Analysis Overview
SHA256
f5e861fd4008ab582c228cc5f7e059cf0c8ec6b7288b2232f46077ec282960ee
Threat Level: Shows suspicious behavior
The file scrbk (Public).exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Delays execution with timeout.exe
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Opens file in notepad (likely ransom note)
Checks processor information in registry
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-31 17:37
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-31 17:37
Reported
2023-03-31 17:40
Platform
win10-20230220-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ss.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\4183903823\810424605.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\3877292338.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\system32\mspaint.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Notepad.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\scrbk (Public).exe
"C:\Users\Admin\AppData\Local\Temp\scrbk (Public).exe"
C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6B90.tmp\6B91.tmp\6B92.bat "C:\Users\Admin\AppData\Local\Temp\scrbk (Public).exe""
C:\Users\Admin\AppData\Local\Temp\ss.exe
ss.exe
C:\Windows\system32\timeout.exe
timeout 1
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.0.1481268292\601862093" -parentBuildID 20221007134813 -prefsHandle 1668 -prefMapHandle 1660 -prefsLen 20810 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2805cc26-c978-49db-bda0-f540f82fa608} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 1748 25c43d18058 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.1.97940300\460555626" -parentBuildID 20221007134813 -prefsHandle 2076 -prefMapHandle 2072 -prefsLen 20891 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d32c6c00-2825-4c34-b1a8-916b538638d5} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 2100 25c4290c258 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.2.340389598\1264605645" -childID 1 -isForBrowser -prefsHandle 2912 -prefMapHandle 2908 -prefsLen 20974 -prefMapSize 232645 -jsInitHandle 1372 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c327e00-f8e0-4b7f-8858-3a0627ed1424} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 2924 25c468fb558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.3.394240737\1077489319" -childID 2 -isForBrowser -prefsHandle 3392 -prefMapHandle 3388 -prefsLen 26484 -prefMapSize 232645 -jsInitHandle 1372 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6472191-7659-40c8-85b6-a0251796e94b} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 3404 25c452ecd58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.4.1127642730\658669889" -childID 3 -isForBrowser -prefsHandle 3872 -prefMapHandle 3868 -prefsLen 26484 -prefMapSize 232645 -jsInitHandle 1372 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e351454-83d5-4db5-86f1-0105890fd69b} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 3884 25c47d6c758 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.5.2031028268\2059166047" -childID 4 -isForBrowser -prefsHandle 4684 -prefMapHandle 4740 -prefsLen 26543 -prefMapSize 232645 -jsInitHandle 1372 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5bc0b1ed-9f78-4395-bbc5-14b53dda322a} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 4764 25c48ebee58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.7.1382802005\652032785" -childID 6 -isForBrowser -prefsHandle 4728 -prefMapHandle 4976 -prefsLen 26543 -prefMapSize 232645 -jsInitHandle 1372 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {44abcbd4-edba-435d-b5e1-deaf58bf3826} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 4736 25c48ec1258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.6.2066862558\204274639" -childID 5 -isForBrowser -prefsHandle 4968 -prefMapHandle 4964 -prefsLen 26543 -prefMapSize 232645 -jsInitHandle 1372 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7be19206-541b-4f41-8248-af9fa8698dcd} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 4976 25c48ebf458 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.8.673582576\702076905" -childID 7 -isForBrowser -prefsHandle 2636 -prefMapHandle 3360 -prefsLen 26904 -prefMapSize 232645 -jsInitHandle 1372 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {710eca7c-0eb7-4c54-9ab5-fd882b2b4a29} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 4584 25c48ec5e58 tab
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\StopCompare.js
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\StopCompare.js"
C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\RenameExit.bmp"
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\RenameExit.bmp"
Network
Files
C:\Users\Admin\AppData\Local\Temp\6B90.tmp\6B91.tmp\6B92.bat
C:\Users\Admin\AppData\Roaming\ss.exe
C:\Users\Admin\AppData\Local\Temp\ss.exe
memory/2096-123-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\screenshot.png
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\oqpbz544.default-release\activity-stream.discovery_stream.json.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\prefs.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\sessionstore-backups\recovery.jsonlz4
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
C:\Windows\Debug\WIA\wiatrace.log