Analysis
-
max time kernel
132s -
max time network
135s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
19-04-2024 17:55
Errors
General
-
Target
FA Installer.bat
-
Size
42KB
-
MD5
ac48f9875234a4e5649d152672903198
-
SHA1
6795362296194a79770a385a1a81efa89c6fe203
-
SHA256
e5f0efdb833e0b8ec06d88d13039ac9ab2b46a70a26a6c9c07868a79b8f11f62
-
SHA512
b5a8cf484eca8afde45a78b6768970a3ccd9f4731f4f9a227ac22e02cb3c9c158c8221c136fef191ce9967b2b4bc8c7f4aa6a4310e04dc5e3e5b8b7fc712df44
-
SSDEEP
768:lnwnjP9zogqnrT9AHuhUcKhnuxGTBmF5p8yJVS5LTf+iA0:FI89nf9tUc+nuxGIFwyKhTf+r0
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 12 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 2 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SendNotifyMessage 5 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\FA Installer.bat"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAinfo4.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAinfo3.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAinfo2.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAinfo1.vbs"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\FA_Antivira\FAshortcutinstallerdesktop.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\Admin\Desktop\FA Security.lnk');$s.TargetPath='C:\FA_Antivira\Fabi_Antivira_Securety.bat';$s.Save()"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAwlc.vbs"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 602⤵
- Delays execution with timeout.exe
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2076.0.2136104722\493456919" -parentBuildID 20221007134813 -prefsHandle 1752 -prefMapHandle 1744 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {823e8786-318c-499a-a454-040db3466941} 2076 "\\.\pipe\gecko-crash-server-pipe.2076" 1828 192fe6d5e58 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2076.1.1980990462\303096153" -parentBuildID 20221007134813 -prefsHandle 2172 -prefMapHandle 2168 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2c068c7-3f2d-4c63-936f-cd598da54730} 2076 "\\.\pipe\gecko-crash-server-pipe.2076" 2184 192f7f72e58 socket3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2076.2.1498866240\890768151" -childID 1 -isForBrowser -prefsHandle 2888 -prefMapHandle 2916 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a29694ff-7b13-4fef-bb81-37f25e78dd86} 2076 "\\.\pipe\gecko-crash-server-pipe.2076" 3056 192fe65bb58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2076.3.62178826\1016935130" -childID 2 -isForBrowser -prefsHandle 3604 -prefMapHandle 3600 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6c5defc-d232-4876-b527-9518e625f4e1} 2076 "\\.\pipe\gecko-crash-server-pipe.2076" 3616 1928577ae58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2076.4.1169277305\858543024" -childID 3 -isForBrowser -prefsHandle 4064 -prefMapHandle 4060 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e3fcc12-01c6-439e-a73a-fa69b0378832} 2076 "\\.\pipe\gecko-crash-server-pipe.2076" 4076 19288aeae58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2076.5.1721403800\1634506006" -childID 4 -isForBrowser -prefsHandle 4844 -prefMapHandle 4764 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea5557bf-c94c-4f4e-a546-30e50d84dbe4} 2076 "\\.\pipe\gecko-crash-server-pipe.2076" 4856 19288aea858 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2076.6.1047578941\968924436" -childID 5 -isForBrowser -prefsHandle 5004 -prefMapHandle 5008 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e99eaf8-a6ff-4eee-a8f6-2860fdfe8f43} 2076 "\\.