Analysis
-
max time kernel
568s -
max time network
543s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
09-05-2024 17:19
General
-
Target
Batch CIA 3DS Decryptor.zip
-
Size
5.0MB
-
MD5
61f5ea0a2e7553a9fa43c4dc208ea17f
-
SHA1
4b2fb1c00d55be894184f098a334daa5b08e555f
-
SHA256
e6c7b104a0a3f8f2f639b767e4be9ab483a1bc57465de106653f211f3b4205eb
-
SHA512
0935d4f5c70d26d74e865b1bace7521f28921aba5745e4621cb8d783f101966837e9eed48e8440e532ecb561d8ee2994c0bfccab461a2d5d8e806e0ad87e25fb
-
SSDEEP
98304:BqYqU2RGhR4qGipsHHF0Rf8KJ6K1jZG8y6Y7yAQlkt8FCEjnpoJyTG6UJj9/X5:AbO4qF+n6RfrJvG8wdbtipoJMUl
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 32 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 2 IoCs
-
NTFS ADS 1 IoCs
-
Opens file in notepad (likely ransom note) 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 16 IoCs
-
Suspicious use of SendNotifyMessage 15 IoCs
-
Suspicious use of SetWindowsHookEx 16 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Batch CIA 3DS Decryptor.zip"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4304.0.1192582909\1789331086" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1afd386e-ef0f-42b6-bc2c-280a29ed3482} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" 1836 1a212a10b58 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4304.1.1607402716\1293413711" -parentBuildID 20230214051806 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7aaf7d1d-2669-4ab9-9aaf-d0e0cb2d6fb8} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" 2404 1a205c8a258 socket3⤵
- Checks processor information in registry
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4304.2.689255872\548799357" -childID 1 -isForBrowser -prefsHandle 3024 -prefMapHandle 2888 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e380383-b3f8-4226-bc7c-5114c5e148c0} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" 3128 1a2154e8b58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4304.3.1125202052\803472516" -childID 2 -isForBrowser -prefsHandle 972 -prefMapHandle 3576 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7dce61e4-6b8a-4797-ba5d-5e98dfee3324} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" 3548 1a217685b58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4304.4.281314237\1973021243" -childID 3 -isForBrowser -prefsHandle 5052 -prefMapHandle 5068 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b973d7cd-2fec-43b7-b35f-94905d6e64c7} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" 5036 1a21972b158 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4304.5.2009284356\224093140" -childID 4 -isForBrowser -prefsHandle 5176 -prefMapHandle 5180 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7f4a6f9-fad4-492d-8522-bfb6e0dc97f1} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" 5164 1a219d74958 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4304.6.733998866\67035728" -childID 5 -isForBrowser -prefsHandle 5388 -prefMapHandle 5396 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca9998d4-97be-44fb-8a40-a6ab9c3c28ed} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" 