medusalocker | 2f3446c2b663193e85c11e08af62a74abc28b44ed3d43f815b78b22dd4a25c35

Resubmissions

25-09-2023 03:09

230925-dnnxdabg21 10

20-04-2023 15:22

230420-ssddrscf5z 10

Analysis

max time kernel
144s
max time network
152s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
20-04-2023 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
Size

53KB
MD5

5efa19dc204e46e8d8c57482f80e7a40
SHA1

5c83b3ddc8417fe64e0bbd3495445ddcee52e35e
SHA256

fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f
SHA512

0cdf4a1263b9a341240acea245155f0afbaac864eccd1d9623a9a152a9287e8a65cd62f12804d5a1293c9d960a4958c2aa05a720f35d42699fec5d4ac0accfc1
SSDEEP

768:FKcvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5YW:F9eytM3alnawrRIwxVSHMweio3+

Score

10^/10

medusalocker ransomware spyware stealer

Malware Config

Extracted

Path

C:\ProgramData\regid.1991-06.com.microsoft\how_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">��15 BF AB 86 5C 9E 24 AF 2C 72 EB AE 9F 3F 33 FF 1C B7 28 B4 48 04 77 69 6E A8 EA 0B A4 BB 79 52 71 D4 49 E5 F9 40 F8 4F 88 A9 44 A4 E3 D8 E8 A8 0E 0F 50 B2 54 9A 73 6B 6A 93 AC BF 1F 2E D2 E7 B7 9D 6C 02 27 C6 20 50 8E 9E 25 48 60 2D 87 F8 56 63 3D A6 81 F0 24 E7 D7 24 A0 30 3F EE 3B 96 64 34 C9 F5 20 63 86 E4 7C 4E 69 58 71 1D E8 82 20 46 E2 72 0E B5 F1 DF EF 03 C8 C7 B9 EA 91 CF 88 0C 0D CC C8 55 BD 85 83 7E B5 BB 79 01 F4 E2 19 A9 8E 35 5F 6B 2A 5D AB C8 CB 3B 4F 8B 84 B2 1C 1A 40 FE 59 38 7B 26 15 8E 4E 07 BB ED 60 6E EC 3B AD 03 66 6D D6 97 B9 A7 6B C8 48 59 74 BD 81 3D 94 39 4E E9 9F E8 22 CA D4 A5 42 C1 88 82 B0 6C 80 BB D8 24 7B 93 E0 57 CF 16 DF CF B3 40 8C 42 93 53 A5 BE 91 49 46 3B 69 C5 87 97 95 95 00 E0 13 FA DA E5 18 03 70 BF C7 0E AE 5C B7 DC </span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. Start a chat and follow the further instructions. <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Extracted

Path

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\how_to_back_files.html

Family

medusalocker

Ransom Note

Your personal ID: ��15 BF AB 86 5C 9E 24 AF 2C 72 EB AE 9F 3F 33 FF 1C B7 28 B4 48 04 77 69 6E A8 EA 0B A4 BB 79 52 71 D4 49 E5 F9 40 F8 4F 88 A9 44 A4 E3 D8 E8 A8 0E 0F 50 B2 54 9A 73 6B 6A 93 AC BF 1F 2E D2 E7 B7 9D 6C 02 27 C6 20 50 8E 9E 25 48 60 2D 87 F8 56 63 3D A6 81 F0 24 E7 D7 24 A0 30 3F EE 3B 96 64 34 C9 F5 20 63 86 E4 7C 4E 69 58 71 1D E8 82 20 46 E2 72 0E B5 F1 DF EF 03 C8 C7 B9 EA 91 CF 88 0C 0D CC C8 55 BD 85 83 7E B5 BB 79 01 F4 E2 19 A9 8E 35 5F 6B 2A 5D AB C8 CB 3B 4F 8B 84 B2 1C 1A 40 FE 59 38 7B 26 15 8E 4E 07 BB ED 60 6E EC 3B AD 03 66 6D D6 97 B9 A7 6B C8 48 59 74 BD 81 3D 94 39 4E E9 9F E8 22 CA D4 A5 42 C1 88 82 B0 6C 80 BB D8 24 7B 93 E0 57 CF 16 DF CF B3 40 8C 42 93 53 A5 BE 91 49 46 3B 69 C5 87 97 95 95 00 E0 13 FA DA E5 18 03 70 BF C7 0E AE 5C B7 DC /!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\ All your important files have been encrypted! Your files are safe! Only modified. (RSA+AES) ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you decide to not pay, we will release your data to public or re-seller. So you can expect your data to be publicly available in the near future.. We only seek money and our goal is not to damage your reputation or prevent your business from running. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. Contact us for price and get decryption software. qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion * Note that this server is available via Tor browser only Follow the instructions to open the link: 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it. 3. Now you have Tor browser. In the Tor Browser open qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion 4. Start a chat and follow the further instructions. If you can not use the above link, use the email: [email protected] [email protected] * To contact us, create a new free email account on the site: protonmail.com IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.

