darkgate | a333d81913f8dcfc62440055dec0396b39ef3296eb3defeff393a153c6b044dc

Resubmissions

12-08-2024 11:28

240812-nk9psataqd 1

24-04-2024 18:59

240424-xm276afe44 10

Analysis

max time kernel
1199s
max time network
1201s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
24-04-2024 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hacks.txt
Size

84B
MD5

e751540f9566e0b6b21b8793f32c1322
SHA1

25092e2748f6e1d2fb75c9e3d0f18a867744a74f
SHA256

a333d81913f8dcfc62440055dec0396b39ef3296eb3defeff393a153c6b044dc
SHA512

e89d2cdf799a3ba8ad5ea26e542708d0b756f4e8719611e1c6380fbb7c044dd7a953fe23ae7570118b8959d42e84422cd04f1fd604fc940b8bce6a4296a651ff

Score

10^/10

darkgate seal001 adobe persistence phishing stealer

Malware Config

Extracted

Family

darkgate

Botnet

seal001

185.196.220.194

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
QPNVenzK
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
false
username
seal001

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 17 IoCs

resource	yara_rule
behavioral1/memory/5084-833-0x0000000010000000-0x0000000011A7F000-memory.dmp	family_darkgate_v6
behavioral1/memory/5084-832-0x0000000010000000-0x0000000011A7F000-memory.dmp	family_darkgate_v6
behavioral1/memory/1460-834-0x0000000001800000-0x0000000001873000-memory.dmp	family_darkgate_v6
behavioral1/memory/1460-835-0x0000000001800000-0x0000000001873000-memory.dmp	family_darkgate_v6
behavioral1/memory/1460-837-0x0000000001800000-0x0000000001873000-memory.dmp	family_darkgate_v6
behavioral1/memory/1460-839-0x0000000001800000-0x0000000001873000-memory.dmp	family_darkgate_v6
behavioral1/memory/1460-841-0x0000000001800000-0x0000000001873000-memory.dmp	family_darkgate_v6
behavioral1/memory/1460-844-0x0000000001800000-0x0000000001873000-memory.dmp	family_darkgate_v6
behavioral1/memory/1460-845-0x0000000001800000-0x0000000001873000-memory.dmp	family_darkgate_v6
behavioral1/memory/5304-856-0x0000000001900000-0x0000000001973000-memory.dmp	family_darkgate_v6
behavioral1/memory/1516-854-0x0000000010000000-0x0000000011A7F000-memory.dmp	family_darkgate_v6
behavioral1/memory/5304-857-0x0000000001900000-0x0000000001973000-memory.dmp	family_darkgate_v6
behavioral1/memory/1516-855-0x0000000010000000-0x0000000011A7F000-memory.dmp	family_darkgate_v6
behavioral1/memory/5304-860-0x0000000001900000-0x0000000001973000-memory.dmp	family_darkgate_v6
behavioral1/memory/5304-861-0x0000000001900000-0x0000000001973000-memory.dmp	family_darkgate_v6
behavioral1/memory/5304-864-0x0000000001900000-0x0000000001973000-memory.dmp	family_darkgate_v6
behavioral1/memory/5304-871-0x0000000001900000-0x0000000001973000-memory.dmp	family_darkgate_v6

Detected adobe phishing page
phishing adobe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Run\*SentinelOne = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\SentinelOne.dll,EntryPoint"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Run\*SentinelOne = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\SentinelOne.dll,EntryPoint"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
5084	Tax_Document.pdf.exe
1516	Tax_Document.pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Tax_Document.pdf.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Tax_Document.pdf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Tax_Document.pdf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Tax_Document.pdf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "8"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000200000000000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0 = 62003100000000008c5864711000434f4d4d4f4e7e3100004a0009000400efbec55259618c5864712e000000400000000000010000000000000000000000000000003983ad0043006f006d006d006f006e002000460069006c0065007300000018000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Documents"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Tax_Document.pdf(1).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Tax_Document.pdf.zip:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1476	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1460	Tax_Document.pdf.exe
1460	Tax_Document.pdf.exe
5304	Tax_Document.pdf.exe
5304	Tax_Document.pdf.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
1460	Tax_Document.pdf.exe
2108	OpenWith.exe
5304	Tax_Document.pdf.exe
1476	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	3692	firefox.exe
Token: SeDebugPrivilege	3692	firefox.exe
Token: SeDebugPrivilege	456	firefox.exe
Token: SeDebugPrivilege	456	firefox.exe
Token: SeDebugPrivilege	456	firefox.exe
Token: SeDebugPrivilege	456	firefox.exe
Token: SeDebugPrivilege	456	firefox.exe
Token: SeDebugPrivilege	456	firefox.exe
Token: SeDebugPrivilege	456	firefox.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
3692	firefox.exe
3692	firefox.exe
3692	firefox.exe
3692	firefox.exe
456	firefox.exe
456	firefox.exe
456	firefox.exe
456	firefox.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
3692	firefox.exe
3692	firefox.exe
3692	firefox.exe
456	firefox.exe
456	firefox.exe
456	firefox.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
3692	firefox.exe
456	firefox.exe
456	firefox.exe
456	firefox.exe
456	firefox.exe
5084	Tax_Document.pdf.exe
2108	OpenWith.exe
2108	OpenWith.exe
2108	OpenWith.exe
2108	OpenWith.exe
2108	OpenWith.exe
2108	OpenWith.exe
2108	OpenWith.exe
2108	OpenWith.exe
2108	OpenWith.exe
2108	OpenWith.exe
2108	OpenWith.exe
2108	OpenWith.exe
1516	Tax_Document.pdf.exe
3664	MiniSearchHost.exe
1476	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 1476	3364	cmd.exe	79
PID 3364 wrote to memory of 1476	3364	cmd.exe	79
PID 1652 wrote to memory of 3692	1652	firefox.exe	83
PID 1652 wrote to memory of 3692	1652	firefox.exe	83
PID 1652 wrote to memory of 3692	1652	firefox.exe	83
PID 1652 wrote to memory of 3692	1652	firefox.exe	83
PID 1652 wrote to memory of 3692	1652	firefox.exe	83
PID 1652 wrote to memory of 3692	1652	firefox.exe	83
PID 1652 wrote to memory of 3692	1652	firefox.exe	83
PID 1652 wrote to memory of 3692	1652	firefox.exe	83
PID 1652 wrote to memory of 3692	1652	firefox.exe	83
PID 1652 wrote to memory of 3692	1652	firefox.exe	83
PID 1652 wrote to memory of 3692	1652	firefox.exe	83
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 3472	3692	firefox.exe	84
PID 3692 wrote to memory of 4780	3692	firefox.exe	85
PID 3692 wrote to memory of 4780	3692	firefox.exe	85
PID 3692 wrote to memory of 4780	3692	firefox.exe	85
PID 3692 wrote to memory of 4780	3692	firefox.exe	85
PID 3692 wrote to memory of 4780	3692	firefox.exe	85
PID 3692 wrote to memory of 4780	3692	firefox.exe	85
PID 3692 wrote to memory of 4780	3692	firefox.exe	85
PID 3692 wrote to memory of 4780	3692	firefox.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\hacks.txt
1⤵
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\hacks.txt
  2⤵
  - Modifies registry class
  - Opens file in notepad (likely ransom note)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1476

