asyncrat | 1afc6f0b461fe194e24493a0c57c8320518ebbd50b74234caac0c578e6843380

Analysis

max time kernel
57s
max time network
51s
platform
windows10-1703_x64
resource
win10-20240611-uk
resource tags

arch:x64arch:x86image:win10-20240611-uklocale:uk-uaos:windows10-1703-x64systemwindows
submitted
08-08-2024 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Server.exe
Size

175KB
MD5

d26f580a002f00b4d5a855c07039d5c2
SHA1

6822685b1e1c57952c19ba9dc01ef9f94301ceb6
SHA256

1afc6f0b461fe194e24493a0c57c8320518ebbd50b74234caac0c578e6843380
SHA512

b48930243c189ca1be64acfba838683882a5bb687db4e2dc09fa39e511138448818845edc78c60b503b6f00624c7cc1f47efc27985e71953c573bb83153cb2c2
SSDEEP

3072:Fe8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gTXwARE+WpCc:J6ewwIwQJ6vKX0c5MlYZ0b2Q

Score

10^/10

asyncrat stormkitty default credential_access discovery persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6494429721:AAFZ5aGg7XGnRClTicbjFHgBuAWHYq2zITI/sendMessage?chat_id=6234857847

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/4368-1-0x0000000000AB0000-0x0000000000AE2000-memory.dmp	family_stormkitty

