7d70b19371306e1600e68018971da0ba6c2debaa923a476193f4431ba4d1153e

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OptiCraft JAVA 1.8.9/mcdata/runtime/lib/deploy/messages_ko.jnlp
Size

5KB
MD5

d52d6766cd66f3967127b219e776c7b1
SHA1

e4c609b2b7c3860b9614d74244f141d0fbc43d48
SHA256

4de0d5ceaf4eb8c8c657246cb91ff8dfd6903cda274b8ed9eda531bdd6d499ea
SHA512

5cba8878db7f83408668fa1f4fe78bf902f488f334404fd9e744fe5f26fd3dbefa30116f4e211a10ec7cd49325dd27e8a2021aea27603e46aaccd6d83f6c2084
SSDEEP

96:IiX7fdokXLqlz9yx3f7yhJxpmG32idnr+ywc8LHD7ycX70DL70Dj:d7ucLoINAYGbh/I9i4

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1656	icacls.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2088	javaws.exe
2088	javaws.exe
2088	javaws.exe
2088	javaws.exe
2340	javaws.exe
2340	javaws.exe
1124	jp2launcher.exe
1124	jp2launcher.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1552	firefox.exe
Token: SeDebugPrivilege	1552	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1552	firefox.exe
1552	firefox.exe
1552	firefox.exe
1552	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1552	firefox.exe
1552	firefox.exe
1552	firefox.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1124	jp2launcher.exe
1124	jp2launcher.exe
1124	jp2launcher.exe
1124	jp2launcher.exe
1552	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 2088	744	jp2launcher.exe	86
PID 744 wrote to memory of 2088	744	jp2launcher.exe	86
PID 2088 wrote to memory of 2340	2088	javaws.exe	87
PID 2088 wrote to memory of 2340	2088	javaws.exe	87
PID 2088 wrote to memory of 1124	2088	javaws.exe	88
PID 2088 wrote to memory of 1124	2088	javaws.exe	88
PID 1124 wrote to memory of 1656	1124	jp2launcher.exe	89
PID 1124 wrote to memory of 1656	1124	jp2launcher.exe	89
PID 3600 wrote to memory of 1552	3600	firefox.exe	101
PID 3600 wrote to memory of 1552	3600	firefox.exe	101
PID 3600 wrote to memory of 1552	3600	firefox.exe	101
PID 3600 wrote to memory of 1552	3600	firefox.exe	101
PID 3600 wrote to memory of 1552	3600	firefox.exe	101
PID 3600 wrote to memory of 1552	3600	firefox.exe	101
PID 3600 wrote to memory of 1552	3600	firefox.exe	101
PID 3600 wrote to memory of 1552	3600	firefox.exe	101
PID 3600 wrote to memory of 1552	3600	firefox.exe	101
PID 3600 wrote to memory of 1552	3600	firefox.exe	101
PID 3600 wrote to memory of 1552	3600	firefox.exe	101
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1496	1552	firefox.exe	102
PID 1552 wrote to memory of 1984	1552	firefox.exe	103
PID 1552 wrote to memory of 1984	1552	firefox.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
"C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -securejws "C:\Users\Admin\AppData\Local\Temp\OptiCraft JAVA 1.8.9\mcdata\runtime\lib\deploy\messages_ko.jnlp"
1⤵
- Suspicious use of WriteProcessMemory
PID:744
- C:\Program Files\Java\jre-1.8\bin\javaws.exe
  "C:\Program Files\Java\jre-1.8\bin\javaws.exe" "C:\Users\Admin\AppData\Local\Temp\OptiCraft JAVA 1.8.9\mcdata\runtime\lib\deploy\messages_ko.jnlp"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Program Files\Java\jre-1.8\bin\javaws.exe
    JavaWSSplashScreen -splash 51914 "C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2340
- - C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
    "C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURqbmxweC5vcmlnRmlsZW5hbWVBcmc9QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxUZW1wXE9wdGlDcmFmdCBKQVZBIDEuOC45XG1jZGF0YVxydW50aW1lXGxpYlxkZXBsb3lcbWVzc2FnZXNfa28uam5scAAtRGpubHB4LnJlbW92ZT1mYWxzZQAtRHN1bi5hd3Qud2FybXVwPXRydWUALVhib290Y2xhc3NwYXRoL2E6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHBsdWdpbi5qYXIALURqbmxweC5zcGxhc2hwb3J0PTUxOTE1AC1Eam5scHguanZtPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGJpblxqYXZhdy5leGU= -ma QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxUZW1wXE9wdGlDcmFmdCBKQVZBIDEuOC45XG1jZGF0YVxydW50aW1lXGxpYlxkZXBsb3lcbWVzc2FnZXNfa28uam5scA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1124
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "\"everyone\":(OI)(CI)M"
      4⤵
      Modifies file permissions
      PID:1656

