4b874ccf649ee4816f5ae6a5537fa35a90dfa4397b2c7f071b03c27fa48887d7

Analysis

max time kernel
114s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23/04/2024, 16:03

Sharing

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-23T16:05:58Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240412-en/instance_8-dirty.qcow2\"}"

Report Analysis Logs

General

Target

R263964.exe
Size

2.9MB
MD5

20fbe9b7c70a7f4c3c2f5b977a93b668
SHA1

84ff886645b372465bacca594c0b788bccf4407d
SHA256

4b874ccf649ee4816f5ae6a5537fa35a90dfa4397b2c7f071b03c27fa48887d7
SHA512

d93e3c5df17653ba156ed65863f6392ad8ea7e614a034c2c33f888a4b8027af8318c46e5a2794d91c3ca0b315300808bd62df76f1630add5a8968971e6d7a42b
SSDEEP

49152:cNzf41WhAJ9nqEwQfk4fP6ufebXUywiWS7IAv2+kdKG9pQCn9ss1:cNzEX/nqetDGX/St9D1

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3928	AV.EXE

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023767-515.dat	upx
behavioral1/memory/64-519-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/5544-559-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/64-560-0x0000000000530000-0x00000000005C3000-memory.dmp	upx
behavioral1/memory/64-543-0x0000000000530000-0x00000000005C3000-memory.dmp	upx
behavioral1/memory/64-539-0x0000000000530000-0x00000000005C3000-memory.dmp	upx
behavioral1/memory/64-524-0x0000000000530000-0x00000000005C3000-memory.dmp	upx
behavioral1/files/0x0007000000023766-512.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
325	raw.githubusercontent.com
251	camo.githubusercontent.com
253	camo.githubusercontent.com
254	camo.githubusercontent.com
261	camo.githubusercontent.com
321	raw.githubusercontent.com
323	raw.githubusercontent.com
324	raw.githubusercontent.com

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Ana.zip:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4756	firefox.exe
Token: SeDebugPrivilege	4756	firefox.exe
Token: SeDebugPrivilege	4756	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3740	R263964.exe
4756	firefox.exe
4756	firefox.exe
4756	firefox.exe
4756	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4756	firefox.exe
4756	firefox.exe
4756	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4756	firefox.exe
4756	firefox.exe
4756	firefox.exe
4756	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 4756	2764	firefox.exe	101
PID 2764 wrote to memory of 4756	2764	firefox.exe	101
PID 2764 wrote to memory of 4756	2764	firefox.exe	101
PID 2764 wrote to memory of 4756	2764	firefox.exe	101
PID 2764 wrote to memory of 4756	2764	firefox.exe	101
PID 2764 wrote to memory of 4756	2764	firefox.exe	101
PID 2764 wrote to memory of 4756	2764	firefox.exe	101
PID 2764 wrote to memory of 4756	2764	firefox.exe	101
PID 2764 wrote to memory of 4756	2764	firefox.exe	101
PID 2764 wrote to memory of 4756	2764	firefox.exe	101
PID 2764 wrote to memory of 4756	2764	firefox.exe	101
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 2548	4756	firefox.exe	102
PID 4756 wrote to memory of 3456	4756	firefox.exe	103
PID 4756 wrote to memory of 3456	4756	firefox.exe	103
PID 4756 wrote to memory of 3456	4756	firefox.exe	103
PID 4756 wrote to memory of 3456	4756	firefox.exe	103
PID 4756 wrote to memory of 3456	4756	firefox.exe	103
PID 4756 wrote to memory of 3456	4756	firefox.exe	103
PID 4756 wrote to memory of 3456	4756	firefox.exe	103
PID 4756 wrote to memory of 3456	4756	firefox.exe	103
PID 4756 wrote to memory of 3456	4756	firefox.exe	103
PID 4756 wrote to memory of 3456	4756	firefox.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\R263964.exe
"C:\Users\Admin\AppData\Local\Temp\R263964.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:3740