Emails

[email protected]

Signatures

MedusaLocker
Ransomware with several variants first seen in September 2019.
ransomware medusalocker

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\UnlockTest.png => C:\Users\Admin\Pictures\UnlockTest.png.itlock4	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Users\Admin\Pictures\EnableOut.tiff	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File renamed	C:\Users\Admin\Pictures\EnableOut.tiff => C:\Users\Admin\Pictures\EnableOut.tiff.itlock4	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ko-kr\ui-strings.js	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-150_contrast-white.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\MicrosoftAccount.scale-180.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-30_contrast-black.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\manifest.xml	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\WelcomeCardRdr-2x.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\next-arrow-disabled.svg	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4627_20x20x32.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Square310x310Logo.scale-100.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ru-ru\how_to_back_files.html	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreWideTile.scale-100.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Logo.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\how_to_back_files.html	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\YEAR.XSL	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-phn.xrm-ms	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\how_to_back_files.html	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Images\win_logo_black.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\Rounded Rectangle.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\offsymk.ttf	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-80_altform-unplated.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7656_24x24x32.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_targetsize-64.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\mask\1d.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\cstm_brand_preview.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Audio\Skype_Call_Calling.m4a	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7357_36x36x32.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageMedTile.scale-100.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\ui-strings.js	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\ui-strings.js	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\MedTile.scale-200.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-64_contrast-black.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchLargeTile.contrast-white_scale-125.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\cs-cz\how_to_back_files.html	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-400.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_ES.LEX	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-phn.xrm-ms	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-si\ui-strings.js	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsStoreLogo.scale-100.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\Square310x310\PaintLargeTile.scale-100.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-125_contrast-black.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\Smiley face_icon.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_fr.dub	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\tr-tr\ui-strings.js	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\SharpDXEngine\Rendering\Shaders\Builtin\HLSL\ConstantsPerFrame.fx	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsWideTile.scale-100.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96_altform-unplated.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-20_contrast-white.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_ZH-TW.respack	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\common\Classic_Speed_Run_.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\msipc.dll.mui	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\how_to_back_files.html	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-16.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\mask\11h.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\de-de\ui-strings.js	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\WideTile.scale-100.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-16_altform-unplated_contrast-black.png	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\it-it\ui-strings.js	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_newfolder_dark_18.svg	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ul-phn.xrm-ms	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fi-fi\how_to_back_files.html	fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

1252 firefox.exe
1252 firefox.exe
1252 firefox.exe
1252 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1252 firefox.exe
1252 firefox.exe
1252 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

1252 firefox.exe

pid	process
1252	firefox.exe
1252	firefox.exe
1252	firefox.exe
1252	firefox.exe

pid	process
1252	firefox.exe
1252	firefox.exe
1252	firefox.exe

pid	process
1252	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 3444 wrote to memory of 1252	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 1252	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 1252	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 1252	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 1252	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 1252	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 1252	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 1252	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 1252	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 1252	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 1252	3444	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 4112	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 1256	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 1256	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 2724	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 2724	1252	firefox.exe	firefox.exe
PID 1252 wrote to memory of 2724	1252	firefox.exe	firefox.exe

C:\Users\Admin\AppData\Local\Temp\fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
"C:\Users\Admin\AppData\Local\Temp\fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
PID:1528

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1252.0.1616777785\1943734474" -parentBuildID 20221007134813 -prefsHandle 1640 -prefMapHandle 1612 -prefsLen 17985 -prefMapSize 230913 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad248d5d-99e2-465f-aefe-87274ebc768c} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" 1712 26f307f9f58 socket
    3⤵
    PID:4112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1252.1.215497387\234538001" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 1728 -prefsLen 18536 -prefMapSize 230913 -appDir "C:\Program Files\Mozilla Firefox\browser" - {04b68b12-5f41-420f-80e6-7d4091488946} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" 2156 26f252da758 gpu
    3⤵
    PID:1256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1252.2.757277311\1812013241" -childID 1 -isForBrowser -prefsHandle 3060 -prefMapHandle 3056 -prefsLen 19425 -prefMapSize 230913 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ef5f693-ebb7-4667-982c-3bb854efe509} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" 3068 26f33a33b58 tab
    3⤵
    PID:2724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1252.3.1686664223\1763097598" -childID 2 -isForBrowser -prefsHandle 3356 -prefMapHandle 3352 -prefsLen 19532 -prefMapSize 230913 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c382ae63-26df-4b09-97e6-f9643dbb28df} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" 3368 26f34c80258 tab
    3⤵
    PID:4100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1252.5.128959589\136702901" -childID 4 -isForBrowser -prefsHandle 4040 -prefMapHandle 4044 -prefsLen 27296 -prefMapSize 230913 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a281aa44-b9b9-45b0-a584-9e09bc676ca0} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" 4028 26f25271658 tab
    3⤵
    PID:1648
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1252.4.829694795\1519858780" -childID 3 -isForBrowser -prefsHandle 3856 -prefMapHandle 3832 -prefsLen 27296 -prefMapSize 230913 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee89db68-e466-4132-98cb-8d830563fcc1} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" 3804 26f33592858 tab
    3⤵
    PID:1960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1252.6.735196630\950174340" -childID 5 -isForBrowser -prefsHandle 1608 -prefMapHandle 4308 -prefsLen 27486 -prefMapSize 230913 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {225d6e2c-b23a-45e0-8982-43c93d0df6a3} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" 4324 26f33595558 tab
    3⤵
    PID:4900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json

