metasploit | hxxp://google[.]com

Resubmissions

04-05-2024 20:20

240504-y4na1aab9v 10

Analysis

max time kernel
299s
max time network
311s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

10^/10

metasploit backdoor bootkit execution persistence trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

Processes:

rad79044.exeNetplwiz.exe

pid process

5904 rad79044.exe
1752 Netplwiz.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

210 raw.githubusercontent.com
207 raw.githubusercontent.com
208 raw.githubusercontent.com
209 raw.githubusercontent.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

Netplwiz.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Netplwiz.exe
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5904	rad79044.exe
1752	Netplwiz.exe

flow	ioc
210	raw.githubusercontent.com
207	raw.githubusercontent.com
208	raw.githubusercontent.com
209	raw.githubusercontent.com

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Netplwiz.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings firefox.exe
NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\Trojan.Ransom.GoldenEye.zip:Zone.Identifier firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\Trojan.Ransom.GoldenEye.zip:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

firefox.exeNetplwiz.exe

description	pid	process
Token: SeDebugPrivilege	4104	firefox.exe
Token: SeDebugPrivilege	4104	firefox.exe
Token: SeDebugPrivilege	4104	firefox.exe
Token: SeDebugPrivilege	4104	firefox.exe
Token: SeDebugPrivilege	4104	firefox.exe
Token: SeDebugPrivilege	4104	firefox.exe
Token: SeShutdownPrivilege	1752	Netplwiz.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

4104 firefox.exe
4104 firefox.exe
4104 firefox.exe
4104 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

4104 firefox.exe
4104 firefox.exe
4104 firefox.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

firefox.exe

pid process

4104 firefox.exe
4104 firefox.exe
4104 firefox.exe
4104 firefox.exe

pid	process
4104	firefox.exe
4104	firefox.exe
4104	firefox.exe
4104	firefox.exe

pid	process
4104	firefox.exe
4104	firefox.exe
4104	firefox.exe

pid	process
4104	firefox.exe
4104	firefox.exe
4104	firefox.exe
4104	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4184 wrote to memory of 4104	4184	firefox.exe	firefox.exe
PID 4184 wrote to memory of 4104	4184	firefox.exe	firefox.exe
PID 4184 wrote to memory of 4104	4184	firefox.exe	firefox.exe
PID 4184 wrote to memory of 4104	4184	firefox.exe	firefox.exe
PID 4184 wrote to memory of 4104	4184	firefox.exe	firefox.exe
PID 4184 wrote to memory of 4104	4184	firefox.exe	firefox.exe
PID 4184 wrote to memory of 4104	4184	firefox.exe	firefox.exe
PID 4184 wrote to memory of 4104	4184	firefox.exe	firefox.exe
PID 4184 wrote to memory of 4104	4184	firefox.exe	firefox.exe
PID 4184 wrote to memory of 4104	4184	firefox.exe	firefox.exe
PID 4184 wrote to memory of 4104	4184	firefox.exe	firefox.exe
PID 4104 wrote to memory of 1452	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 1452	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 4296	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 1692	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 1692	4104	firefox.exe	firefox.exe
PID 4104 wrote to memory of 1692	4104	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://google.com"
1⤵
- Suspicious use of WriteProcessMemory
PID:4184

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://google.com
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4104

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4104.0.107987831\439865132" -parentBuildID 20221007134813 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad7a4398-9545-4599-8bd4-9e8e1693209b} 4104 "\\.\pipe\gecko-crash-server-pipe.4104" 1964 245347cb758 gpu
3⤵
PID:1452

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4104.1.1569017489\1385371248" -parentBuildID 20221007134813 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93abb8bb-7648-4911-9b77-04288c97ccae} 4104 "\\.\pipe\gecko-crash-server-pipe.4104" 2388 24520a72e58 socket
3⤵
- Checks processor information in registry
PID:4296

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4104.2.2130694463\1249633306" -childID 1 -isForBrowser -prefsHandle 3116 -prefMapHandle 3112 -prefsLen 21668 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e660f36-4a5c-433c-bfe6-2a851a6824c0} 4104 "\\.\pipe\gecko-crash-server-pipe.4104" 3128 245386d9358 tab
3⤵
PID:1692

