feecd2830709103478f49231d1d7c21999c41a7fadb68840fd138ac47c6f9c34

Analysis

max time kernel
126s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
17-02-2024 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Portal/PORTAL_1.0.1.exe
Size

171.9MB
MD5

df5813a79f1cbd04afffe017a7136291
SHA1

bd1fbb80c9ea0605964d627fe87914f321e4ef84
SHA256

f2715b40cff7ebbf9b3dc7d22896f6b41f01eae7bb37bfd582b4b7a3efed54d7
SHA512

d3b16fdf0562eb356ea34267b523334f281511297bcccf3ea06e12d999797662eac4e2c205cd7a19f387e3f05d6fa85da7520c0e19a5532642f0b5054b5915e3
SSDEEP

3145728:OQYMZMhEF3ie5Mu9p6BGt/ieRUDWUSinXWhuuufR9YeA5uA79J9SyhncBFBAA4IV:OzKMhER5db6QtNRUD53nGhj69YeWuA7M

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5088	PORTAL_1.0.1.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\VSTPlugins\is-O3KA6.tmp	PORTAL_1.0.1.tmp
File created	C:\Program Files\Common Files\VST3\is-EOC84.tmp	PORTAL_1.0.1.tmp
File opened for modification	C:\Program Files (x86)\VSTPlugins\Portal.dll	PORTAL_1.0.1.tmp
File opened for modification	C:\Program Files\VSTPlugins\Portal.dll	PORTAL_1.0.1.tmp
File created	C:\Program Files (x86)\VSTPlugins\is-4IQFD.tmp	PORTAL_1.0.1.tmp
File created	C:\Program Files (x86)\Common Files\VST3\is-TQE6L.tmp	PORTAL_1.0.1.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5088	PORTAL_1.0.1.tmp
5088	PORTAL_1.0.1.tmp
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1520	firefox.exe
Token: SeDebugPrivilege	1520	firefox.exe
Token: SeDebugPrivilege	5728	taskmgr.exe
Token: SeSystemProfilePrivilege	5728	taskmgr.exe
Token: SeCreateGlobalPrivilege	5728	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5088	PORTAL_1.0.1.tmp
1520	firefox.exe
1520	firefox.exe
1520	firefox.exe
1520	firefox.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1520	firefox.exe
1520	firefox.exe
1520	firefox.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1520	firefox.exe
1520	firefox.exe
1520	firefox.exe
1520	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 5088	2600	PORTAL_1.0.1.exe	87
PID 2600 wrote to memory of 5088	2600	PORTAL_1.0.1.exe	87
PID 2600 wrote to memory of 5088	2600	PORTAL_1.0.1.exe	87
PID 5048 wrote to memory of 1520	5048	firefox.exe	99
PID 5048 wrote to memory of 1520	5048	firefox.exe	99
PID 5048 wrote to memory of 1520	5048	firefox.exe	99
PID 5048 wrote to memory of 1520	5048	firefox.exe	99
PID 5048 wrote to memory of 1520	5048	firefox.exe	99
PID 5048 wrote to memory of 1520	5048	firefox.exe	99
PID 5048 wrote to memory of 1520	5048	firefox.exe	99
PID 5048 wrote to memory of 1520	5048	firefox.exe	99
PID 5048 wrote to memory of 1520	5048	firefox.exe	99
PID 5048 wrote to memory of 1520	5048	firefox.exe	99
PID 5048 wrote to memory of 1520	5048	firefox.exe	99
PID 1520 wrote to memory of 912	1520	firefox.exe	100
PID 1520 wrote to memory of 912	1520	firefox.exe	100
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101
PID 1520 wrote to memory of 5020	1520	firefox.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\Portal\PORTAL_1.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\Portal\PORTAL_1.0.1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Users\Admin\AppData\Local\Temp\is-QU7J3.tmp\PORTAL_1.0.1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QU7J3.tmp\PORTAL_1.0.1.tmp" /SL5="$A01EE,179743547,151040,C:\Users\Admin\AppData\Local\Temp\Portal\PORTAL_1.0.1.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:5088