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3692.0.1057206550\1301428393" -parentBuildID 20230214051806 -prefsHandle 1784 -prefMapHandle 1780 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {706a2403-bcba-4c43-97aa-d3ee01247b40} 3692 "\\.\pipe\gecko-crash-server-pipe.3692" 1864 130dd904458 gpu
    3⤵
    PID:3472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3692.1.729073211\1684779086" -parentBuildID 20230214051806 -prefsHandle 2360 -prefMapHandle 2348 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77d9f0b7-6bf3-4c96-a8fb-0850cb293aac} 3692 "\\.\pipe\gecko-crash-server-pipe.3692" 2388 130d0c8a258 socket
    3⤵
    - Checks processor information in registry
    PID:4780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3692.2.1444273532\507249071" -childID 1 -isForBrowser -prefsHandle 2996 -prefMapHandle 2992 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 1276 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f1ae84e-f480-4f30-bc6c-e5457cb150e3} 3692 "\\.\pipe\gecko-crash-server-pipe.3692" 3008 130e03f6b58 tab
    3⤵
    PID:4888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3692.3.1167730722\1518199429" -childID 2 -isForBrowser -prefsHandle 3568 -prefMapHandle 3564 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1276 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {362b67b5-f136-4dd1-805b-a228cf8a36f6} 3692 "\\.\pipe\gecko-crash-server-pipe.3692" 3580 130d0c7ae58 tab
    3⤵
    PID:2068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3692.4.451971699\1304075575" -childID 3 -isForBrowser -prefsHandle 5092 -prefMapHandle 5116 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1276 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {47181c4b-f869-4b37-ac6b-334cd29bd9b7} 3692 "\\.\pipe\gecko-crash-server-pipe.3692" 4980 130e2ead258 tab
    3⤵
    PID:4292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3692.5.1494299245\244077987" -childID 4 -isForBrowser -prefsHandle 5260 -prefMapHandle 5264 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1276 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {216a8882-8567-4129-8115-8adb70ec0be4} 3692 "\\.\pipe\gecko-crash-server-pipe.3692" 5248 130e5adc858 tab
    3⤵
    PID:1880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3692.6.1400109061\579437594" -childID 5 -isForBrowser -prefsHandle 5444 -prefMapHandle 5448 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1276 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f6a7cfe-819d-49d2-a0be-9fbc1efbb082} 3692 "\\.\pipe\gecko-crash-server-pipe.3692" 5436 130e5adcb58 tab
    3⤵
    PID:1484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3692.7.1230945138\97391974" -childID 6 -isForBrowser -prefsHandle 5512 -prefMapHandle 5876 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 1276 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {261fb77a-2848-46b7-827f-54f7b3cdacb9} 3692 "\\.\pipe\gecko-crash-server-pipe.3692" 5896 130e6ece858 tab
    3⤵
    PID:3088

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5008
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="456.0.140687420\64488855" -parentBuildID 20230214051806 -prefsHandle 1816 -prefMapHandle 1808 -prefsLen 22339 -prefMapSize 235168 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e6ca4bd-3a4d-4dca-a9fe-d7e0881c33d5} 456 "\\.\pipe\gecko-crash-server-pipe.456" 1896 1262a805d58 gpu
    3⤵
    PID:832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="456.1.1729119490\1155624955" -parentBuildID 20230214051806 -prefsHandle 2408 -prefMapHandle 2396 -prefsLen 22375 -prefMapSize 235168 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {101c0d7f-30df-4906-9108-fd1c968509a4} 456 "\\.\pipe\gecko-crash-server-pipe.456" 2420 1261db89c58 socket
    3⤵
    - Checks processor information in registry
    PID:4868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="456.2.1933595650\304226905" -childID 1 -isForBrowser -prefsHandle 2724 -prefMapHandle 2444 -prefsLen 22413 -prefMapSize 235168 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3caa28f-bcc6-4c85-bbf8-e59829667f6a} 456 "\\.\pipe\gecko-crash-server-pipe.456" 1360 1262d71f558 tab
    3⤵
    PID:4168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="456.3.753030417\2085243560" -childID 2 -isForBrowser -prefsHandle 3792 -prefMapHandle 3788 -prefsLen 27879 -prefMapSize 235168 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29969f07-f8e4-4095-ad12-0fb30f2a361e} 456 "\\.\pipe\gecko-crash-server-pipe.456" 3804 12630273258 tab
    3⤵
    PID:860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="456.4.472866599\1238951336" -childID 3 -isForBrowser -prefsHandle 5084 -prefMapHandle 5116 -prefsLen 27879 -prefMapSize 235168 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {198923b8-7540-49cf-beaa-3a043d90623e} 456 "\\.\pipe\gecko-crash-server-pipe.456" 4944 1261db3e858 tab
    3⤵
    PID:4840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="456.5.2096759612\1317140616" -childID 4 -isForBrowser -prefsHandle 5176 -prefMapHandle 5180 -prefsLen 27879 -prefMapSize 235168 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7c8498f-e671-4250-958b-e9b0a06de568} 456 "\\.\pipe\gecko-crash-server-pipe.456" 5168 1263355a558 tab
    3⤵
    PID:3872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="456.6.392421583\2076357604" -childID 5 -isForBrowser -prefsHandle 5368 -prefMapHandle 5372 -prefsLen 27879 -prefMapSize 235168 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3bfe824-e883-4c19-a210-861d0b172bc2} 456 "\\.\pipe\gecko-crash-server-pipe.456" 5360 1263355a858 tab
    3⤵
    PID:1472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="456.7.1801234025\94567764" -childID 6 -isForBrowser -prefsHandle 5680 -prefMapHandle 5676 -prefsLen 27879 -prefMapSize 235168 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f089ab2c-8726-4b77-ba3f-9900454dcccd} 456 "\\.\pipe\gecko-crash-server-pipe.456" 5692 1263188eb58 tab
    3⤵
    PID:4612

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1828

C:\Users\Admin\Downloads\Tax_Document.pdf\Tax_Document.pdf\Tax_Document.pdf.exe
"C:\Users\Admin\Downloads\Tax_Document.pdf\Tax_Document.pdf\Tax_Document.pdf.exe"
1⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5084
- C:\Users\Admin\Downloads\Tax_Document.pdf\Tax_Document.pdf\Tax_Document.pdf.exe
  "C:\Users\Admin\Downloads\Tax_Document.pdf\Tax_Document.pdf\Tax_Document.pdf.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1460
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*SentinelOne" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\SentinelOne.dll",EntryPoint /f & exit
  2⤵
  PID:540
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*SentinelOne" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\SentinelOne.dll",EntryPoint /f
    3⤵
    - Adds Run key to start application
    PID:688

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2108

C:\Users\Admin\Downloads\Tax_Document.pdf\Tax_Document.pdf\Tax_Document.pdf.exe
"C:\Users\Admin\Downloads\Tax_Document.pdf\Tax_Document.pdf\Tax_Document.pdf.exe"
1⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1516
- C:\Users\Admin\Downloads\Tax_Document.pdf\Tax_Document.pdf\Tax_Document.pdf.exe
  "C:\Users\Admin\Downloads\Tax_Document.pdf\Tax_Document.pdf\Tax_Document.pdf.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5304
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*SentinelOne" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\SentinelOne.dll",EntryPoint /f & exit
  2⤵
  PID:5468
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*SentinelOne" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\SentinelOne.dll",EntryPoint /f
    3⤵
    - Adds Run key to start application
    PID:5520

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\activity-stream.discovery_stream.json.tmp

Filesize
29KB

MD5
32d8563b80f56d8b8183950aaee2136a

SHA1
74fafd2b5f17370ffe9319229c84477f2b02e90a

SHA256
8c9b6dcd6783f69f3a3259b3d375ad410ce090a939db44c6052b0859d2978a9b

SHA512
9ea8c0c435fd918044b67cee6e3de1be059cdc073900b2517753f1d0c37f7b4da84835ac06e69238e15b0cb0d48fed7f7117e93bf4e0634519e4f3d891b858ee

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\doomed\15187

Filesize
11KB

MD5
4fd1d8e15a97d2a97bb2688314f04a98

SHA1
1b7e1802b5b6502a8f0ffa2b51d95cc95827d9f5

SHA256
55c3d8b17254ce2d38e39bc435fb4bc934d6cbe93b7327837a58b73eff8d9968

SHA512
8aab138b861a19b69518c109382e9a987bce97f89b195fcf477a8fdfbb26660b7727164047a063448577ce8fc015dc738edc2b069bcebeba542994abcc3a40db

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\doomed\15659

Filesize
9KB

MD5
6bae2840af9bbb6864ae8a531ce59143

SHA1
66da572fe8e53f5d12d8a2a58b8a460d7e8f8849

SHA256
be499d24083eaac5fca9c85183ad51ae9929680ae827e705bf4e5af5af0328da

SHA512
e8dafee9d0087ee642d65232e5df59ac35d2909433317ae60ad6f6afb36d10ef8dccf966f172a20da4b92bb9def09f11b19f42291a6ad5743a1dd47130074f20