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4104.3.23530996\181321757" -childID 2 -isForBrowser -prefsHandle 3980 -prefMapHandle 3968 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5fc23c6-d6ae-49ca-8db2-d3ab9a3655fe} 4104 "\\.\pipe\gecko-crash-server-pipe.4104" 3992 24539292a58 tab
3⤵
PID:1548

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4104.4.1826221400\651718608" -childID 3 -isForBrowser -prefsHandle 4660 -prefMapHandle 4656 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d24ab0d6-82bc-4931-8359-e00a9d7093ae} 4104 "\\.\pipe\gecko-crash-server-pipe.4104" 4680 24539ef8c58 tab
3⤵
PID:4604

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4104.5.1684182758\977070039" -childID 4 -isForBrowser -prefsHandle 4684 -prefMapHandle 4676 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1c16852-12d4-4f78-8dc6-cc6c472478b6} 4104 "\\.\pipe\gecko-crash-server-pipe.4104" 4732 24539ef7758 tab
3⤵
PID:3800

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4104.6.345658177\1873823473" -childID 5 -isForBrowser -prefsHandle 4704 -prefMapHandle 4696 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6db6e4ce-b207-43c4-96bf-489498595b2f} 4104 "\\.\pipe\gecko-crash-server-pipe.4104" 4864 2453ac55958 tab
3⤵
PID:2248

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4104.7.985925781\2062753640" -childID 6 -isForBrowser -prefsHandle 3128 -prefMapHandle 5356 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {374b0a7e-3726-411d-967f-1ac3a43f2710} 4104 "\\.\pipe\gecko-crash-server-pipe.4104" 5436 245358ce058 tab
3⤵
PID:2648

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4104.8.1211001264\769576717" -childID 7 -isForBrowser -prefsHandle 3168 -prefMapHandle 4196 -prefsLen 26725 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {feebaa74-c8a4-4df1-b443-13da4a2bf76a} 4104 "\\.\pipe\gecko-crash-server-pipe.4104" 4276 24538d04758 tab
3⤵
PID:5856

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4104.9.2064125967\1952368283" -childID 8 -isForBrowser -prefsHandle 5112 -prefMapHandle 4708 -prefsLen 26725 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7aee78d1-426e-4d7b-a331-8d9e9b7cc434} 4104 "\\.\pipe\gecko-crash-server-pipe.4104" 4764 24520a62258 tab
3⤵
PID:3380

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4104.10.1208244819\2083333456" -childID 9 -isForBrowser -prefsHandle 5840 -prefMapHandle 5848 -prefsLen 26734 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c06e6d6d-1697-4229-8a18-adf3daa6092e} 4104 "\\.\pipe\gecko-crash-server-pipe.4104" 5836 2453c847958 tab
3⤵
PID:5244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3640 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:5176

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1640

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Trojan.Ransom.GoldenEye\GoldenEye.js"
1⤵
- Checks computer location settings
PID:1492

C:\Users\Admin\AppData\Local\Temp\rad79044.exe
"C:\Users\Admin\AppData\Local\Temp\rad79044.exe"
2⤵
- Executes dropped EXE
PID:5904

C:\Users\Admin\AppData\Roaming\{70244ed2-e7c3-456a-b703-e0a32f61527e}\Netplwiz.exe
"C:\Users\Admin\AppData\Roaming\{70244ed2-e7c3-456a-b703-e0a32f61527e}\Netplwiz.exe"
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Users\Admin\Downloads\Trojan.Ransom.GoldenEye\GoldenEye.exe
"C:\Users\Admin\Downloads\Trojan.Ransom.GoldenEye\GoldenEye.exe"
1⤵
PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\cache2\doomed\30847
Filesize
21KB

MD5
0a38161a0572a90f9018c8a83bcf35f5

SHA1
a63b3bc35be4b5abc94c22b0d81f5bfac412dffb

SHA256
663e5a7200ac90ddd89fd3e00942ecb305c9c963de7f3894f9dab79103938f5d

SHA512
58ee2d15cc1b999d80f51e13460b886ebbb4b0c4bf2af4822fc2e52b395c1fe710d0de4314d5042138a5f340b18ade2a3510bbf1197e343c4a27f476b72fd7f6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\cache2\entries\0CDBF8D53B1FA479FD897DE8978105568D14E92F
Filesize
105KB

