xehook | 054a9202452171a072912fa08498330319e6a27b4510e344c73721413896504d

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2024 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

build.exe
Size

148KB
MD5

13cc6e125c5d23fa2e6ee3159abede95
SHA1

3ebc3644fb453dbf330e6880fb793e10f5cd34a4
SHA256

054a9202452171a072912fa08498330319e6a27b4510e344c73721413896504d
SHA512

b35b0335960ac240dbbdb92f8456abea09ea063b7233b4de15caa99fd7194c7a588bc70663a394127608b10b3f26f99f91c9ddac4fef526cc3bd62e60eda436d
SSDEEP

3072:1euUEEhq+IB+NFzat1Hen5NoBwA/I1qab/n:fG4+w+NFa+3oBwA/I1qa

Score

10^/10

xehook spyware stealer

Malware Config

Signatures

Detect Xehook Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3940-0-0x0000000000E80000-0x0000000000EAC000-memory.dmp	xehook

Xehook stealer
Xehook is an infostealer written in C#.
stealer xehook
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
132	yandex.com
127	yandex.com
130	yandex.com
131	yandex.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ip-api.com

Checks processor information in registry 2 TTPs 13 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3940	build.exe
Token: SeDebugPrivilege	848	firefox.exe
Token: SeDebugPrivilege	848	firefox.exe
Token: SeDebugPrivilege	6044	firefox.exe
Token: SeDebugPrivilege	6044	firefox.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
848	firefox.exe
848	firefox.exe
848	firefox.exe
848	firefox.exe
848	firefox.exe
6044	firefox.exe
6044	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
848	firefox.exe
848	firefox.exe
848	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
848	firefox.exe
6044	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3772 wrote to memory of 848	3772	firefox.exe	110
PID 3772 wrote to memory of 848	3772	firefox.exe	110
PID 3772 wrote to memory of 848	3772	firefox.exe	110
PID 3772 wrote to memory of 848	3772	firefox.exe	110
PID 3772 wrote to memory of 848	3772	firefox.exe	110
PID 3772 wrote to memory of 848	3772	firefox.exe	110
PID 3772 wrote to memory of 848	3772	firefox.exe	110
PID 3772 wrote to memory of 848	3772	firefox.exe	110
PID 3772 wrote to memory of 848	3772	firefox.exe	110
PID 3772 wrote to memory of 848	3772	firefox.exe	110
PID 3772 wrote to memory of 848	3772	firefox.exe	110
PID 848 wrote to memory of 1144	848	firefox.exe	111
PID 848 wrote to memory of 1144	848	firefox.exe	111
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 3660	848	firefox.exe	112
PID 848 wrote to memory of 1292	848	firefox.exe	113
PID 848 wrote to memory of 1292	848	firefox.exe	113
PID 848 wrote to memory of 1292	848	firefox.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3772
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="848.0.388720334\219460634" -parentBuildID 20221007134813 -prefsHandle 1844 -prefMapHandle 1836 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6691b101-8027-4379-a388-8cbfd6739b37} 848 "\\.\pipe\gecko-crash-server-pipe.848" 1960 164fe9ef258 gpu
    3⤵
    PID:1144
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="848.1.1382565511\1489622028" -parentBuildID 20221007134813 -prefsHandle 2348 -prefMapHandle 2344 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe41ee0b-f7be-44e8-a156-24250ff033c3} 848 "\\.\pipe\gecko-crash-server-pipe.848" 2376 164fe7f1258 socket
    3⤵
    - Checks processor information in registry
    PID:3660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="848.2.1282190843\391028829" -childID 1 -isForBrowser -prefsHandle 2944 -prefMapHandle 2948 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1140 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82ffdd8a-efe9-4021-abf8-4326a2c959ce} 848 "\\.\pipe\gecko-crash-server-pipe.848" 3284 1648a3bd158 tab
    3⤵
    PID:1292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="848.3.11590271\605208395" -childID 2 -isForBrowser -prefsHandle 1036 -prefMapHandle 1004 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1140 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9239d03d-3076-469b-bee4-912d0da7c818} 848 "\\.\pipe\gecko-crash-server-pipe.848" 3592 16488dd6e58 tab
    3⤵
    PID:4452
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="848.4.511499982\1989856818" -childID 3 -isForBrowser -prefsHandle 1036 -prefMapHandle 1004 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1140 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e790a057-6ffe-4b51-8241-f44834958349} 848 "\\.\pipe\gecko-crash-server-pipe.848" 3816 1648b6dee58 tab
    3⤵
    PID:2676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="848.5.1593222473\1295751191" -childID 4 -isForBrowser -prefsHandle 5032 -prefMapHandle 5028 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1140 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b41ecfc6-2eff-4fa0-9aeb-c5d2ee74671d} 848 "\\.\pipe\gecko-crash-server-pipe.848" 5040 1648b6df758 tab
    3⤵
    PID:3708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="848.6.768337292\207905425" -childID 5 -isForBrowser -prefsHandle 5172 -prefMapHandle 5176 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1140 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f486101b-81ec-4f10-a38a-36c2a5b26f4a} 848 "\\.\pipe\gecko-crash-server-pipe.848" 5164 1648c771f58 tab
    3⤵
    PID:4300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="848.7.1113024850\616865620" -childID 6 -isForBrowser -prefsHandle 5364 -prefMapHandle 5368 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1140 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c8f776b-10ad-42c0-a91c-dec63a27a2ac} 848 "\\.\pipe\gecko-crash-server-pipe.848" 5356 1648c772858 tab
    3⤵
    PID:3096

