba4

SHA1
5cbd891dddf094d840c45191f317000e659f8153

SHA256
311e7fa79eb03899871fbf1836d44a9c6d1568f2de4b3571388ff30edb52dcf6

SHA512
43de63b35e8058cb2f0cd712ecd6febc800e82dbcf86082a4d2ee93bfbd3fb680ff0f41a9f2972bd5c551be7cebe7e233ca8ffa3de6726eec3eeec6b199d7419

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495

Filesize
9KB

MD5
3829e3bd5d7cc47ab064e41713152428

SHA1
f19c62451b8791564e33d662d388dc9724094b29

SHA256
cdc6750ff9ec401c872552a3715c0997847612243fd8d9e38f65f3641150da6e

SHA512
f8869a365a9ca04cdb0ff2e48dcd6b5638d954e16de0fb7a18808c4b387893da35ca935b8886380027fa99c266dcb665f8cd58f87c9ca7d5fe5ba45fbd1bd04d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\cache2\entries\37373F56CBD822F5FCF64BA01E1320A0924D8460

Filesize
24KB

MD5
7fe0b009728cad6c5d1eee6e95fee886

SHA1
1dc15ca8384fad5cd79dccc38524739482bfa3ee

SHA256
9030b5091438cd2dd6a55ffb1a8d38a0450f65a56a4609db8d16a4db38fa14ee

SHA512
b72f1eb9d3cf24e0ca5a3e48d70bef641ffe59a789755733b1345e4122a7b5da080845db385950e3f5ab8f15a4b547354f9c3b75194b64accdf5f7ea82dd7635

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
14KB

MD5
9f890f65a07db3bc01ce24f3fe891d1f

SHA1
dda35bf94e150d6e27e55dc3bab602732518b20b

SHA256
160b9b5aaa919f6372c6f11029fe2f580efe573795a354924435e85b8dc82a92

SHA512
95c540e30d14ff8e128b0f7fbf42ff0a3b4e8e8a4554e27e9077adbabe3b3b58359e63d406c22ec4a11ef8327e988335945a83a6b7b06b038d281942648aed2a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\cache2\entries\D0F48A0632B6C451791F4257697E861961F06A6F

Filesize
131KB

MD5
780c55fd26dbc23db0f20083075623e0

SHA1
cfa7f35249f53023f9fbbff4ad0106304f376aba

SHA256
5458a899385d77dc5089cf7aa3ca676ed0f51d2fe9749c5be50ef95b6849f76f

SHA512
546dbc9e6b16eda336dcaea466f3e9d3e489de60cb23a4a268bf3c02c0f082ad4d1647cfd83264696b2823ef7a87335b96dd22466b031bdfd49bdbd61957aa82

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\startupCache\scriptCache.bin

Filesize
8.8MB

MD5
5a864031e1c764f4fa1705e234d79ab8

SHA1
984c049b8c2c87ff77fa32199181571c8b04087c

SHA256
b6db91ceb21791d35f4711ebe16199601b2a7b8da99a493364d1524eed0fef2a

SHA512
febcd1aec68d4e144b3cc52bccec54b19a3699fc5650b3bc6482d82be80429c1baf19bf55791af1e2d1c9e3457f9707bc5b11d9a792bdcc0c9ca13e8abfbe316

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\startupCache\urlCache.bin

Filesize
2KB

MD5
8396dc75e86df3f2733361bbf75aee58

SHA1
0ee6c4d84206217713ba126bfd47c2d33fbc57d5

SHA256
5f5b45fe62f7a897bd4d14a60db15c67df75865235f730806a1b959925e8175b

SHA512
87ed8998b8906bce32e5718022d338d35903ff8371e5efff1851fc423194c48167aaabeddd59469e0172b4665cd08dfe6abea07f6956c8e2ea526c92fc0a25d8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\startupCache\webext.sc.lz4

Filesize
107KB

MD5
5a76bb7ca33ab8ee1ef9582ec06cf748

SHA1
f8f15975cbae2212aa6e60f6ca0996ce081a6ac4

SHA256
1d0db5fa30ccf7a702269c47a2ae808df845d1dadfa1603dca19a18749583229

SHA512
95f7e58293eac42b3364bc475967ad66af7d84465249b9dc4b8e5fffdf2fb311998685534eaf794364f2890814e9791ba74f49f3a48fe7c3394c24a9673ca7d6

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\05fd0bbc-fab2-47ac-a256-06eebd2ab046.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
327975ba2c226434c0009085b3702a06

SHA1
b7b8b25656b3caefad9c5a657f101f06e2024bbd

SHA256
6fa9064f304b70d6dcebee643ca017c2417ff325106917058f6e11341678583c

SHA512
150a57c143fc5ff2462f496f5a9451310b8d99e32c4d570641204c8062a78590f14bed438ac981e8b0609a0c87b859a1f8502a78687bc36c3a9529d633a58e51