5340 1a219d73158 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4304.7.108798650\1526676082" -childID 6 -isForBrowser -prefsHandle 5616 -prefMapHandle 5600 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4b89b84-8088-43b2-a0aa-a335855d3858} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" 5964 1a218372858 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4304.8.1006307812\1117683158" -childID 7 -isForBrowser -prefsHandle 5020 -prefMapHandle 5024 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56884104-e417-4371-bbfe-1b55fcfd0c57} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" 5592 1a218639758 tab3⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\gg\Batch CIA 3DS Decryptor.bat" "1⤵
-
C:\Windows\system32\mode.commode con cols=52 lines=262⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\gg\log.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Users\Admin\Desktop\gg\decrypt.exe"C:\Users\Admin\Desktop\gg\decrypt.exe"1⤵
-
C:\Users\Admin\Desktop\gg\decrypt.exe"C:\Users\Admin\Desktop\gg\decrypt.exe"2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"1⤵
-
C:\Windows\system32\mode.commode con cols=52 lines=262⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"1⤵
- Checks computer location settings
- Modifies registry class
-
C:\Users\Admin\Desktop\gg\decrypt.exedecrypt.exe2⤵
-
C:\Users\Admin\Desktop\gg\decrypt.exedecrypt.exe3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\gg\log.txt2⤵
- Opens file in notepad (likely ransom note)
-
C:\Users\Admin\Desktop\gg\decrypt.exedecrypt.exe "3DS0007 - PilotWings Resort (Europe) (En,Fr,Ge,It,Es).3ds.7z"2⤵
-
C:\Users\Admin\Desktop\gg\decrypt.exedecrypt.exe "3DS0007 - PilotWings Resort (Europe) (En,Fr,Ge,It,Es).3ds.7z"3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Desktop\gg\decrypt.exedecrypt.exe "3DS0007 - PilotWings Resort (Europe) (En,Fr,Ge,It,Es).3ds.7z"2⤵
-
C:\Users\Admin\Desktop\gg\decrypt.exedecrypt.exe "3DS0007 - PilotWings Resort (Europe) (En,Fr,Ge,It,Es).3ds.7z"3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\activity-stream.discovery_stream.json.tmpFilesize
23KB
MD5e86968027b88cb23fa7c871ad42ad809
SHA102c8fb714556aea4d33cfb49b58ffa03f807a925
SHA256b0b84ced15c9b7ba408761baf06504126982f80881223f82dbfbe122114f8844
SHA51256e27ad74a6e458400bb6a4a47a8bf9b6ac2ca073068c875eafeef4e02c6da3caa601f6bf102e612001c5967d730ff2ad147e10ae2adc5da68f5a15754ea1c1f
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\cache2\entries\CC9AFF3BE02AD27708D587AE49B3DC68644172BAFilesize
13KB
MD5ff9496c2d0b3a499833e533830e4038d
SHA1aee00f0df4825c21ad45a9f4a74bf383ea5cb579
SHA2564d17685a35df4a054e295a87d0d1ab12db4997841d6ea8fb71a99c1478c5463b
SHA5124c0621e89d6e434de8c6607c39f1d008e0c4b1e2cac945b884947506cffffa52676eb232752a33ee351a37b827fae7b7a970d6ef1bde39bc9b98fd22f62d2bb9
-
C:\Users\Admin\AppData\Local\Temp\_MEI59042\Crypto.Cipher._AES.pydFilesize
30KB
MD5fee0d3b5e4d558b7f50b39a39a6c22fa
SHA18de9c523389e6efb8c57dd8cd9ae1ea667b03f1a
SHA2569072e92e648e4049a3cccb981ac3b5c97114dac0dc69e94daaa5a6b0f75b2fbf