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:6024
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:6044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6044.0.460762210\224521236" -parentBuildID 20221007134813 -prefsHandle 1656 -prefMapHandle 1648 -prefsLen 20749 -prefMapSize 233480 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0578d9c5-fd35-4fbf-b478-a97997d3f44e} 6044 "\\.\pipe\gecko-crash-server-pipe.6044" 1756 23a004fdb58 gpu
    3⤵
    PID:5352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6044.1.1708947184\1943562500" -parentBuildID 20221007134813 -prefsHandle 2188 -prefMapHandle 2184 -prefsLen 20749 -prefMapSize 233480 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {327d2aad-ff8b-4a32-8347-5be4406fa5b8} 6044 "\\.\pipe\gecko-crash-server-pipe.6044" 2200 23a73ddb858 socket
    3⤵
    PID:1988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6044.2.752569040\555625162" -childID 1 -isForBrowser -prefsHandle 3352 -prefMapHandle 3188 -prefsLen 21145 -prefMapSize 233480 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60b935ac-c70e-4ade-a551-c1fce00cdaa1} 6044 "\\.\pipe\gecko-crash-server-pipe.6044" 3372 23a0429b858 tab
    3⤵
    PID:5696
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6044.3.742489917\1066497174" -childID 2 -isForBrowser -prefsHandle 3652 -prefMapHandle 3648 -prefsLen 26388 -prefMapSize 233480 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {032aed66-9986-4663-b038-d192f76c133b} 6044 "\\.\pipe\gecko-crash-server-pipe.6044" 3664 23a053e4358 tab
    3⤵
    PID:3760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6044.4.2062093371\27036857" -childID 3 -isForBrowser -prefsHandle 2456 -prefMapHandle 4284 -prefsLen 26447 -prefMapSize 233480 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af807161-7a49-44cd-99d9-9040b13160fe} 6044 "\\.\pipe\gecko-crash-server-pipe.6044" 4332 23a055a6158 tab
    3⤵
    PID:5252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6044.5.1494841248\581268105" -childID 4 -isForBrowser -prefsHandle 5100 -prefMapHandle 5096 -prefsLen 26447 -prefMapSize 233480 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d00a3b2a-e171-4470-91db-a466e5ac1f4c} 6044 "\\.\pipe\gecko-crash-server-pipe.6044" 5112 23a06baab58 tab
    3⤵
    PID:1184
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6044.6.1806987542\210507800" -childID 5 -isForBrowser -prefsHandle 5236 -prefMapHandle 5240 -prefsLen 26447 -prefMapSize 233480 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef29a123-2854-412d-a108-eed5f3a691da} 6044 "\\.\pipe\gecko-crash-server-pipe.6044" 5228 23a06bac058 tab
    3⤵
    PID:3660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6044.7.825810714\1280236782" -childID 6 -isForBrowser -prefsHandle 5428 -prefMapHandle 5432 -prefsLen 26447 -prefMapSize 233480 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {111b51d7-64cf-4c8a-ac85-ec1c3514d235} 6044 "\\.\pipe\gecko-crash-server-pipe.6044" 5420 23a07713558 tab
    3⤵
    PID:4860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6044.8.1532984848\121121621" -childID 7 -isForBrowser -prefsHandle 5956 -prefMapHandle 5968 -prefsLen 26701 -prefMapSize 233480 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23d57210-2dac-4948-9467-8fe425d5dd3f} 6044 "\\.\pipe\gecko-crash-server-pipe.6044" 5916 23a02d66458 tab
    3⤵
    PID:528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6044.9.550126216\786215717" -childID 8 -isForBrowser -prefsHandle 4892 -prefMapHandle 4900 -prefsLen 26701 -prefMapSize 233480 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {66310d80-2d22-4f01-851c-8842894fff7d} 6044 "\\.\pipe\gecko-crash-server-pipe.6044" 3620 23a73d2e158 tab
    3⤵
    PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495