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
PID:4268

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.0.1207188778\1365805541" -parentBuildID 20230214051806 -prefsHandle 1772 -prefMapHandle 1764 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {57cad24c-4ed2-4c67-9108-c95283f81f27} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 1852 208ef006558 gpu
    3⤵
    PID:1496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.1.124889311\1626542876" -parentBuildID 20230214051806 -prefsHandle 2392 -prefMapHandle 2380 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e21d5c84-753d-4433-88c2-8800aad19186} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 2420 208e2288d58 socket
    3⤵
    PID:1984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.2.1841170733\1842874449" -childID 1 -isForBrowser -prefsHandle 2664 -prefMapHandle 2820 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1224 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c456813-e29c-4a99-93b9-46bd29df513a} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 2928 208f18dec58 tab
    3⤵
    PID:2300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.3.1493128748\1343301852" -childID 2 -isForBrowser -prefsHandle 3572 -prefMapHandle 1284 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1224 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65c8e6c8-8d7e-4583-aebe-449aced562b2} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 3680 208e223f458 tab
    3⤵
    PID:1020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.4.374715365\392555514" -childID 3 -isForBrowser -prefsHandle 5168 -prefMapHandle 5164 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1224 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d229706e-d529-4100-9ab4-3079f8dfceee} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 5180 208e227be58 tab
    3⤵
    PID:1244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.5.611881860\1807017243" -childID 4 -isForBrowser -prefsHandle 5352 -prefMapHandle 5300 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1224 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6721bda2-0acd-44af-98b5-90706a03bb0e} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 5336 208f646fa58 tab
    3⤵
    PID:4108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.6.893593153\1467564051" -childID 5 -isForBrowser -prefsHandle 5600 -prefMapHandle 5596 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1224 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5687eebe-e2a5-418f-9a4a-8f93d8aee4bc} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 5608 208f6471858 tab
    3⤵
    PID:1556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.7.2009632966\796765740" -childID 6 -isForBrowser -prefsHandle 5572 -prefMapHandle 5308 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1224 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ded62bfe-85c0-4d46-8693-bab7c5281676} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 6000 208f7d4c258 tab
    3⤵
    PID:468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.8.2007551781\1402968804" -childID 7 -isForBrowser -prefsHandle 1532 -prefMapHandle 4352 -prefsLen 27962 -prefMapSize 235121 -jsInitHandle 1224 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1541b15-588a-4b50-8781-2fb04ec409de} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 5556 208f46faf58 tab
    3⤵
    PID:3524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.9.199172924\1617892937" -childID 8 -isForBrowser -prefsHandle 6180 -prefMapHandle 4968 -prefsLen 27962 -prefMapSize 235121 -jsInitHandle 1224 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08d2b77a-c602-41e3-9d53-dc4d47eb880d} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 6248 208ee4e8458 tab
    3⤵
    PID:4668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.10.753925605\1560769697" -parentBuildID 20230214051806 -prefsHandle 6348 -prefMapHandle 6356 -prefsLen 27962 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b490369-0748-4306-92a0-d9e7c40e4fb2} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 6424 208ee4e9c58 rdd
    3⤵
    PID:1156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.11.1529454904\1646789630" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 6248 -prefMapHandle 4788 -prefsLen 27962 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb327f12-215c-4251-b3ff-dda877003707} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 6404 208ee4ea258 utility
    3⤵
    PID:624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.12.1306786252\2095328100" -childID 9 -isForBrowser -prefsHandle 5996 -prefMapHandle 5552 -prefsLen 28098 -prefMapSize 235121 -jsInitHandle 1224 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be3e2a6f-94b9-4928-a5b8-ae5e1bd10875} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 6020 208f7998558 tab
    3⤵
    PID:3460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.13.203377092\1820146107" -childID 10 -isForBrowser -prefsHandle 6700 -prefMapHandle 5464 -prefsLen 28098 -prefMapSize 235121 -jsInitHandle 1224 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb75cc9f-4141-486e-9bd1-1c0089f6fe4a} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 6728 208f799a358 tab
    3⤵
    PID:6080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.14.1121290647\1689269416" -childID 11 -isForBrowser -prefsHandle 4480 -prefMapHandle 3588 -prefsLen 28098 -prefMapSize 235121 -jsInitHandle 1224 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0a94b92-28a0-4474-ae3b-16b29a88dba7} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 4376 208f52f6558 tab
    3⤵
    PID:920