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.0.2103912363\1389117726" -parentBuildID 20221007134813 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a779f8d-0494-4ca2-b026-278ae4d04485} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 1976 28902bfc758 gpu
    3⤵
    PID:912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.1.1385101850\271599842" -parentBuildID 20221007134813 -prefsHandle 2364 -prefMapHandle 2360 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86a423d9-1b55-450a-870d-85aff5e0b99d} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 2376 28902afdb58 socket
    3⤵
    PID:5020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.2.1141348262\1459974699" -childID 1 -isForBrowser -prefsHandle 3016 -prefMapHandle 3084 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1144 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ee31790-486b-4fd5-b666-6f1d15ea4526} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 3296 28906c9bc58 tab
    3⤵
    PID:2392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.3.1876431501\1940468617" -childID 2 -isForBrowser -prefsHandle 3668 -prefMapHandle 3664 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1144 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86835dec-3e81-4f1c-bb0c-22b36c781812} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 3676 2897615f558 tab
    3⤵
    PID:2720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.4.256230575\143163300" -childID 3 -isForBrowser -prefsHandle 3556 -prefMapHandle 3536 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1144 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0e8fe0c-bb26-4aeb-9bc4-411bb1fe1486} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 3576 289071a7a58 tab
    3⤵
    PID:2992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.6.1830651438\1105348579" -childID 5 -isForBrowser -prefsHandle 5104 -prefMapHandle 5108 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1144 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a130b848-d158-46ab-89d7-08a3c3e043fe} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 5096 289094f4858 tab
    3⤵
    PID:1792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.7.4467798\2146230433" -childID 6 -isForBrowser -prefsHandle 5388 -prefMapHandle 5384 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1144 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16a25f3e-1684-4576-a34d-f36eae92a81c} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 5396 289094f5158 tab
    3⤵
    PID:4784
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.5.629243526\2120114588" -childID 4 -isForBrowser -prefsHandle 4944 -prefMapHandle 4940 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1144 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64ff6a2d-e4b0-46b4-9c80-396ca256528d} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 4956 289094f4558 tab
    3⤵
    PID:2892

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5728

C:\Windows\System32\nuwnok.exe
"C:\Windows\System32\nuwnok.exe"
1⤵
PID:5988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-QU7J3.tmp\PORTAL_1.0.1.tmp

Filesize
1.2MB

MD5
e0f2c72e0027c19a79bcc03c8daad27c

SHA1
9f32cf87f774aee6ec91c718bc9750eb1df78914

SHA256
dd6fdc7d65822d0f3fb0fb3db755ca78a0e5e5f814d04e82af0f3be1a73351a6

SHA512
9dea09bc96e883f0d19cce9a076a55186a7f9628aeae48ad57c5eae2552eeb7c2512fb6804db9925661caa65a92c19443f29242f01fea509ae0c2bc440d7cb66

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
5371e98b95d1cd55fa91eca2b98f2687

SHA1
61150457a3bf7dcadf2deddbccbc91aac669846b

SHA256
b98c436e05084d86ca5ce1d8d7ea49b217c5b07209da99dcb4f5c58c1bc7eb3d

SHA512
6aafd30102030924dcb32f32fbc23806265386dffb65d9885adcb586555ffd1c85055b8337c218058cabf64f66a872de1a1b892fc8cceeb4941400670246dd77

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\datareporting\glean\pending_pings\09222c1d-4c1b-447b-bdbc-aa926e9b653d

Filesize
12KB

MD5
a668dd4ac3ca548d50ee0cb27ab8c0fa

SHA1
d0967bc9215d25063849ff280d43c06b6fa35e68

SHA256
18d2996e4eb6cb7893359fb08a04c3083b19174dc8c91597af1d37980f178f07

SHA512
855f1af13c5f8f137de046618b3d9d9f08ee7b3dd4324ec035d2df24fc3af8cb4dee391d7b7c019da6d764502010294a8e542dfeb5470763d3a18c3cfa7dcf3d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\datareporting\glean\pending_pings\096fd33f-d9f6-4fe1-9177-c4965232b901