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\AlternateServices.bin

Filesize
6KB

MD5
33dcd49baf0d580b772b0afe3999293b

SHA1
58bc906e82f18bac304eb34a232df1647f5acec4

SHA256
bf8aede9ceb8c037f771f62aef4ed657c0824cc1c0546348529440378c1db0f8

SHA512
aaf693980dfc17abf0256a7978c0df0ba6373351523343e8e8b23506b7c9a71150c62a840b48c8578801245ec009af428f2da8895d2542da3d45184d8b921737

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\AlternateServices.bin

Filesize
6KB

MD5
1e8d4494113bf82b3da6b434e82c5238

SHA1
0515674b526a5fa29cd8f22dd1f921a0dd618fa8

SHA256
14b051eb7a8737d6a9ea73d22ff69bccf53dd54336b203fb760242e0b411955e

SHA512
a33b38fd0def9b3f92e35bbf26e1b6224bc80ef12d83f8be251b14911a517c784689568274290e800ecc7f8282c8bff14d8e6680320b8c082f0aeb3b5142d44c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\SiteSecurityServiceState.bin

Filesize
858B

MD5
77e5cf1a478cc9538ab17e6ba05f1aa4

SHA1
3ec96fd6e3d61b8f035ae61ef5f89fcd952b9f9e

SHA256
687b163ebddb399e4c8b5044f96d2dab878687a2dc3b30070c490a69cd400ab5

SHA512
396306ce2310fcb4cf564407b75fb35e675c3b8b5538dec940613c074f73dd3e715a3e675fc56dfed65c4ba2cfef82d362c420fd25a71d8ab0c1dd1b422ae3e4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\content-prefs.sqlite

Filesize
256KB

MD5
b5acd9cf58ba89e643e7b2e839e0707e

SHA1
82c2b9cbea4acb50b446b786818287be7b0b8b61

SHA256
4d4fd87f1cdccc9f826ab7de2b3980db6fe4ed328f079ceb24f680557da9667e

SHA512
1fdaf5173a2fa956e3793b3643b44d928a4c81a1599bdf4b057396bfca5948ce1097194dbb5f528959c8cf4e34d058922828236c6060b41510e9ea2cb9ed424b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\db\data.safe.bin

Filesize
6KB

MD5
5146cbee5bccf838acded09415bec347

SHA1
eabe9670ce8ad72727ac075956b1c4df874ae323

SHA256
cb5bf138d33ab2bd14398993920b212b85f098999eef52a7598a4505865cc48a

SHA512
f62732b373f5b4fce76755e3b034bd75c402feb6d0b33a1115cfb558bd3219fa1576f5d645525d24f0626f473ce8c0782fe9ceef65f766288d8f65ff537bbf51

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
500c5eec678a0fe2b210c48ca72ed445

SHA1
0e4c179ca7936fc9fd9052d82f0802c77a5d10c4

SHA256
6e260b24f94e7e5b15f88073b351e5bbcc9864f42bf4e3ed61407fff425555bd

SHA512
bf33c0760c9c5a2f31aeab68d18dfc523410497368936cb9883a8de31dad3a7144b7205c524590a9624ee44bc04337cde259343ed0bf1094bcd540bebc77c582

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
3e99664c50f93daf8fb2b8cb35012080

SHA1
ca5b53b34b20f7f09c64900c70e0ef109deb3a80

SHA256
0bb0ae61d42e4965bfdd111c22eb9fc4798018edaa7d3be52177e10a97de2086

SHA512
17eeeaa1f28ea3f09b5d5d3a547a2af06acccca2648741c3831fe0a7ec97cc7b3e41afb7b0eb26172895e07ed755d3099315ccd53c6ab680071db60aa354d112

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
9db2d048673c39058e63c38fb809f448

SHA1
f743794cf4769c5b41eff6c948e75e454518adc7

SHA256
f3d744d9b77923f5f591795a4747b01a61a8ef4096004c87bf0791ef249eb5ac

SHA512
9d7a04f7c6e2c42663aa05efd11f0447e5c85b65708163eb6939857a7513e80b3d1e0738a1e1288ac3b3c918d0e7862624a335e12cd64b7822962443ea7ad832

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\events\events

Filesize
366B

MD5
42bbc67975345dbd5982fa53695e5889

SHA1
451a068fee9e16ce9a1462d47d37cc0b886be46e

SHA256
02177d80b702e7e33246fbd111cac0e5bf4b18600c87786709a44fe9bbb0f166

SHA512
5fa181e25b0218dd00c1db2710ff95de899c627509ec803f3cd17780c4818230ab9b1d29c939005c3e5e8d0287cfe08b73407f1ddfa3bdfb606712acdec810a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\pending_pings\20301295-2c9f-434e-8188-82adae261799