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510 0x52c
1⤵
PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kqdoq520.default-release\activity-stream.discovery_stream.json.tmp

Filesize
26KB

MD5
bfaaac2040d10ea4fbf7ea27c2a9ac9e

SHA1
6d674244b60e050bce4d3659c1cf92f49b6f581e

SHA256
c5b8bfb40d71e22a8f6c5ccec24e2f28c2387c53cd6d1c1f4a50a762153d9fa8

SHA512
17d7180d33b0df5c2ffcfd47abd1d0688a39e03183ca3f0c8a8f7e34203acc5c5cc9750954f1ebf1df8144bd72802d82c9432aafb1043ea52305e4877beb703d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kqdoq520.default-release\cache2\doomed\13144

Filesize
10KB

MD5
27641de9b19dce2f8a35bf32bd7ff677

SHA1
ff79cf7ade61edc5c1feb9e93d7c6c17e6f1a15a

SHA256
aa0c8774f78830198f97007686267528a56a69274c1c2171dcdf80f436da97c9

SHA512
d313f906796646392877d4127ae0c1e7522c2e2b933a1e4706524d4ba67e326bbfe3f5cecfa7e4a001bdaa72125743340b6372e1cfaf6a908d4cc118a978a8ea

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kqdoq520.default-release\cache2\doomed\23750

Filesize
13KB

MD5
326ee1ed34593d1147d8bc36ac3c914b

SHA1
8cce2220808375466577e23e948631183638c8da

SHA256
703a4bf51d8d631df81fa17caaf1b4a8031b76b47983237dea59d70a08c08a8b

SHA512
e22e15da6946b4fd9d61f5f842034bb66fb1a51f72bce773fce35daeb57f4805b0cf9e31dc1868e60cf369c582f893cb84641a3fafa73f41471908781bd6d87b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kqdoq520.default-release\cache2\entries\053830E52CE4746137DAA2DC737A6A096E1BF98E

Filesize
439KB

MD5
2f1e97df4f7277f322dacc2b1141a288

SHA1
ff798040ace602f617baf1df2a5acc8c64d80fe4

SHA256
6d7925576769da12417cdf686d4f31eb5987c69b93f70f7d7909702fcf62120d

SHA512
504bee512219c1c0718314c6d104e8cded5cfa316f9cd818ef405c7ab968e4838e37f7d0548048ef0f7e8510bcbd4cab27b29698e41eb1b3fda5129e095f22a8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kqdoq520.default-release\cache2\entries\0664B9E68FD71B4290E39500BB1B9C68175A636D

Filesize
14KB

MD5
a5cccb0ee6847a196ca0e8e9ad2cde8f

SHA1
f1cf55d716fd38a6d2c47a06cdef4e0bdfdfe05b

SHA256
79a1cf2bceb6bbe01480a4e220c55704cd59f5edd59af73ad3d894ccaa225b24

SHA512
2d1810efd6356700d1c1a358f765016007b169caf627261dcaebbf11b8f25fe7b54cea2b3f878f3aaeaa1db9163e0d45eabb53c98d0e78b00562b8b98b984714