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\doomed\5376

Filesize
14KB

MD5
d63c7687d0f1350c98148a851e026d45

SHA1
386187db5936bb0f23e332f4de4dcc45f0cf47e3

SHA256
4767a1a9e889c1f14ccaa488531ec48eb722d8b49610f8d8a2f87fa7424030e3

SHA512
dc36a3d11df3b553482f3d48873962e21bf72859a0b6a95670f6494f48203efc015f657af15bd9da0a73617d3b5b5f0b5fc5ce0474e898ec7da6c94495875582

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\doomed\6844

Filesize
10KB

MD5
2d431a9e00de5f232671e60ba004f2fc

SHA1
4f0301e380a78ef67896b36756d5a56f48c15113

SHA256
a7230e95bd171948c60b26a4188dd09106048c53f32d3b224dae965c8096c8e0

SHA512
a5da175ca3b5dc3d9c1a14ef40252302f95f3557d13ee75b51c49c9672ecf4991ea896faed613efdd47330fe36e6fc1e9113d6c0b5c59eb1a1e808503c194b26

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\1E3B04F4E0780740ECF9B7348E06EFE1A56C81C8

Filesize
74KB

MD5
8388ca07831e6b59692f2f322dc2ab9e

SHA1
c87ca04bd2f69a3ad0c352a1ed8dfc736d4a69b7

SHA256
a07ba84f3cfa01be77766d44a9709babf09b5744471c219c70db16d0d1d97d18

SHA512
e5a69b6a9aa8b8f7dfa853381bef853f918388a943e2930423cf9805e7e5974206233e85798fa27392acc6df52c2a587fa5ceabbbe653241a4549b525b038b70

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\1E3C9FBA85FEBD06903E757188F2AE386374418B

Filesize
127KB

MD5
2c8d81de34f47a291d6f4168a20a9c9e

SHA1
def6445b9d3f603d95a5cb19f1f207fca4e5852e

SHA256
63145560068e6629a08d7e281033866004cb7b1dfd4d2831877c803ba0455800

SHA512
699e48a5e6f0c288538d7adffb169c033c7a858b9b02c64665e7ad0c25a09dc02d56b547397a89ba6a1860b59c2b6641df8a43b10b68177918d1c8e4b0198048

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495

Filesize
9KB

MD5
85e3f797c24a1ade7812da23522e7043

SHA1
f13f96fb49c48cf5253fde57228ad6252a0300db

SHA256
bee340c4117b0fcdc774a18f6469028f9eff420ec3efffe274a0fa8d63853b2f

SHA512
9b76fb3fed98aa520dacf60d50faaec1b3a1a5a36409af92292d619afff0a3d46a88e4b361a779645999245f03cfce16d9a089826960e4ab3143878dfe7c60bd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\28436F74DF78E1BBB5EAE7C8B2B87AD48F20072B

Filesize
91KB

MD5
973f29066e4736ddea0e2cd78089680d

SHA1
d428f015cc65b96adf8bf1e1a09c4a6a694c2a4b

SHA256
e8c333e353910f69df73952c711547c30dddbac82a25e90cca31d45df4e34726

SHA512
1d9cb8edbcbcbd65b382837a9c81d9d2431afc8d668ea128d04199dfc435471f70f7eab67aea03f24662fce61c9f53a4e5b00ac7298f4230ebbd5a0a726baa55

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\28436F74DF78E1BBB5EAE7C8B2B87AD48F20072B

Filesize
91KB

MD5
4df4008e77e970f9f5402d2741753ca8

SHA1
95bc740f8d4f59e19a28be2778c8c3b51c866189

SHA256
263321834c97092f9576377f72b91650b3fc83d69282e742ba09217e3c83fe42

SHA512
e214ea008e9ad762da20b4d347eab358b44524b1e57374ab472e05c572375f8487a65a6a5049996d5cafd6c2d00c9af21312075773392f2c865948ed85a77ecc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\28B5589D678E6337E5CFBEDFAAB7D13ACE130456

Filesize
498KB

MD5
73bc98860448316c0fad66ec56beac52

SHA1
210f14a931ad9fd3e3e68f9d9aaf61ee4871780b

SHA256
284d9f2310aa62cd049562e68ea1ea2504bf18eddcd70207a9b67405ae0cb3f6

SHA512
36241ccd5f76ce66173ec989cd5ec288e052c21fe708efd63881a1492685e701a05d966c38e7f94d60a2a53c8e7555c4398a2528e4f92324ffa2003368913e2c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\2E8BD7051FE7E9DAB921E4DC08084473D8EC852B

Filesize
58KB

MD5
aa18f817250680dda6363898d6ecad5c

SHA1
84153f64e1cd376b173b3b468f6cc17b931a327b

SHA256
dc8aee19911af971fb44acae6ca5cffd6c5c67c37dac5466cd2c4414156663e5

SHA512
9ca3c89ab7ac20431c9da1c61b2527fe62607c721ebcea0a14046fc030be9f7e983c80b6d1e4086ad8dda4c984524823f755d226eff5880e39935bd90ec3721b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\32C573C166503829DCC6F0BE89D39D58659597C6

Filesize
22KB

MD5
beef51d1bdc2ab2ab2f343d7920fbd11

SHA1
8f33c78bd7198f258b0240390b7a28c1e3c9e97a

SHA256
c099ef1033249ef7b1a4d0aec73fec5cac99c65562428640c294b8ee5f13112b

SHA512
7b9ec6ea6392ec0846cdf1afdbede01687787d559bdde1f5dcf297d5b9beb059d855d5421ba0f7e7e1656f5ddbf548f2ff086639a41f9daef61a8741f950ed63

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\32EAE34B25C13F9D04871DE4C40DEE70C68F012F

Filesize
17KB

MD5
0e8418bea3cf15327ef902faac707633

SHA1
365c3ca664c008fe402727bf23070cff9e76998b

SHA256
c61f8086c7a6e0f0bf84ac072e7db988aa46000378fa0b4ba406f27658ed6f0b

SHA512
a825e5a180dcc92379a6edabe4b5e10fb03cd58cbaef0831e2b53c12dc3be786dd39c6dfca2bc0c9d59c74ba58847db75951382571abe72b6acbceed82a2001e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\36675CC79EE3C77BF59B1E79B23664A6F2DA25BA

Filesize
14KB

MD5
a15cf636b1a6f1d057f578c83a9d83e9

SHA1
73b531d5be01b6622f47b56b03d859fd7ca14b42

SHA256
3c9d02903feda02c220b636b15e628e6c1dfff79ccafe522607d1aa94b2d9039

SHA512
721e2cbf57c695cef5d3dec4e75a666441c5d9246cc13c78c59ad66e74ffe8a3fccca1fb8d0d2f64662ed9123608cac2a1b95110bfe5bcdbd3969d118f94c77d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\3E8A24A455556E25B1D87522912E31CB640CC2E7

Filesize
961B

MD5
d2bf12718a031d6ac9cf831b25edc2b2

SHA1
e09aac3301c0f9ebce91439d5abb321d7c5a2290

SHA256
357bba26e313d5d21dd98f35d0f107feb99dd1a1444ddd7fdd57b03920af8078

SHA512
3274d33c403afdb0dcf2c79e5f54d981be29136e0484f62b4c4921f841fef2a0209d1c5e524948546b4c2ed036db6a9752ed12879a52b05a06da78cb575edace

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\40548DFDD8C3E43B6929026FB152DBB071760696

Filesize
39KB

MD5
9f1cd193b7f73b200057bd4061a56e2d

SHA1
63fd35c8ba55d9786d387f530266783020c480e1

SHA256
f6c9a594335f53bc9e7f7745ae92c6ea681851c8e09166dae7445d1c6a91f921

SHA512
097891de5eedc3a022f9c51cef851b8889818ce6c0995ede56d8ddeb38eab32f54a4b8e1738d9fe1b06d84e8b1556d6802dca727809c72ae43828fd8b62288ac