MD5
f9900f3141060ad0a78abb269a2e19c4

SHA1
e1aff99abacccf6a1f62046c3e39f897c36f2464

SHA256
05b520f805b29b914a12d425dfa2b782e62955ae660c26d42c3e9fa28e287612

SHA512
2f0a6ac8ea7ab3c8a96bdb9b5e2c671697132159d21c0243012645a593c032605e0b62570ad0372287b68f7731a40e47f8b6cab8e92cec4ac86cca3dcabc1ae7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\cache2\entries\8FE6BB5B069E32193FA90551D0CABC9D6A7D8B08
Filesize
955KB

MD5
0fbf17e97cfa09703b4389a12d1607df

SHA1
e05a630c75e67c42ed0fe1600e497072651061e0

SHA256
532c34dd62f821a4fe795e6b2adee425c15dd54e3f1c5898421a6959e38bad49

SHA512
84ab2ed291500a4140e93b75ef8154c6f02f03e51f602e087ad7546497466c147cab8c3a1f14eccba80a17131aef34f32ad5b0425f1b8a7ede3bc2e685071e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\rad79044.exe
Filesize
254KB

MD5
e3b7d39be5e821b59636d0fe7c2944cc

SHA1
00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88

SHA256
389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97

SHA512
8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin
Filesize
3KB

MD5
bb2af3f3777e39bcdf1dc6d8b6447b32

SHA1
281043cd8538c45268132617d63687db8e66cfe3

SHA256
86e4615a95714af3119ac12cb19e55453b7d43a5ffb0171540aa8419cc8d6d2e

SHA512
220d44bffc2edec73cdc1cfd8c07c5e11da5ecc177c37b2d20ceb8a0db8dff5318965d184a6dcad7fba193bb9cd2edec6895ae3d37c7dc3757e08a5c2394c319

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
3f5f8accbbdd38a57628d4450257dc78

SHA1
c256045318a507383a4a76f645a843f677bc1c92

SHA256
e1b2fb9996fa9bed4734dd0ad43fd7bd8e18993eb5634bc9e4336e956656e43c

SHA512
d4b40829f37e96842548200bc3e86a6e9e17a96be7fcedca8137491323788c433c1bd8a5d7005e7013a93ec19ebe54f68ffaee80cce3c3a407c311af0ce2ff36

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\1943cf8b-bd07-44e1-b9bd-dc2f5311296e
Filesize
11KB

MD5
7804d7ca1f7e99c92d3d81c315e82d7a

SHA1
9e5210169bf1a79303a1e611142f0bc5cb1d033b

SHA256
2d4a2d3c4e53890ec043dd43bc563ed319b214140c94c157e018b1ee707433a8

SHA512
c5ae8a944a390956ce9d625ffe613ad218b34da2491eae8bd44443a4ce2b0c7b8e4d2bccb48a6fadf93fda9d5e882429f2a9f9f468935feefe88d8c7c69dbac4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\79eab65d-28be-46fc-aec5-a62774f5b5a5
Filesize
746B

MD5
74c6633b9234adb24a99c412c2b13320

SHA1
5ece574e8bc57330e84d3ea32e0b44c8dd224ead

SHA256
c18152080ee90cf8b44eaed8357885ed74f789ba44d22a8b6ef2740e8dc58c80

SHA512
ff63f3e6f05bbeabe3c0d54a0cd531a319cdd1e97546e65a9728bd9bb8804f5baffd33e715774c1f3051dc6b1aa8ec941512d5fd0692c277319c32f21a5bddba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js
Filesize
6KB

MD5
6e41aa1e82d46c9e34f90f7b9c0db9f3

SHA1
431028e5aace18117f75643f9224ee5b1befa10c

SHA256
877ad22dde75479336550430748e82a83b667f92bd1e75b6fab6825206bc89b1

SHA512
d9f153bbae311aa65840c959809961d98bd691ba9e8b8cd0815186af029b7daf5b5e4ad34bec2ad4f9258b98ca5c6b04df03497e38cd236a102cd8889e502f90