Filesize
102B

MD5
7d1d7e1db5d8d862de24415d9ec9aca4

SHA1
f4cdc5511c299005e775dc602e611b9c67a97c78

SHA256
ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda

SHA512
1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\how_to_back_files.html

Filesize
4KB

MD5
2d215ca2ef91b34b7d61d7f4f1c3b907

SHA1
c62ca6efb5c19a26065a267e8f7fa79c6ad7303b

SHA256
66a23e03d9e800b0c68ea82163922cbede2af8ac0b14f3efa489393b1de88667

SHA512
6ad71f5f5cec7858616490967844a24e47718a62a5403cd788fa445f7bfc10e7edaa66133b6bbaeff7eafe7a6f285e8751ff591e9f374767b40825febc9f03e7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\cache2\entries\026554CFCA74568F33E9E8C292E1C12C9F1AE884.itlock4

Filesize
17KB

MD5
b3183735c1a478f9eed0bca3a99c56fb

SHA1
29247dd98c7709ccfddf2d7eef5eaec036e30728

SHA256
060ecfd461eac8d95b8f2d5a10e0a2ea60d9bb08cdad3b35e1aea58d82ff1c7c

SHA512
551294d5f1e4280990669ffb87cbfc0a45c1cf7b9d179fc74d1f0cce04b77ef05e12260a81681ed62cb5f405c9f56c61ba551fde8d7a318623e7ab356723fe3f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\cache2\entries\184C843EA0B8CD10730CA2564A233632E40FEF45.itlock4

Filesize
14KB

MD5
06296dfac8701c1de88a82740b1302ac

SHA1
b334f15d6660c0247e8a21ee12af3bff1049a899

SHA256
9d23b710d27295b54f3530363f2926d2e5210edce6d2ef8e15c5c84977b3849c

SHA512
a523c95b5f83d69fa5fce59f4739ae5d4f0002db5826b570f14d426c3f72233121f1b792116c72bc0fc097574a0755c9a0ec68fdf3a3ea84c9305c3f99b598c0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495.itlock4

Filesize
10KB

MD5
d58922c2dcee87bc2a99c4a40c893dde

SHA1
97009c0607109e7f7d3eae34a2a62ea8184434b7

SHA256
90d9d628a314e6871731df974c4da56f670979db5ae94562363a5e669fa82286

SHA512
cc8ea8dbcb4c5cc81856bc77ddf4e5f6394badddf2d2e0521cf9ced2a92805dcedca564931dd9a56fd8202d38745c921ab9bb41b0a3ff686ac8272ed951f3e3e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\cache2\entries\2897D147DDFC3B1AC15675BB43AA7096EB491277.itlock4

Filesize
11KB

MD5
f205247e73488429bc6fc9fdfc6ad430

SHA1
6ce6bf7cb86fe3f304934b158281e8a7a6ed5ac1

SHA256
4de71a9fef56ee80f4852c747e13687f8049fb26ff224dfadeaecc14b400b2d7

SHA512
4b53e4fc834483c048783354bde67d71db5794fefdff8658db0b0e76b5b41ecb0fdb9c151ed1fbeb1ada569483abba1101e1ec53ee567d684eb32614fa68862a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\cache2\entries\66B74AA167026A3DCC4BA7064E8D6E229DE9D806.itlock4

Filesize
11KB

MD5
58f4c6e0ebff323b7dcf588ecf4bcf8d

SHA1
ab00d46a6b886e3751074bba4374562c308ffb00

SHA256
e62c6b3f0dac5ce6557957c09f9535419cbdab883b65988559705b5b2222e340

SHA512
b6c7681bf5090308844e962d3917736eff2c93ed379126bbe57eb317f3e4e49f3aaecd9f952b5cfc75a00be167b72dfd3cf11c38b6c0663b9dcde9cb4c3187e7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F.itlock4

Filesize
10KB

MD5
12cf2c2b5ae2f939d978d9a055065168

SHA1
ea78129206b210b86cad2c2bf3381483b9ef2d01

SHA256
0fdeb4999fdaa6a5a2214f94f5fc22ec0600879eee7f5ec861f9db8632c3b96f

SHA512
f3188293e6989226a138cda023023794a5ceffc6d37e75822a32bc05faa29a1686d59fd00e655477745715f06f49e06ed22d9f70254d99818a63ee12fa91a95d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\cache2\entries\89C9B59023C6004C5FCA8E641B2BD533BAA7F06E.itlock4

Filesize
10KB

MD5
24da0d22d0cf5c272e6809202155b25c

SHA1
09f5f0266195631542f5de26c18923d4647df4ef

SHA256
d333e0c6d36c52c8a7628daae00c6c147a619a5d3042d9c4a9e69d6bbd32742f

SHA512
882c11fb2a2dea4b2aa2b12e3bcd21881b380d599347a2fc74c52c85109d3ae74bc2c8188d82f77b8b783a2629fbfcf546394c9c0fac817177813e82e568282f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\cache2\entries\90E321EE94230DCDBDCD2EC0B77C695A4FC21F78.itlock4