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 9 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\57d34f843575040346c8c83cd408d430\Admin@GKUTWGDF_uk-UA\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	Server.exe
File created	C:\Users\Admin\AppData\Local\57d34f843575040346c8c83cd408d430\Admin@GKUTWGDF_uk-UA\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	Server.exe
File opened for modification	C:\Users\Admin\AppData\Local\57d34f843575040346c8c83cd408d430\Admin@GKUTWGDF_uk-UA\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	Server.exe
File opened for modification	C:\Users\Admin\AppData\Local\57d34f843575040346c8c83cd408d430\Admin@GKUTWGDF_uk-UA\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	Server.exe
File created	C:\Users\Admin\AppData\Local\57d34f843575040346c8c83cd408d430\Admin@GKUTWGDF_uk-UA\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	Server.exe
File created	C:\Users\Admin\AppData\Local\57d34f843575040346c8c83cd408d430\Admin@GKUTWGDF_uk-UA\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	Server.exe
File created	C:\Users\Admin\AppData\Local\57d34f843575040346c8c83cd408d430\Admin@GKUTWGDF_uk-UA\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	Server.exe
File created	C:\Users\Admin\AppData\Local\57d34f843575040346c8c83cd408d430\Admin@GKUTWGDF_uk-UA\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	Server.exe
File created	C:\Users\Admin\AppData\Local\57d34f843575040346c8c83cd408d430\Admin@GKUTWGDF_uk-UA\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	Server.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
12	pastebin.com
13	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
364	netsh.exe
1272	cmd.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Server.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4368	Server.exe
4368	Server.exe
4368	Server.exe
4368	Server.exe
4368	Server.exe
4368	Server.exe
4368	Server.exe
4368	Server.exe
4368	Server.exe
4368	Server.exe
4368	Server.exe
4368	Server.exe
4368	Server.exe
4368	Server.exe
4368	Server.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4368	Server.exe
Token: SeDebugPrivilege	3460	firefox.exe
Token: SeDebugPrivilege	3460	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3460	firefox.exe
3460	firefox.exe
3460	firefox.exe
3460	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3460	firefox.exe
3460	firefox.exe
3460	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3460	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 1272	4368	Server.exe	71
PID 4368 wrote to memory of 1272	4368	Server.exe	71
PID 4368 wrote to memory of 1272	4368	Server.exe	71
PID 1272 wrote to memory of 4028	1272	cmd.exe	73
PID 1272 wrote to memory of 4028	1272	cmd.exe	73
PID 1272 wrote to memory of 4028	1272	cmd.exe	73
PID 1272 wrote to memory of 364	1272	cmd.exe	74
PID 1272 wrote to memory of 364	1272	cmd.exe	74
PID 1272 wrote to memory of 364	1272	cmd.exe	74
PID 1272 wrote to memory of 3720	1272	cmd.exe	75
PID 1272 wrote to memory of 3720	1272	cmd.exe	75
PID 1272 wrote to memory of 3720	1272	cmd.exe	75
PID 4368 wrote to memory of 2260	4368	Server.exe	76
PID 4368 wrote to memory of 2260	4368	Server.exe	76
PID 4368 wrote to memory of 2260	4368	Server.exe	76
PID 2260 wrote to memory of 3904	2260	cmd.exe	78
PID 2260 wrote to memory of 3904	2260	cmd.exe	78
PID 2260 wrote to memory of 3904	2260	cmd.exe	78
PID 2260 wrote to memory of 1484	2260	cmd.exe	79
PID 2260 wrote to memory of 1484	2260	cmd.exe	79
PID 2260 wrote to memory of 1484	2260	cmd.exe	79
PID 440 wrote to memory of 3460	440	firefox.exe	82
PID 440 wrote to memory of 3460	440	firefox.exe	82
PID 440 wrote to memory of 3460	440	firefox.exe	82
PID 440 wrote to memory of 3460	440	firefox.exe	82
PID 440 wrote to memory of 3460	440	firefox.exe	82
PID 440 wrote to memory of 3460	440	firefox.exe	82
PID 440 wrote to memory of 3460	440	firefox.exe	82
PID 440 wrote to memory of 3460	440	firefox.exe	82
PID 440 wrote to memory of 3460	440	firefox.exe	82
PID 440 wrote to memory of 3460	440	firefox.exe	82
PID 440 wrote to memory of 3460	440	firefox.exe	82
PID 3460 wrote to memory of 3348	3460	firefox.exe	83
PID 3460 wrote to memory of 3348	3460	firefox.exe	83
PID 3460 wrote to memory of 1800	3460	firefox.exe	84
PID 3460 wrote to memory of 1800	3460	firefox.exe	84
PID 3460 wrote to memory of 1800	3460	firefox.exe	84
PID 3460 wrote to memory of 1800	3460	firefox.exe	84
PID 3460 wrote to memory of 1800	3460	firefox.exe	84
PID 3460 wrote to memory of 1800	3460	firefox.exe	84
PID 3460 wrote to memory of 1800	3460	firefox.exe	84
PID 3460 wrote to memory of 1800	3460	firefox.exe	84
PID 3460 wrote to memory of 1800	3460	firefox.exe	84
PID 3460 wrote to memory of 1800	3460	firefox.exe	84
PID 3460 wrote to memory of 1800	3460	firefox.exe	84
PID 3460 wrote to memory of 1800	3460	firefox.exe	84
PID 3460 wrote to memory of 1800	3460	firefox.exe	84
PID 3460 wrote to memory of 1800	3460	firefox.exe	84
PID 3460 wrote to memory of 1800	3460	firefox.exe	84
PID 3460 wrote to memory of 1800	3460	firefox.exe	84
PID 3460 wrote to memory of 1800	3460	firefox.exe	84
PID 3460 wrote to memory of 1800	3460	firefox.exe	84
PID 3460 wrote to memory of 1800	3460	firefox.exe	84
PID 3460 wrote to memory of 1800	3460	firefox.exe	84
PID 3460 wrote to memory of 1800	3460	firefox.exe	84
PID 3460 wrote to memory of 1800	3460	firefox.exe	84
PID 3460 wrote to memory of 1800	3460	firefox.exe	84
PID 3460 wrote to memory of 1800	3460	firefox.exe	84
PID 3460 wrote to memory of 1800	3460	firefox.exe	84
PID 3460 wrote to memory of 1800	3460	firefox.exe	84
PID 3460 wrote to memory of 1800	3460	firefox.exe	84
PID 3460 wrote to memory of 1800	3460	firefox.exe	84
PID 3460 wrote to memory of 1800	3460	firefox.exe	84
PID 3460 wrote to memory of 1800	3460	firefox.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Wi-Fi Discovery
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4028
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:364
- - C:\Windows\SysWOW64\findstr.exe
    findstr All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3720
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3904
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1484