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js
Filesize
6KB

MD5
0d0dd55929ed86c9d3c12d82f92cfeb2

SHA1
56e5b03b0cc5925ecdfdbeb2f93c79887b16d441

SHA256
78fc7227d2d7f59a3279c6b498bcb8a378476d58a58b2b0f7f81b363d7a1bfbd

SHA512
38b3b3c8bf6a9bc2bd6cce2fec81d2b46674b98b01302e6dfd7f480e53b423ca3beab7a79c33af63dc47660c51bb63e6900df6c5bf2e6f3927b66008b984a408

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js
Filesize
6KB

MD5
60704d68ecb72a82cb0234227f5be2aa

SHA1
cf0cf0235ecce35d3dece37116b2962833ada336

SHA256
b32520edbc154cf1c07374f5d3a14fd02fb8f0e7db72b402550fff95c63c37e9

SHA512
6cd66364316c987613e851f23f84e12c0daca6fc8cd6a6946ea241f82fa17872020f34114c7ee839669b0e52e633785914988c37097907764c7c4b9872197a31

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js
Filesize
6KB

MD5
b48b770e4bda6cb9ef025a2e90e11ade

SHA1
f4540b9434258f59fe3b3b97a191fa6d2dcc728b

SHA256
a49e8de997161c9ffc00bc5633f079913173db5239f0326f74480671d822abe3

SHA512
591cba7f5278d1c129c78df476543ca76e6cf6adb28ad8eb3ba274d58d3f99f619b06c90854921aefb609536dfb18097b0a452c2a2fbb09842eb7ee063ca0fd1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
6KB

MD5
f50e9b009a9ef51499728f333871efb4

SHA1
986e3b1c4e39ca46071b72e1db580767442905de

SHA256
a5c78b0923d242b84f154c5f294448cb6d89c66cb65dee8563ddb87f17850759

SHA512
e71cfcdbb8ad4f31246932ff016eb7187b52d03b10d2dbc01249ff5468ead13b770d04e7384ec296562749ddb444f3f0d588c361bf01fec724a2132297ba4d1b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
6KB

MD5
6052d54263d3fd1bc8db266db6fe4e4f

SHA1
aaa8ed9cb3d606acd900d67002b1108702ba85e7

SHA256
7b3c4c7a828e0ad179ef50edb0aa290c552d4849464756e8d9fe2b4461b0d47b

SHA512
49c6723ea0c9fef68946aa303fe17dfb4c89fbf9c7a53e0678a2902e259733ff33d9403574feef953214b656046a97f3e6019d57e77bbfb5c74cb80366ca46dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
6KB

MD5
b0d41b2c69d2d44fc3980390c82573a4

SHA1
ebfa8419ad7dc0236ae4cdd1928693e031ea3dfd

SHA256
3461de0dc6574acf402cae7abfc0bf82c734c36e74467a8cfdbb2705b65da6e1

SHA512
5961f053a659b44a0adabe54e5b5121bfd32b1685832e9deb392ab3399facaacfe4be9054bb7a9b05c897adaf71a7ed27d5db027ac22c3b47e17e8953f8e7d44

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
6KB

MD5
6b73e6162730ccdfa25332c0cf88101a

SHA1
8d2711f20c8b33cdcf3f519183fbf867f3059066

SHA256
4f5a1a294329aa243938eac035fcbcc9c2fa98c3b1dea6b4781da138904ffb5a

SHA512
713068d9cf19cb90b8a0097961d930dee19d2ae5837a286b84589876c9b0289b87aed8e1f91aaf4e53cf3688881e08f30f3005f158bb74e6aa0d83fc8323722b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
7KB

MD5
6ed9e4b4c3fc2b4df8b0bfb503a9893c

SHA1
85ace02fe154c618495bf50b3eab33789eafe6fc

SHA256
fb350aa050d71a6a1ca5f75761f7881d643fdc791aceff92236ddd31cfe43e07

SHA512
961ad02bccf54a08cbb8db585cfb2d03a230f2a941cf9f95c54e83076a9c570057037d7760f8674b071b7ca1b0d6be7c1fbc80c841e642bbe702303b71cba12a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
7KB

MD5
a98534557f186018ee08a63abb6b8ff2

SHA1
104a08673f25b79fc26e53be1e73041f3809b145

SHA256
9812e652f540f65b1a56498241c9f9e93dcdd6c8b75d332edc63f2a6ee48a7aa

SHA512
788323b86180d0ef88523b4c5cfd18649a3edff55775fb7688bd638b8dca050fb41303d0ab397c30e0ecb1980e99efa86cb395574d35f950a94ed1164e852fdf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
8KB