Filesize
10KB

MD5
519006e8740fd5b80025351a58a925e7

SHA1
040c0fa61e4e1bc6aa9749d58703064bf2edaf7a

SHA256
a85897ebeaa452cf6df89fccf93a84a350e574bb827fbacc2f6c61f809edf0d8

SHA512
9c488c3efcd5bfde3a173958fcde858475be8e104b6749fbb32ca126700b2e423b3ce50ef547d10147559e3a28265c22f2beee57a37e9b902a84262948a4cec5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\cache2\entries\9472FB0E9EC6D9565DF4760304D30A77B3C2854B.itlock4

Filesize
14KB

MD5
14b2b177b9b2297ccf173b7dd49b0894

SHA1
330a0ca927842093471127d603b150a3612536b6

SHA256
4d5ea2106ffa9909793679a82e9660bd353a1095cd71a779c03f33b8585838f9

SHA512
da145d453ceaddbcd2d626d934bd833b3ccf459b861076f068f7fed8c1cbde55fe8fee44477bb92b964d4ff327a9195b7a459e30ace1967332ccdaa8769e71e2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\cache2\entries\CDA62003B1B987A64F1FAC75D1484DBFF94F08FB.itlock4

Filesize
10KB

MD5
fcd9e361427a3e317ea32bbc03a2235b

SHA1
111992f77d85f351c7a57a6b5a8c90cfdae6fe1b

SHA256
e9a932765f2c1e7b6bc38538078310900ad4fcf6994147e02e3a796cba24fd08

SHA512
d5c982e50c950731e4f06ed55b0c3e554003abd019d0f454827c0474074856fd2edf85080d0ebfd7f33bdc9f1719ebc649d4cacfe50157dad38c46bffe8eff8e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\cache2\entries\D6B0ADD0DAEA00708CBB4290B85CCA0E0FA79061.itlock4

Filesize
10KB

MD5
629c190e988da1da52e5efe231e4bc5e

SHA1
212d6aa27b574d564bf52c7439ed93eb32b4fe9b

SHA256
c1c60d5e641d40fa7aa62a8646ab39ee04ef63167b23091009d6ca8b6d804f8d

SHA512
1429cd8a66ed1274a0241bdb02df0d340f3bcdaeedfabd89b1855e7011836fd1279bfc999151f1b8ae36c0565b73570cc9bf46fbf197f88a874f57143a5f6e69

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\cache2\entries\DED23BB33EA3C88FAD1C0A1CD53916E0D8C424D3.itlock4

Filesize
17KB

MD5
aa5a088dd4ddb556bb934e515c9c8012

SHA1
1e1b32f997a18e53a1b16ee73e2967fc2cc9138a

SHA256
0ba0dcaa621c77e9c6f23215fbaec1874b983b0c1cc08ffde2698cc28fff3a01

SHA512
417be6315dc4b5b7bcc7f29dad148f663683367f4cec8a1b817f2f0a27ae4a9ef49651250fd8d1bb9ef5c982bd5bd56ebd831ffb538e987a0ee3d0b0bee64089

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\cache2\entries\E78E3F76C38A478389988CA4F4C125CDF3D80965.itlock4

Filesize
50KB

MD5
17114ec46f71881ca8bbd38922e42622

SHA1
b86bd7666d5254c0dfa9d5fe1943c7625eb9194c

SHA256
930c9e29438c383564900e94285401d05a02330e8c35c9965897d75a2e879d80

SHA512
7dab403462ec00c0a954ecf0cab7bb073e6969cab1d3b35feb2aa50c15cb396c720c30ce1bb2a2ef8d81c5bc0784c07aeb7e25e708f201955e54a17f45e556f6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308.itlock4

Filesize
10KB

MD5
906f7fd8b4721935564efca88f63dc42

SHA1
cd0bf6d6d43f88bf307a7e2d2c7e73db2b9987f6

SHA256
bd426654cf3c4ed5863f7bf0dcb98439ac1d68c0b55445545a03534efd4666dc

SHA512
b3b7fd2e8bacef1326a6d2201ac1190966918d0cd6a700f02d97617235b30685aa96212d26d532a35c94659615018f7dff5dac1b5c0b0c08ca5efa7ddfcfaa4f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\cache2\entries\FF63A96CB0EE05C4E8600CAFADA617EBA0BAB35D.itlock4

Filesize
10KB

MD5
06452008249f3688cb6280e2bdd0f1d5

SHA1
af609105707016dee271abe868e5a604c685701a

SHA256
16c12357a88c4d30dcb03bda0581b1c8c8d3fa944f5cd879a9ba79c7d2f2554d

SHA512
140892f2e11a0d63f7d0fd30c5dc137bb95caa1e61722454a0d19cce1e73027555bbdb6804e3a27c2ec7d3300b71a9ed365e665d0c25d35354844e27d5184b7f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\cache2\entries\how_to_back_files.html

