lumma | 0f0dcfe29d973d636c6f321c37221fadc5ad8fa0d8c35f6ca82172a823184217

Analysis

max time kernel
299s
max time network
305s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
18-01-2025 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sonic the Hedgehog 3 2024.HD.1080p.x264.Dual.YG.exe
Size

867.0MB
MD5

de044663ff36794737636cfb31587747
SHA1

80c85d3d4757bc7e45f9b6f7ab8e5c035912f307
SHA256

0f0dcfe29d973d636c6f321c37221fadc5ad8fa0d8c35f6ca82172a823184217
SHA512

c7967247886699da493b3480e9f8bf9c8ed85a94c71b3452b6379a7ddbf1108cd6172f6a176edeac3d0aa4cb90325fd9b750f448c440ef6d6d798ee7e9bcf84a
SSDEEP

24576:oAeGulPbyN7o8yjfiytX58PjDbZXU2mhf/zkk15rijl5KvGTLm:Fjc4olfie2DBmJB2zK5

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1220 created 3304	1220	Nigeria.com	52

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHawk.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHawk.url	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1220	Nigeria.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1528	tasklist.exe
3468	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PrayAcceptance	Sonic the Hedgehog 3 2024.HD.1080p.x264.Dual.YG.exe
File opened for modification	C:\Windows\KbG	Sonic the Hedgehog 3 2024.HD.1080p.x264.Dual.YG.exe
File opened for modification	C:\Windows\CameraHayes	Sonic the Hedgehog 3 2024.HD.1080p.x264.Dual.YG.exe
File opened for modification	C:\Windows\YetRounds	Sonic the Hedgehog 3 2024.HD.1080p.x264.Dual.YG.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nigeria.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sonic the Hedgehog 3 2024.HD.1080p.x264.Dual.YG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1220	Nigeria.com
1220	Nigeria.com
1220	Nigeria.com
1220	Nigeria.com
1220	Nigeria.com
1220	Nigeria.com
1220	Nigeria.com
1220	Nigeria.com
1220	Nigeria.com
1220	Nigeria.com
1220	Nigeria.com
1220	Nigeria.com
1220	Nigeria.com
1220	Nigeria.com
1220	Nigeria.com
1220	Nigeria.com
1220	Nigeria.com
1220	Nigeria.com
1220	Nigeria.com
1220	Nigeria.com
1220	Nigeria.com
1220	Nigeria.com
1220	Nigeria.com
1220	Nigeria.com
1220	Nigeria.com
1220	Nigeria.com
1220	Nigeria.com
1220	Nigeria.com