SHA512a74009f18291ceeed1bfb55cb05ff9fb88d4549f6c82e792f9ea2bf451728989e427efa5e40916dc031e05234dcae8f56c791f8067b578b5e61e1e16167c4419
-
C:\Users\Admin\AppData\Local\Temp\_MEI59042\Crypto.Util._counter.pydFilesize
10KB
MD51d2a5bbfe1b75bab56178cb8ad1276b5
SHA1db5e86f806b4c11c97197a4bde3be2211fa4de33
SHA256eea2d7e4436e6907fa1db6204ef525e5ea21cfbf3151e2e00fda83d8d860b462
SHA5123a9984128a7330dfbbf0364e562816acbd9842eca2bf43a54ae42d561770745db516820d965464787b21858b635e41fdaecc2c91abddd733ba345f269c95964a
-
C:\Users\Admin\AppData\Local\Temp\_MEI59042\_ctypes.pydFilesize
118KB
MD5e15a8623d227db645c00a731f45ff339
SHA1191997f0ab3fc7b209f8ac948fcb866f2193dc57
SHA256b21637ce6acd18dfe911a0392f491da9dca3787f66fb8ad0b50eabc2ec37c1f9
SHA5125d1f24d8c77c66ec055a9ff51366743a87aacedcdfd004f7d9ed75990dd7906a27dde0f432c21cf2d9db4eb0e1968212b71571c47e5f39ba5a04de75aca3a752
-
C:\Users\Admin\AppData\Local\Temp\_MEI59042\_socket.pydFilesize
49KB
MD5d2331f27c43c5bacd203c1a9fbd0057f
SHA133f17a65381d1ef0d683c7ccead67c12ee40ea3d
SHA2564e06766f7679b824f40afe07985dda0c26718ff2f9eddecf412dde5ee4a19249
SHA512d901cba774f1c0b3e8c221909fab0d8cffeb84c761b92702655900a9cfec735fa19d870c8a5b1ffb326b922b23480fbb5de842d9bc25d260c38f5d46aafcfc72
-
C:\Users\Admin\AppData\Local\Temp\_MEI59042\_ssl.pydFilesize
2.0MB
MD5c0f47eeac56cf1a8a2e8904ba5344b97
SHA111611fa852f241ff73b2df286d60810efb146106
SHA256a2c27832e0e73aaecb501edaf594a74ccde2c9fe74912607644c664dce0e8c39
SHA51283cdb282856138756fd7412bb8b40bbc097c1763ab625d73711e9d8d3f7b73ebba66f956ab942b57e59de6e5d9c454ec2d5d90c2ff7e58c68857718e2763932e
-
C:\Users\Admin\AppData\Local\Temp\_MEI59042\decrypt.exe.manifestFilesize
1015B
MD5bd481c2264befefcb67f14ff6aad732a
SHA1673c81559df226c9371cfe4abb3cca44a80bec7a
SHA256c66a6dfd70b89b0bc19b982c0aac52a9626b7869fcba0642308a3aa35de870d7
SHA51230b21c48e23e923a0634e795296eac35688f386ae34203aaa0c5c8b63b1ee3c1fe821bff745fd1cde0c4c0134c764e70c7e13050bff45b41ed9801c8e131679f
-
C:\Users\Admin\AppData\Local\Temp\_MEI59042\python27.dllFilesize
3.2MB
MD55a1a820dd6db24e28084ce4b2f286147
SHA1a9c0112f183ccd05fb8b5e423bcd5dd39d49312f
SHA25675bd6533c64b50ee970bc0484d1c490f4c65b4b30cf734d0778c1bb7ed84887b
SHA5127bc30495440f7d96c0f6155bb286d2ed35f97266bde7eabac81897e6d4f5d57a1608a865a99412178640e46eb63be4f3dac1e48bff3fa4421edf5371e8d57242
-
C:\Users\Admin\AppData\Local\Temp\_MEI59~1\_hashlib.pydFilesize
1.4MB
MD55af923146b2224a468044e5e215cf3c5
SHA123faf7f46072746443c8ef5c5b26d050fd612a21
SHA2560c9013b02b5bbcd694300c230b310179588191f6154398d10b86f972b5a946ac
SHA512d1a1029c44f52729cfa066dc19cc927aae7d070a227850a1051da27f08ba7654717f1d35946642ca3af3c6c37249dfa58447fb9544d102ae5d1bccd665bc0da6
-
C:\Users\Admin\AppData\Local\Temp\tmpaddonFilesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-msFilesize
18KB
MD57cbd11689fd6ddf40b675c4081adf412
SHA161383f90c5ef8baa834cc86fe64e7d5f92415808
SHA256e30de9edfe64b7e43fb3b88db6badb85cb9f39f3bad21d02018f54e9f927e26c
