Analysis Overview
SHA256
9a28b37b1a41ec52993017236dd78e7259b95395bfa50227d93234d6248e3edf
Threat Level: Shows suspicious behavior
The file z.txt was found to be: Shows suspicious behavior.
Malicious Activity Summary
Modifies file permissions
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Opens file in notepad (likely ransom note)
Checks processor information in registry
Modifies registry class
NTFS ADS
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-27 18:43
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 18:43
Reported
2024-05-27 18:45
Platform
win11-20240426-en
Max time kernel
141s
Max time network
143s
Command Line
Signatures
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Note: the icacls command line under Processes shows the grant target is C:\ProgramData\Oracle\Java\.oracle_jre_usage, the directory the Oracle JRE 8 usage tracker creates and opens to Everyone when javaw.exe first runs. It belongs to the javaw.exe launch of thunderhack-1.6.jar, not to z.txt.
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
Note: camo.githubusercontent.com is GitHub's image proxy (Camo) for images embedded in repository pages; these hits coincide with the github.com browsing recorded under Network and are not by themselves evidence of C2.
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\thunderhack-1.6.jar:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
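The Zone.Identifier stream Firefox wrote on thunderhack-1.6.jar is the Mark of the Web; reading it back tells an analyst the zone and, for browser downloads, the referrer and host URLs. The following is an added example, not code from the report or from any project it names: SAMPLE_STREAM is constructed with placeholder URLs (the real stream's URLs are not on this page), and read_mark_of_the_web only returns data on NTFS where the stream can be opened by name.

```python
"""Read and interpret a Zone.Identifier alternate data stream (Mark of the Web).

Added example, not part of the original report. SAMPLE_STREAM is constructed:
browsers write a stream of this shape when saving a download, but the URLs
below are placeholders, not the actual origin of thunderhack-1.6.jar.
"""
from __future__ import annotations

import configparser
from dataclasses import dataclass

# URL security zone numbers as used by the ZoneId key.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample stream (placeholder URLs, not the jar's real origin).
SAMPLE_STREAM = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://example.com/releases
HostUrl=https://downloads.example.com/thunderhack-1.6.jar
"""


@dataclass(frozen=True)
class MarkOfTheWeb:
    zone_id: int
    zone_name: str
    referrer_url: str | None
    host_url: str | None


def parse_zone_identifier(text: str) -> MarkOfTheWeb | None:
    """Parse the INI-style stream; return None if it is not a ZoneTransfer record."""
    # Only '=' is a delimiter so the ':' inside URLs is never treated as one.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:          # no section header, duplicate keys, ...
        return None
    if not cp.has_section("ZoneTransfer"):
        return None
    sec = cp["ZoneTransfer"]            # option lookups are case-insensitive
    try:
        zone_id = sec.getint("ZoneId", fallback=-1)
    except ValueError:                  # ZoneId present but not an integer
        zone_id = -1
    return MarkOfTheWeb(
        zone_id=zone_id,
        zone_name=ZONE_NAMES.get(zone_id, f"Unknown zone {zone_id}"),
        referrer_url=sec.get("ReferrerUrl", fallback=None),
        host_url=sec.get("HostUrl", fallback=None),
    )


def read_mark_of_the_web(path: str) -> MarkOfTheWeb | None:
    """Open '<path>:Zone.Identifier' on NTFS. Returns None when the file has no
    such stream or the platform cannot address alternate data streams."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
    print(read_mark_of_the_web(r"C:\Users\Admin\Downloads\thunderhack-1.6.jar"))
```

ZoneId=3 (Internet) is what makes SmartScreen and Office treat the file as untrusted; a jar launched through javaw.exe, as seen here, is not subject to those checks, so the stream's value to the analyst is the provenance it records rather than any protection it provides.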
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Note: the file opened is the submitted sample itself. The cmd /c command line under Processes ran z.txt through its .txt association, which launched NOTEPAD.EXE; the hit reflects how the sample was started, and the report records nothing about the file's content.
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
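Several of the signatures above (file permissions, notepad, Java) are explained by the command lines listed under Processes. The script below is an added example, not part of the report and not a Triage signature: it runs a handful of triage rules over those command lines (copied here as constructed input, with the Firefox -contentproc children omitted). The rule names, the severities and the known-benign list for the JRE usage-tracker directory are this editor's own assumptions.

```python
"""Triage the command lines from the Processes section of a sandbox report.

Added example, not part of the original report. The command lines are copied
from the report; the rules, the known-benign list and the finding labels are
this editor's own assumptions, not Triage signatures.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: command lines from the Processes section
# (the long Firefox -contentproc child lines are omitted).
COMMAND_LINES = [
    r'cmd /c C:\Users\Admin\AppData\Local\Temp\z.txt',
    r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\z.txt',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
    r'"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\thunderhack-1.6.jar"',
    r'C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M',
    r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding',
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# icacls ... /grant[:r] "<principal>":<perms>
GRANT_RE = re.compile(r'/grant(?::r)?\s+"?(?P<who>[^":]+)"?:(?P<perms>\S+)', re.I)
EXECUTABLE_EXT = {".exe", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".msi", ".scr"}
BROAD_PRINCIPALS = {"everyone", "users", "authenticated users", "builtin\\users"}
# Assumed benign: the directory the Oracle JRE 8 usage tracker creates and
# opens up with icacls on the first launch of javaw.exe.
KNOWN_BENIGN_ACL_PATHS = {r"c:\programdata\oracle\java\.oracle_jre_usage"}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str  # "info" | "medium"
    cmdline: str


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def image_name(cmdline: str) -> str:
    """Base name of the launched image, lower-cased, with '.exe' implied."""
    name = tokenize(cmdline)[0].rsplit("\\", 1)[-1].lower()
    return name if "." in name else name + ".exe"


def triage(cmdline: str) -> list[Finding]:
    findings: list[Finding] = []
    tokens = tokenize(cmdline)
    image = image_name(cmdline)

    # cmd /c on a non-executable opens the document through its file
    # association (for .txt that is NOTEPAD.EXE), which is how z.txt was run.
    if image == "cmd.exe" and len(tokens) >= 3 and tokens[1].lower() == "/c":
        ext = "." + tokens[2].rsplit(".", 1)[-1].lower() if "." in tokens[2] else ""
        if ext and ext not in EXECUTABLE_EXT:
            findings.append(Finding("cmd-opens-document-via-association", "info", cmdline))

    # java/javaw -jar on a file under the user's Downloads folder.
    if image in {"java.exe", "javaw.exe"} and "-jar" in tokens:
        i = tokens.index("-jar")
        jar = tokens[i + 1] if i + 1 < len(tokens) else ""
        if "\\downloads\\" in jar.lower():
            findings.append(Finding("java-jar-from-downloads", "medium", cmdline))

    # icacls granting Modify/Full/Write (or generic all/write) to a broad principal.
    if image == "icacls.exe":
        m = GRANT_RE.search(cmdline)
        if m and m["who"].lower() in BROAD_PRINCIPALS:
            simple = re.sub(r"\([^)]*\)", "", m["perms"]).upper()      # e.g. "M"
            specific = {g.upper() for g in re.findall(r"\(([^)]*)\)", m["perms"])}
            if set("MFW") & set(simple) or specific & {"GA", "GW"}:
                target = tokens[1].lower()
                sev = "info" if target in KNOWN_BENIGN_ACL_PATHS else "medium"
                findings.append(Finding("broad-acl-grant", sev, cmdline))

    # rundll32 hosting shell32's COM local-server entry point: ordinary shell
    # plumbing, recorded so the analyst can see it was evaluated.
    if image == "rundll32.exe" and "shcreatelocalserverrundll" in cmdline.lower():
        findings.append(Finding("rundll32-shell32-com-surrogate", "info", cmdline))

    return findings


def triage_all(cmdlines: list[str]) -> list[Finding]:
    return [f for c in cmdlines for f in triage(c)]


if __name__ == "__main__":
    for f in triage_all(COMMAND_LINES):
        print(f"[{f.severity:6}] {f.rule:36} {f.cmdline}")
```

Run against the report's command lines, the only medium finding is the javaw.exe launch of a jar from Downloads; the icacls grant is downgraded because its target is the JRE usage-tracker directory, and the z.txt launch is recorded as a document opened via association. The Firefox and NOTEPAD.EXE lines produce nothing, which matches where the signature hits above actually come from.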
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\z.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\z.txt
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4184.0.1357979792\1430122300" -parentBuildID 20230214051806 -prefsHandle 1788 -prefMapHandle 1780 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {493e540f-76b2-485f-88b7-5760d500dd43} 4184 "\\.\pipe\gecko-crash-server-pipe.4184" 1880 28a43311758 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4184.1.1654601226\97864980" -parentBuildID 20230214051806 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24611308-16da-4401-a9d0-3981b12d4582} 4184 "\\.\pipe\gecko-crash-server-pipe.4184" 2404 28a3648a558 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4184.2.1293404583\933925410" -childID 1 -isForBrowser -prefsHandle 3152 -prefMapHandle 3052 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 1364 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5296b6f0-2109-43bb-a64b-575a0ee8907e} 4184 "\\.\pipe\gecko-crash-server-pipe.4184" 3164 28a46023858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4184.3.889474825\1371103440" -childID 2 -isForBrowser -prefsHandle 3356 -prefMapHandle 1256 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1364 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {527f057a-74fa-4faf-87c4-e710eb742c4a} 4184 "\\.\pipe\gecko-crash-server-pipe.4184" 3636 28a3647ae58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4184.4.1611652508\1689788875" -childID 3 -isForBrowser -prefsHandle 5168 -prefMapHandle 5152 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1364 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7d570b4-77b9-40ee-a896-5f37c5a75647} 4184 "\\.\pipe\gecko-crash-server-pipe.4184" 5188 28a3643ee58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4184.5.365002468\1736590111" -childID 4 -isForBrowser -prefsHandle 5324 -prefMapHandle 5328 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1364 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d6aad79-f62f-4f1a-8f59-257c4492eea8} 4184 "\\.\pipe\gecko-crash-server-pipe.4184" 5316 28a4b866e58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4184.6.1446537821\1870224624" -childID 5 -isForBrowser -prefsHandle 5544 -prefMapHandle 5552 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1364 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dba2b565-5cc9-43f5-98c0-e2afee444623} 4184 "\\.\pipe\gecko-crash-server-pipe.4184" 5536 28a4b866858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4184.7.1984582266\675003607" -childID 6 -isForBrowser -prefsHandle 5924 -prefMapHandle 5928 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 1364 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae5b61a7-8fb9-46e6-800e-e3053072e0f4} 4184 "\\.\pipe\gecko-crash-server-pipe.4184" 5940 28a4cd32858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4184.8.1980604921\445835876" -parentBuildID 20230214051806 -prefsHandle 5716 -prefMapHandle 3940 -prefsLen 28175 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {29f22130-3e7e-4266-9e91-6c466153e50d} 4184 "\\.\pipe\gecko-crash-server-pipe.4184" 6204 28a426f1758 rdd
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4184.9.524363899\1950042168" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 3936 -prefMapHandle 2756 -prefsLen 28175 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a21f03c-6722-46b0-9b18-54cb9b5fb090} 4184 "\\.\pipe\gecko-crash-server-pipe.4184" 6224 28a478e7258 utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4184.10.964091804\834649439" -childID 7 -isForBrowser -prefsHandle 10212 -prefMapHandle 6348 -prefsLen 28175 -prefMapSize 235121 -jsInitHandle 1364 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ff3fdd4-c074-4a77-9484-aed5e66af836} 4184 "\\.\pipe\gecko-crash-server-pipe.4184" 10320 28a48850258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4184.11.376798737\273097528" -childID 8 -isForBrowser -prefsHandle 10132 -prefMapHandle 6448 -prefsLen 28175 -prefMapSize 235121 -jsInitHandle 1364 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa7c95dc-7b6a-43cc-8e6a-872443db0814} 4184 "\\.\pipe\gecko-crash-server-pipe.4184" 10348 28a48851a58 tab
C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\thunderhack-1.6.jar"
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\thunderhack-1.6.jar"
C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\thunderhack-1.6.jar"
C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\thunderhack-1.6.jar"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49728 | | tcp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | tcp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 44.237.65.238:443 | shavar.services.mozilla.com | tcp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.107.243.93:443 | push.services.mozilla.com | tcp |
| US | 34.107.243.93:443 | push.services.mozilla.com | tcp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.107.243.93:443 | push.services.mozilla.com | udp |
| N/A | 127.0.0.1:49734 | | tcp |
| FR | 172.217.20.196:443 | www.google.com | tcp |
| FR | 172.217.20.196:443 | www.google.com | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| FR | 172.217.20.163:443 | id.google.com | tcp |
| FR | 172.217.20.163:443 | id.google.com | udp |
| FR | 216.58.214.182:443 | i.ytimg.com | tcp |
| FR | 216.58.214.182:443 | i.ytimg.com | tcp |
| FR | 216.58.214.182:443 | i.ytimg.com | tcp |
| FR | 216.58.214.182:443 | i.ytimg.com | udp |
| FR | 172.217.20.174:443 | www.youtube.com | tcp |
| FR | 142.250.74.238:443 | www.youtube.com | tcp |
| FR | 172.217.20.174:443 | www.youtube.com | udp |
| FR | 142.250.74.238:443 | www.youtube.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| FR | 142.250.75.226:443 | googleads.g.doubleclick.net | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| FR | 142.250.201.170:443 | jnn-pa.googleapis.com | tcp |
| FR | 142.250.201.170:443 | jnn-pa.googleapis.com | tcp |
| FR | 142.250.75.230:443 | static.doubleclick.net | tcp |
| FR | 142.250.75.226:443 | googleads.g.doubleclick.net | udp |
| US | 185.199.108.133:443 | camo.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | camo.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | camo.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | camo.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | camo.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | camo.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | camo.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | camo.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | camo.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | camo.githubusercontent.com | tcp |
| FR | 142.250.201.170:443 | jnn-pa.googleapis.com | udp |
| FR | 142.250.75.230:443 | static.doubleclick.net | udp |
| FR | 142.250.201.170:443 | jnn-pa.googleapis.com | udp |
| US | 140.82.113.22:443 | glb-db52c2cf8be544.github.com | tcp |
| US | 140.82.113.22:443 | glb-db52c2cf8be544.github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 185.199.108.133:443 | camo.githubusercontent.com | tcp |
Files
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | c73f5cb343416423917d8745a12a15ad |
| SHA1 | 3de11bc36221232d1272e5596876440eae08f998 |
| SHA256 | f92fc60a3e98ae1961187ee57751d740679f462dc70d7dfbbeaafc8b574c3893 |
| SHA512 | a41eec673c462e807e3dc9f8d415b53ed42ffc1372408f08e655909893c6da553991445035570edcd56540dfbedb3b1846e6474cb12714a14e8344ebfdf23e3e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\prefs.js
| MD5 | a2feff1d5e19d861e9bebafef80f14e1 |
| SHA1 | a7023fe693e5efb6a792327fe6d707f3ade43655 |
| SHA256 | 1d3dcb69dd67b4d5b11785923c8ba529e149ec0b0fd34016a7e1c5effdaee81d |
| SHA512 | 92632f742705a974d43f8c2f2def7bc72f98e1994dbffad5c49a5d71d65276e52b53c963e6651a837138e2a516cd23920186faaa9aebea1899d83887b0ea4692 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\prefs-1.js
| MD5 | 57a8e5ca0e846ec5f5a947aa54fc6988 |
| SHA1 | 5868dcd8c5d7bb4a069ce7db4bd8cb5cfbb3b291 |
| SHA256 | e1989966e8b4f3f21e635599bded42ed3b05bb2f1424e642ff77a0fdbc50add1 |
| SHA512 | 34f2c9cb0d7a8047f52bcbda0c5b42761b7915f84e43a8231e25ba8469bb1f699fd8a0d881941c8f016ee4c89f835403b758e22fd30f6fb3f5d370ce28d19e09 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 6ba73caabd2eefbfa34c41aabd1463a2 |
| SHA1 | 15306813951b464cec4fb42985451aeb735344db |
| SHA256 | 04caac7380d4a191c64114ff20ac66fab78f282b627a9db9e5ce93ae1f1e3678 |
| SHA512 | e40bfcd68f401a99cb43b4376fea80a1889b5be63c55461515f4f8b77a13645f13f199b645a89634df32d9145ae5274c86f2e658df8637445b1851121a68540e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 1b77221033a694fb06501b5bced51053 |
| SHA1 | c03571b70730590cca9ca735131fe3b901e3aa29 |
| SHA256 | ea7ae3c79c3700fbbe8e090474cd3aabaaa68759cd39db18b1efccdaf6800337 |
| SHA512 | d10e2b8468dabd08422b0ec59a484c84d2381dc4f033878cd0fbe9b9e8f7a8b41634c95276e3acbf521b617186bfe734321a31ca08d5caa5bc77ff4a43aeaca0 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\prefs-1.js
| MD5 | d45c6c143114aa21bf2ab0eac9a6fc97 |
| SHA1 | bd9a2c29a8bfe1dea5d1af2939224ae850b273a5 |
| SHA256 | 541fdff8a496a04a2578c756790e7320add8baf2d953160e185456c856dee726 |
| SHA512 | c5d06a8a42c6e306e097e52e502356478b8e0fc3622a7daffcd87ebbc6edfe310dce81a6e822372417847e0d6955828f1fcb9a8d1749d7a747e7df0bc1fb1614 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\entries\1158B341543196B1FFC5BA8A0B593ABD33165001
| MD5 | 4587c19a67f2a6ab0ee766b2b0d2e1ac |
| SHA1 | bd03deaa9bb8c9b35fdef9c71469b235b08f4e19 |
| SHA256 | 9ca970cf4202a1a15c811ba96074c3b31cb39b0fea468546855fe9a89eaa590a |
| SHA512 | ade981b7037c49d8cbc676d6590f57ac0ce5c490b983db0746f71e28c3538f01088016d7d76824e2ec9424edd2551b0f8265b0de8d09c9a870e43a192880ea57 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\5354
| MD5 | 5e2a3cadedc19c4cb9ca994a4acf1307 |
| SHA1 | 1e6ddd0137a263df09a464f77e87534aae567324 |
| SHA256 | d5a878fd20d8db2c13d58fab9d213f5d88e1c140b9d7f025d78df43f37f70521 |
| SHA512 | f1ce012198834ce09e4d018c4cf0a015ad060e45991be744bbf8a97c9b829d1a4923bd5f96828bb37686818672c9de876db8a55ec523bcc2e55624fb6860d474 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | dccd1e92d1cab09f1c281e0e227a7e88 |
| SHA1 | 71f28bef50bb53aced7b1b1656bf4da5214c50cd |
| SHA256 | 70bf5c56f77468c9359b5805bedfe632a99081bca11f4e6f6172c83118ce09b9 |
| SHA512 | feaff1b7f7c06930297f83a81bc73710f46047eb7e7264a71e52b051e0dd600bf793bc9dfe9d2be1bfcd76c3e132d20543d5eabaea1cdb046bde605c7b4db9c5 |
C:\Users\Admin\Downloads\thunderhack-1.JohE5EfN.6.jar.part
| MD5 | c1e96a07f785f211c7a643f2ee819da8 |
| SHA1 | 78bea77c5c4f8e3040d9733a56430d14140ecd94 |
| SHA256 | fd569f6ec31422cd75fa3851a04e32de703629d6769f11fa71d4497941701691 |
| SHA512 | da0938098308c31f515c7d4a018f2b88b1ad7194e787aedf4e6bf38a71b2176387638c79faf4ad74f16e5f3eaa74acad77a2912d73e9b354b22a36d7d507de45 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\prefs.js
| MD5 | 18eed9ddab8f87a76506d603a17bd0aa |
| SHA1 | 56dd4ac8da11f2ef5e0877e51208fed1cf232a17 |
| SHA256 | 2b970a03deabdf8056c3c78dcc8b99379dc87f1db89b31f699b280cb6e1cac62 |
| SHA512 | 2a4caa7706d841f718b1ff942cbe1660e379b1ef1c7077a32eacae65fc3299bbaf7477bbf531e98968eb0323b250f855e3469e06ded5285e7f1dc8c43a76a356 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 972f2655986a93bc5e5a147b1583c4f5 |
| SHA1 | 1d6f955c1c4d83143393422b927f7fdf1156d888 |
| SHA256 | 38abc7540a594987ff92da703506babbada4e9aa84d1c2c3d54518fac1e9acf2 |
| SHA512 | 4d8ac7c0d0c6804b9cc8aca39fc2d08fcdb32a3234f8b0f10b48ef4da843323cb78ee1439b3852bb40a746ca1874ae6013df347b4a65992a0eadf1ee6d81fa31 |
C:\Users\Admin\Downloads\thunderhack-1.6.jar
| MD5 | d09b08e8a8b4fda3c4bc9fdd7e1d573a |
| SHA1 | 4d2e28b9cc7bab778943e1d51007feb32daeb866 |
| SHA256 | 3cbd5128127ec3e1e2b6c10702175fdd0c2f7a58233673ad4844cfda8441f5c9 |
| SHA512 | b2482b31fa74d57bd63cf18178b70196aeb4e02abcbc3c5949378d4d20e4f7517c81f47bae5f5acc18a7edaaeed2a0e7a29f8e1a1301cd411f0257a667b748de |
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | f8e9141bd180cd418a80d5cb8e6eefeb |
| SHA1 | b3b3c104fedf0570edf3ed6aa52914f4848547b8 |
| SHA256 | bc3aba627a5103d769d094b550a633d262f25ab9cc3b6b523607919484bdf510 |
| SHA512 | ac5e97b9dca1e6368c740b7c195a330738a2b3cbb8932ed67a5f5b1816122bc120561df826d2e718cfe10e890395ecd1ab1b8b171bbccc138af741064bf99801 |
memory/2732-543-0x00000279B30A0000-0x00000279B30A1000-memory.dmp
memory/4068-556-0x0000023DA5520000-0x0000023DA5521000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | fbb31393360061daf059339999f81ceb |
| SHA1 | 03096b781166a551b6a61905cb25a9b8a4049db2 |
| SHA256 | f6e52f528f5e79a80379a47a868c6426d38762660991ab63448a3340957faec2 |
| SHA512 | 530a0cdf6099beef31636ba4ab7801d545aa9810c5b97f56e369540ef3c984145c656a4a898bdb801b4c5815d25fb547de3f35cf886663258cc8246a6594421a |
memory/2332-568-0x000001FD44400000-0x000001FD44401000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp (the hashes below are those of a zero-byte file)
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/3276-580-0x00000167A4A10000-0x00000167A4A11000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore.jsonlz4
| MD5 | 75b6208d1976ac8092c82cf53487ec2a |
| SHA1 | c26ea31740775a32209b4f228c3c9b47e7e259f0 |
| SHA256 | 9eab125fef4d14ad8df4411582cee510b4c206e9e54099d72b29a7acad0a89bb |
| SHA512 | f0346ec7c50e5f3e473a6e4c43aeb0e379c6bc1a423694dfbe835a5cc83c8d570547a91dece85d1d081ae9841785e21c843ebb21cc04085d1aec33d3f718a944 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\prefs-1.js
| MD5 | 1a18fd579503d1b5574c82da84780332 |
| SHA1 | eca0c856cbeb9cdef332fbef9f77ea37b4ba4863 |
| SHA256 | 2b48ec79b99f379d38465777678c9b7284d40779f3256131daf6cca1de927a07 |
| SHA512 | a3fbe4698faebb05249fa2916539246d116d018fc2100b63c33f267222eea7269b349dd3b548ef8dd5a65fe46a0fe95605e5256b3b065d71f921f04e820f3feb |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
| MD5 | a046802a086641508226391874157420 |
| SHA1 | a35a5dd0e984aa3bccda356ebdddff70697ccc67 |
| SHA256 | 26e5a153696bc656b91d6b7a879d10b6f2529b6da021803872427ebfacd31d4b |
| SHA512 | 4188d27a34e11f98e91e218564a2fb8a1d4014dc7e957c8e78da8373a098b6112a85f0e0ff595de9b67298f7bf499e5b233e602cb4bd9e1c2a853a17e06ba674 |