MD5
11f666d3c0a1cf29aa17006df1a555f6

SHA1
8fbb70cc1c0d21b8c6aab06c54874edc0a97da88

SHA256
b9d474df0c7882909dede87af8e493a65a7890b5d9a132e14eeb75ae5d3c1f99

SHA512
585686d9fed3bd4635015367923ee4852bb15644d12259bd67745735629460665bbc7a45a0bfb4c10b19deac6db23be17e03c939b43c08399591a78c7c747aed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
bd08506d7773d8b310f69e961459e235

SHA1
86c41dee34388d597b1dc6d81bd6aeba99c1513b

SHA256
0676ad707197211cecfae34408d65be20a4dd7547acc15f7eae5c00afd28dfec

SHA512
f69288ed327718924861b9493bb955a2c875e74659099204a86af72385ba4dc23a604fb3e184b58c0faf02d4abe6fb9f1a12cdf5c11463c271547f5e86e5f30a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
34e7d5044cfce23590bab91d5181624a

SHA1
4a4c9c6c8825490e355ddb4f9672b1688e5c2c9d

SHA256
878c4ecdfd97822ee7a7e1aa9f75eed6e382892a950066d53960298c2eaffaba

SHA512
c19db8fdeca9772710a42a79dc961bf29914e79324f4142452f52460038696fc1c2844c961898b1e45973ccfc2084a6a252efaa59e641538681f95bff9703a54

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
82f328cd0d4c2849ed5b4953653acf46

SHA1
2c235987ebc9fed2ee65f922a0ff3f519f8b1eb1

SHA256
ff39ee542973c419a9dc1f0af89fb80097a37ff5c5e89ad35fceba19fb6fdc1e

SHA512
789aab4fa96cacf002e647749de5450b9977dab02804ff2e93802e43ca759383689dc44c331cc6f749559066a40a9cce3f5eadc2c6d60facb2d9eee95df6ea76

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
6KB

MD5
fefa1c4d76c561af880a934f862fe51b

SHA1
ce026f1225a071c6f96364405f786f65edc5b4e7

SHA256
aacf9d1c3ec02898aa4c8a7f4e94f59efba0e00ba967690e72b642ac5e59c0ec

SHA512
f550c00f3d5148930afe6ce07a8e5bd3e8c1c84971add36f09483fa0b86eb499a51994c4383e018336376c489e1d308bddc97bd070f4356bbc240d021a5ff83a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore.jsonlz4
Filesize
7KB

MD5
e5235d52f63ba05c84411af827380f1f

SHA1
02b5414872acb759329809d43482c82d53a4c67b

SHA256
6245632cd72b405b18cd72974ee3df5d6a73e01c87bd292230e312e67e064d50

SHA512
1ee8ccfb0ba407bc961071b2ab97587796ca90a21cbfa9909f3ea4b54faa6a1998c4ae339239ad056376ad1e59c0b174208b738af3c3ff5fa4d4fdf0464e1897

Download Submit
C:\Users\Admin\Downloads\DGEzPqTk.zip.part
Filesize
323KB

MD5
fc9a825f9d890c48a1680ba6edb404b6

SHA1
187ad9c4164e57674f770b05a22d62a12eb86c6f

SHA256
24e74afd2f0d567fb433a84af7065770ba4f75825bf071dc5862eee78009bdd1

SHA512
2b7f1b102ebc42eb5524a1e689254ed31540c53f2e268e8506315aacf1ec103eecd36d7c3462011bd424ce664f348f2ae1c52345d071942c68bfa8cd62f7ab79

Download Submit
memory/1752-906-0x00000000005D0000-0x00000000005EA000-memory.dmp

Filesize
104KB

Download
memory/5904-894-0x0000000000A30000-0x0000000000A4A000-memory.dmp

Filesize
104KB

Download
memory/5904-893-0x00000000005B0000-0x00000000005C6000-memory.dmp

Filesize
88KB

Download
memory/5904-904-0x0000000000A30000-0x0000000000A4A000-memory.dmp

Filesize
104KB

Download