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4756.0.1324509253\2069218672" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5682512d-f7c3-43a2-bc98-6519905c0c50} 4756 "\\.\pipe\gecko-crash-server-pipe.4756" 1832 1b91d20a158 gpu
    3⤵
    PID:2548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4756.1.1291365791\1517831555" -parentBuildID 20230214051806 -prefsHandle 2392 -prefMapHandle 2380 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64618f5e-3ba4-41b1-9a69-d29706dc8c7d} 4756 "\\.\pipe\gecko-crash-server-pipe.4756" 2404 1b910489f58 socket
    3⤵
    PID:3456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4756.2.248190027\120103693" -childID 1 -isForBrowser -prefsHandle 2952 -prefMapHandle 2948 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85063064-7f0b-4280-b70e-f43cfa88bdf1} 4756 "\\.\pipe\gecko-crash-server-pipe.4756" 2964 1b920012258 tab
    3⤵
    PID:4968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4756.3.1612691232\1263727552" -childID 2 -isForBrowser -prefsHandle 4192 -prefMapHandle 4188 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99b19a66-238a-4252-a249-264573b8ed21} 4756 "\\.\pipe\gecko-crash-server-pipe.4756" 4204 1b922094a58 tab
    3⤵
    PID:1668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4756.4.1084914628\753084395" -childID 3 -isForBrowser -prefsHandle 4832 -prefMapHandle 4872 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bc8cabc-88da-424a-8a7e-d0938a4dc07d} 4756 "\\.\pipe\gecko-crash-server-pipe.4756" 5032 1b92244f158 tab
    3⤵
    PID:5124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4756.5.1620179527\968319289" -childID 4 -isForBrowser -prefsHandle 5176 -prefMapHandle 5180 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7edb56db-dacc-4ecf-8f1a-3b1793548790} 4756 "\\.\pipe\gecko-crash-server-pipe.4756" 5164 1b923c72f58 tab
    3⤵
    PID:5132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4756.6.1911475255\750311908" -childID 5 -isForBrowser -prefsHandle 5368 -prefMapHandle 5372 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4185a348-d0a2-46a0-ac29-279e151306f7} 4756 "\\.\pipe\gecko-crash-server-pipe.4756" 5356 1b923c71158 tab
    3⤵
    PID:5140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4756.7.9573029\2137290604" -childID 6 -isForBrowser -prefsHandle 5932 -prefMapHandle 5936 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a244522-e050-4793-afde-0096e15ba91c} 4756 "\\.\pipe\gecko-crash-server-pipe.4756" 5216 1b9260bc258 tab
    3⤵
    PID:5924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4756.8.566184041\674525954" -childID 7 -isForBrowser -prefsHandle 5140 -prefMapHandle 5708 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0859374f-f564-4623-8add-f2d961592ded} 4756 "\\.\pipe\gecko-crash-server-pipe.4756" 4816 1b91c559558 tab
    3⤵
    PID:5788

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5512

C:\Users\Admin\Downloads\[email protected]
"C:\Users\Admin\Downloads\[email protected]"
1⤵
PID:1688
- C:\Users\Admin\AppData\Local\Temp\AV.EXE
  "C:\Users\Admin\AppData\Local\Temp\AV.EXE"
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Users\Admin\AppData\Local\Temp\AV2.EXE
  "C:\Users\Admin\AppData\Local\Temp\AV2.EXE"
  2⤵
  PID:4176
- C:\Users\Admin\AppData\Local\Temp\DB.EXE
  "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
  2⤵
  PID:64
- - C:\Windows\SysWOW64\cmd.exe
    /c C:\Users\Admin\AppData\Local\Temp\~unins2031.bat "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
    3⤵
    PID:6080
- C:\Users\Admin\AppData\Local\Temp\EN.EXE
  "C:\Users\Admin\AppData\Local\Temp\EN.EXE"
  2⤵
  PID:5544
- C:\Users\Admin\AppData\Local\Temp\SB.EXE
  "C:\Users\Admin\AppData\Local\Temp\SB.EXE"
  2⤵
  PID:5296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
b429d717c3550d53be415e4043f76455

SHA1
12d58fa704df9b86b84a086022787864374eed01

SHA256
f1b2c6a5e1a0aef95cfd9b1d6f56e8cf606b5d0cd9f561bd046920ee535dbc2a

SHA512
ed8df95d9080042ceafcde0da6dac8a45fe8bce9cb4b8ef096ecfc043cc8650b737284be1ded7e49085f2749859437e99aa4587b81889171f61260016ad8b232

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\cache2\doomed\22735

Filesize
15KB

MD5
8c28bfa7fd0e6823ccdb110e15494c32

SHA1
9f8f4e579327e518c6e715c1ebf80b746722178c

SHA256
faf84ab2e6e475d11dfa81ae94ec46937dc93b9f36dd69042abd7bfc8e0f088d

SHA512
21a1fa4369f48adf5c136364b72970800584cbf3be63cb997596a88ffcef0a3ed28f5a76d562637ecfa2e6025f0012b39eaf10b20a4c3fd640d476b1f4b88bd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AV.EXE