Filesize
9KB

MD5
0aa84cc48a679b637e4fb08aaedf4706

SHA1
ecb3ba38f59dd8c596ce62cb1006c900343f99cc

SHA256
980a6490abb9414135320170df8e530379a3cdded8b62594640e7225762088c0

SHA512
057a169835407c20db417954a7acfb28497528daedf28d564835e8be4b4a3f212cf1ce6c846860e87c9786316c258402c46fde5202e2c77d5503a714903793f7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
9KB

MD5
9dfc8083d4a6a9af79ea997ef8f4763d

SHA1
73e4da30b34c23b26d22bf1e80c794ed3716e15f

SHA256
47ed2e7803734b4323c0ea852faa656ae4d2c2a836ffaffdc3ca3c069a146157

SHA512
53acbe3d77b3bebef55cc1c93540cdda09934ce848f54fdffbbd20487f5390d443ff088b481debc0ba4c7314c232e4dd9ef895b822f18ae7c09e6f534d2cd94c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\cache2\entries\E66F5AA5E3C285C270CF84BD11111C74D38F245C

Filesize
13KB

MD5
955e7d221a037b090465a38dca3d7adc

SHA1
4020e51c826cab4babcfc50aba6615d7568beb25

SHA256
03499b3f440152253c7f6f1a0a495d9a516e8e5ee7d90c58a7404a1dacce8874

SHA512
5b7471d34483837b7dc3c6e35ed49af97ae15120b29828110e5814f90647c642eeba20c4f8cf854a0c3c74f1845758004278ea05bd33b3ecb6141082e292e29e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\startupCache\scriptCache-child.bin

Filesize
510KB

MD5
3fbee38e3fd32c6e703319a34128693e

SHA1
4b7af3fe1a16b4c80add7eaba47361fc3b5cf032

SHA256
8307c11e081ab4d0c7187cdc37a0a6c8a6676e2a3efd9b2083943b15b29af261

SHA512
a7376f2cdeb046ab2bbe84d1b420958796696dcbfc53c9daedeea606204c240917be1b17d910e5a91b7d32627513085ad4f69eb41e8c919feea9615a7176b77a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\startupCache\urlCache.bin

Filesize
2KB

MD5
489f93c67526b9910e40caec3d5e1b2e

SHA1
cc66fb373bf388e028590585c1868123526f883b

SHA256
de7f6fed50f25d209b8d657457a8b6e33691b75e88880575232c4675f520fc3c

SHA512
c6db0bc14a43cc2a768cbc801a4040fc73fcc4e1f808c746cfe1b2d027819bc620c17c418ed13d753021e3b5c308c7c5d25edde9b69d7b77e3087940db39f418

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\SiteSecurityServiceState.txt

Filesize
324B

MD5
29653988e34f0a3d7fe8e56a56509113

SHA1
cd8afc557f911ef6d09a048beb453742f6dcd19f

SHA256
829d25323b4365e6a1fa00e53c3bee4f9158a4758fdd7411b991329f8e228991

SHA512
43d9ad6d34565e4f232e00db273ace37555a40a4f1584e18f55409517077258e101e13b680e1c728eb753ac24eb49726cbf9bfb0ffb7582fcd5435e759119a1c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\datareporting\glean\db\data.safe.bin

Filesize
4KB

MD5
a07871829c08a0f2db6b9226ed81a5bd

SHA1
d6e86e8c8c2aafbd4d825be9549fd1ab2f772051

SHA256
d8ed25fc1ac95960c12f13583be9bdb3491ed753fe0fac04553f4296f01ac2c7

SHA512
aabdabf438754806e6e4588f25c72bd079494315fb2b95df6cd5a908a92c811a2e1d1b9727d400c53efea97488ae747277a1086368a8005b959f8085f390646e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
28a737a81f959d6afa8dc421763d71a0