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3468	tasklist.exe
Token: SeDebugPrivilege	1528	tasklist.exe
Token: SeDebugPrivilege	2368	firefox.exe
Token: SeDebugPrivilege	2368	firefox.exe
Token: SeDebugPrivilege	2368	firefox.exe
Token: SeDebugPrivilege	2368	firefox.exe
Token: SeDebugPrivilege	2368	firefox.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
1220	Nigeria.com
1220	Nigeria.com
1220	Nigeria.com
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
1220	Nigeria.com
1220	Nigeria.com
1220	Nigeria.com
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3012	MiniSearchHost.exe
2368	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 2084	3908	Sonic the Hedgehog 3 2024.HD.1080p.x264.Dual.YG.exe	79
PID 3908 wrote to memory of 2084	3908	Sonic the Hedgehog 3 2024.HD.1080p.x264.Dual.YG.exe	79
PID 3908 wrote to memory of 2084	3908	Sonic the Hedgehog 3 2024.HD.1080p.x264.Dual.YG.exe	79
PID 2084 wrote to memory of 3468	2084	cmd.exe	81
PID 2084 wrote to memory of 3468	2084	cmd.exe	81
PID 2084 wrote to memory of 3468	2084	cmd.exe	81
PID 2084 wrote to memory of 2248	2084	cmd.exe	82
PID 2084 wrote to memory of 2248	2084	cmd.exe	82
PID 2084 wrote to memory of 2248	2084	cmd.exe	82
PID 2084 wrote to memory of 1528	2084	cmd.exe	84
PID 2084 wrote to memory of 1528	2084	cmd.exe	84
PID 2084 wrote to memory of 1528	2084	cmd.exe	84
PID 2084 wrote to memory of 3192	2084	cmd.exe	85
PID 2084 wrote to memory of 3192	2084	cmd.exe	85
PID 2084 wrote to memory of 3192	2084	cmd.exe	85
PID 2084 wrote to memory of 5032	2084	cmd.exe	86
PID 2084 wrote to memory of 5032	2084	cmd.exe	86
PID 2084 wrote to memory of 5032	2084	cmd.exe	86
PID 2084 wrote to memory of 3244	2084	cmd.exe	87
PID 2084 wrote to memory of 3244	2084	cmd.exe	87
PID 2084 wrote to memory of 3244	2084	cmd.exe	87
PID 2084 wrote to memory of 3272	2084	cmd.exe	88
PID 2084 wrote to memory of 3272	2084	cmd.exe	88
PID 2084 wrote to memory of 3272	2084	cmd.exe	88
PID 2084 wrote to memory of 3636	2084	cmd.exe	89
PID 2084 wrote to memory of 3636	2084	cmd.exe	89
PID 2084 wrote to memory of 3636	2084	cmd.exe	89
PID 2084 wrote to memory of 2416	2084	cmd.exe	90
PID 2084 wrote to memory of 2416	2084	cmd.exe	90
PID 2084 wrote to memory of 2416	2084	cmd.exe	90
PID 2084 wrote to memory of 1220	2084	cmd.exe	91
PID 2084 wrote to memory of 1220	2084	cmd.exe	91
PID 2084 wrote to memory of 1220	2084	cmd.exe	91
PID 2084 wrote to memory of 1232	2084	cmd.exe	92
PID 2084 wrote to memory of 1232	2084	cmd.exe	92
PID 2084 wrote to memory of 1232	2084	cmd.exe	92
PID 1220 wrote to memory of 4440	1220	Nigeria.com	93
PID 1220 wrote to memory of 4440	1220	Nigeria.com	93
PID 1220 wrote to memory of 4440	1220	Nigeria.com	93
PID 1924 wrote to memory of 2368	1924	firefox.exe	114
PID 1924 wrote to memory of 2368	1924	firefox.exe	114
PID 1924 wrote to memory of 2368	1924	firefox.exe	114
PID 1924 wrote to memory of 2368	1924	firefox.exe	114
PID 1924 wrote to memory of 2368	1924	firefox.exe	114
PID 1924 wrote to memory of 2368	1924	firefox.exe	114
PID 1924 wrote to memory of 2368	1924	firefox.exe	114
PID 1924 wrote to memory of 2368	1924	firefox.exe	114
PID 1924 wrote to memory of 2368	1924	firefox.exe	114
PID 1924 wrote to memory of 2368	1924	firefox.exe	114
PID 1924 wrote to memory of 2368	1924	firefox.exe	114
PID 2368 wrote to memory of 5020	2368	firefox.exe	115
PID 2368 wrote to memory of 5020	2368	firefox.exe	115
PID 2368 wrote to memory of 5020	2368	firefox.exe	115
PID 2368 wrote to memory of 5020	2368	firefox.exe	115
PID 2368 wrote to memory of 5020	2368	firefox.exe	115
PID 2368 wrote to memory of 5020	2368	firefox.exe	115
PID 2368 wrote to memory of 5020	2368	firefox.exe	115
PID 2368 wrote to memory of 5020	2368	firefox.exe	115
PID 2368 wrote to memory of 5020	2368	firefox.exe	115
PID 2368 wrote to memory of 5020	2368	firefox.exe	115
PID 2368 wrote to memory of 5020	2368	firefox.exe	115
PID 2368 wrote to memory of 5020	2368	firefox.exe	115
PID 2368 wrote to memory of 5020	2368	firefox.exe	115
PID 2368 wrote to memory of 5020	2368	firefox.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3304
- C:\Users\Admin\AppData\Local\Temp\Sonic the Hedgehog 3 2024.HD.1080p.x264.Dual.YG.exe
  "C:\Users\Admin\AppData\Local\Temp\Sonic the Hedgehog 3 2024.HD.1080p.x264.Dual.YG.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c move Twin Twin.cmd & Twin.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3468
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "opssvc wrsa"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2248
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1528
  - - C:\Windows\SysWOW64\findstr.exe
      findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3192
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 351877
      4⤵
      System Location Discovery: System Language Discovery
      PID:5032