Filesize
4KB

MD5
2d215ca2ef91b34b7d61d7f4f1c3b907

SHA1
c62ca6efb5c19a26065a267e8f7fa79c6ad7303b

SHA256
66a23e03d9e800b0c68ea82163922cbede2af8ac0b14f3efa489393b1de88667

SHA512
6ad71f5f5cec7858616490967844a24e47718a62a5403cd788fa445f7bfc10e7edaa66133b6bbaeff7eafe7a6f285e8751ff591e9f374767b40825febc9f03e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\SiteSecurityServiceState.txt.itlock4

Filesize
1KB

MD5
712910901f473aabced011082df6658e

SHA1
d8130731015f2b0a47b4d9ce8fa0e53cd9941622

SHA256
f349fafb85cbc25974cead6f014ee0254119f95b2faf63c9cf81d57c36476c3f

SHA512
2df3e36972f869b57e9b8354781aa683f13fe5be265893e08f9845277268e092121e009637df0006107938e4cf999d51bf3fa8e60b2cc886a0b313d02afed74f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\addonStartup.json.lz4.itlock4

Filesize
6KB

MD5
ab1389cb43bc29d0cf7be5ec0cf2dcd1

SHA1
2259d45aff98e7751d4eb70ec2fa38dcf75bbef1

SHA256
91cb114d2d249628df426cdad00a6f156ef15632b10f2c16823724da51ae77b2

SHA512
7fee2131741ac894a77c6a490522e7e23d8ece007faacf69e822ccfc738c01511a5cb82618b2258a3f73b8705cf055d931e6099963b5aa191f176d567fb9a502

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\cert9.db.itlock4

Filesize
224KB

MD5
c96e1a601ff2434c438e8c0d2418a703

SHA1
4fc222dbcba61460ca825d21f0fc7b8ed2ec69ab

SHA256
b947f695aff43e1219440918ad5afb3d17490fc40fe1f3aa3a98a0ef3189b42a

SHA512
8bd7e891e740a255564474072c7c9d853f381070a25176bdd460198568dc60cf6d30c520bb73cd1d16826c3ab22425c4bcb495fdc61bd15df65629d43459a6c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\containers.json.itlock4

Filesize
1KB

MD5
b19c376ae34151d8b14a30d163d8a599

SHA1
bd06ad28712eb462863cbd840d773cfa9bc5d926

SHA256
6153d551f1ad4547765aba554756b510d7fecb8e719553f59fae864274083fde

SHA512
25a76ac3000659b61eb86e7e135eb9f1fd555edb1cf10ee6a5427ca153610096c63e00a8f17bd96c936bc40eede05abadc93da30adff95e5adb56626fa9d3b42

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\content-prefs.sqlite.itlock4

Filesize
224KB

MD5
c95e309bab1c98b6d372c7e5a5b3852a

SHA1
3ee004f37571ca49141a190db1ef62e1e6efed36

SHA256
bd7e723e14646a04928f5b5f25d5273fc17c509df8bdeb176f0c9510240db479

SHA512
6d4b9831b3c61de7c14525d9f718eb78241a8ef805f22234bec386e454d8f867a00819826f63c39a93257ede9b92d5886b9562660a7c3510af56fe5ebc3e96e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\cookies.sqlite.itlock4

Filesize
96KB

MD5
d91941885c09980fb98296c439589011

SHA1
3f82924c829f7cfad408298f48866d82155d788d

SHA256
25e8c487261ce9ae45765f33610ea9f9ffeeee764461ffc7d431d6649d1c43ac

SHA512
e4847cef66444c53d0ff29e02fbac3e773739c22fb31cf7c302b148b59e9ac2c639df6c99cf0e819f916ac43eb7a022e83541fe9e275f6b1afa2577136ca4eac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\datareporting\glean\db\data.safe.bin

Filesize
182B

MD5
63b1bb87284efe954e1c3ae390e7ee44

SHA1
75b297779e1e2a8009276dd8df4507eb57e4e179

SHA256
b017ee25a7f5c09eb4bf359ca721d67e6e9d9f95f8ce6f741d47f33bde6ef73a

SHA512
f7768cbd7dd80408bd270e5a0dc47df588850203546bbc405adb0b096d00d45010d0fb64d8a6c050c83d81bd313094036f3d3af2916f1328f3899d76fad04895

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\datareporting\glean\db\data.safe.bin.itlock4

Filesize
1KB

MD5
06160bc431c14a48c136c258939b565d

SHA1
6fdf58a42d4d85e260ce983e02211e1bfa589287

SHA256
5334d543b40faca7eb269d15dd768240e24257b97156f3d4d8b7157bcd760127

SHA512
ccfc278a5af0f300ca27deb951ac8eb49c67cf20e2440d6d023d8622b16d0508e01cfc33c05548b4b1e6b0b47a0bae08f80def7a72cf1f01d4838dcb9177627e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\datareporting\glean\db\how_to_back_files.html