SHA1
1b5a1a97f016ea40c106de9ee6c72e47572d14d6

SHA256
eef8f946140398747e1eab5117060d925a7d1f029fa9b258ea0833baaa702288

SHA512
a0a8d6c367019b620c712c118b85e6901e3610ed0dacb0bb796f823aa0ed47ae6a7d676f6aa8496b9bd5ab046112f7c5f3cdf5bea150fd5cd03cce4fac5c701f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\datareporting\glean\pending_pings\0bd812e7-d2ee-4b57-a800-b06c2b131803

Filesize
746B

MD5
89bdda6e1a6d12da1180d3f8b6f00c87

SHA1
6d13dc7d62876fe24723c92d18967a5da5b85e3b

SHA256
da143583635431bf883540f5755753d2ab887f71f0203b331e4433fd57b6ca20

SHA512
b03a6187339a551bbeb411e714ec18a97362b0c38413e99914c5d8f4084dafb036ef886d937312fd3b93767d02eb127b96447d2d38de7666ca277d762c0362a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\datareporting\glean\pending_pings\7ef7b09c-46c3-4be5-82cb-d6e3a763ecf6

Filesize
10KB

MD5
4f6b4d906bd266a50a1ecced425a71ab

SHA1
6951244c21f9e29d0fc30abe1378f3fb4f417433

SHA256
7527a5422b7e1439cfa36fa7465c5f1d8a05e044238e72c2abd977183314e223

SHA512
0cf1b7a6826b4ce31afae29a0abcf7598b76ef7bc339cb2c82b9022e1ca4723dcd9ab84f17916b75d999966182729bf4517f97d76dbda748df4f5974f97fcd5e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\datareporting\glean\pending_pings\f025f477-1e58-4b22-99b7-e493582e98c1

Filesize
657B

MD5
0572b42b857b6814c49b327ab7e1fa12

SHA1
d02976ced8f8d5afbbc176bdabefcdd6000f67a8

SHA256
22029f5da7562479dc0c0299febb8c9a3aaee4e7ecd047e5935eda4dd485c812

SHA512
7b204fff9f789da4ef934cbbc17dafc14e2b3ef668063ee0738b5eb4a79412e64267ebe53a127da213f4c6ed80e1fb73c18fdd4ea9cf149948572307b6afd8ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\prefs-1.js

Filesize
6KB

MD5
1e17b90d54d4ea4098687fd3c6fffe69

SHA1
cedb1d42b672169812fde6f08d8d61cb9ec93758

SHA256
fae62038ea9bbfbe673a5716e4145823872431491734bc4217c392745370e033

SHA512
eb294c821abb4130c0beca45fcdb71e987606ee1463a74dccaf4109fe081dba251fcab9a9824fa104d32ca5ba69b3f4505cd5801f7210aa6d35a86288707677b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\prefs-1.js

Filesize
6KB

MD5
e17978e11a5fdee065658f37abcfedc2

SHA1
5daa41b53d300d68e9bda55333f23c02731bb6fb

SHA256
806d0fb9d0387ecfe32fe4523c637aed1e2dbd1ee72f1a9765ef10c243b6a560

SHA512
8bf6277c75d62fe15bbf01398aaf74fde4b35c81d7b0919f38441af006029dc7c0679ffc2e3d672aafa3110058966d1284ff2e1b483734b6b5907d3144452925

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\prefs.js

Filesize
6KB

MD5
545e0f642b8c06300ed61f18543431f1

SHA1
7107c9058cef8729026d8d7bb5d116bce5b01cdb

SHA256
af4baf427f0176c49bb1d612f566f1bf36d365d06c70e88029a5f7c5381903ca

SHA512
7f77d228bf4a9adb523a420bb2ebe7a7bc9549de1c0c9396dcce656d547ff2a83dca29766d7eea0b96e88ed0cfe0d90beddc06228af56a8e57d3b2e592604eda

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\protections.sqlite

Filesize
64KB

MD5
deeced8825e857ead7ba3784966be7be

SHA1
e72a09807d97d0aeb8baedd537f2489306e25490

SHA256
b9f022442a1506e592bf51284091a8a7fe17580b165d07e70c06fd6827343a54

SHA512
01d303232d6481af322137b44fef6c2a584f0643c48bab2836f9fe3193207015da7f7514fe338500ae4469651e3d9618293858ae507e722198a249257677099e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\sessionCheckpoints.json

Filesize
288B

MD5
948a7403e323297c6bb8a5c791b42866

SHA1
88a555717e8a4a33eccfb7d47a2a4aa31038f9c0

SHA256
2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e

SHA512
17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\sessionCheckpoints.json.tmp