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kqdoq520.default-release\cache2\entries\200FD832FC41AE5B7D070CEEB69F106B9D87C49A

Filesize
38KB

MD5
790c485900dd3f76a2654d2e77f1377d

SHA1
047d63dd1c4c1715d3f55405292a5a87fc0f441c

SHA256
f749a7dbb1790f04c4e0757c32082ea3ad10032fc6be71efb2c52a6c0bc94557

SHA512
4fcb18c29b567bfb54d8391db2114ce16c02a697587f67e47167c421a00caf1d83f44f1e3866f99c3f73f417c5d624b29f30a3c818dbe3870b026398ca28ce44

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kqdoq520.default-release\cache2\entries\2C3BE0740101B3922AB088C6466620DAC68F74CF

Filesize
364KB

MD5
c7b27b8056508cccd42bfdbb919cfee0

SHA1
10c04fbb14f35299907cc81947117697bebf2099

SHA256
b7bec6664dada2359ec1da60c1090a85a8b34693f053e332ec1c1295a21edae4

SHA512
9305713778ca8e014e0d5869333f0deb73df1966c04772e78ce07afd4d1a70c77ccb577ceddfb221e0c51d9a0714b97cce0116111a2643b6db3078c49db8caf6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kqdoq520.default-release\cache2\entries\5C35B9BDBA80C0392EA6B9E213F5206EB6D03462

Filesize
88KB

MD5
eb0c32667fdabcfff97424693bdbc4ae

SHA1
52437bbede849b0f315c78f5f25484af66b7cf7a

SHA256
2770b83a5340eeb83795410f0120c7c9aac217ec1ddc877ad1ca7dd0e311a738

SHA512
3fdb9615fb88ffaebf7d16b825a383bf66adbfb5b9c29ca97891de89b3b33c2cea5c170c94e553aeb9a853d60161a1dbb4eeda7b9cd6e35616490680fef4ef17

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kqdoq520.default-release\cache2\entries\678593AC98AF1B86942F892583088760F55A7F40

Filesize
145KB

MD5
966503f8e49a35bfbd8801b319e8a14f

SHA1
fb7d511c4c77fd55be5e4f4c0282290f470b76bb

SHA256
554969dd2f37c9902e1e6e785b93ac9817f553b179995ee79de5e810a5579287

SHA512
31a0afd0bda6cf0ef0dad387421173b925612e529b812df6f06b950cabc073e04f24a6c7d987250ba40c28ef66ff4c8329fd43e64cadeff41661e73a664fecd0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kqdoq520.default-release\cache2\entries\8F445B531B77EF818EA3088FEB978E0F642DA086

Filesize
823KB

MD5
ee7ad3d0aeeb209148ddc563eec2690a

SHA1
2e58cb6f252ca048b03987a6dd3d8e88a26d3dc3

SHA256
44b4cee8bb895fd6cc9a68ad7b7d825ce524bd0c4234687dd1699830162f6b2c

SHA512
13b0dbb0d053b69e4cefc9759516202bcbc6eda4d05be3d33941a2d27a36c60c89a2d5b3d5be4e943546123d0517b2f18dbfefe9a35d2941410c10047529fc7a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kqdoq520.default-release\cache2\entries\8FE6BB5B069E32193FA90551D0CABC9D6A7D8B08

Filesize
955KB

MD5
2568da25ddd265af16756f431aaecc1f

SHA1
454da506eb9c1eaef16a66427607a27228a44f77

SHA256
f25ee6e947b51c450ee908bc22dd331adca0a24c5689bb33cd6c45ffa6b57f09

SHA512
165cfbed9b89a7806464802813a25f9a2fb808594f5fae7656a96942eb4cca3821c0f215c8d2fcb37968ee3161f4186f804da3c3071996994efa0966023f16fb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kqdoq520.default-release\cache2\entries\98689729A01594603E35E48D51A9087E8E538EF9

