Malware Analysis Report

2024-07-28 07:17

Sample ID 240612-s99tas1aje
Target https://egirl-paradise.xyz/tlg
Score 10/10

Analysis Overview

Score 10/10

Threat Level: Known bad

The file https://egirl-paradise.xyz/tlg was found to be: Known bad.

Malicious Activity Summary


Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Checks processor information in registry

Modifies registry class

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 15:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 15:50

Reported

2024-06-12 15:52

Platform

win10v2004-20240508-en

Max time kernel

58s

Max time network

73s

Command Line

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://egirl-paradise.xyz/tlg"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1048 wrote to memory of 920 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 920 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 920 wrote to memory of 3120 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://egirl-paradise.xyz/tlg"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://egirl-paradise.xyz/tlg

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="920.0.862565384\88434801" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b86c51e5-3e1a-4bb2-8e2d-0d224ee2caca} 920 "\\.\pipe\gecko-crash-server-pipe.920" 1848 255db929b58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="920.1.1437121611\677762223" -parentBuildID 20230214051806 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 23095 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9463453-a65e-4d25-b101-c7e930e28126} 920 "\\.\pipe\gecko-crash-server-pipe.920" 2420 255cec88758 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="920.2.1969124455\887243228" -childID 1 -isForBrowser -prefsHandle 2832 -prefMapHandle 2912 -prefsLen 23133 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9875256e-300d-4a2a-865b-a41609d5ab2e} 920 "\\.\pipe\gecko-crash-server-pipe.920" 3204 255dea35858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="920.3.1522041184\1617676978" -childID 2 -isForBrowser -prefsHandle 3392 -prefMapHandle 3624 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40b4e4dd-797f-4637-bd59-415388109912} 920 "\\.\pipe\gecko-crash-server-pipe.920" 3632 255e04cf858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="920.4.928360958\1883847891" -childID 3 -isForBrowser -prefsHandle 4956 -prefMapHandle 4984 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2848201-202b-442e-b296-1ce7b05504f0} 920 "\\.\pipe\gecko-crash-server-pipe.920" 5008 255e1ab4a58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="920.5.434513597\666252834" -childID 4 -isForBrowser -prefsHandle 5156 -prefMapHandle 5160 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1127b35b-a27c-4bcf-9c0f-a563afa546b2} 920 "\\.\pipe\gecko-crash-server-pipe.920" 5144 255e1ab5c58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="920.6.1789682792\1192979530" -childID 5 -isForBrowser -prefsHandle 5412 -prefMapHandle 5356 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {403d2049-9581-437c-92b5-3a46331316a4} 920 "\\.\pipe\gecko-crash-server-pipe.920" 5400 255e1ab5958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="920.7.1857341696\6224105" -childID 6 -isForBrowser -prefsHandle 3596 -prefMapHandle 3516 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48f34bd1-0415-48da-b8b0-80401af246b2} 920 "\\.\pipe\gecko-crash-server-pipe.920" 5596 255cec81058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="920.8.1365475691\355259634" -childID 7 -isForBrowser -prefsHandle 3228 -prefMapHandle 3216 -prefsLen 28036 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {644cb13f-a19f-4148-929f-efd3b1c23f18} 920 "\\.\pipe\gecko-crash-server-pipe.920" 3312 255cec83e58 tab

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 127.0.0.1:54683 tcp
US 8.8.8.8:53 egirl-paradise.xyz udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
N/A 127.0.0.1:54689 tcp

Files

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\activity-stream.discovery_stream.json.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore.jsonlz4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionCheckpoints.json