Filesize
4KB

MD5
2d215ca2ef91b34b7d61d7f4f1c3b907

SHA1
c62ca6efb5c19a26065a267e8f7fa79c6ad7303b

SHA256
66a23e03d9e800b0c68ea82163922cbede2af8ac0b14f3efa489393b1de88667

SHA512
6ad71f5f5cec7858616490967844a24e47718a62a5403cd788fa445f7bfc10e7edaa66133b6bbaeff7eafe7a6f285e8751ff591e9f374767b40825febc9f03e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\extension-preferences.json.itlock4

Filesize
2KB

MD5
3ab6ca143bc13c2ee011c396ef84d7ac

SHA1
e5838a3c713b8078e4116a94ca8a1eecf39690d0

SHA256
6aeedb95bebf97e59a3c073831ebe01cf8b8ff3ad25289b7a9884cb67ea1966b

SHA512
a4961884ec9176ea9d2a788d3694a164f0ba035022754f55bec873d346d7b585bc338f7fd08f4fe47f4bd8bfdbf643ea709b4042c5050e3e6fadf1923c5bcf7d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\extensions.json.itlock4

Filesize
42KB

MD5
b8378203e27c795abcb2e9a028e918da

SHA1
d2e0f89624e9df67899f17c102bd82b4b4cc32b3

SHA256
2447a7eeb01d2b1c43baf9fb54863410a878f67e55ffdfff028a5c29b9abde04

SHA512
0603c9e3d507ddfc9c38d6a75802c50d4b4ecb12afec64e16b083e6480dbf86f6e3b6667c0200da6aacb0b9661884545d9276705d460555a56ee901e54453ec7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\extensions.json.tmp

Filesize
36KB

MD5
5e675b927e0cb7873083b0af7dcb30f3

SHA1
1f20c3d6c52917ce7e6a4f2d1a5527af4dfe387e

SHA256
661acb3c0099bb25babc34e1fc771bf158fb5a7392a34b3f3a77f507308aa25e

SHA512
f6aa9de803d0d945c41b858abff266bfa75f0ceee996e64c502b1ea33487c4dc6119c635bf2feed48887b10e5572e9bf640580b5a4b613d35576a37e52ca550d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\favicons.sqlite.itlock4

Filesize
5.0MB

MD5
16d366c07c1d1000e832b33b12917733

SHA1
6b8ec81d0ea1ddde9dd6c68f505c2abaf61908f2

SHA256
1fd4d9e52082cc92e3fbfa1ad366388f847a3d7727f0590bd32f99219d009330

SHA512
23bc028f02cf11ea94b199483cfe271c641e249139e613487b508dd624b1b3df5c446971c0e0c6e78323812ab5cbadccd66a1a8e6b3163f1476536e6fc07ebee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\handlers.json.itlock4

Filesize
1KB

MD5
e5463b29470e4e4748be7b2dc4eb22ed

SHA1
9d8a22d7fe5208d077e9e5e4a77a73f0b18bb410

SHA256
07e47e129c8eb25f148cf8aa1455750c1b676025806490fe4dc350cd0065cb06

SHA512
f4dfbaf567e6cbaedbcd77c25edcefec80bdae5313957b58e68f28be8bb3795129934ae94f6bcbd24c8c70160581d0da1ad08c28115a4bdb715912f93e0f2bd9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\how_to_back_files.html

Filesize
4KB

MD5
2d215ca2ef91b34b7d61d7f4f1c3b907

SHA1
c62ca6efb5c19a26065a267e8f7fa79c6ad7303b

SHA256
66a23e03d9e800b0c68ea82163922cbede2af8ac0b14f3efa489393b1de88667

SHA512
6ad71f5f5cec7858616490967844a24e47718a62a5403cd788fa445f7bfc10e7edaa66133b6bbaeff7eafe7a6f285e8751ff591e9f374767b40825febc9f03e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\key4.db.itlock4

Filesize
288KB

MD5
d8121d5c0766bce5f82862feb8add8df

SHA1
6f268a39e182b836b024a550848de293af636234

SHA256
df5f367219e9e807685b967519a0fa430f76d2602186050e7a12535f1b211014

SHA512
d5588c74b9d52093223d9abf8f6dd8696e47a7278823f7f314b6e7c792e5525b61ff6b43477aa583fcdf25bdefaf98c84a38ed47c6797b8c05db85d0b449ad02

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\permissions.sqlite

Filesize
32KB

MD5
01cca8b0c6008a5d6b49b43e6bd2790e

SHA1
4c397a67ba2918049b7aad3e6ee9fbd486485b39

SHA256
82622ee14f33102461622efa5f44cf4c820433ef30156adfe84f4bfb11401c6e

SHA512
1f030cc10ac50d1ae6fda9302845d61883178986ceb1a0dff1d9fed9c515d9c4efbc7a18db12a668c8babfa5b59a3f889f829d2e2d5d993f3bcfdcc54b5b1d6e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\permissions.sqlite.itlock4

Filesize
96KB

MD5
5281308346ba11f6b7664ab3bcf1729d

SHA1
9e3aed18de8ec05184c9d96b5b9656c80a763706

SHA256
91355542357ff62eff210e28e4e48395dad9636e10afeb507c12898e0b8a7651

SHA512
cbdd4e73fe03f724917ef9d6dff36621a956a00bacf60a5d8fd66f481b834eec85cba11abd56463a7962d1e4eccc1eb0396da61d6a3a8ccb054d6a3a307baf5a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\pkcs11.txt.itlock4