  - - C:\Windows\SysWOW64\extrac32.exe
      extrac32 /Y /E Pipe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3244
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "Varies" Migration
      4⤵
      System Location Discovery: System Language Discovery
      PID:3272
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b 351877\Nigeria.com + Desktop + Gage + Italy + Pens + Synthetic + Southeast + Beatles + Richards + Queue + Optical 351877\Nigeria.com
      4⤵
      System Location Discovery: System Language Discovery
      PID:3636
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Extensive + ..\Tonight + ..\Producer + ..\Ottawa + ..\Considering + ..\Patrol + ..\Refine U
      4⤵
      System Location Discovery: System Language Discovery
      PID:2416
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\351877\Nigeria.com
      Nigeria.com U
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1220
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:1232
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHawk.url" & echo URL="C:\Users\Admin\AppData\Local\TradeSecure Dynamics\TradeHawk.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHawk.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:4440
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1932 -parentBuildID 20240401114208 -prefsHandle 1860 -prefMapHandle 1852 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {35671460-f9c8-4c92-a461-edb0d35e6de1} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" gpu
      4⤵
      PID:5020
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2332 -parentBuildID 20240401114208 -prefsHandle 2324 -prefMapHandle 2320 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd9fba55-6a5e-4295-8ccc-f77a3274ef56} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" socket
      4⤵
      PID:2544
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1488 -childID 1 -isForBrowser -prefsHandle 2580 -prefMapHandle 2668 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6cb5d320-fc6a-4ebf-927d-599c4d226b80} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" tab
      4⤵
      PID:996
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3064 -childID 2 -isForBrowser -prefsHandle 3644 -prefMapHandle 3564 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12b6e86c-7d17-49d7-9fdf-46d8698774b8} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" tab
      4⤵
      PID:1028
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4572 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4656 -prefMapHandle 4652 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90cf2e2f-7cd7-4b11-b6b6-9d2e5465220d} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" utility
      4⤵
      Checks processor information in registry
      PID:3940
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5236 -childID 3 -isForBrowser -prefsHandle 5288 -prefMapHandle 5284 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4aa6df2-6a28-4dd8-a5ae-c3345ff517a1} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" tab
      4⤵
      PID:5832
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -childID 4 -isForBrowser -prefsHandle 5304 -prefMapHandle 5316 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0e9acdb-153a-4714-a6b4-21b7bba82499} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" tab
      4⤵
      PID:5844
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5628 -childID 5 -isForBrowser -prefsHandle 5632 -prefMapHandle 5636 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cfdc00d-394b-4525-ad92-8257736ae81d} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" tab
      4⤵
      PID:5856
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4472 -childID 6 -isForBrowser -prefsHandle 6064 -prefMapHandle 6020 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a487f60f-ccb7-4de9-a0d5-aba503abc779} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" tab
      4⤵
      PID:5800
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6332 -childID 7 -isForBrowser -prefsHandle 6412 -prefMapHandle 6440 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc6140b2-3900-484d-a601-dcadccb5144b} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" tab
      4⤵
      PID:224
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5724 -childID 8 -isForBrowser -prefsHandle 5832 -prefMapHandle 5712 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6d9921b-881a-436b-99d1-02d381c9eae1} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" tab
      4⤵
      PID:5008
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6772 -childID 9 -isForBrowser -prefsHandle 5696 -prefMapHandle 5520 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {117e39e1-f98a-4029-9dd7-344cd96151b8} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" tab
      4⤵
      PID:5748