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:440
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3460.0.1218536573\1753954514" -parentBuildID 20221007134813 -prefsHandle 1708 -prefMapHandle 1696 -prefsLen 20767 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e6adf61-28f2-4b2a-87b1-24c007ac44be} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" 1796 225ff0dd558 gpu
    3⤵
    PID:3348
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3460.1.157385489\1461042933" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20848 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2903282-5dd4-4695-9aae-51d1cb7c76d0} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" 2152 225fb971c58 socket
    3⤵
    PID:1800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3460.2.514188841\2044967124" -childID 1 -isForBrowser -prefsHandle 1580 -prefMapHandle 2840 -prefsLen 20951 -prefMapSize 233414 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8c79129-4541-4a0f-ba97-b971b841f484} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" 3016 2258abadc58 tab
    3⤵
    PID:4892
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3460.3.869631027\2103091711" -childID 2 -isForBrowser -prefsHandle 3520 -prefMapHandle 3516 -prefsLen 26136 -prefMapSize 233414 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ea9ac86-df54-48b4-8eb9-daa97d947e02} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" 3532 2258ba21b58 tab
    3⤵
    PID:1724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3460.4.1966176498\1886670980" -childID 3 -isForBrowser -prefsHandle 4044 -prefMapHandle 3828 -prefsLen 26271 -prefMapSize 233414 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {006f9d45-38cc-42fc-90a4-83167453644d} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" 4056 2258bebe758 tab
    3⤵
    PID:3436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3460.5.1266405280\1138692174" -childID 4 -isForBrowser -prefsHandle 5040 -prefMapHandle 5032 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {387ef80f-711a-4de3-95f4-80247bd018a5} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" 4948 2258ccd2058 tab
    3⤵
    PID:440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3460.6.1471543359\826457425" -childID 5 -isForBrowser -prefsHandle 4960 -prefMapHandle 4888 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e79b8dfd-7fec-4644-b5bb-f81db7d908ba} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" 4832 2258ccd3b58 tab
    3⤵
    PID:3832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3460.7.1354349508\1983092733" -childID 6 -isForBrowser -prefsHandle 5284 -prefMapHandle 5288 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb87000b-bdc0-46af-a127-987ab2281a74} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" 5248 2258ccd2c58 tab
    3⤵
    PID:4000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\231608184e03f43a514548b074a2ab7b\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\57d34f843575040346c8c83cd408d430\Admin@GKUTWGDF_uk-UA\System\Process.txt

Filesize
4KB

MD5
c1091e96896e3e91848810cd8493630a

SHA1
f3ee038ce38de1555fbf90241f8a4083c83191d0

SHA256
0b41061107ab7f9b92dfee320f5991574479ce6666e875761fa835c3bd43cfe4

SHA512
7c44575ce1177b9a7c5a50111af9905eaa84073badc0db60ef3e989ce36e4b7efb02417ac6926d2d7ba68bed647fdd2893f9d9c7f6988a93251bf45179f8b79b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\activity-stream.discovery_stream.json.tmp

Filesize
25KB

MD5
3deabc6c8e1a2846276bb27abaed37cd

SHA1
6142c6bdb3a48dd647eed9ff95b1eb3b2df88be5

SHA256
cac6be3c6012aaac021921ac30d2f91040879564c85b6d2d8a4183a63c6d52a3

SHA512
02ec0d469e1e2567f05bc540ba1be7dab4b23778209d59cea486841ff58d26ba9c413c516e4c73300ef7014eb63f4e7ba395092eb5d59eb5f86c743644f1ec44

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
7KB

MD5
c460716b62456449360b23cf5663f275

SHA1
06573a83d88286153066bae7062cc9300e567d92

SHA256
0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

SHA512
476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
ba5a60828a11fc7f283e549f02d49966

SHA1
2ebc93cb6bf122c233bb5c96690760a538a3f13b

SHA256
f3bc0672de28d6e3acbe3fd62b7d30bbc5bc47c37ec6efcc00fb0574acbe3ea7

SHA512
6976fc179b0fb3d8a032f605881e2d04597e1454eef729f9c4f6e79517bfa338077ae0e1347184526555aadcdb44ef4b90d74a41d421854f14b4e9ad71970282

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\e285fac2-53a2-4d10-a91d-d365bad7d808

Filesize
746B

MD5
933fc4cd004171fdbbef0f7a3db2ecdb

SHA1
b955d127aa33bcddb5747c916c057abd60453302

SHA256
a46f393923aa3622aa6f1935004ff8540ebd7b534f2c2ddb6095f3132b7cbf84

SHA512
0cb9ec0d628bbac0191da655bafb5d1c13ee7eaf7eb987e8ff7129ed737373214dfad827775dfcabde969831a3cd61f9db6337f9b123b450b2f0d0f5f5972700