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\43696EBBE5D1F4A6448C08370F8328D86E87086A

Filesize
18KB

MD5
acad878a19667c0e35cdd2c838463fb7

SHA1
bdbed9b0d040a56e40ccdffdeb395d6b1914d0c9

SHA256
29e3995f8c909aed3a4475298c17a26074ea77d2f55af19923bcbf2b92e2ea6d

SHA512
c3dd073c07d1e5d67c94163f2a61c67a0c22cc7a62237cd7332ec77f77750f57561899e3b0910580b1fbd624b4d7ee99cd564ff6d4f2d470363e120853479c1b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\4941DE35BE367229F9501E67BDE5E0FD10528C77

Filesize
41KB

MD5
00b5af120802ed5404ace58a104eab60

SHA1
d2c514c7a0834baebe2faf7158b9a12c978f0f4c

SHA256
a059c1e4f6fce47a2627e3ca2debebafee389b6eea3fc35eabf48fe3c322d7a7

SHA512
4cccf4e1d3164dd8fb61d6bbeeb57b17c6a4d3c814dd4556710d9e40e852d368688da0c3ead6df3cc1b3088789c8e0f3bed5cf2594962e5baa8cd9cf44930b34

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\53E578F8E4F44A9EF81DAF86AF996D536F04D757

Filesize
39KB

MD5
f852e900adfe30a4f51625ba55618cf0

SHA1
1dfc29e5c27a3bc584b4054a8a4439370eca943f

SHA256
bf69fb1975fd60d9d7fb1a566a113952e9c70015266cd8b9ebcdf47667243157

SHA512
be6c1ce730dd2312d4eff53d8b68f69f7bd1ae1d80a3551d50ac09ac9d3956bdc0eca51cc7380500d68a764f0fda14ab285b40641db053c6e9ae0936964e61a7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\574CE3F3B9D422E270E793A5D7758D1721E2D727

Filesize
15KB

MD5
c790244c7bfc7c6893eb0913ea5e4060

SHA1
a10a55f336052d0a47f408bc7da8de3b6fb9ca22

SHA256
86079d5ed84e561cbab52f6161219f4f344320c8e2e2cc3a1a7185e9a845ee1f

SHA512
ba9c96949555996920636162b623cdc2e0a21ee5a1bec781c9c95d7737c4ccb7ee81b02b2013ff7b8e70f1ceaa25843b63c6478f813c2a9ed54fdf2aa60ffb64

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\58C3E9E154FAD10B5F1989DBF6A3EFA593BEC4C6

Filesize
36KB

MD5
74f6ea55cbe3ae992be58d3fc890c597

SHA1
fb435aababbf377a5f877192b75b60d8f7f72faf

SHA256
20500f5f65e78d05b351eed1bf2a83805151962c4c3a184c1da7945dc5baa6fd

SHA512
28f808f75aeced3028e8ac3d985cbdb522b16108d5f0aed9bdecbd87ff71103842c02b270138db35e8d026a36ebc576f8c9fdda49832805774154e15e0e44a90

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\5C58422868E57729B704CAA4AAF7B1D1BAF3010B

Filesize
13KB

MD5
6c76d44e765b1f2c79de4427323ceb03

SHA1
0b5c595b905893e2cc20aa5e60ac529aedd8bf9b

SHA256
1e2862347131cb94d9d4e6d19c9b706d406299965e6fed3035b78c354989d125

SHA512
f1d4bd5ea78b919e9a521e1d05a6a3fa0f79da6abaa772102ece0f6b694b4525ae287439f6dd38446884349b6817d6f7e0aae6f6e68b89cdc89e58504da0a3a4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\621EA4E54F529761CEB1177EDEBEFDA7796F328F

Filesize
88KB

MD5
bdc73306f17fe1ebbcc8d569aab3ee18

SHA1
b0250e1bb286c81881a2d17ebdd4c33a12322f7b

SHA256
2676380ca46a21882cb3b45f8149b6f4cd0136f1a41e0efa271785e7eb07b4fc

SHA512
097781a39d8c77d10deb942e2e883d584bef2e34a123908adaf5d72cccce2392fd20d70964cf14c3a50eb9fc8cc427cbcd496783d3ef2d7a2ec23b2c542b9336

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\621EA4E54F529761CEB1177EDEBEFDA7796F328F

Filesize
88KB

MD5
19d0fb7db1b6bad3f245d645d8521e54

SHA1
8da425b244c2e3a2a040d8134c4f0aea36c11fe0

SHA256
bac0c62856b2981af3bb2b82d1e47a13a156c181aa18c20e04672f64d6936d7e

SHA512
4dd735ddc4c9c4697c6644ecf566f206a1d286e66a291d480ae95bc951d31e5e971488f2f7bf9c8367c7a06f406e13b1a2b033477f5165b85f64f32f9b69904d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\685C83C50FB227988C3CD0727DBCF5D3D94773F1

Filesize
25KB

MD5
aba163c197448e5fb061c3bea3ae0895

SHA1
bfaf12bbc65bcc4f847088bb3d01c0d2333567ff

SHA256
e3b619bffb8cd5f8cd91da65ac0c72f3f87b8d3d272db78de515b71e102bb395

SHA512
78b8c96503d123cb26fa5dac615aecb4449b75260ce3f4766d85129c21a5653cbe0304428083d37ffb0b072e9b585ebab29bce6a33f127e49c98aa1c2a3288b2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
11KB

MD5
f2e21e47f0b255613e26e20283826ff0

SHA1
9a30115d3f240e16de9b1f40b1196f20b9adcceb

SHA256
868955d5abb78cf0818fd7043505ddd59034685f64c69e0c49f5727709d32850

SHA512
f37f117e45577966cb2afd7a31701c881d1f62639f2ea16bf581c24038c59befa066ef48db562ee7fa6b6158b816e87d2f6d94e1ee865c87e66649521bc3376d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\74E9809659584818569C22A5BB079E1369925A28

Filesize
208KB

MD5
a168a2fb9cffc38ad17816e8680a4e80

SHA1
3d03eff3a68c5ae05067c1a1309fcce75c68fd76

SHA256
15f27232d1f501db2d2492631fb1eb45fb42619c2ffe9a36c153e12a3f97e97f

SHA512
37928f96faddd2ae8b9a6c28028714cbe3e36bc5818cc663101599f4df55c4b922a29cdb6d233242367ef076e3746cefda5c32a2cff294fac37712a5df6c5f90

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\86F0C24B6823FBE11493C102B9F6C1380A6FAA9B

Filesize
2.5MB

MD5
fb4a66106e34e7e020f16fac3e2c93b8

SHA1
9e1183b359a52e322c3c85a7bba2bde41e0cc359

SHA256
cd6369f1ec368e3064c8685336466f57acdcdc243917adcbbe8ab74a1cee2ec3

SHA512
07b76d429abbd1c50be2a545a79da92b2147ab641f8dee399ace941649bf5e2e43646ea4e2c07cda8f86ec479866b87d9ff8f95219cd487a8e33e6ea2e208ba7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\86F0C24B6823FBE11493C102B9F6C1380A6FAA9B

Filesize
2.5MB

MD5
890321b7bed9be7531c7f0f7e9bb13d4

SHA1
3e0742ee3ed0b1176a23243bc2520b912896cd59

SHA256
3c3d3f26423e61ec2e72fe2516ea417beb409b2b87f263d3e07c23b1d9ec3929

SHA512
49ec9c41d86dbe5d6786f3302f52cea74aee1c5e60ddd175d4f43f3b87e08d9b160b4b69573135f021e2ae9a74cea0769295c87df1c6f7993eb27f03e055d32b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\87ADBD8BD246501934D4C619A33D3284B3C24B83

Filesize
21KB

MD5
f7c8765a5916ae67b5b78f60384f74ad

SHA1
a9203e3dd3f2d1043cba2a6fd9a7222d1a096c55

SHA256
72ecead9ee0b39ab42fe1a997e157d324649bae4771271a341219a5e0b789765

SHA512
05fd5e0a5f751ba1b6f7a76ec5dcb8a6f02cefa0eca8a238e88c52fb467b23b0a16b966702efcefb3ba904b72c519df1733149588c6e76f1b233d3e28426d1f7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\9501E178697122C71DEE22B24C2B7684D9326D09