Filesize
521KB

MD5
3dc16b9f25cb0442d9eed33e81f43caf

SHA1
7bcccd8b9708d351506c670e84854153bf52cc13

SHA256
e1db5a7638a59347aa1884b31a7c1ba3114ecf2ce3acc903880c1c109b97cf0a

SHA512
916d561510c2ba2cd45649e83d49c6d0a7a42f1eb021a8ea0bfdfb3c78c59b117953255492fa0229f9690b699385004cab8522f661355a4ec966cb36ed712944

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kqdoq520.default-release\cache2\entries\C63B0883B859315BB5C9C10F9EE4C6CCE266A07E

Filesize
4.3MB

MD5
ab1b24099ea8fd0aa930805ba3990a3f

SHA1
18e44801f0085974e5b616b3ed2d0e3f743b28c1

SHA256
55bac9b94ccba8416f2e4aa6f8d1b76a2fedb8ba91cf33308648d9d1e9452a51

SHA512
12b20245830b57507ec327fe7b15cdc889c0f331d1750b86e5ba11150b06c93f42def4fa5a825a7b397223e50883151d319515064c6385beb935c71c9baf6b05

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kqdoq520.default-release\cache2\entries\ED53B1CB374618B6DFB0A4D1CDDC5C2DBED21604

Filesize
155KB

MD5
3fb23af2efe098777e1d25c8adc6dfa9

SHA1
befb8c596dc3fda99bb707c905dc9f946804bd93

SHA256
80d8c05c9e072865e3d235e74560e9bc062bd11c011aa833b9cc2bb5cd00f2fd

SHA512
b47d26cf12179d0a26a836908dde3ffc3d15d34dcaf7cee0bcc99b46c149de03f95fe062498f323ec91dfd96966edb2b00a9b9c973d8cfc3d3bf2713dac5343c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\prefs-1.js

Filesize
7KB

MD5
13632b32688d87b4d9313947fca3f17c

SHA1
43dc698c0d4db332980c6ae3db584ae531d5fe30

SHA256
c2452ff65f52ac46b1aa82f60585976a30df5235a7531070eb90230679c841da

SHA512
db0ba2467da6fbf9ab992cd091237b915b442f05d3365c011305cc2592b4905a40d93e4dc86ff11ebde158bbe6ce13604bd4ed26c2443379c10bc093721109d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\prefs.js

Filesize
6KB

MD5
78e4fa23739ae96d3e0de9268882971e

SHA1
b1de4301699370a6c214584200901763a4ffe486

SHA256
ebf6762757fb79747e94f60bfd9d9e4319fdcaede31e04eb7c5bcaab3f4f0438

SHA512
3b7f97bebd13755939816be1d47bfceeea007e983df71b0941223e029b278393bd5ff717218f74ae59c6b58a997cc552536bdf5f9fda1075e31b26893a970c11

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
0c64426a7239ef11891666a7ff0d4420

SHA1
e874f9cd7975ef68303815404b85add4584dddc4

SHA256
b7e0f6a941a8b003821f339fa4411ef6db2fda62cb82b30b5df67db90735b32f

SHA512
d4009c3619ea26404459f7e777212fed84e5c696eabf3e62b589a51274b5ea01f7c7cf57918d1eb2e923c852dbc1315eedb98e2f0e5f32fc47319d0b1a762790

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
90KB

MD5
f98e2cdcfad8b92a44bf679818447293

SHA1
e228a658e6bcaa40ea63167ac4bb9df34fa02622

SHA256
a441436fc21cdaa6cc65278b871be1e1443b2653311f63054d117c913ccceff4

SHA512
69445b0bb5eac1baafd660cfa2e8ba3fd53f8cf4288978dc1be8e7d065395b4e1f6272d6bea3ae77a408299079285e9ae1981b41ac15eabefa85e8bd63b5c376