Filesize
1.1MB

MD5
f284568010505119f479617a2e7dc189

SHA1
e23707625cce0035e3c1d2255af1ed326583a1ea

SHA256
26c8f13ea8dc17443a9fa005610537cb6700aebaf748e747e9278d504e416eb1

SHA512
ebe96e667dfde547c5a450b97cd7534b977f4073c7f4cbc123a0e00baaefeb3be725c1cafbfb5bb040b3359267954cd1b4e2094ef71fc273732016ee822064bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AV2.EXE

Filesize
368KB

MD5
014578edb7da99e5ba8dd84f5d26dfd5

SHA1
df56d701165a480e925a153856cbc3ab799c5a04

SHA256
4ce5e8b510895abb204f97e883d8cbaacc29ccef0844d9ae81f8666f234b0529

SHA512
bd5159af96d83fc7528956c5b1bd6f93847db18faa0680c6041f87bbebef5e3ba2de1f185d77ff28b8d7d78ec4f7bd54f48b37a16da39f43314ef022b4a36068

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB.EXE

Filesize
243KB

MD5
c6746a62feafcb4fca301f606f7101fa

SHA1
e09cd1382f9ceec027083b40e35f5f3d184e485f

SHA256
b5a255d0454853c8afc0b321e1d86dca22c3dbefb88e5d385d2d72f9bc0109e6

SHA512
ee5dfa08c86bf1524666f0851c729970dbf0b397db9595a2bae01516299344edb68123e976592a83e492f2982fafe8d350ba2d41368eb4ecf4e6fe12af8f5642

Download Submit
C:\Users\Admin\AppData\Local\Temp\EN.EXE

Filesize
6KB

MD5
621f2279f69686e8547e476b642b6c46

SHA1
66f486cd566f86ab16015fe74f50d4515decce88

SHA256
c17a18cf2c243303b8a6688aad83b3e6e9b727fcd89f69065785ef7f1a2a3e38

SHA512
068402b02f1056b722f21b0a354b038f094d02e4a066b332553cd6b36e3640e8f35aa0499a2b057c566718c3593d3cea6bbabd961e04f0a001fd45d8be8e1c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB.EXE

Filesize
149KB

MD5
fe731b4c6684d643eb5b55613ef9ed31

SHA1
cfafe2a14f5413278304920154eb467f7c103c80

SHA256
e7953daad7a68f8634ded31a21a31f0c2aa394ca9232e2f980321f7b69176496

SHA512
f7756d69138df6d3b0ffa47bdf274e5fd8aab4fff9d68abe403728c8497ac58e0f3d28d41710de715f57b7a2b5daa2dd7e04450f19c6d013a08f543bd6fc9c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SB.EXE

Filesize
224KB

MD5
9252e1be9776af202d6ad5c093637022

SHA1
6cc686d837cd633d9c2e8bc1eaba5fc364bf71d8

SHA256
ce822ff86e584f15b6abd14c61453bd3b481d4ec3fdeb961787fceb52acd8bd6

SHA512
98b1b3ce4d16d36f738478c6cf41e8f4a57d3a5ecfa8999d45592f79a469d8af8554bf4d5db34cb79cec71ce103f4fde1b41bd3cce30714f803e432e53da71ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Filesize
1.8MB

MD5
cb6e4f6660706c29035189f8aacfe3f8

SHA1
7dd1e37a50d4bd7488a3966b8c7c2b99bba2c037

SHA256
3341abf6dbefb8aec171f3766a4a23f323ff207e1b031946ee4dbe6dbb2d45a4

SHA512
66c3351ce069a85c9a1b648d64883176983acd34c0d5ca78b5138b7edc2890b34408e8e6fa235258d98c105113d1978a68a15262d6523a82abb004f78b06de38

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\prefs-1.js

Filesize
6KB

MD5
26a1a05052d483a787fc166327ddcc96

SHA1
11eac42c82bfdfdb0bb3fcc38b328500626ac0d2

SHA256
6112d48034e9ef11a45d0b9cf77d2603b656d09fb49e3810a1f3d206e653ef30

SHA512
4c5aa1054a6a47711d470e2730d6400b57f7c97ac8c5bccb5ebef0d9aca09ec35426a5be99bc77afeb14605d7489069d816a19af465bd42033ed1343b136f9c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\prefs-1.js