\pipe\gecko-crash-server-pipe.2076" 4996 192895e5158 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2076.7.1900833644\528484141" -childID 6 -isForBrowser -prefsHandle 5192 -prefMapHandle 5196 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9593f7a-a88c-4cee-bbc4-4b222f5f5f7f} 2076 "\\.\pipe\gecko-crash-server-pipe.2076" 5184 192895e6358 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2076.8.851461445\771204421" -childID 7 -isForBrowser -prefsHandle 2732 -prefMapHandle 2720 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {64847e74-74ca-468c-abb3-01891d8619b2} 2076 "\\.\pipe\gecko-crash-server-pipe.2076" 2660 19288ca3e58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2076.9.637401692\1725177120" -childID 8 -isForBrowser -prefsHandle 2652 -prefMapHandle 4880 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1b68e49-ca43-4979-852e-672dd71e9713} 2076 "\\.\pipe\gecko-crash-server-pipe.2076" 4292 19288aea858 tab3⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\PowerPoint.exe"C:\Users\Admin\Desktop\PowerPoint.exe"1⤵
- Writes to the Master Boot Record (MBR)
-
C:\Users\Admin\AppData\Local\Temp\sys3.exeC:\Users\Admin\AppData\Local\Temp\\sys3.exe2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3aed855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\FA_Antivira\FAinfo1.vbsFilesize
84B
MD5fad7cd2a49837444cde4548abdf478b6
SHA1376a4ff6acc6ca44f2b660286633c5a31eddd764
SHA2569c08b7d014ab766305e4525478bf8a1bc2f8cbe4f04aedf38f7daa0660ba3cda
SHA512287223fdf6ec6347c37b51fc7913ab8931d1fe87c03fae93e1cf8bcacf1b4a2dc13605b08506a0299e5536fac5b02fc15ab387781b5b16873ea3c686daa81cc5
-
C:\FA_Antivira\FAinfo2.vbsFilesize
87B
MD55a1fc5e5db483c5926a50ee931581cd9
SHA1419644277a92e109d4ce6739a0d5e2d0ba8f2d42
SHA2560f79e391fe889e01a6ef37619023af6672e98f1551753a10021efda8dee607ab
SHA5120351928a53a5586c560e8155d99eb1838c873cbc2b554ae25c6be1433cdae41cea7508b60c016e23e0d2687d99bcc96066bc72f15c1ffb922f348f81e044c240
-
C:\FA_Antivira\FAinfo3.vbsFilesize
71B
MD5a61c87927d31edff281df2818dde924d
SHA1f076867cb0411e0c584f2f9052d4c1e550cd53b7
SHA2569220b169c1f0179caa92218990b05bc48cf75c9c36d4e45dd1c2b5f973910517
SHA512ce5c730e3dea3c9b1a565b02925ca95ee0c50abfe15a5a8a43c21b4cb7daedd1b582ebf264dba5d7dc3fad98e1014e0557a810baa111e83596ecd22fde8fc970
-
C:\FA_Antivira\FAinfo4.vbsFilesize
97B
MD5d912098669bc85cc04cccf0248617120
SHA1a817741d0ce4427cf0a0fceb7ba483972789fc60
SHA256e044130f2e60f76a963f3e903af9d077f0ff1a8437d1c7d52ff42345e7e28422
SHA512578127a4aedf65bb415602b08c16c29724a874b35a40dce0e116b4bf6daf513e8a511f3aed2cee8756efd45ee9245a34381433abbef91ab3908859f47f013a48
-
C:\FA_Antivira\FAshortcutinstallerdesktop.batFilesize
579B
MD543ac0b308354a69a243ade90d4710a48
SHA1eb13fd963da445a000a2bde81254a6165fb35ede
SHA256a66196a3237ebee214521d8a60c9747137c2abd928dd3123663ce6bf5b760bc7
SHA512e5a8f9934c72492bb7631140a6bedb0d114f8dbc9b4c1a7cf80976216db0e9acba411cf0841bfee988a3eee2639a0596919a51c6eaeced3ab1a62de2abe96ab0
-
C:\FA_Antivira\FAwlc.vbsFilesize
37B
MD58af233a3816f2564fe1dd935a228eed5
SHA1e135f58494c4aa12e4c3fc1c6a5645716bac5384
SHA2569c30303185a1337fa4f8b22c5cf93bfa40b5f437bc82abd168c4aa0a85889ec0
SHA5122fce3e661e3d677848817d80567fdff464bc5c12badf3ff454576252facd49b159bd00e8da6ed96fc9748ca0c8b9d24d64a35651c29de1daaf2cc718fdbff8c2
-
C:\FA_Antivira\Fabi_Antivira_Securety.batFilesize
273B
MD5c67e9bfe1056431c086554c2206401a3
SHA17d7b11a79233fdc2c5b8dcd0e9edf5a028324453
SHA256d7b9799fdfefc9e083dc43cf74e7f8019a5f1e74c68e30ad54fdd208383cb2c4