Filesize
41KB

MD5
b285d1d70be3d0bf1c48e6873a645d28

SHA1
562375efeabfbb87b540f13bf19a541841aa9f05

SHA256
123efccb1fa6b39fe1fc2e332bf19c9cac325b4bf69e0acb5bc32e706a9a0f86

SHA512
9309dc8054fbfbb78cf7c555f3929233dd07a1ab71c8daa8ac63a63106e7b7f82fc3878e7cf7775d583a39851b6541e80f806a910c42cc06bbebb9caf69016a5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\A67857D9F3968F35615A3CF78F15A16DC4A47B91

Filesize
12KB

MD5
0713112bfd0460fd34ff12d1980c699b

SHA1
f3eaef7cd50d1484f6d206a4be3c809284ba0d17

SHA256
3547896b23452f73c6497f24d20e2935d03a245c311f79842df738d25fde124f

SHA512
e1967c6c249a1c418620726046fcf442648ddae7729ecaff22138bdf41d1267468bc63a3988857056139960bf46872fadf0da7676c0e69be215841e78558d41b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\A76E295E292332A58A30EC40BFB5C6FE037493F9

Filesize
79KB

MD5
a5a8bb129d91936963e1c4b7b2327cf1

SHA1
2414417f4392228cf4643d67b8711b9ddc161cf4

SHA256
868e19008f926f8dcae314dd57cf0020b9db22516c7456073f88342d1eebe91a

SHA512
63b05a161c2fb636f4fccff283736b905ac9fdcbb106384889b50d940603e3c531a6dc3e26e6718783681cd6e9f43711449e57e6c35c9a7f0a4eae3cc5ca4f36

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\A9E63CB755290877A90CE4DFA9167FE8646FB017

Filesize
14.1MB

MD5
683715d9f7be6b25b0bc57d08a155fc0

SHA1
6771c009ffa45f58e3b2aa32b9a62b8a1c49d519

SHA256
6c84e865765c02c24056579ad66b987367218b9041d62939ac57ec6d628620ae

SHA512
667093eb676cf04b06fc76bb435839ea8f6e5a74ce96d4fdb9703f423615f79fe8c70c64cee6d1ab01a41c1d12214db87f8a3f6c699e20262b7fb6d4728a3f0f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\AB323C032DC041F414D39AFF35467D5091E3C3BB

Filesize
12KB

MD5
e60d696b010855eba675cef9ce8aa490

SHA1
d338381394f84a815b20b98e7023f08f95197832

SHA256
ba50f86647fe72a460d3d942074c75e16c5df99ec61c9d09bb414371230829ad

SHA512
c167df54dcafb12de6241a717e8c4579cf1d857c713c6a97e148c1d6d91ca807433e37716fcd1bef0bb1fbb0bbcfe67f19269e9047ebd36bfb084233125404f3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\B7C258676B84035FC28045F320283755FF33BAF9

Filesize
16KB

MD5
6fd277431ecef82eed8e7373531ce049

SHA1
895f66c06de1a0b4da5759ec581eb8022c3ee9f3

SHA256
8c9826550450dc336a852efabd54fe0f23546700d264ecf0a3cc98659ec5b1ed

SHA512
7c03925f4fa8ff562c1e809e23ed725f519b6776bc3a5577a6bc13399f1738f4b676e3664d283331125f61ca52117c679373c4584aa8305b4415f30bd9f8002a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\B8BCD5D4BEB76E93CA1AD638ADF5798AA26165FD

Filesize
13KB

MD5
70b3e311b360c861efc2bb1cb678a3ca

SHA1
9492a4a0cc3b6472d7a32b99befb3685399444e8

SHA256
7e6fd05f5f0fcc6aab01a53e0c4c2381e6d36ef34bf1d6e888f4112acc49ef20

SHA512
d42a8b96788fd9abe66837a866e7217b516f337f5dcd15d1e1295ab1a26180bb5dfe95bcb689815a7864e086c82d8f6f862cb62202853a8eaddc05fba5d04047

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\C2AFC3742C17A1EDDEF85FCC38405FE00E7638C9

Filesize
110KB

MD5
b5408aeac3275cc364dfd750ff0f2309

SHA1
53973df5b9db114e9267dfe003388dcc7f6cdcfc

SHA256
9b6bd22e5b8b99eb0dab70e708c5457485e39dc4ef3304370a289ae7cb20acd6

SHA512
2f2a9506f082304b28465b178c5b6060f11e8fff152c756bc1b15dc071b902c931af9311d6ad119090b809a291183c6d11025bc16ac3042613b6cd153b8fba92

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\C72D4296C2EBC6FD41A9F780CD0C8F30F0FF937C

Filesize
13KB

MD5
28a07b97f73a90439ca69cefb260b21d

SHA1
e401eb2c50e9ed0786b0496360aeb6fc24f23866

SHA256
b7e99512bbc71e7ab537caa3ab7d5ea2e2f8b0e309e2fa7a902d648611a258e8

SHA512
c12fd1c77712434b11ba6bfdd44498aefd7e6a98555185cd197d4f18c4b65494810ccb9a1c9c8060f5565eaaa40b379bcfdefce0a0f3ca7af7ba14d2f93747a4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\D088778B86287928AABCB305848CBCBEFD234223

Filesize
136KB

MD5
7e898c0da5fb5669e418aa85a584abdc

SHA1
750c813e4b69718c8d6f6b87db0ab07b584e88bb

SHA256
2a3bb58658c5a21dcd68fdfab653dc8dbae64dfa05c348753897b319e9ce7261

SHA512
bb31a26e2c3df7cb0e392a7648e996f80ce3114efc875f495bdbf934afa96be8f9dcead09e96e36918b729fc9027ee53302465fe3729cc92ae67bc7951eaca63

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\D94AC9DEC20067092E0D88563290CC04CD8DB8FD

Filesize
35KB

MD5
be91ab0ff554d9a9c20c717ff03e93ae

SHA1
855248637a29089c3aae5fde7f66220ac63878a8

SHA256
0f38c0791a880a1ed2e8849be3ce50034ba623be1fa23a2a823d76e44d4ac608

SHA512
dd1d235a7e4a7f3fff7aa0bc71793fbd77c403f8debe4389c6276ea3891bb14b67864a51212a6d991f5b1dabf5b398a9f4b7bc846dd9f6c191152d8b397b733f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\DF9585F8783732A0174419F75426156EA549F798

Filesize
11KB

MD5
6e4b6ec8cb4aed608678aae3c81e4e67

SHA1
a6f1fe309cb8b4a200ea77d4c8d54a5c671eb5da

SHA256
155340d3b430789e158da3fb51832ccbff1e55b906e6d7b1fbe633772cf00206

SHA512
65bfa7d6a489a3276f0f7230730487535a70fb3265071181a6324fcf11ff4cd37fb4d46eb72546466f91f9beaa018e923e70811a2d58065eff974b78406da5ec

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\E0658C014D241D67CFBF3772D07F36323980245A

Filesize
214KB

MD5
e441a90be32f8c75dd021afc3b64f751

SHA1
1c1c656acc980339e903a5c58b58ca182fe395ce

SHA256
4aae9ba6f624b6f68c8d2e47761afdab51987f3e1840672e9b01564e445dac99

SHA512
a440336da763d80fc9d11b55c330a01c0ec311812425f3d5ef4b08090dd306f3829285779993d5e038cc49f9a817215173f627d786e84f45b6828afa319e2ef7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\E4B23161F3DC5C5181CD5E936506A976F5C0BA4B

Filesize
21KB

MD5
59befcbf1b7b8e4ec3e3f79e40046460

SHA1
bfeed40185bddfbdbdafe76636bd97cfc088b7de

SHA256
9c4f0dd4624e6c04917870136ee98d91fc819a31c88d591b1105b1d84a8bd665

SHA512
e62e912f6cdbd388481778715dfa27055e5eb5d40524eaa4d49db71b66c4c8e6d1e3df05dbfc10767bf71a6a09e87c5b7bf87b34794cdc2617f3a6dbdc717418