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\e78b9ef9-87af-4145-b768-20e14c2e1c66

Filesize
10KB

MD5
93a9c7c74231aa4dacef81a0353bec6a

SHA1
6a709dad6aad40b9e83a49038c8bf73bde271765

SHA256
e876543c5670cc96b6919f22605f0cc99e7992a3550b0e44a6c7933d0d9f5d0f

SHA512
6ab40c30c433baae92914215ff8b1987d2540dc59ecaf0ff98256172fc6ea85c21d0ed1024a34a88164da98a791b755efdc81194d717c9a51c13d3deb199a7a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js

Filesize
6KB

MD5
523becf1b3fd29bba0051ce0d96fab41

SHA1
d52b0825f9b02fc1c56c7ee66a4fa4333225b889

SHA256
bb25d5b2f28158c780fa9ca5e0f894e06cf9bf47e7b308e97ea42fd041169d82

SHA512
3f3666ed69878c45ec0e9615b8b3e37a4722622fc453052845c74e9918d410451623fb038017da350c03e3abe231ffb2946c9ffec797c62d1e083c67a3184cf5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js

Filesize
6KB

MD5
85d9cdd76d1032af079a0b9769af7187

SHA1
539936dd575e98d8c3e8c2d9f75803f9343cc566

SHA256
881c2db8111942eaa34e39964872d838a02dc0a91831f3ad297ff795d6a33018

SHA512
6ae78dc13748fcbe783c8289240ece9db4b6026af812e6a236bd8ed8e4687e3780ce30e03c597622d3f4353aee7ecec4a8232b86fab714094f20308afa8f9713

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js

Filesize
6KB

MD5
4d219f6608474083d6f98d899c6e3010

SHA1
5e7506f39e9ae5f9267186d044e826166194fe35

SHA256
ac4bed6c8d3d78d8177eaaf7301bdf7abe790ca3002fc956c4d8e3a55c93e9d9

SHA512
1b3aee0e5e7a986ff3dd494684c7bdc1b956e42ecaed5beb2b7b2b7aa4574498d04eeeb22651a1100bea6337b4b383e252c8c96464379071dd11e2cda64bf47a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
23ccbcea53ea15ef3326ac197fc24b46

SHA1
a80562bb64b108e5c9ecea69de1052781dbe24fc

SHA256
2d337527d3f08141b098a60f2e43c78d8d78569254c261dc78938c7d1cd0b861

SHA512
899f9a477aad546ff55a9f5a0aa7ac7550808202dd4a68ed6bd674eb3ca521efb10b6b4ae92069dc23d97d0be5fc141e93c7f2deed2d923ed634f8958657d17c

Download Submit
memory/4368-116-0x0000000006230000-0x00000000062C2000-memory.dmp

Filesize
584KB

Download
memory/4368-130-0x00000000063E0000-0x00000000063F2000-memory.dmp

Filesize
72KB

Download
memory/4368-159-0x00000000735A0000-0x0000000073C8E000-memory.dmp

Filesize
6.9MB

Download
memory/4368-129-0x00000000735A0000-0x0000000073C8E000-memory.dmp

Filesize
6.9MB

Download
memory/4368-0-0x00000000735AE000-0x00000000735AF000-memory.dmp

Filesize
4KB

Download
memory/4368-3-0x0000000005460000-0x00000000054C6000-memory.dmp

Filesize
408KB

Download
memory/4368-2-0x00000000735A0000-0x0000000073C8E000-memory.dmp

Filesize
6.9MB

Download
memory/4368-1-0x0000000000AB0000-0x0000000000AE2000-memory.dmp

Filesize
200KB

Download
memory/4368-117-0x00000000735A0000-0x0000000073C8E000-memory.dmp

Filesize
6.9MB

Download
memory/4368-123-0x00000000735AE000-0x00000000735AF000-memory.dmp

Filesize
4KB

Download
memory/4368-122-0x0000000006330000-0x000000000633A000-memory.dmp

Filesize
40KB

Download
memory/4368-118-0x00000000067D0000-0x0000000006CCE000-memory.dmp

Filesize
5.0MB

Download