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4616

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2336

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\351877\Nigeria.com

Filesize
791B

MD5
196cc8813f73286fc231f4daa4a65b1f

SHA1
f11fcb436b7b4d4b6296e143cbe6f0ff3da73382

SHA256
c2775ee194b218c1f5b1b0c69ecf2230ec5f3d7d92b6d2896ef9cdd301e5a924

SHA512
315651121e2e495d13e858b8f2ff5126d4cd5eb81600c2019dd54366abdc9654249d2d11a78a639f63f8f39f4b7102f380efbbeed05c465fb87f70ae1ad42e76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\351877\Nigeria.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\351877\U

Filesize
455KB

MD5
6a7d7e40a2b849edd8eb80586860cf03

SHA1
573e1f088af8136150fe75aeb2ec5bbee24980f6

SHA256
fb41ab5f1ff33af24941e782f7be1d057f021c8fc7c866d7d7b833e664ebe272

SHA512
9302b87bd5b484cb6e14f89902acd177a3bed0dcd440a2f2db4f8882db9306d4e4b97abfcb69cad19335f5d8680b4b5d4c4c3bb320bd44482e9fb5f4f5f7101f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Beatles

Filesize
140KB

MD5
880e4fcc51a20c9507a7bebab82a4882

SHA1
cd3ca95c961949b52be8eebad43e3a4391e4b8bf

SHA256
258c609ad28112012a23cf5ea2936aa573294c845c811cbb167a2d278fe619d2

SHA512
25b24a1c484aad29195c318df3e2307231719cdd901d21ad5973a74ae040f565125aead00a3ec657b91492e274fb806315bc36453d37f34b0ce8aa0a553acd6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Considering

Filesize
71KB

MD5
5b1d9441bcf6eb9e7abaa69a9ab8be56

SHA1
41eff81e442234c26fd1303d916d07dbc5d855f2

SHA256
d68b175cb97e4b32a801b27dc96ccecf39f8d0c5be1c8418a5ea87d7a8c2f81b

SHA512
69cf8fc783510f5501be95fddcf7b27a386b92d7318cef5942ec7d4e9f74e63ad348a430414745bc55d754885c21b6685cd3b89e86a66bc6e0ebb1dbccbe0cb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Desktop

Filesize
62KB

MD5
890df32b2014cf0d027da473dd059cfd

SHA1
4b704c698ca7cee8ece4faf6b6653eb2cf2f7a8a

SHA256
6ff79fe6525a92be24353cfcc605d8aa866e6db9dceb01e7d225f5242dd8ee9f

SHA512
1c10faebefbde0aa09b931cba67a3b3e10c93f528cc97d89b024292b30a50aa069a5cf0e836587bcbcb11dcdc44e591978b30fc35303ca47de12f73f3618b83d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Extensive

Filesize
50KB

MD5
05ddb944b741d7b19bd1f8a5ae95b77a

SHA1
62e82e0be7283ee934e6d1a4c7657f4f23a8397b

SHA256
6646da7155301ee7d8bf637a2e2e0d8b34865d92b0185d4fcefd7d788118f1a2

SHA512
4dd406680fd98a6bc2c627c222f1a282b48da74df2b8e78d8e95f48e1e51eefd030a770347920f966f7022deb8448682b9944b15ba01275ad4aee20cf6b3f52b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Gage

Filesize
127KB

MD5
56ccdde02d2aa34924e3bc6f7dfe7ff2

SHA1
952894628ea78224669a6d5aa0800941a82ee2ab

SHA256
c55674906bb665e5616a465c426a233532dc0785bf435f445b29223e2a304ab7

SHA512
ff0c0dfb0602271b316e6e30ec51a87890d91212232832844b0d16117ac4a4a0589db603cfb5ab9e2ed2ff6d3259ae4d89d91988f9fff5730b20e2f92fb253fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Italy

Filesize
133KB

MD5
3924b7b4aa5b94ae6926e46c95d425ad

SHA1
c8ea3449f313dc7b313f126c718060118f8ab877

SHA256
53fc2a41b5f2db7b969514b0f9c257f0acad18ea34a5b51b6d06d6f83479728a

SHA512
46530471d3a82609a04837a5f68539375a1a385db5afe168233636f092fb84f6cc15b0faa083345dec56e906cdd3e86fd16513c1aa27518b740720d6f82758b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Migration