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
92KB

MD5
76a5d66e6bf5d149384851a6d80acd2c

SHA1
e8f5bab564b5591e6e94377c87581f78cfdf323f

SHA256
4106ecf6cce37036ec23c5fdd374e22f389a488ca16f85026e9bc4939b991826

SHA512
4bb1fa4785b9afb0bf410a643e0641a7db524fa3caa8b9b57deb0e907c7d6494abc3ce8ca91d7612e5c3d11427b19eb8d856b622164f44ee0acfdc5a501bfc61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
96KB

MD5
7345ae03bbc22a7a357c98cee2daa132

SHA1
edc257a790d451953bf96021ba783cc0ae9818e3

SHA256
af9b1120368f5f8ed5886ec95fd25fdbed3537f430ae422633bddd2ff5feecdc

SHA512
f5bdf23ae75ce841643403c6c3a3ee4b8cdd378075995417b2b9e85b4789475d53fa32ea7d8296eaddeb1b7441b508b261752202c1e2554a1d32f2408d24ab13

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
65b970a0cfe5cfc4abe7b5e28c7bc758

SHA1
d3c3c82356344a5f58392b076cd32645b4342495

SHA256
ab1af7e0b4e9a794d7f5fe76c1cb32c2072e455d1e1a3bf6f7f7822fc1663a74

SHA512
b7dfdd6343a3734915a32dae1e5d549a3de7f13ca772cce30646abf498985b6ef89c17afa36d5007b1fba68e0a1613e5cfde81bff1ec1a778c62f0e017dd2b3e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
98KB

MD5
59f12673dae110839556dc41582b8867

SHA1
074bd9493fcdf40d64b9d90363a352fd828a0e18

SHA256
9e951e5cda69355f87d48f814d0b2e52299e1ffa76848cbb114eb9f6249dede8

SHA512
857000b0a894a07a29933e4c39a01b83b8aab9c01cbf8bb71b7a5a2c1ab166ed4b5a24f216c1cee18b8d2e3660ffa7721189a1483eba964fadb45d8b6976d204

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
93KB

MD5
d42714b863425ec278cafeb0b665434f

SHA1
f9e1afd294d080ede1709a469c024b6f7f33c7b4

SHA256
d279ae6bf9421e14c645e8f00e7950663c0c996bb64c1b311d7d6b03345419ac

SHA512
7c2b2cc314f133545bdf23dba17340dddbe94c9aa1a13aca1fea554a480be647b292debb6b933812a6df1c6229fdd8b2250a0a6e7c1d3990a9d50f377123bdbb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\storage\default\https+++www.xnxx.com\idb\3621224591DXBX_NX.sqlite

Filesize
48KB

MD5
8c4a9d144d00f5d4bdf865052b2b5bb3

SHA1
8aca747b5ea7021c01357f94db036b3a1f568749

SHA256
039097d423a9775bc9b6eaa1e37f00ec38080acf3ae6bd67978ec4b7a90b639b

SHA512
2dba395102e9de2846213a673dc5321127a6cae45f3d2af07effecca5401bc8d3fd9382aab7d644f929225f980ffc003df403bc1f30076a6fe41129046226254

Download Submit
memory/1124-109-0x000002453F200000-0x000002453F470000-memory.dmp

Filesize
2.4MB

Download
memory/1124-108-0x000002453EE40000-0x000002453EE41000-memory.dmp

Filesize
4KB

Download
memory/1124-87-0x000002453EE40000-0x000002453EE41000-memory.dmp

Filesize
4KB

Download
memory/1124-82-0x000002453EE40000-0x000002453EE41000-memory.dmp

Filesize
4KB

Download
memory/1124-68-0x000002453EE40000-0x000002453EE41000-memory.dmp

Filesize
4KB

Download
memory/1124-63-0x000002453EE40000-0x000002453EE41000-memory.dmp

Filesize
4KB

Download
memory/1124-28-0x000002453EE40000-0x000002453EE41000-memory.dmp

Filesize
4KB

Download
memory/1124-15-0x000002453EE40000-0x000002453EE41000-memory.dmp

Filesize
4KB

Download
memory/1124-2-0x000002453F200000-0x000002453F470000-memory.dmp

Filesize
2.4MB

Download