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\E4B23161F3DC5C5181CD5E936506A976F5C0BA4B

Filesize
21KB

MD5
2096c9431e7e90b0c4a78239e47962a8

SHA1
0f5fd11a58658d36ebc248db19be19abd4195cc1

SHA256
dfb7d9c3542ec4a30cbab08e338038a5c79326d16093feff5bffe4c188d32df4

SHA512
974d145c2e8a5a5c499c65e04777758f8fab12013cee4f6bbae007d071e298632bf43a4d51891c853fb24cd4e362298d076ea7834f4a20a37d8ede81bd1b0134

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\EF43AF777B2210E638A3CDF321257CD9F9240042

Filesize
27KB

MD5
62c14c5f01c295acb976a9a1e4970360

SHA1
065589e4d78fb3fdbd7f0f92ff530fae85b183c9

SHA256
ef8e35372ca606ee62f9aae57de8043e557d395162c320c270e32885120da234

SHA512
d3d4373b3bcdaac343b0fd0410e08985a86e18cccb0cc4655735807ec52d7232e254b2109f6163efb0b5f965551471c2f7a24a694c7684e067eb2fb166920880

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\EFBB61F3AE81FB3104C177A541272AB5B96CC475

Filesize
35KB

MD5
e15b44ebaf03ef1392799561d3dfbc58

SHA1
27d6ac2593f473f1e31e7e9be30ea54d0ce0631b

SHA256
3cbb6a6645073293e662bdbc63c0683e8a9b0b1a704c2d85ef7bdbdd3fb36fa2

SHA512
d27ee2c42fb36a7e018004e62e28b842a0d8f39cc8e865b4a14b1472bcfe3d5772336c05c1b7c183ab37b6c4a217e0a20ab9ce1ad5f934effa73f445cfa17f3c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\FC9515790636EB1D8E919F70768E740AA701E28D

Filesize
9KB

MD5
9056d6014caa004946106e8b3af7be5f

SHA1
538290b6bdb82f8f5adf3d5771a412ece9284367

SHA256
1e8d845b23bf0ee118550eb95fdaa5446663dc03eba20c2de91f0135bbd5645c

SHA512
dcaa4524bdb79995b91f472f939c283359d1db6485ea8568c2c43dc4e3580164c4f444b1696a31fb20d6e0cf705dea861a227bfac08c039115cb9a8f235abc12

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\startupCache\scriptCache-child.bin

Filesize
465KB

MD5
b54b62e24e8d35c181683816515fa4a9

SHA1
ca201b76bc93621bdfa5aa2ce8e440a416c0d2bf

SHA256
cb7bd42837ba12ed0a24e4968d05d860171944a03be21b0322db5c955454e902

SHA512
4b13c6b4580a19767f8ba782bc9db627be8babe24e758db6fd57407f3c697c6de04bd5c35f5694a0bcf424a2e1d902d467beb976552e120db4adb4bbe1eb4459

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\startupCache\urlCache.bin

Filesize
2KB

MD5
044dbd63b3d9b8a07515848f39abab4a

SHA1
e8e62c1bcf2c3c6b48e2bee951155bb2afcbcbd1

SHA256
0533455c2ead2d206d0907b22e64550424eff71d84c117ee503f5fd0c74329d5

SHA512
4337b585cc24fc8fa18a8e7dea8365860136ebdb94b98a4b79391664c65714f70de0f4cab9cf0eddfb373cda7e9b3aacc9179dd2e7cd6f97508f8c3828bf78c7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\thumbnails\d527a32d9829b928e30e839973de3c7a.png

Filesize
2KB

MD5
922971589148e6d62551746327f7b36f

SHA1
136e2ebb5356b76828edcf16a4f8c9032fc457ad

SHA256
ce0513d4445a975ddb6953cdb07dde28c1efe9678c4e141cba5a18479da481f2

SHA512
f0743d04999c6738828b316f2724624ce13f2a620711e2668c14536285f939804bfc8787efaa5ed8323824738f7842e1c9863e1a3bd93effdfba8b3665a0bbfc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\thumbnails\d936ec07a892003e6fd950e46ec9f2f5.png

Filesize
2KB

MD5
c29d24d1ad99a42ea89c11087db2c0ef

SHA1
1084adb4bcf9625ed8ab27e1513180d2020db29b

SHA256
ddb65bb1a02ed184f0e6a553714ef6ba8dfcee6f3dfe487b768898b739474988

SHA512
f1626cd18bdf13e600c9327390c0896f7db8f31df87145721cc21e2df68122ebbd3e52cddbfcd47134b235e8d6ef70ad0be30d0bc768031f20807564abda295f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\AlternateServices.txt

Filesize
645B

MD5
0ee0f82b2150d1b0e426d99fa9b78a00

SHA1
adad8c0fcc55448af6a665cd661bd5498654843a

SHA256
b2aedad712b52b4d7390146ee4705dcce1180641ec9992453d8ca5ae4a3c8d07

SHA512
98e8190516aec21535c2b75c30145b6f3641eda0dbc12bc8d290d437d06c803c965bb03084f18259e3bf38cf3cf38eb5841efa478e695c0b0ec2fbc5c3fe956d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\SiteSecurityServiceState.txt

Filesize
858B

MD5
e5db4b31fd532450c001a659724b791c

SHA1
376992ce678471fe7541c57d164bad269b54dfd6

SHA256
2209e6fcb984880af5c44e7c13a6fb866b69a401719a39e0e6b0986fa6794be0

SHA512
ac8dbef9262098dd26863d3c60f4ba218f183e83e99989b3e8f8410757da65abd2f385bf6c3de3b062d419828e7da90b3e7bdb3e521aeaaceffdcdb77ec00d11

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cert9.db

Filesize
224KB

MD5
3f8f2724414c67fa8415b389ab5dec5a

SHA1
b25b5d0ba4fff07e3a0291ebe3a23325480e4004

SHA256
ac1181b82bd7f6570b51d9ea053181cd3050079e495dff341dcb04df7b25a37c

SHA512
6d25f5111da65464527af08a2aa758884f26db99184d0e34d97e0cb2e88c573a78a9a44f46713635086f74248317cf795ec043c73bff37fdf4133785e455267c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cookies.sqlite

Filesize
512KB

MD5
06f3c27b3f413604a03d412234693aae

SHA1
349435f620c7bfb57359ae608420f0615abda604

SHA256
fb037e2f587c068a8db5c0b3737fdfba108db509ab0b3d5595ed00d6f42a44cc

SHA512
4c54d3de3cb29e6629ce51709768fa1b13a69c4163f7c2e408e12066d4346f8dad74fac2a1767ee22cdbe1269f9b76cefd5a36cfafb9e53b73723f48e753fa95

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\datareporting\glean\db\data.safe.bin

Filesize
182B

MD5
b1c8aa9861b461806c9e738511edd6ae

SHA1
fe13c1bbc7e323845cbe6a1bb89259cbd05595f8

SHA256
7cea48e7add3340b36f47ba4ea2ded8d6cb0423ffc2a64b44d7e86e0507d6b70

SHA512
841a0f8c98dd04dc9a4be2f05c34ecd511388c76d08ca0f415bfb6056166d9a521b8bc2c46b74697f3ecdac5141d1fe6af76dd0689350caca14e9f849ee75a8b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\favicons.sqlite

Filesize
5.0MB

MD5
5f699efa042793d583391a0cd90fbff1

SHA1
24d44914cd537a09b0a6bd73269e7b5474a6d139

SHA256
5ecb5004926ac258dd25284ac26c7415807051f459d6a3e2ca5be2d87e0200c0

SHA512
9e45560003042f7854211bf0ce700203b2f502bfc1ff858810af6252fb4193037c0a15f5643e5910782d7a84c50766dbc9e1ad6c44d106403962503bdbe826ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\places.sqlite