Filesize
671B

MD5
a4d1c989a97499a819965e917d6922ea

SHA1
39e8e656e421bc2bff79b3314ddeac03aae24abe

SHA256
afc9c63d95e39cb4adfe6b0dfed0143ebd58aef8c70da9c7247bec203e6316d4

SHA512
307983579ca064942d920fb59b28e437039f63f2c52aeaf65c623e4247f46254ad53c386c5ff3d85fbeb78e9fe1ac11fa1ecbdc0504bb29623fdd32d40c33a4f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\pending_pings\56cd5108-ef33-40cd-aae5-d0c630360df7

Filesize
653B

MD5
eb02e035aeb937ced7f9ab15e0a72864

SHA1
ddd7e507b10259c3d703e6916956ca335f3f81dc

SHA256
3f0440f2d84e9f523ef96d440487e610224e1d3428d9ac269d6f6bc5498f5b7b

SHA512
65bbd3614fe5f428c17f34fd6c53228f59cfae1fbbacd2b57c247b0062eab95696e3decb9410461a721be3c52842b0d44f8f6993c13c45099fe6db740c0fe39d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\pending_pings\5743aaae-872c-4c7e-9371-09881fa25048

Filesize
648B

MD5
e8086001431f91374f481d9f3d9f258c

SHA1
5598b146594f38814dc45e600cdb988ae726806b

SHA256
2832ca24d43f81054d6283ffa2c88c705a24d40f566a82dce7a400a9154e8959

SHA512
d9b3adf6ac065385cfe75625bb96a29677ed1e1d20c4ecd7603c3a2d654f4dfc9de76eb9eb23a8fd8bcc63bc5622d3f16b2045952d8749d667f201cfb2a59028

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\pending_pings\c26a5b5a-79b8-4010-a5b5-18494b3f6533

Filesize
1KB

MD5
ebc7ebe74e40048fc731ee612d0f1358

SHA1
7289bcc08ed39ac5b29ba190048d21eabcad0006

SHA256
da12a24e882c8f499c8dcfeb0831984ad9c7fe8ad6e1d1c7abf8866d16bca234

SHA512
88998827729ac0e292f4a0fcc9afda8ea9f782e22944ef63c189e19978fd305ce73b5449f7ee99d197169dad9854f2cc21f75c1964f21a3cb227abf7628c4fcc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\pending_pings\f445d3b0-13d4-4a42-9299-6007cd0495bf

Filesize
25KB

MD5
670a525dd6e984b6adfc9b674be60501

SHA1
b5edc2deb64bb46513856ff7006b3e89785955d6

SHA256
28e8a8b6f931f6eec94495b9b3f6dafffee690184e3389a473cf60040b2aee4f

SHA512
8e96495777277f2746f96416643f3b12cf1c297906d640c3c41169b7723b9be04baa20312271547b695defdf4867f834475987b7fc888e2cbd6e1cc47262c7a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\pending_pings\fbd5e377-05c9-478e-b99b-2dd716b023e5

Filesize
982B

MD5
7b8e175eb80e09a20a5f151445a7a5cb

SHA1
c12fd1529e6309ed109b9af0e3f7462a08a56c8f

SHA256
59646af7ea8d1e6f36da7441186e4313df40c9bef18f8c893291044021f9813b

SHA512
9f9b341d399828a48332c95c64e8b5df2ec983edf9f7d932ff892a2896426b723d96e5b3ea4ce074f968b0e65131c3322fa0976fa2f14d9a18af5dfef7ff27a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\prefs-1.js

Filesize
10KB

MD5
8b2fa000710d24c8e766557a54925ab5

SHA1
91766e2bcd1148760701aac8e7ae1d9d06af2f86

SHA256
06d3a9db2eca241e5663ac62906fa04bb9e19e10928bf20bb61df10bdca3c6dc

SHA512
26c5dbd956f26bb753b2fc48da1fe6236431a1679cd864f073fa7b1a0fcc8b0424f9588dc687bba09085ca0043831b895f0a215a7c3554d3f9a21b252374dcf1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\prefs.js

Filesize
10KB

MD5
a0eb7118bc8d6bfaf04a5454341f5649

SHA1
b912706b38e7b721cfd9c86121e431b9e7280a36

SHA256
b23c955fae30d3e4ab8b7dbc3464dec4394973bcc5c09f9dad782ef734800c2a

SHA512
1e31bf6a5f240c4e78273b90b745c2754e49ca0bbaae4adcc1e3e28d01e62fb4cc843b670c21e43ddd5c4ceb72eb223b3dfbe3eea2a9ce0c175a23ef2147cb60