Filesize
7KB

MD5
d1bb0a351edd7d2ff8395f0708ac5bee

SHA1
24bd84fa8c30f9c75288c235cfc7701090793b36

SHA256
ac37f27fd29c304d3b3771d8a83a94863309a74b0f3d09e2a0fffe456dce0984

SHA512
fbfb0b0d9f7829c558c36920ff6ae9fe6a0906fc4897103ec54b58b486b3d11f62d35858adb8d890a4af81889aae9aa717c0eb4c1223da4ec28fe19414e54848

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
cdeb1983cb50922083b7e9f5c68df6bb

SHA1
80c74b347e062af8bafe12155e957a31d8a7584a

SHA256
27f418e7f1191fffeced52cb99cfdf20f27604ddbbe12789593db74029bedf31

SHA512
44b682ad5b7d7f1c0c482458236c53c27941032349dafe918a112c1b7c335c8e69be4041f30cae979fd2f296ed462e835e080036e4d08d77e7614cf31fbc7007

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
a03a5b577aba70434d7b13a5f76cea62

SHA1
17825c5e751849c12df916c0055a5b2f71de9742

SHA256
c3f80d70e4689df5947c418d6ca48cca4c8e56ec48b59ec33ebd5bc7098e4a03

SHA512
77b31d094d2302a798926b6296557d08ec64def1c54f2ae1079111e5cc8b2d94918835cc0aa8e034474a364a87d7a99da463858da5f12ff74bed3928357aeb5e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
b62f275e89f412977e3f38960b447aa2

SHA1
6d65a83ca6363ce981c1c2b31e71949be1edf181

SHA256
81d706555b448fa24c6dd1e0d0c8e7ce1133e055c4688680660d41dec9394bd5

SHA512
243e9c966d7d9da3cff8f47cbe3940e02c8fa4be650ad27784589c6a01ef73168b582d78383a8a01bb5b9aa117f7d59555a7260984545d561b537b6ded775c70

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
36be3705a70a67f5a239e558549c9a09

SHA1
490652233ee5f1e59402856b0e8f3e5bf3c0935a

SHA256
0fa7fb37f3657cb16c0be6bb9c339a188fc75d50b25727e0ecded3d8c7186faa

SHA512
0928ba70c282707b9c81fd6fb7c8b780ede0d90234fb59992bb95d3cecadc61114e4e933ec3de19c6f9579fca09eaf0e96c88b76b57dfa4d7578387111b008d5

Download Submit
C:\Users\Admin\Downloads\tsa.crt

Filesize
1010B

MD5
6e630504be525e953debd0ce831b9aa0

SHA1
edfa47b3edf98af94954b5b0850286a324608503

SHA256
2563fe2f793f119a1bae5cca6eab9d8c20409aa1f1e0db341c623e1251244ef5

SHA512
bbcf285309a4d5605e19513c77ef077a4c451cbef04e3cbdfec6d15cc157a9800a7ff6f70964b0452ddb939ff50766e887904eda06a9999fdedf5b2e8776ebd2

Download Submit
memory/64-543-0x0000000000530000-0x00000000005C3000-memory.dmp

Filesize
588KB

Download
memory/64-539-0x0000000000530000-0x00000000005C3000-memory.dmp

Filesize
588KB

Download
memory/64-560-0x0000000000530000-0x00000000005C3000-memory.dmp

Filesize
588KB

Download
memory/64-519-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/64-524-0x0000000000530000-0x00000000005C3000-memory.dmp

Filesize
588KB

Download
memory/64-564-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/64-531-0x00000000001C0000-0x00000000001F1000-memory.dmp

Filesize
196KB

Download
memory/3928-536-0x0000000000D20000-0x0000000000D30000-memory.dmp

Filesize
64KB

Download
memory/3928-558-0x0000000073F90000-0x0000000074541000-memory.dmp

Filesize
5.7MB

Download
memory/3928-541-0x0000000073F90000-0x0000000074541000-memory.dmp

Filesize
5.7MB

Download
memory/5296-563-0x00000000005EB000-0x00000000005EC000-memory.dmp

Filesize
4KB

Download
memory/5296-544-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5296-561-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5296-545-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5296-562-0x00000000005E0000-0x0000000000644000-memory.dmp

Filesize
400KB

Download
memory/5544-559-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download