Filesize
5.0MB

MD5
29b403a510a1a9993515529ce5e807dc

SHA1
e4aedddf37aaa1adf017388ed93b9a109115b971

SHA256
037278dbe3345052b5d1c0101070450f73e3a9126d8496c2cdb2a7c18fd81cc6

SHA512
6c654784aecdf35ee3e5656bb0f84ee87dc1c06433a359b6a492bee5a5095c679c6707203d688652ac09089da1659fb79658abbb148b0228eb459a80086d06e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\prefs-1.js

Filesize
7KB

MD5
3d877fc82547dc816b0a25e8d05d4114

SHA1
5630f15ed56b192e99d6592e67a1c1facf95970b

SHA256
f3feb41aa846722cb7636f77ae29d37ef81e6246a2985904251e3593dcb05d81

SHA512
cc726c62fc3ee6331ae24d7d7d413ee231c5de8df1e0c8a6adeb3669173c45871047e0c37b961755a761edce399ebb55d6451be8b29639b6837dc512b2139e40

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\prefs-1.js

Filesize
7KB

MD5
7ce7826328044335729baf4326684063

SHA1
9b482c7deb388bf9af8c9afc8cf6ba0c4abc3176

SHA256
627d6fc4b4932e48c697e58256ac4422c783822dc7dfd87fcdaca7c671465f7f

SHA512
8e927bdc4c5e327378d6d72b95f5811d3cfa7e3b43c9482c9c6839c3fecbfef22bc3ca4f93eb6177f006bc2dd65325a60149aee97a5466c75d7cd57dfb8b61ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\prefs-1.js

Filesize
7KB

MD5
0ef8c197b759aea14a3685501a53df9d

SHA1
423eb8f6ed8c7a3c94cb4766e7966bd1f1efc003

SHA256
d3ed9dfdbd964ca0799611450a800cb78d3c56128d9bd6a725f59d30a8c686b5

SHA512
a11864afb1048cad3b3c26cab1b5dca180dce5cb116f936a350b0035b518226df944b175c74429382a30dde20af804c81062ad42f88c7ae3056e64bd6077871c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\prefs.js

Filesize
6KB

MD5
caf2762d28a877510f094f7bc6e76ef3

SHA1
844c89df642d3868c7512f1984637eb80a7f6a67

SHA256
aae183af00c4c46cade1152eb78615dafb394414db9b5fa21e7183fdb09ed634

SHA512
dc01aa4822236db8e4468c2ace50705672dcabc5af7f2ff9c9b61bfaaf7fb26ce2dd03f01da0bdca518f392abd55de4e1a04766a93036fa273cecea9e9acdd93

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\prefs.js

Filesize
7KB

MD5
1251f88957bd2740fd2b6f2a57336092

SHA1
aea89d3e58054d95832bcd130eb3dbf2aa819db7

SHA256
3fd7ebfed2081478fa437029945ee277c26a6d51b62810ed8d90decb4ccccb6d

SHA512
d7de31802c267a94817361ef3f5f84e90cbdf894c61f4fd0c0909803a06cca27b6fbdc11c0370fde9a59d9f892fb97e090ed01f1d9ec4eda5c09b479abab8b38

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\prefs.js

Filesize
7KB

MD5
72700b2bfc6b2de34247e5a068c02b6d

SHA1
1a4cf5fc41d07d327742f5af5de786cb726d225e

SHA256
b2bead6c1feb5634bcdb441064c26547c351ebde944e2c22f2e5b06c7b14d6c9

SHA512
c0298a22825ac69be701b5fd3a73d69895b35f4774240f7e61e2cc7630290bd9ef93dfeb331d56e5073dddd2d0f1985ac4ce4134ef6a519413eeca67db48b22b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\protections.sqlite

Filesize
64KB

MD5
49397db0486dc59d607907a086f40c9b

SHA1
08742ce9db9569062def08e99eea8470702feb7d

SHA256
890033ea279f13478e655150a823a5f84176d2f8f2ec3724dc61dfec775707c4

SHA512
fc8dad1ae2215cd96c41bb3e683670bb9138467677da46c19d1e58972775842a995b70123c22ea1efb659d043f5116d0c9dca422035a6646b35f81033c9f5f53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\sessionCheckpoints.json

Filesize
288B

MD5
948a7403e323297c6bb8a5c791b42866

SHA1
88a555717e8a4a33eccfb7d47a2a4aa31038f9c0

SHA256
2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e

SHA512
17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\sessionCheckpoints.json.tmp

Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\sessionCheckpoints.json.tmp

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\sessionCheckpoints.json.tmp

Filesize
228B

MD5
a0821bc1a142e3b5bca852e1090c9f2c

SHA1
e51beb8731e990129d965ddb60530d198c73825f

SHA256
db037b650f36ff45da5df59bc07b0c5948f9e9b7b148ead4454ab84cb04fd0e2

SHA512
997528e2ecd24a7e697d95cd1a2a7de46a3d80b37fd67fac4fb0da0db756b60a24648b7074255dc38f7651302f70894a53c3d789f3d7cd9f80fb91bd0cade4be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
10KB

MD5
4ffc9e1bdc83a9e3b1a3b3be9b5e2f84

SHA1
297fa0faf93597efd44d724ae7922bb2a61585c6

SHA256
156efd62df9e726f15cfb1b3dc3ddce79caf54eea87fd56cff6088e50331f209

SHA512
b7998f16cce1dd02cac672c7fd55da84e202375ac51404fd6e625c54366c7e713482a71c4230655d218275941a3ef0c82aed6082afb4808b39da5ef441a6dc77

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
29e1d45ecb78fcfae6357617fde709ff

SHA1
3532d1919d403f256e89a9020ecfc695f044391e

SHA256
0520dd2d308d9d3b3b7ce35221b07b470799ecb431acd992e4f2a8270924bb13

SHA512
c4ffed2a2b675fd99e229d2f7d321b432db618424a03f2d156a5ac4b2b07f38b1ee659b0b998b8f613c950d623ce81d46444377cdb732fc748f21e2505f152a6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
17KB

MD5
a49331562a5e716f5758753d9713a935

SHA1
2c75315ab85d4dea03213f017908bfcfe6898318

SHA256
05c0cc06ad13069fd7c4f6e1b8b441c0e3bb95b14055c7b902b9d50cb6582b7d

SHA512
6511383ebbb72c7a79379e655f354520cc37270f1dd2b0c85abdaa0444723e08a4df94ee4396355d8abd87bb43da0e215038a322c40a26a9cac6077a67ae249a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
10KB

MD5
37bc38791076f14a4238048f08c9ad44

SHA1
9073d4a202a8afae94ff6a4f123a37a40544a6c9

SHA256
637ed41cfcba8d3ba0450e942ddc4ed11b46bebdf0d6b8c09959c347076d2014

SHA512
2b76655a558b3656601aa4baefae191f911d6253218c1f8a213ec1fc05a4886938c50282160beb79d523f6d9ed9f09c0c1e4818f4f17011f82e527bfbf1ed6eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\sessionstore.jsonlz4

Filesize
9KB

MD5
dbc795061ec67e77e17393fd994e2737

SHA1
5fbffbb98a0fb032b07f1ac6630df21242d8019c

SHA256
4f927ed0678f3405f321ff7a4f830752f1b067801ac908ccc4722e90807ade36

SHA512
87b4c97481b71cfd93830a63e59228042c3ec46de10135811e9d5162361393ae75d585a0ce9c01c837b3b2a7006886aff4a9c652f24e4e083c26c1e600559cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\sessionstore.jsonlz4

Filesize
10KB

MD5
4a78207fac32e0864de7dbbc0830101f

SHA1
fb37faf34b5cd31ab4bd3e9dfe6b27936ad94e3c

SHA256
4bdfdad452ca90169a11862aa6d32c8f6dda3e2b5a810a848212303f980fea13

SHA512
19db167e351610a9496231c3e4478614012c965c42d654c9d384b81868306479dadd03a9abac78e3aad77362f8d6b14c5dfd5bfaff4aaa1557c3aafcbbf3d1b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\storage.sqlite