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\prefs.js

Filesize
10KB

MD5
b8a6674b0b6990a360d6a4d1962a8a18

SHA1
4d37b4c8d9a45955ddeefed7f01a0e8db96e7965

SHA256
b2b5466b6ae022b9700c3df2f630775545f15e5ca32b220aa71ca861b8a91ab8

SHA512
2334c0574a741760ef6ebbca7df2a9dd43b8cc1ac12a4236e19e57bba636b57958c05de63789c4961ac9687251e316f29f75da341cc15fd60887946c79ee4a2f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\prefs.js

Filesize
10KB

MD5
952db2799861efe759836375fda50da9

SHA1
bf2f56c665d37f172b7d9186de485e8841436c15

SHA256
1ea0a8a080f44b74030e33e1bef9dfbd3be23159609d2e7a9a1b51b250a57f22

SHA512
699449ab5a11dba6689afc0ea7d51f247f5ca42ef8adde9f774079e2291a08ccfce50fc67df4f53732c2320afe425609c75d792f9e7180900c6c1711094acfa9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\prefs.js

Filesize
10KB

MD5
b65be5138f8a07690af885c19566f157

SHA1
13e93829ed09b1c9eec8d8f6f0547b8851542364

SHA256
11a8a3016e62edcb54e8c9bc51515e2e3469b5542ab411a8825acbf4b47482d0

SHA512
eefb33d15bf9208e2281847ff25dcb584e7dbe0d238a919985906de5174ef45bdf662fbeb8e4adda26f5ae3c3ef1dc245565cb32f1141921356b39ee1998bed7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\protections.sqlite

Filesize
64KB

MD5
76786a4c0dd19d88d6d3ed95a293bf2f

SHA1
b0d6d676127a7694fc6e71ee57fcc2ffaa621ff7

SHA256
1a2564c1ba20b8038d35c2319258d94dc15d97914dcf753b31c48b79940dfd31

SHA512
8cd3298e2ebba763d3c80ac4b17e44af7eb63b46304967d0c6316d314baf8611c05f7b9979c2c5c329ac167aea0246e8c9f057ffbb272481c13fd5e4b4bcb2d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\sessionCheckpoints.json

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
e25ae218cc7638e65649ef9d4c241840

SHA1
1655f08945622daaa54e61deef3494fbc002488b

SHA256
bc67d200e53872baacd786a668be53c864633516936b085074926a283746bc8d

SHA512
748e65f815ca820593e37d41b6432c93250cef1be56e0cc1687f6486cb7008e202d9a95002b09452737907eb0db3550249a4abe9bb5cf5e81cee5956c0ea557a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
384KB

MD5
5c3931caa12fd2b0692e0232e506dd97

SHA1
f4b04b1c9906dd16ce38207cda85fc4f139870a7

SHA256
5192c42da9d57d8051f72cef35f3cb277b850e1c25063609a195a7dadc5e9bb1

SHA512
3e3ccbda47c06c39778b5a09cde53612adc4ad7dfffd5c4e80d606ee7550ff9cbb0b5ac9661555f8d23d4fba1d4dec5c7e80cf9bcf400e028e3580d54a15e1ec

Download Submit
memory/3792-357-0x0000000006D00000-0x0000000006EC2000-memory.dmp

Filesize
1.8MB

Download
memory/3792-353-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4296-22-0x0000000074650000-0x0000000074E01000-memory.dmp

Filesize
7.7MB

Download
memory/4296-4-0x0000000005840000-0x000000000584A000-memory.dmp

Filesize
40KB

Download
memory/4296-7-0x000000007465E000-0x000000007465F000-memory.dmp

Filesize
4KB

Download
memory/4296-6-0x00000000059F0000-0x0000000005A02000-memory.dmp

Filesize
72KB

Download
memory/4296-356-0x0000000074650000-0x0000000074E01000-memory.dmp

Filesize
7.7MB

Download
memory/4296-5-0x0000000074650000-0x0000000074E01000-memory.dmp

Filesize
7.7MB

Download
memory/4296-350-0x0000000006C80000-0x0000000006C8A000-memory.dmp

Filesize
40KB

Download
memory/4296-349-0x0000000005A30000-0x0000000005A38000-memory.dmp

Filesize
32KB

Download
memory/4296-0-0x000000007465E000-0x000000007465F000-memory.dmp

Filesize
4KB

Download
memory/4296-351-0x0000000006F70000-0x0000000006FD0000-memory.dmp

Filesize
384KB

Download
memory/4296-3-0x0000000005790000-0x0000000005822000-memory.dmp

Filesize
584KB

Download
memory/4296-2-0x0000000005E90000-0x0000000006436000-memory.dmp

Filesize
5.6MB

Download
memory/4296-1-0x0000000000C70000-0x0000000000CFA000-memory.dmp

Filesize
552KB

Download
memory/4296-352-0x0000000009580000-0x000000000961C000-memory.dmp

Filesize
624KB

Download