Filesize
797B

MD5
c00dfc50883964df09759b95fe1b8160

SHA1
bc80caa5a4d86316b7a2226a283a2e3f59f46414

SHA256
5a7c92dfd236e162c52076bd6cc3ebe984d3e1b8d807b0ccf4d4bdd44b5ebdc9

SHA512
1b2cf5816f929f34ebe5c25851cf838c97e909f1366fb6801a4dae3a50410692736afc354a9c5d5e9c7736acc36b97b770eef1ab4f1b1e93a632a88e19ea2307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Optical

Filesize
8KB

MD5
6bda1c68dccfb4b4c16126c986ea3003

SHA1
60b7353d2c9f6617debabeb010a772e05755f902

SHA256
237c0ee7ee8b4a2926ede8be2d5607b2783db28d4a0a97891ef966e421f24854

SHA512
281d96844945df8547fc673fc1acfaa9b6bc29c9da0360217413f9c93cfd6f0b5c836c37c775eeec250d06685533936efceaa894a98b987f7303472afecce95c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ottawa

Filesize
81KB

MD5
677cd937d3968f5e4d44e018abc68c28

SHA1
0938efde3a6d291fa1fc7688f2a1ec489df4990f

SHA256
ed589edf5cb7d43c8b7a36604750835e7daf7eb8911751426958c59ccbbfa0b8

SHA512
de662e557252cb68dd8e882cc31f99199de69483a050c2d704bc57c96a36b62c7bf691dd9e2061d09e43f260c9216475045b14172430b628de255bdda076aec2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Patrol

Filesize
71KB

MD5
ba07b3e4151e982f2c58af067c1540a7

SHA1
5295c6712c882e92d9eb83f26711f89a0b88a9f5

SHA256
d562d23068e55e6a53af6943b9f4431b5173074db9e7e02f191b7ae2ff953591

SHA512
e548a1b36f99bd38fcdca7c0a3372e0f878a705e43b3ac29544f5d4c53dfa0d1ccac9cf09b4f8278128e058165fe620aaa14730c7a36666241bd1c1bf788406a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Pens

Filesize
84KB

MD5
017feb46371870b65972267b637b8b3e

SHA1
a64a26fa0feaca91a3628d55157dbabb5e286d2b

SHA256
094845220dc75c726c20d8c30beaa5ffc2363dfe97a05dc103a87148aa68311f

SHA512
c6aa114808379afbd553056869598d35d083c9e45b2a6ab6d006a3ecefd77560ef3981c8fa6774566167dd3a9020c9d56136675d0dc1c251bca8f1ca6adcb13b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Pipe

Filesize
478KB

MD5
4f44ee5e7a7c04f1e7a2af5e79458a67

SHA1
46bdeb5da40764278de5eb633a30006f5f020e48

SHA256
855c1c2b2004e486323783302a216fbe80b3778e555d858bc31788af003771aa

SHA512
33cb44a4991405a8b1143d05c1a08618b6834cbc1e9f2f5f104b4e23a11090fc00792c328ec5f19a4361755c18ac21b4f9034451201a3803ba4c21522f38859c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Producer

Filesize
81KB

MD5
d27484d93ee656822aa7cfc23633b131

SHA1
3c385f5180586aee9f02a93e70a22cc55d1adcb6

SHA256
a2c6ba81e3c05cf73ee0ae1652ba132d74262e0d9397dbdae9b2fdeff7194936

SHA512
98bf09201ae661073ac13327c8e4325d9c23ab4336ef82478d0fd338a28dbf2101da74a385bc37e1117f1ab5d8ca94a75801b047f7f143c80cb326e0b617db9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Queue

Filesize
72KB

MD5
044dd54eb76b1c31552fa4c24af5e3e4

SHA1
a4909a6cd853fd80447e833ffc414bf84b014dd0

SHA256
0ba55746a77da6cbcb82e34a9518f97685f0b8da128d4ac1ec5b4ea74f45435a

SHA512
ffe42d0479536e692853ab3cf66be7072d2e8dc0a9c3a60d67a94dd4b3802b1f3884b03d01bfc43aee16b12cd95e20616d7eb31a665578e636862f61c276d043