SHA512e38c705f3cbdddc0b437459d1e9ce3b37e421da2d137f091ecd399eeed07b2d491abc39ea420546f2b68c6a6266ae99ee75ca3be656ddd5496513d7643be8b3d
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_esmecadp.sos.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Local\Temp\sys3.exeFilesize
136KB
MD570108103a53123201ceb2e921fcfe83c
SHA1c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3
SHA2569c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d
SHA512996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b
-
C:\Users\Admin\AppData\Local\Temp\systm.txtFilesize
37B
MD530ca469928087c938ae57c78ab3c16fd
SHA1460b3ba902e9fefc3653d0857864d1e405a00ed4
SHA256843a92a3ca4f5ef30f345cf403c5caa22a1e49a598b11c5080feba9f52daf7a0
SHA51282daee0f611eadc20c9759cddebfb60a0c6b20cb986286ae5fe8d06b1102a2e8a3ecaf3383cadd0bab7439bf544147f540f4c06c98475784f8d52e4f6f362c57
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\db\data.safe.binFilesize
2KB
MD539d0aca66df66e15cad3a1d641ee8d41
SHA12434660ea74876b0433edd19b1c7c9e2ecf71756
SHA2566ac8a3f19e947cb1dccd114238b99d5705c45487d7f12058edd01f60e88d2b9a
SHA512236945b70f915706f4b9c4310e420a6bbd9c7863bbfdc1f54a37c5c4a7fc8f7b3b212bbb5a79a2ad605ac88361147dda583f06fda3caa2d5ec087a50b1e66fcd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\1ee7b666-9ca5-4222-b1ae-0e1b9da77467Filesize
9KB
MD538bfff6e071c5d761f2f3de455b4d4bd
SHA10451f9eae862dbe85036878acbff6f7da0e9d9e6
SHA25633ec65b7e123fc0faaf5f32dd288f52a6dc6344db81e0956580cc20b69964e2a
SHA5126f5ff7e849d8c7f843e69d5662537f0b64273c2f3222eb200ed5672eed850a0f9ced1d5c251aa1e3919a1021cd22fdc2432e05c0f75f5cdf0fed4c01ebabb13e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\41149c8f-d8f2-4bfa-9d97-4674fb8b08ffFilesize
746B
MD5ed3f121f4ca4de99cb4763d618be066f
SHA12a1c44c0b8200c63c87523aa45ac9c8ce46fabd1
SHA256897ba30e0ebbe6865aaab920d8374ce9e31efe932cf2907582667aa187d2300e
SHA5124e03a0edf34d62777c1d902940ad7b0868bffb19c656918b4f30f008539ad71091529981f9ec2d2978c10ed77eabcee84d5bd29674ea68b0326005857df77194
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.jsFilesize
6KB
MD55d7475315492591b1f65db625927c91b
SHA1c80691852b8ba6768e2ec8e6fa2f5104bf134517
SHA256cb504b64d1b8434069cdd69bed426df7dd3b9bb2e552dddfd89685b510ebf49d
SHA5123a03367059fda18a14cb7a05edcc2cd16f20ec7d7f30eb5fb3ae64dada332f45e85ecbef817ae81bbe3d3848dacdb0105afd31eebb62523dbb2719a19d69c0f4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.jsFilesize
6KB
MD53cae3e936242a54a7c696936e20fb6fe
SHA18f73fa877e6f2fb2ee46e28d268e723f49514740
SHA256567d4a6425fac1e6c775e533893696cd5e804cfb50d301e7cf59e87f4877cc20
SHA512da0ab98831cda6e1cbc2a93c0054a9792fa58f3d6ebcc6d116085de753a7117307754f682fcfef90cd28bb5ccab3d62d4ff5e9590ab6e2243c8ef4ab6b9bb22b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.jsFilesize
6KB
MD56e212d6e8e99170ad3907149a7dfef77
SHA1b0351fa8faaec1f564c5d0dfe7b43d1c6f70678e
SHA256aec19d2945fac1eebc3630d16e50a9ded5d78d70d902085abdafe580f500f2e4
SHA5125b1e1884e924b8e6ad85e3d6f28389183bd4395c51d17783205ec8cc16eacfa8c2d87824f3788f78b818cdaf5628aff61738ddc31f5bf2efd55fb02187794665
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs.jsFilesize
6KB
MD5899842285977ed800333b85015a547ac
SHA1d8b7a99861ad1b1b803217f65bcb497516529232
SHA256d7c979c324d3c190599e3549269f22d1da33309d0b8861c564327d0ee6c534e0
SHA5126a097270dfefe876556a84fd00ace24f5fe4a70da49d2ab73bc2e98cc3caf0e1df93eedb24fceaa5b20ac99bd09dab2b15516baf3ae09c1d44781900766293e1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionCheckpoints.json.tmpFilesize
