Analysis
max time kernel: 138s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/07/2023, 14:04
Static task: static1
Behavioral task: behavioral1
Sample: Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe
Resource: win10v2004-20230703-en
General
Target: Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe
Size: 1.0MB
MD5: 790f3266b308066cd14f9900329e6f0c
SHA1: 7a9aa50d276c7f8b616d1c0b5bf8fe3d9328d0fa
SHA256: b2d2f116713950b0742c2cb384c0377ac414be769d317f9e246ecb66730c889d
SHA512: ce45fd69dfdda994b563a4bc946bdee94dbc3a27d8909ef32fb44a5c3aa0f08af72d0daafd4adb14474918ff23a2c721b0b4a9a915c1a701ded69565f607bb44
SSDEEP: 24576:whlXrm7zYFdAlYobCNtwc9Vr+iUriIVP1PRXplA77RRW6:GXi7MAlYlNWcqNriIVP1PRXpwrW6
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
description | ioc | Process
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe
-
Loads dropped DLL 1 IoCs
pid | Process
3048 | Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe
Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe
Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
pid | Process
4492 | Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe
4492 | Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | Process
3048 | Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe
4492 | Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 3048 set thread context of 4492 | 3048 | Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe | 114
-
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\statshemmeligheds.zir | Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 11 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings | firefox.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
3832 | WINWORD.EXE
3832 | WINWORD.EXE
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
3048 | Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe
-
Suspicious behavior: RenamesItself 1 IoCs
pid | Process
4492 | Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4816 | firefox.exe
Token: SeDebugPrivilege | 4816 | firefox.exe
Token: SeDebugPrivilege | 4492 | Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe
-
Suspicious use of FindShellTrayWindow 4 IoCs
pid | Process
4816 | firefox.exe
4816 | firefox.exe
4816 | firefox.exe
4816 | firefox.exe
-
Suspicious use of SendNotifyMessage 3 IoCs
pid | Process
4816 | firefox.exe
4816 | firefox.exe
4816 | firefox.exe
-
Suspicious use of SetWindowsHookEx 9 IoCs
pid | Process
4816 | firefox.exe
3832 | WINWORD.EXE
3832 | WINWORD.EXE
3832 | WINWORD.EXE
3832 | WINWORD.EXE
3832 | WINWORD.EXE
3832 | WINWORD.EXE
3832 | WINWORD.EXE
3832 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 868 wrote to memory of 4816 | 868 | firefox.exe | 97
PID 4816 wrote to memory of 804 | 4816 | firefox.exe | 98
PID 4816 wrote to memory of 2356 | 4816 | firefox.exe | 99
PID 4816 wrote to memory of 3208 | 4816 | firefox.exe | 100
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe
-
outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe "C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe" 1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
PID:3048 -
C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe "C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe" 2⤵
- Checks QEMU agent file
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4492
-
-
C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" 2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.0.28109163\2008700094" -parentBuildID 20221007134813 -prefsHandle 1828 -prefMapHandle 1820 -prefsLen 20860 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c83df7f-8438-47b8-a5de-edeeec2e5dbd} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 1920 234c4e05458 gpu 3⤵
PID:804
-
-
C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.1.1789040711\16726713" -parentBuildID 20221007134813 -prefsHandle 2328 -prefMapHandle 2324 -prefsLen 20896 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60e37648-1a3b-4d7e-a373-1f5b820eacf4} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 2356 234b7272558 socket 3⤵
- Checks processor information in registry
PID:2356
-
-
C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.2.1758971233\639175372" -childID 1 -isForBrowser -prefsHandle 1456 -prefMapHandle 3208 -prefsLen 20934 -prefMapSize 232645 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d67cfd2-4c95-4f98-8407-a622f43ea26f} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 3300 234c7cb3658 tab 3⤵
PID:3208
-
-
C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.3.892752573\628329880" -childID 2 -isForBrowser -prefsHandle 3644 -prefMapHandle 3640 -prefsLen 26359 -prefMapSize 232645 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d75c5f1e-9d06-45e1-a311-72ae53cb34e4} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 3652 234b7269f58 tab 3⤵
PID:1348
-
-
C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.4.948893861\1974531752" -childID 3 -isForBrowser -prefsHandle 4612 -prefMapHandle 4608 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64744aaa-dec6-4df6-a3e6-eae281c4ebc0} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 4624 234c9caa458 tab 3⤵
PID:1440
-
-
C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.7.786229675\410069347" -childID 6 -isForBrowser -prefsHandle 5448 -prefMapHandle 5452 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c676987-1feb-4771-a4f7-de02972fc11c} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 5440 234c9a8a158 tab 3⤵
PID:1464
-
-
C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.6.264835245\438694947" -childID 5 -isForBrowser -prefsHandle 5256 -prefMapHandle 5260 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f66e19a-a4ab-4ad1-a6e0-9b01cb262ef1} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 5248 234c9a89e58 tab 3⤵
PID:5060
-
-
C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.5.398737586\705088505" -childID 4 -isForBrowser -prefsHandle 5040 -prefMapHandle 5044 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a5216e6-dc46-4a78-86ac-070df94f12b5} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 5092 234c9a89b58 tab 3⤵
PID:2344
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o "" 1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3832
Network
MITRE ATT&CK Enterprise v6
Downloads