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Refine

Filesize
5KB

MD5
6dcd33ce9e46f6c53e736b18da4f851e

SHA1
e99e59c4fb63a4745ac218b94c8faee3372fc670

SHA256
0aac1e707de99a256619dcf43745ffeb063122c85514c02ec19ebce143d3128c

SHA512
b2243bfbaff10ae7a6ba470d2e3d8036938c129758dbb73164f9a92ae31884251c6889e86a59d0a23c0399e673bd6422b968cf0c5c2365f326a9d69546d6894f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Richards

Filesize
114KB

MD5
926f35f6ff48d3d569f4901da91ce40b

SHA1
2c8f0c83c182e5203bddb28b1db7c802051be824

SHA256
d7b18aa093ba314d6aa8b70712e46d16532b6538535f9d7c4a9647f41c34ee09

SHA512
f25baae445ea895ae3bd1d585a0d1b66efd8731626a454f10bbcaa0f436888276c4f8052614c11e8f7f9356d091091798f9d9447002131a88d8a56d3b4850b22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Southeast

Filesize
110KB

MD5
28aa7cd523fd8eb388128244b0bd0957

SHA1
3d324278ca1c003438a63a080114d6fb8c385f9c

SHA256
f73e4ac63d48ccfe1784818fb35dc3bfd7bf042ac44383fb65d47cc91789a25f

SHA512
625a5a7710be2edce0bf02b612a89fb32de44c6e8d25e182a19adaf40ec4bc7f9f72cf3ab468c2c0c48a0ba69f87f1767821e4ed355b7140807b4a9044dad114

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Synthetic

Filesize
74KB

MD5
767c1f77d53ee1d84f068ee3bf5806af

SHA1
c574a391c2e96981db01462a3f064ecf326be25c

SHA256
a5504787f92b76bf093f1f4585e5bf7a0cd3a08a108a1a3ceb9b4d15fc1665c0

SHA512
6a7cb78427453567e9912993aa96095cd635e0714576e3384832aa9b1dca52b3b4659e593c36362635e91a4400f4b73104bdbbd7e6ccb72cc4dffe131d970aac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Tonight

Filesize
96KB

MD5
ff961c8ce985d4f3f792d149537ec64b

SHA1
27570b9423802378ac2960f9a7804f4156e7a5ac

SHA256
c7a27c42f19265500388f727f0018f584d4f3378ea8c692353a78449333fc6af

SHA512
20ef9bc2815922791833388332bddf18f8be32329f0a0fe7cba181c676e84aa2ea47e808b050b9813feebc7bab563089fe9d18f0c348a599b2dd7ac5c62b1228

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Twin

Filesize
21KB

MD5
8da6de4a4469809e9a0cd92380021fca

SHA1
c93d29f3ba2c665d5d81094db5c42617d271e970

SHA256
c61b4894a951415266caf4e845575f1d162828bd8918eeb9b07c2a0672bd0f48

SHA512
6c78fda07cd74579e9db8cc6c7426ede1ada2c058ab8bb40571f94ce6bc40b02f2c3b17c9ecd3a48ce17b223e2a9d80bedca12eeaf461417da151061275c7e49

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\odgo8eah.default-release\activity-stream.discovery_stream.json

Filesize
31KB

MD5
f0ca3fb81b1774fe08d9d35c07872f53

SHA1
34d0115b844149b036333ab4af06af1ef5459c19

SHA256
da5c20f61648da80aedbbe2e3f0a674e5a0b3846b53c3c46079ffca3dfb1a9e1

SHA512
faddbc21bbd1305e7b59e4b78bb9c1c003bf353e1b2be89aefaa36d64dd53e7967873c3c07bb49ed4ebb559ab3da530363a43350bced6b4ef2f5ed5fc6deb85d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\odgo8eah.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\002254b7-2109-4e4c-9cdd-da04f1c2a337.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\AlternateServices.bin