Filesize
1KB

MD5
aefc45b9da02606fcdec87692f6cbc21

SHA1
a2729cb4a18f8b860ec9b365a68dd787fbf45ed5

SHA256
a574742e46c7b257e2aa2510743f91a2d96400b94e1643aea564fbdfd2c2aaa8

SHA512
9ce3bc9a0fbe6538922cd8f78583612fe79e2bea0e04bfcddc00a6de6e5f3e3b7eca16fb8c6d5aea966e4f5a88fa1d51e2f37d6310750c5deec30a6a427599ad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\places.sqlite.itlock4

Filesize
5.0MB

MD5
434651381467903fa094974764fd7c56

SHA1
6cf6b06f6d4c9e67b2e27191a4e6785c0054b0e2

SHA256
27238ced63d26f5a93ac1a760b78f48a3fed80844caa8cb46e9945fee8a2fcf3

SHA512
22b02a3ef4c8aed0936adf5a4216840f6ae7db020370a569dff517f8a1793c21bbffdfcfd262998506a7a4b1d234a4751f644de8beaea07ddce790098d0e4d18

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\prefs.js

Filesize
517B

MD5
1167043bb5ccbf9604eab5464cb3c784

SHA1
4c84c56364f74c181d840e4200dbca16dbdc0872

SHA256
6421f4ef14b097cef32ca120e8f207c6f723e09854ac2cd839f717b6d76abac5

SHA512
487cc2fd65ab2973f5d6dcc8a561fd05e950f9a1caf235d54b8d0561487b3489d68b8c4f1bc6d01b49e332835e01dcd0d6148f7793bc9d781294dae5cd423107

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\prefs.js.itlock4

Filesize
7KB

MD5
39a49dab436360501f67886bac2bb079

SHA1
a44bfce72dad7f7f03b14c84ae608f60ad39ddc1

SHA256
e0b957a492a6324e91159d7568573afe4953bf3dc88bb743638b352e55d7f8d2

SHA512
4dae68abaffb97c7ca4d9949c80fceb341a1cfb764fce4ed453268c1806db9f36ebcefab3cc57aaaad4415862a4effcbd1e14b34fced82ef7494f3ea25439461

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\protections.sqlite.itlock4

Filesize
64KB

MD5
57bf34b5224e2dc937db829da5ce7925

SHA1
aa53bd4a52b807fa1704d529a8742873159fc410

SHA256
5c29342849c02714b8cb40cde048bc3acb2e46942bb1f3040c484d28301376cc

SHA512
3d83d007704c7a7424e2ed6a9ec2a24d2b724d704b2d9bd347fb0a21004300626bfd51e771709b1c8c637dba5f8ae8b00c41291a81262d2ad7c5cef3d91ff44d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\search.json.mozlz4.itlock4

Filesize
1KB

MD5
ad3493b87419af65500a81cb2fd54ef3

SHA1
319033cda43e4422bb1f17b0a4cf6c56167e1516

SHA256
67af50f5211ee105a39da19fc957a4364ff0cd2bbc136fc0298eedbf1aedae24

SHA512
2e9cf7661373d9daccde64e9643dca95d800cf878f87d861b37e347449938d61fbcd7cf926399f410c324c071a1c39842c84a46be266df0d50bca2ffc01e5949

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionCheckpoints.json

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionCheckpoints.json.itlock4

Filesize
1KB

MD5
31d7f43d130b4294eb1f280fc3667ea2

SHA1
faf856668db02c2136814639490f4330320ab9e2

SHA256
e8dc37a64227d2d276eb7c1edabe173c5d1673120fcdd3a83eef2a999df080d4

SHA512
41dfc1d4ab8f4ae659725ae4109d46af6a976ead1c73aab731008570a9abf79d8407eeb7b8cb46377046b4ec50a5abae61e8b19620e94b3304143dcfc91ed166

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
856B

MD5
6e5a3a0ccd4217da99109fc44ec5378c

SHA1
3160971fbd275df4b3504dca8db778c79ca926df

SHA256
a4f6893e35470051712d826601fe940cc4bab467b1b1f02401c9f3179dd39cff

SHA512
f5e69ba9f16b0914b14fef4ac85da819622387fb100994a5df19ce119b53afb11c736d12d120ae8c8995fac04c9937764e8865a7f01eb9af47783e9597583fec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
855B

MD5
24f45787e01698be40efb464b5a16eff

SHA1
f2e0d5863e4fd416e55e209d68309dcd66a736fd

SHA256
7c3ded47d526a066e28763e52b745e05e2f794aa3307f6ff38dcd9e15df468ae

SHA512
173319dc7c14576cbc7c03b3bc41817ac6c4a1a6cfe6768d423a73c30b8101f47b64550ed5bb821276e9f25cf3a21acd50063b0efc9c9212f6223ac72c6c8f9f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionstore.jsonlz4.itlock4