259B
MD5700fe59d2eb10b8cd28525fcc46bc0cc
SHA1339badf0e1eba5332bff317d7cf8a41d5860390d
SHA2564f5d849bdf4a5eeeb5da8836589e064e31c8e94129d4e55b1c69a6f98fb9f9ea
SHA5123fa1b3fd4277d5900140e013b1035cb4c72065afcc6b6a8595b43101cfe7d09e75554a877e4a01bb80b0d7a58cdcfe553c4a9ef308c5695c5e77cb0ea99bada4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4Filesize
4KB
MD5faf75f8d05d7bb552470a57d0be0bdff
SHA16f0f593a5e5a6b1accf3e24d06d0c3096fba0169
SHA2565e642a0f1430ddb07b0c218e8576d148a7000418771644b1e9f829796c25b03f
SHA512e4e7970e79a847a40ab85d5e1538341e0de291ef48efcd948be85818412a2ee7e41cd9be86dfc0caec068f6b0400980a51bf4b8160df4ebf4504ed73dca1acf3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4Filesize
3KB
MD58dceac46f619dd80ed1c9b8a023cc306
SHA161c6ccd37038f3eb98d698e673f2e8f247631caa
SHA256e583538b95da0ffe17a4b92f63ea7a9824f1e0e86dd385cefd343e55bb514466
SHA512aae0917a741685630ee0fc88129e0c8e3b497b494c4762a9388ac128e9d10e9644c7ea1e0d7f42993cc1a2dfa65fcf534ac52d0a83745338e28ee81bcaa719ed
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4Filesize
4KB
MD57fb5a9096fb545fe3330de0a8f0a9a7c
SHA1ac7987f31bf2e78aa96245d93b9a8b9a4ccf123b
SHA256a484d30a03aa5f5dbe134e775cdbb22948e94320162c7240066fb0e3f6fb23e3
SHA5128be811e24eeec8f59d00ed06a879f1ea8a43d068a39528bda48e227a004d44ee41faf291ddc2eadb88ed61a84a9ba9fe0250c2ebd57146895790e202e673fa79
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4Filesize
4KB
MD527957e8fa9fa1af17b5b7e404136dcf2
SHA14c0b80221414022b73307a3a29e788637ec26dc7
SHA256d036a8aa7c635eb8c9254ab52518116d7d66de01ae4d3cc2ddd9dcd23900d9e3
SHA51229ca1c87d01f1b3d6221a17b844601e81b9f53bcc3ea00921a4ab8af97cd0b7d3cb00eb59d0817004e1e61a835ee08cd18e8cb4db80ffe7ec1cbd9fcf2c4f419
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4Filesize
3KB
MD506e4e6956e0cbbf3aa87a7af11dc339e
SHA1cb26c92b11bd8c9c3b1752ae528f9c6b98868329
SHA256ee554a862d9a0cd6bdb2ae6a7d1289f5ec8821e6b15c105330d15e8aeb21e90c
SHA51218e9a704805db9c95ae2025b0ada480d092c4f767557504bb604d1cc4605fe06d5e909a6adeb2bb81bc78d6cf003d0b01bb09cdd48f309865b6d9a3b44cbc969
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore.jsonlz4Filesize
4KB
MD559e51ec6b7823d792f6716c9ef5d165d
SHA1ecefb841c2769e78ca799faa04d66d4987b1b075
SHA256810d47ccee49b02854219652e0ace74936453e1db642e1ea5a25c9e7fceeedc8
SHA51252c5788d2f9c2805dd1c99c35853e4ae148fc9c19b2f718f9a12885c3fed92923a25d3ad69d73adbcda930023fa63a899452065d0bc7a102662e35a65697a85e
-
C:\Users\Admin\Downloads\PowerPoint.g_xgB69o.zip.partFilesize
17KB
MD53b497111cd676ca57883b84570f06ac8
SHA1f5a2a0d6edd5d2c196f016b610bd3eaa805f8a35
SHA256ee6cbf35d3f19a84c7f530ce4cac63464d3e7613e131cf6f27a331972d0407cb
SHA512302a166b1b154694b681d2840e8ffe2bb38fc020d9ddd9cfbd690ed8b0f854e16527a34d9e6c2c42fc1c31253d495785789c98fe2167409d1846f2bef07e8b54
-
memory/592-547-0x000000002AA00000-0x000000002AA24000-memory.dmpFilesize
144KB
-
memory/592-555-0x000000002AA00000-0x000000002AA24000-memory.dmpFilesize
144KB
-
memory/1064-553-0x000000002AA00000-0x000000002AA24000-memory.dmpFilesize
144KB
-
memory/1724-99-0x00007FFBF4EC0000-0x00007FFBF58AC000-memory.dmpFilesize
9.9MB
-
memory/1724-95-0x0000021244290000-0x00000212442A0000-memory.dmpFilesize
64KB
-
memory/1724-78-0x000002125C950000-0x000002125C9C6000-memory.dmpFilesize
472KB
-
memory/1724-75-0x0000021244290000-0x00000212442A0000-memory.dmpFilesize
64KB
-
memory/1724-74-0x00007FFBF4EC0000-0x00007FFBF58AC000-memory.dmpFilesize
9.9MB
-
memory/1724-73-0x000002125C7A0000-0x000002125C7C2000-memory.dmpFilesize
136KB