Filesize
8KB

MD5
b16cfabba11632850447a327b848cb19

SHA1
9296407d92e1afdbfd005428ccb88cc2c6fead89

SHA256
423778d0f8a6abd16b775d6c83dbeba05a30072d4bd40c9e3e139652b7f45d37

SHA512
0b7c6c5aa7d4d28101cbb402d9b271422d178c53693bfd388de04aa16ded15ba114c937ac0a616b4a5e38387faef302945c393f82c9f9417b8802704e27cc55f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
550d4dfaab976cf676c9366c50e566c8

SHA1
e1384cd05d883d52cebff05b3e4bf214644088c0

SHA256
d3a5731e29c35f44c2b9ef87f98e4532af5e7aac629c74168650e0f776ab3df5

SHA512
002b4c9c2f93918f4acf3127ed4a3be96f01a62c6e50175e650b5bff82c30e6680eb55edf7814005311c05c73fed691c68a9281a2ccce93b3047f1ed50265c1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
cff4f8d1b385e84f584964fcbbfcb3b1

SHA1
bbe84bc040993a2389645367c7f5cd854884759e

SHA256
72aba7a838b55eff010b569fff6fda47bf01ed945ca4277f6e5427c7113add33

SHA512
a703cc376b00108f2261c81cc0e95113fdf25ed4acd5d478052325ec9de7a6cbf11d59007679b2a468bb8f9bc8d7e5fc7d6a4f7100906d355647a6d94da51ccd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\pending_pings\6c2df781-05a3-4bd3-a3a5-7b7c7063e211

Filesize
982B

MD5
432d559e659ddd949ed136fce5f6b29b

SHA1
b8e595c7778430defed88263551294054e6ccd37

SHA256
e6c8e17c825d3e817c76b0f11c737b6d16c3bc28f347cd55aac14f6dfffd1f56

SHA512
8880af6b9b3110bf7414b5b9ad24efad2475485061247c93df6a2217d145885554b548dc993bf16d126bef017bc935048e63cfa26c2e2dceed90cd93ab31580d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\pending_pings\c5f612da-95dd-4a7c-bd88-e6f5d15a7c3c

Filesize
671B

MD5
8816a9ba767e7aaeffcde1e98c9d3c95

SHA1
a722f1c3604c5c3912572c55e04efc69bba82513

SHA256
ab3e716cd666b7879c8a6a4fafee0024cfb5cb4a944e2cbb1f2efb1806c558e7

SHA512
a0e0279e652884788678db1990331d9431242d7fc43e2add6875d458855afad25b2ee94119e7b80ad996de086e9538633cd241c5e52271aa7138370558e0ff05

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\pending_pings\cb6084bc-9246-4b40-8101-4530b98e84d9

Filesize
24KB

MD5
c455008cc72a97418690150305e2f60b

SHA1
6a76dd46efdbd495c53d12eea4804be29e7bb788

SHA256
f11b51e0e4ac7096591e30db51f37e2139fc547f9c3e265edd83b472bf537e96

SHA512
05313373f2cb91af894f98157a8dd346490d94ae1446227a0213c8926333148c9e265f154197969142439c1f2e5bc5e197cd5ae1e7cb4a76492bcae249c1844f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\prefs-1.js

Filesize
10KB

MD5
2408997c2df2ac98518a1d9ccb6f6f6e

SHA1
202af90642f3c2a3cdcc3f6412fbd548647ca154

SHA256
85d462832370f4627ad3feddb604740e3ade3d29407ad0b027171fa8191a2cbc

SHA512
db5652cdf5513e7ead7579bafc0b6dbe23913c0b84ead69e35301e8a67c005306e9aaaf1668c6d3aa18d5d9285df5972b00052fc32fd25ac5e7a978960680fb4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\prefs.js

Filesize
11KB

MD5
63dedcd28db3bdb5408397c68674a1c9

SHA1
fbc7411d006ba10d4ea2ca106e5c741525ce2cda

SHA256
5d2fa645d748a2505c2a14cda86ac5023120c7a2de37c09c923f36f761839ff6

SHA512
4eaee5446eacbc94ad0be2fbc9be09cd7500a1591129ff2c97835ba40238af4b35c26806c055653a6fd9ee651e9e47ca1bdf00bfbd606ffa371cc85118bdf288