Filesize
4KB

MD5
2edb404a75f44d8cce55601c97a823d8

SHA1
15741d29bf7c53946998488772ca6c2e50249b3a

SHA256
c1548bee3aef26753708fc69c3d5a7390e2756a4e3ee23f4c09488547a023076

SHA512
db540ed8b9936f66ef44b082760e11d7c5a82c1f2336939c8459f3d1bf7a3516649cf31dd4b4d2afed055704a9ab5e3040f71b21df8f8ac926422db4aeb7bfeb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\storage\default\https+++acrobat.adobe.com\.metadata-v2

Filesize
64B

MD5
713de5044129a63f9720a365bdac2aa3

SHA1
c3cef30fa7aed7405673866abf4d05273c04f4da

SHA256
c5638a7a5f66ad30650c467546533a2c4293869380b294209051bda652d68219

SHA512
38666e9b7ad84e1a101f21f604d511c35a9c0d0c0ad72f1e90690dfd355797a1abf9118cf02f07cdff50e7a189e648d2016cde300cf16e4ac0049f6f584465c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\storage\default\https+++acrobat.adobe.com\ls\data.sqlite

Filesize
6KB

MD5
66dd22ca7a8546a1d75d6f42514f5510

SHA1
a6075d8c30fe15d0336254f77b8c1b2af02976e4

SHA256
e82a245941ed9f6be2e9baf69e6a5bc180febafad98ea8ea205b6b9e759a6ae7

SHA512
442b66048f2590949fa25bfb0e4fbea5147d6b1eb93f1c8fddeb7715f0723f4512d92511a2b58ea6d697eeb51c1f1906061a67fe820a1a3b2d6d4787d5583753

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\storage\default\https+++acrobat.adobe.com\ls\usage

Filesize
12B

MD5
3c799cbdf463db58e9f69ab7c94dc97a

SHA1
299629d36d893db78b7e9af40975373239074edf

SHA256
29c602651dd9a5c4b783cf414fb207c45c2aed91bb3a4a54ea9fa7c840ed0d56

SHA512
e527ae67394e5125290191707b14a1e27664455ca92f1349c3601f23ca2cf2d5b94639b7c9b1faf8bb4ef94f75b8f7775441b80bcb5fb9849f371ccc2a2ec70d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\storage\default\https+++auth.services.adobe.com\.metadata-v2

Filesize
70B

MD5
f369d961939fea52f2cff1674b98ec9e

SHA1
56e660ee8f6e0a383b5c18aa5da7256a99c5822d

SHA256
8d0c6d8b88950c76292f7f270d628a3e44490760a132a7e8b6608e0bd31f4694

SHA512
5c4904c415d2342ae69f85b843fa5fc183c7f47ad1595904cd4864efed696ccd8720c42eb99b008c8c742a011dd33f988866e0c698205faa58276dc1ca50e0e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\storage\default\https+++auth.services.adobe.com\ls\usage

Filesize
12B

MD5
cff5c04c9c69501c2e94ce53a78dd336

SHA1
396ce9c98dfc2c92836a51abbf39ad538b664ec5

SHA256
098eb84610da7bb362ea220833967c897d4d722cad13435a2c25ec975af690e0

SHA512
77232ee0ac65d47061e473e195587be227d7dca35b15decd3d64a6dcbb0b002d3c625b82656b55e6cfc90da87a871e1f0447ff6407f43ebba96a7fa4f4bf4acc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite

Filesize
48KB

MD5
d7b4a76f0966c4173eb9e01a82951150

SHA1
580c3e483c5321ff16629d9d56ef6dd6169867b8

SHA256
3c0e518546fb07c21179cfeb52cda8d9ea6da3ea7d4d9900b3f7d8a0c8a2e2be

SHA512
ded2e3db7a95bd2d2145d1f18d465a993a517d2831e9ebf2c71d99af13d9099d0b0f8923cc49b1320794cc5e172a3ab3b6608d451d2d234c41ee34785815f815

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
216KB

MD5
538b32dd70f842d976d6cab707771cdc

SHA1
311ee3075f3d97168639ef61a3fbde50c2f7e8e8

SHA256
c3eee4de5c41d4ddacdc8b532818b711cb28a88196670074042f4ed1581b4d25

SHA512
cf31d7159029f7a2546e92685137a8c1f1ba7108c2a8bd8741ac583780f76aecd23bb7bae2bba4810d781c361a4f3fab96066aef279b79f522d78c49de51c324

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\xulstore.json

Filesize
120B

MD5
8d689c06cb844185099c0398a280537e

SHA1
57073c7526ec37e94bb9db44fedc6d50276f7a6b

SHA256
96729e9b38f216605ff10715f96f364be32f02e2de23ede7e74b78244605124d

SHA512
3c7df326c695143915df1068cb2c0f58e93e4881b2c4d94b33948b80e954fbd4cf944ae53b4d15002b79fcdb8e88f8e9cf4c89ca50f56b7cfd8a13ea7dd6fff8

Download Submit
C:\Users\Admin\Downloads\Tax_Document.zqm71rRB.pdf.zip.part

Filesize
13.9MB

MD5
2dd1a7c3a1e315e310ce0a8af9e57afb

SHA1
38092153924993101933d60a33394260f20468ce

SHA256
06e916ab0dcf4f5f0dd637bffb2db12e22d1a5a9fc511066a42a58a8fc486290

SHA512
1960fb0e9ca539bc0937552b9dfb267a524bdfd1229667bb35c51905202d166a1506ea881a2d83aac16102066b4027744bca402fbe7b6e9cd4f285a5ec602269

Download Submit
memory/1460-844-0x0000000001800000-0x0000000001873000-memory.dmp

Filesize
460KB

Download
memory/1460-830-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/1460-845-0x0000000001800000-0x0000000001873000-memory.dmp

Filesize
460KB

Download
memory/1460-834-0x0000000001800000-0x0000000001873000-memory.dmp

Filesize
460KB

Download
memory/1460-835-0x0000000001800000-0x0000000001873000-memory.dmp

Filesize
460KB

Download
memory/1460-837-0x0000000001800000-0x0000000001873000-memory.dmp

Filesize
460KB

Download
memory/1460-839-0x0000000001800000-0x0000000001873000-memory.dmp

Filesize
460KB

Download
memory/1460-841-0x0000000001800000-0x0000000001873000-memory.dmp

Filesize
460KB

Download
memory/1516-849-0x0000000000C10000-0x00000000014E6000-memory.dmp

Filesize
8.8MB

Download
memory/1516-848-0x0000000001B80000-0x0000000001B81000-memory.dmp

Filesize
4KB

Download
memory/1516-851-0x0000000010000000-0x0000000011A7F000-memory.dmp

Filesize
26.5MB

Download
memory/1516-854-0x0000000010000000-0x0000000011A7F000-memory.dmp

Filesize
26.5MB

Download
memory/1516-855-0x0000000010000000-0x0000000011A7F000-memory.dmp

Filesize
26.5MB

Download
memory/5084-829-0x0000000010000000-0x0000000011A7F000-memory.dmp

Filesize
26.5MB

Download
memory/5084-833-0x0000000010000000-0x0000000011A7F000-memory.dmp

Filesize
26.5MB

Download
memory/5084-832-0x0000000010000000-0x0000000011A7F000-memory.dmp

Filesize
26.5MB

Download
memory/5084-826-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/5084-828-0x0000000000C10000-0x00000000014E6000-memory.dmp

Filesize
8.8MB

Download
memory/5304-852-0x00000000015A0000-0x00000000015A1000-memory.dmp

Filesize
4KB

Download
memory/5304-861-0x0000000001900000-0x0000000001973000-memory.dmp

Filesize
460KB

Download
memory/5304-864-0x0000000001900000-0x0000000001973000-memory.dmp

Filesize
460KB

Download
memory/5304-871-0x0000000001900000-0x0000000001973000-memory.dmp

Filesize
460KB

Download
memory/5304-860-0x0000000001900000-0x0000000001973000-memory.dmp

Filesize
460KB

Download
memory/5304-857-0x0000000001900000-0x0000000001973000-memory.dmp

Filesize
460KB

Download
memory/5304-856-0x0000000001900000-0x0000000001973000-memory.dmp

Filesize
460KB

Download