Filesize
746B

MD5
9d245dcf441b88ff53e152ca450bb011

SHA1
d345f2ba737fa41fb16d061852332e2b45fd5779

SHA256
2e86c6a294a3f6170417dadb474323a2641bb0371dc5dcc179c569d4b81c1a55

SHA512
16ab78a389b93aba1166814a32fa8576e7776e1de15b22f5a108db3a7228e39d1a470eaddc1e22503585893e8dc0590f3b1dfafffbbc7218bf550871defd7148

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\prefs-1.js

Filesize
6KB

MD5
4060a03434ef612c2adcc25572acda9c

SHA1
fd93c1d5d5ebcf96b6c25ebe385a50983c67f658

SHA256
490546beb8725154353c2c1581c0da12a0c5091102fac8c778b72c61fd77e78a

SHA512
7314365f7c90d0a4233347985b7701cd232d9b59960b138b57aaa33116cb2021f342f44f59b72ebfbc05740e3a72e0e2a821f88289c46527c1b075b673e20ac2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\prefs.js

Filesize
6KB

MD5
d731392b9036f9ab25b88cf941af06bb

SHA1
b7c52ae899ac92833085b12a3254541bf6182b91

SHA256
997b7af2d985acc3b91ae40c5868616377c21832ade973effee680a6523d7049

SHA512
a7caa6f23fb295d6499854a7f20c6bd8d09f225ee9d90e8d6768b167350ddcaee332a60149a061420397a43035c497bfa21bb9592683353d730fc6908fbb360b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
5faea0026f3fa8d0cbffd8a41a1080da

SHA1
e417e2c310f6bbaa414f2d769a9237fc3a9da45b

SHA256
921ad76123db08df4ceeb2e3b1c8695f87dd883aa29d80ad7c494d02503e0c9f

SHA512
53fd191c4a918dbe3e5f6e6c612f498d14a89a7a5e5c0ed3bfa8126fc9e8495dbbb2526225e3f6c14e8d0196778cb834f7a94593255f1191aee4b9af6c9ee161

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
4b187cd97e9c4827fbb4306276444216

SHA1
35352694472efa275d172eb63ffe8df937f3c485

SHA256
153c5daf63e2ef61b70fe69969eddac0d911a5bb5e5ba8049eb41172d90a769c

SHA512
ec9b5f181909fa654f7e760eac71eee9b80bb708ac69894649603c95ecebb8035a4e4035cc9e8908aa3c1ea42c4e036491df65541787d82911c6d3b8a20f74bd

Download Submit
memory/2600-22-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2600-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2600-1242-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5088-1241-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/5088-1229-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/5088-50-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/5088-5-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/5728-1358-0x00000203077A0000-0x00000203077A1000-memory.dmp

Filesize
4KB

Download
memory/5728-1352-0x00000203077A0000-0x00000203077A1000-memory.dmp

Filesize
4KB

Download
memory/5728-1353-0x00000203077A0000-0x00000203077A1000-memory.dmp

Filesize
4KB

Download
memory/5728-1351-0x00000203077A0000-0x00000203077A1000-memory.dmp

Filesize
4KB

Download
memory/5728-1359-0x00000203077A0000-0x00000203077A1000-memory.dmp

Filesize
4KB

Download
memory/5728-1360-0x00000203077A0000-0x00000203077A1000-memory.dmp

Filesize
4KB

Download
memory/5728-1362-0x00000203077A0000-0x00000203077A1000-memory.dmp

Filesize
4KB

Download
memory/5728-1363-0x00000203077A0000-0x00000203077A1000-memory.dmp

Filesize
4KB

Download
memory/5728-1361-0x00000203077A0000-0x00000203077A1000-memory.dmp

Filesize
4KB

Download
memory/5728-1357-0x00000203077A0000-0x00000203077A1000-memory.dmp

Filesize
4KB

Download