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
991B

MD5
f60ab7195f8b796dc6a8de65ad83e0c1

SHA1
35daaa91c02ef2b577130fb206386bbc9da02566

SHA256
2b7f18de2b8ae7816e17c2b848dddd494e4625cd5e1dd62bb8edb2f8cb2ebb14

SHA512
2bb705cc8dd0721db8cd1b626d167ae413a849ead3421c1ce95dd746d7ac14a4df98f2084cebc450e5ba46dad9b70e92cd7e0725a3b91a4e2d14e9e91e76c5be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
6b90e9604ed22ae420a3baad287cc32f

SHA1
9b747aba4be3e33a48336ad023f54ed008cfbca2

SHA256
24e64815ad711dbd867066d18196dc6ed0cd999e99877f8178b3a1a946e67b03

SHA512
4f481745fdd2e068c7cce33b2440f1c2f701e0966f0b3a50b04ff13b4be4ca1b2800cd523b7670b772bd90bf4ce7b70bb7ae53b36dcd556139eab168ea816c81

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
6725a1f351225950d2f59cfdc7a36ef4

SHA1
21ac25b2954160a8d013db8705c7aa218834617e

SHA256
618334f567e14dad615a386fed1fd70b079702dccde3fb34edf4334bdad19304

SHA512
8d0687a589aea04ea395e56a8292304fc4211bd8b4072f36ed2364bcdacfb00bd20ddb396a4015009f7936639e32d5739e38c8206a2a666bcf7a4dd34369135e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\sessionstore.jsonlz4

Filesize
898B

MD5
b42e5ad41d30c3e9c8e4b7815ae67009

SHA1
172bfd6e8c8f94e11d45b80b87a82c7dfd3dc9e8

SHA256
58cbff7d9fc342f12e681b827273e3c7110bb4f0b1e1b5c2ce59e60eb2f25240

SHA512
4fe7122d04de72438e6a743834e1065843990bcc3dc4b3d623f3f2f6c3083077bc1351308d2f40bbe30555204521678e1659a2b7a7c1edcca606c01827fa15db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite

Filesize
48KB

MD5
5e991c55a3e285f7df8ce36b78cc3fbe

SHA1
988916166e88637691a5a8dc299b2ffe5ce421aa

SHA256
7d0bfe14046e02750d6f0fcacfddab93f432e3ef1cd27583bd7e1ee368d15e4b

SHA512
eb26e84ae508f65d44cd2528ff7343e6537d4b43b7e3b37444027a0873c12dcb78a84b143f3e7470987f1a68d4d23c60235f0e721cd6c5b61f19d64034ca51f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
176KB

MD5
79c26abf87c39b7caf1d662c67843a1a

SHA1
cc14d725a732a898cd372f616b671cbb1512201a

SHA256
66b42e782077d58647087a4c7f2a2039ebdbef1a35b26a2e78c527bb63bdc2c2

SHA512
d080e9f00ef65eec9f9a345e0579f89355ff479bb21a5ecc58cf485e9c5eff773930086dac70525b1a4591291fbf90919be7f3d49b0dd9ac2516c4fd8e184b89

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\xulstore.json

Filesize
218B

MD5
ef607552e2d9c2f8b70e4d05434da0fa

SHA1
4a6d0f80bfbbbbe3c4c048cbf5f805a1b58870a8

SHA256
73b00798fa61b3ec0e73998cd7c75d42dd43eaa7eece3dc20b781f5380adbd34

SHA512
2820eb00ce7360e8bcfec3f4f6d8f898c96a89ad2cdde3069556dc76c8040fc2f91c9317d9379fdc9bc97e10ebc4c0f347bbd06eabdf9c283bb3db0c6371c93f

Download Submit
memory/3940-0-0x0000000000E80000-0x0000000000EAC000-memory.dmp

Filesize
176KB

Download
memory/3940-3-0x000000001BB60000-0x000000001BB70000-memory.dmp

Filesize
64KB

Download
memory/3940-8-0x00007FFA2FBD0000-0x00007FFA30691000-memory.dmp

Filesize
10.8MB

Download
memory/3940-2-0x00007FFA2FBD0000-0x00007FFA30691000-memory.dmp

Filesize
10.8MB

Download
memory/3940-1-0x0000000002F20000-0x0000000002F3A000-memory.dmp

Filesize
104KB

Download