Filesize
1KB

MD5
e133fd5aa592d4ec984d2c8abd0921cf

SHA1
69f74c12b0d012578d922b1627d7dbb304b18500

SHA256
7a44a2f50476a05cf59667f5d8ea8b42214cbc861ed4448b1261e32de8500df8

SHA512
ac58c54ca6be6ddd64954d48c6563cff1cd0475b43148376e92ffe60b9449040d19829e029718081f3e77c09217be6721360aa07c6290bf35ba3f9a6360d5039

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\shield-preference-experiments.json.itlock4

Filesize
976B

MD5
b0ce7666c484cb214e4df4f696b25061

SHA1
de1f4d124237ff8c69fd0e7832be47978161b6d2

SHA256
6967be02d3c309c62041595eb0beac88e7deb90e272c1a98faa93dc6aeb0efe2

SHA512
81c6891cd55622c46b172a87abc17e2c7382ee2b18b3157a5ca6291697cac26b1b77149e929609cff3ac4e51072c8b96cb7b225ae57c1196daa27742e56d68a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\storage.sqlite.itlock4

Filesize
4KB

MD5
d1528f1072fd449bef1c6ead9f3665d3

SHA1
c67f6c797c002a36e272fa7b68a71d8cf4ca4be6

SHA256
d075cd64fee41eafa78a357e09df353580fd0cdb2d40a2cf0d36b12d8ad41970

SHA512
dfea897481821640f28577f8d620a5d3d2fd7161f7ffcc8f805a11e315aa7ad68c63587ac9dfa90ee63abde2ff377da64a108c66b04becc9b1576a83ae6acc03

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\storage\permanent\chrome\.metadata

Filesize
29B

MD5
ce4c29fbc9f152502cb0e85ca38a96ed

SHA1
e540090d535622ce2eb88674ef46c809f9df084f

SHA256
6d0ecfd3344dc52885a230a7345b7825aaa8e6d26a79bf5d52b4ece0f68cea59

SHA512
c24a2d16350cfbd1fb013b7f434029bb28b1a6c239cc1df4e9b80b0cea7a7e041da3863180cf1a9de0fe01db3f7a37ac2fd6a2da1b66956ae5e3e255e28ae892

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\storage\permanent\chrome\.metadata-v2

Filesize
42B

MD5
6815ea3ada759dec38f0072499ca4766

SHA1
1e382e23d9b837e51d3a3eafb1effb70c2fdbf68

SHA256
4c9a8bfc374ea15da65bf2cf986fecf17b56738caad8e13b4f0b7eb728837745

SHA512
6fcab20a10b3d266f39e4f10b4bcbfe8799ea82813cadcf4b7d6dc40dc3b041576e5f9dd1681fad33542831eda3c6368a2b97bb440fec73186ffc26f39c712ad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\targeting.snapshot.json.itlock4

Filesize
5KB

MD5
5f6dce5b329316706aea5774864204ee

SHA1
b5a0a447f6e399d87fa4c2f517163771664acce7

SHA256
72b5270b277c9b33d53bf813b9d27e1c73f45257be05d4e378eb56f79e2b8b31

SHA512
91ffd9a5cd5a3a47a94c66394ae8d64f2e9619d8332838b669cc6b1811565f54e6261f0760788cd0c1d770f7bcfa440731456d87025fc8f7a0c4c1608d99d661

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\times.json.itlock4

Filesize
1008B

MD5
a8650f0f544d3f8220705b5c76f518a4

SHA1
51175351fb333868b5766cc6447193d9cce3170d

SHA256
a97d479d640e2c1d5d0b6fc9ee8667b1585d10b5cb3b03d6a9e49ab58804394d

SHA512
60b2a57f5815eec91788c9a26ed2db2d9a2fe6c847a8c225cfcd17cd2aa83fed66cdc916c6e24e647d91efc88f93d21322d4f794f8f72eb71bb242867861a62e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\webappsstore.sqlite.itlock4

Filesize
96KB

MD5
83252cd3a2c77c63b2120a2e2aca1a12

SHA1
933f8f89abbf38adf60d57839cb2b4252440c350

SHA256
ce2e80f0c7b1cf98c48254b677f86a1c4b1e4cdc6947143629b73e0a62694cfa

SHA512
088076b39286d28d3776b3ca137348206b17957c1ef883d3980c7393556a69ac14da0a2a3b15b8a15d07ca9db1ecec013fbeb5155deadc60f13e1386e158a633

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\xulstore.json.itlock4

Filesize
1KB

MD5
cff3c96407cf2ef24e4d4de20c645488

SHA1
296ca9b34f135030ea57f3d7b7464e00e0cba7e2

SHA256
653d9ea44b39dd77391de0099309167ab6b3b90f44118fa6acb348c8b7ead955

SHA512
30ca4f2ff5a8b5cd57ce168c5ccc5d3c2ceaad8965137bf647531dc9d9c33e18ec381c0b4f6fdf9a6493a5de2889e335e8949535adc06707565621ffee8a3ce0

Download Submit
memory/1528-526-0x0000000000400000-0x000000000040E200-memory.dmp

Filesize
56KB

Download
memory/1528-122-0x0000000000400000-0x000000000040E200-memory.dmp

Filesize
56KB

Download