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\prefs.js

Filesize
9KB

MD5
a32ced82f7bf848353f3425a026d5d2f

SHA1
01e2315a06c4a1ab46cf122dd9c4492a05ac5a3e

SHA256
8294f7eb79025d48c55759bebed74148e0e0f3199d3e5c093415bc59b743fe00

SHA512
afc54a00b9dc84dc9832fadaac7a73cd681b8254c416091e52e55c4f4d5df92e5f4a593b6f39d6f8fe5bfa83cd2e43db937f820c720d9675d192a5ab736dde7a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
eef600e5841d3d3e8526f440f265ab6c

SHA1
526dd539fd63423ce588c4fcc669ff39d6cf203f

SHA256
0d43e33b0b67778beebaa5dc2c80cebe196c20ed97c081a0ae09f0044c12e663

SHA512
936992a83080e5cbe128f03cb027b615d3d5325a1e0b459acfcee50fa1aa043c709e4040ff57197c4a3798d8503d2e75c76027b1f7ca7cd904bbc13f3207a0e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
113125cff3601a5c7d2f0e237000786f

SHA1
c6726cd9467b17b3a3b88711ee7fdeff4dd2e349

SHA256
c9714a3e8bd3620203ab24b5c9c58a5528db141edd87ac6a9e6bb264503f5c22

SHA512
4d2c753a88fdbae3e38d92663039daa0943c7f129f34c2c739a8c5af74882c0e8503e43ed15d0f615b3062b2c7f729f413b4ba05c600a5c147c511e767d5d33b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
1d3aa79a0e4e532c3d65ec38c56c46b3

SHA1
48f4bb406c306d8969a2fcf09677c9254d904abb

SHA256
41570f2cd1bf29c3c11309ef1a145653c01cd4c2c791cbc118c8fb99405f50e2

SHA512
6845aab5cb7c5cb65b03e888a3f6bde242e924be076bb1d580141ae5aac1753085f25c6cb6cb7face49e4b07ebf80f542e1969f6378d5aa13831c649377b510b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
fda9c392d2f85b6e3eb024ca5788b894

SHA1
ac5544de4108e292512ffc34b0fbbed1f0726391

SHA256
89f6ad8319cd19acbb11e2378dd138efe9e5015ce77fc3b62ee756c68cf4e6a0

SHA512
8dccf238953512f3579516423dbeb5ae42c326156fec76bac909d97760dd51a6f0c25a16ddff86a6ab2af78d3eb766315b71d4705d05b11c2cda4461301a7c81

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
81e8868d3352d07e7e81f7446c978f19

SHA1
962b4f4da1548ccceda9cd4ff45637806eaca23a

SHA256
043023b7dca84a87ce9495a29ccd20fa2d066b82c9e6262a78a06aade860469d

SHA512
584c225f292bb5a5a76d2b986ff534c0140d2800548fe30eb8b08bc408237a959a47f569e15f8fb88cdd84d20a9c44f16ba739384196b780cb53c22dffbdc6a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
376KB

MD5
9fc8f756e7109adfcefee2f252c8300b

SHA1
88f20402cb6802b94589612c110a2993862e7483

SHA256
567b38083f0484e12bb49e9c083f8d2f325ff1636ad6c387f002b0508a8b7100

SHA512
c2ac8a2bc4e3d2cb35ad22336e3dfb04f136d4491e532a78cbbdb6f9e0331c88031f4be1e8e307c2cfddd7aaca7ea59adde777d39bd8ab4915a5abb8c0bb3092

Download Submit
C:\Users\Admin\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
memory/1220-80-0x0000000003EC0000-0x0000000003F15000-memory.dmp

Filesize
340KB

Download
memory/1220-76-0x0000000003EC0000-0x0000000003F15000-memory.dmp

Filesize
340KB

Download
memory/1220-77-0x0000000003EC0000-0x0000000003F15000-memory.dmp

Filesize
340KB

Download
memory/1220-78-0x0000000003EC0000-0x0000000003F15000-memory.dmp

Filesize
340KB

Download
memory/1220-79-0x0000000003EC0000-0x0000000003F15000-memory.dmp

Filesize
340KB

Download