SHA512c274658f6412e8367bc60ac197b1acb8b2fed3f45d5887a4532484c999b9a4721cf53a0fb6499e9c427d7ff0a96a7e39b7a027f179dc0ca057c474c2d7fca4f7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dllFilesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.infoFilesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txtFilesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-widevinecdm\4.10.2557.0\manifest.jsonFilesize
372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dllFilesize
11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.libFilesize
1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sigFilesize
1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\prefs-1.jsFilesize
10KB
MD5900bcccc7dbfad31c5731c0caae1eab1
SHA1b85e19e2ac2bb7814a6c350b35260852b9698804
SHA256ed957fb0046b6c781b7db671e47aa819b48d90c71b05fe3bcea6682a534fa50f
SHA5121203d218a8a499b46bdbda0f4dc046b6b2ab28e6a8b4cbbe856430cafc4ab7a148586f0fb8a02c24e329e0b43541d1bf812b1db136f08f8eb9feb2fc413543f2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\prefs-1.jsFilesize
6KB
MD5a59cd985411beecce1c2ad65a4f6a684
SHA18be0bd9811f38762d38376d20679d4ec773fbca7
SHA2564b336c2e95eb5de345beb2ad04628747f40049519f2f4b2e7efb35b7f517d28d
SHA512f315e10b5f4d50635be97acb1427bf8d71767570d07375f912b35630319230b129a3f47046c19e673fac5c28bd44204a4282da4bf45c9b1c782d6f804d320098
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\prefs-1.jsFilesize
7KB
MD56955715f6ac3bde4c1aaaa117f9ceeaf
SHA1b5231f329ad984c0a1b4e5e674e002d88e90ab09
SHA25672c237b1155fdeae6883af27c10b50b223564ce76b2fecef6ccdce48e7e95309
SHA5124e15950693bf47e0021f2bd512c592611ebc50eed91130cd358e6d8a86b8292ac7969b6d359bc758afc77b88e2ec36dad71c3d15309c3474930c0f52ebb79b78
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\prefs-1.jsFilesize
7KB
MD58715d3f4926e48acf3223b0c91323286
SHA163e6f3bc239817d6f3ed6525b61515a637640cf2
SHA2560990fc121af3e4e465928b2eddaff7ae6035cddc2f36882f97d1de14524a75d8
SHA51299a2333d9686ba5a0c8b50deed44d6289f7d1752f5b702432a93fdb23efa59f07360767eed9f5abeed91a33d88ea8fdd207664bd2a7100974bab2d0de080390c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4Filesize
3KB
MD52f570c5d446464665f4ee27debea72a3
SHA17be9b44bd749a49d3ac8766b3d638d5274b83108
SHA256a7048c194b920998d1becb06678da0e30fb6fcd286ed54e5688022af3e4fc648
SHA5126f18a970b1211fac25d459d6a5cacb1b7fc0cbd6d5ac183514f153cdb0fbb583014ddd3c57a7ac3e9812d1974f0c442eeb27e98f2690d3ba86dc4f7c91a699c2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4Filesize
7KB
MD5108e7742f40bf281a595b6a852c7fc5f
SHA18abe5a022ab997a31a5625bec61129722306d11a
SHA2569efb7c6712e1fde9cf9e527d03bd322a6acc0be0823811ac1f6dbd75a0de4c62
SHA5123fe931f3944a6557677d71337b2798c66112fc1ef9a034bcae5aec63f0f3781faed04be23d714caca1b3f38f341f94cd12f14b739f66b5a200bd1698ed706061
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4Filesize
8KB
MD5312b858d419bc9c4c8c224d05877d2c3
SHA19a59dd91a4dd17cb3372c05ba6e14e4c550469c8
SHA256f2901f5238f6aeedaaa814d2ec1e149e1d5720f839f12cc04694f4b589bdc3e0
SHA512c30d219355364ec213be0b79d2c28991122b053e89020e31723f0af1b70bb39a73970771a204f1ffcfc753bf791282af0835bc7ef1b0729cac4812f82ba68371
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4Filesize
4KB
MD5bc5df771d44ddbe8ed0544fc03436117
SHA1c6e2f1d929e684ec06d722145518ee422de1d279
SHA256fb7da4a3d111266458376e85a1c947d436ce890cf7a6fd605a8dbf9936e09eb4
SHA512af4594d5addd48ae388c31939af68e001c1c3889ac50a7b8611bfe432ae2b08d3a7e18498ff25c9dee17356970f9c84bc2a7564721601eda10b0b91b57429b89
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4Filesize
8KB
MD5543ddc031a7945abb6f5425f3fe40c3b
SHA14cc533fcadf8115f51aadd283887b05bf78dad67
SHA256e3d7fe808beb5a6ad8964fc4511e8912376cec3272c999c4b27eeef592e0d434
SHA512661fda58393d917b220a911665d1e35c903dbac37124eb0f425544a0d75e0411d9aa3b8ecb395602cf72575e6c8dffa4847dcd06ddbd30d1dca04e2e172b40c3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore.jsonlz4Filesize
7KB
MD5064a6052be990731f276ace4a1a6ed0b
SHA101ebb5d0564a148ec53ec6f2589aff448ecf3a6c
SHA25610c6f858337c1f704272f114869a92c77a19fe9d446a74a6e2af135476b74cf0
SHA5123f6b29b0ad697af4a5540574fb681dead308ed452bf9fa862115821460246e9272ff7f1ddb41aa926b7f41b4a49bf716bd49a6fe68b15daa7105753a3149cd42
-
C:\Users\Admin\Desktop\gg\log.txtFilesize
29B
MD54b5f792671a611c8d1301f27df618fcd
SHA149e6e59026b575be0b32681f2a202fd10bdbd6f8
SHA2569f302f6fd13d88a665fa613a7b16ee65323f238a83c6e78cc305eedcd9b8961d
SHA512f3e14c52079a2458679b65f280ec563b677f77bd2fc9c431587fd11e1aa8bfa180065006acb1087c946f58e0a2025b91dba96606cc1f65ff4fb7440ef7d38219
-
C:\Users\Admin\Desktop\gg\log.txtFilesize
29B
MD5e3af8581b4f1a2e06a132adc6de90bc0
SHA1d4ded4d2926a76ee6c5b8f6068fcc8d9b91e1a43
SHA2566624bb00954e91355b9e380e922f921cc36ab6335da7d1703d826f4831dc61b2
SHA5123e2378082f2d3bd1103abc3ddbc327f399e4c025b99ae51c7b9674632901bdbbcd23284ec64e9c26dc8b8b428522e4fd0ba6989c3943bde76c967eea2749e02e
-
C:\Users\Admin\Downloads\3DS0006 - StarFox 64 3D (Europe) (En,Fr,Ge,It,Es).rqjiUfAS.3ds.7z.partFilesize
15KB
MD56d1e71d6f256edece9d143ad7b06ece9
SHA19cfdbc25b6a6ffb5b9bdbcff7d6f103b60c26fd8
SHA256f4cec34411679721cc198a808ee0120750e86633b6e3923ec898df0772cc1e9d
SHA51266d0dad8345a498f8dc92326973df621866f1ef6a7cf64ab9688d970fe2b37b2b01d5af6dd6ca956c7944c73cf35dffa7a7afddf3c3974e23b0220c324d5396e
-
C:\Users\Admin\Downloads\3DS0007 - PilotWings Resort (Europe) (En,Fr,Ge,It,Es).KdT-Txww.3ds.7z.partFilesize
95KB
MD537d24e8a94d00c64521b4d9c79e05ba1
SHA17947700879af5f5a3e038937fa913f5af03594d6
SHA2566a2cb4a47a7c3508e15ce19006ff115b3b713bff3d40ce69dcb92f7b2e72c663
SHA512a528d43920c2251d21fbfa1566ce9cbf092313759b6915a2ebcb0f453415240d9c116623e6ff9a719a75d16941ef5592fe18568a4c2382bf9340f5a808e7147d
-
memory/1520-2631-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/2684-2639-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/3512-385-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/3780-2605-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/3900-338-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/4820-2597-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/5848-393-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/5904-346-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB