b5cf68c7cb5bb2d21d60bf6654926f61566d95bfd7c9f9e182d032f1da5b4605

Resubmissions

18-08-2024 19:35

240818-ya273azhma 8

18-08-2024 19:26

240818-x5x16azfjh 8

Analysis

max time kernel
124s
max time network
123s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
18-08-2024 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bin.sh
Size

132KB
MD5

a73ddd6ec22462db955439f665cad4e6
SHA1

ac6962542a4b23ac13bddff22f8df9aeb702ef12
SHA256

b5cf68c7cb5bb2d21d60bf6654926f61566d95bfd7c9f9e182d032f1da5b4605
SHA512

92a52f68a7324c4d5876e1f7e2cb87d14b8604b057ceee2e537815568faa96abf576a22111c5c976eff72ab9015f1261b2331d4b4d711f4e62c8eb403c2377aa
SSDEEP

3072:2glZ3FtCKXhkmHtZ9TEKzjfj/WMngyIfsJ0F7xPtoM:2IIKXhZtL7jOTyIG87Xl

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 3 IoCs

Processes:

cmd.exeOpenWith.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3732 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

2452 powershell.exe
2452 powershell.exe
2452 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exefirefox.exe

description pid process

Token: SeDebugPrivilege 2452 powershell.exe
Token: SeDebugPrivilege 1776 firefox.exe
Token: SeDebugPrivilege 1776 firefox.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

NOTEPAD.EXEfirefox.exe

pid process

3732 NOTEPAD.EXE
1776 firefox.exe
1776 firefox.exe
1776 firefox.exe
1776 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1776 firefox.exe
1776 firefox.exe
1776 firefox.exe

pid	process
3732	NOTEPAD.EXE

pid	process
2452	powershell.exe
2452	powershell.exe
2452	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	1776	firefox.exe
Token: SeDebugPrivilege	1776	firefox.exe

pid	process
3732	NOTEPAD.EXE
1776	firefox.exe
1776	firefox.exe
1776	firefox.exe
1776	firefox.exe

pid	process
1776	firefox.exe
1776	firefox.exe
1776	firefox.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

OpenWith.exefirefox.exe

pid	process
760	OpenWith.exe
760	OpenWith.exe
760	OpenWith.exe
760	OpenWith.exe
760	OpenWith.exe
760	OpenWith.exe
760	OpenWith.exe
760	OpenWith.exe
760	OpenWith.exe
1776	firefox.exe
1776	firefox.exe
1776	firefox.exe
1776	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

OpenWith.exefirefox.exefirefox.exe

description	pid	process	target process
PID 760 wrote to memory of 3732	760	OpenWith.exe	NOTEPAD.EXE
PID 760 wrote to memory of 3732	760	OpenWith.exe	NOTEPAD.EXE
PID 1880 wrote to memory of 1776	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1776	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1776	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1776	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1776	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1776	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1776	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1776	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1776	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1776	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1776	1880	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1492	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1492	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1172	1776	firefox.exe	firefox.exe
PID 1776 wrote to memory of 1612	1776	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\bin.sh
1⤵
- Modifies registry class
PID:3408

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:760
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\bin.sh
  2⤵
  - Opens file in notepad (likely ransom note)
  - Suspicious use of FindShellTrayWindow
  PID:3732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1776.0.1780455824\111047936" -parentBuildID 20221007134813 -prefsHandle 1704 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {82143766-de36-4273-9733-a43d8d9ce430} 1776 "\\.\pipe\gecko-crash-server-pipe.1776" 1796 2348efeeb58 gpu
    3⤵
    PID:1492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1776.1.132655418\1121440531" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1350478-f035-4af4-a082-7666b84b014d} 1776 "\\.\pipe\gecko-crash-server-pipe.1776" 2152 2348ef0ae58 socket
    3⤵
    PID:1172
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1776.2.1620096057\673636889" -childID 1 -isForBrowser -prefsHandle 2680 -prefMapHandle 2740 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee554b69-7197-4300-b404-9fe1b71eee0a} 1776 "\\.\pipe\gecko-crash-server-pipe.1776" 2924 23492fc6058 tab
    3⤵
    PID:1612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1776.3.1102251523\1710509384" -childID 2 -isForBrowser -prefsHandle 3424 -prefMapHandle 3420 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {022fefeb-9ce1-4a0b-9b1c-b3f88c2b2566} 1776 "\\.\pipe\gecko-crash-server-pipe.1776" 3440 23483f71958 tab
    3⤵
    PID:4468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1776.4.1567930711\541141761" -childID 3 -isForBrowser -prefsHandle 4140 -prefMapHandle 4132 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {879d72f5-09b5-4570-bcba-5707a9ff3e7e} 1776 "\\.\pipe\gecko-crash-server-pipe.1776" 4148 2349511eb58 tab
    3⤵
    PID:2448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1776.5.757312172\2102020053" -childID 4 -isForBrowser -prefsHandle 4920 -prefMapHandle 4916 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2e102c7-0a22-4b64-bc57-339b1c8474d7} 1776 "\\.\pipe\gecko-crash-server-pipe.1776" 4932 2349564e958 tab
    3⤵
    PID:704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1776.6.436869332\272917982" -childID 5 -isForBrowser -prefsHandle 5068 -prefMapHandle 5072 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {98bc386c-08e5-4d6a-990a-e713daf455af} 1776 "\\.\pipe\gecko-crash-server-pipe.1776" 5056 2349564c558 tab
    3⤵
    PID:3092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1776.7.1476399619\1569939254" -childID 6 -isForBrowser -prefsHandle 5268 -prefMapHandle 5272 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {14930bf1-572a-4a17-8392-745404bb60c8} 1776 "\\.\pipe\gecko-crash-server-pipe.1776" 5260 234963d4458 tab
    3⤵
    PID:3516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1776.8.2084089249\1120228214" -childID 7 -isForBrowser -prefsHandle 4740 -prefMapHandle 4132 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a4871c8-8372-449e-8240-2eaf75938d1b} 1776 "\\.\pipe\gecko-crash-server-pipe.1776" 5312 23491832458 tab
    3⤵
    PID:4276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1776.9.2063176132\348049279" -childID 8 -isForBrowser -prefsHandle 5028 -prefMapHandle 4208 -prefsLen 26565 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4128b756-139f-4ac7-a52a-9b41ef202add} 1776 "\\.\pipe\gecko-crash-server-pipe.1776" 5016 234963bba58 tab
    3⤵
    PID:3144
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1776.10.1172595731\381773541" -childID 9 -isForBrowser -prefsHandle 4460 -prefMapHandle 4480 -prefsLen 26830 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb3f7f6e-3a56-4f64-b79a-4060692e065c} 1776 "\\.\pipe\gecko-crash-server-pipe.1776" 4260 23497035558 tab
    3⤵
    PID:3620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1776.11.1488055218\799207922" -childID 10 -isForBrowser -prefsHandle 5948 -prefMapHandle 5968 -prefsLen 26830 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3964fdac-dbdf-4201-b536-895c95075e84} 1776 "\\.\pipe\gecko-crash-server-pipe.1776" 5964 234977bd758 tab
    3⤵
    PID:5172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\28148350696576B9132A4D0C663A3004486E4351

Filesize
218KB

MD5
36b54209cebe4e966f91ea7d0713e1eb

SHA1
df908771bdd639e44be5347d0b96411e905fb22f

SHA256
8c4c08981e7e32901f504959d0016907aadea326fa90c76184b5054beda0077c

SHA512
04167f956efcb89c7e29bdeae2fb875bd8ca7532c8b795a295cee82fd424f81c9970fb2c8e30eee835f0ac1b535956a90768bce765393452d7dd754c7413f3f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5xx4lxr4.y1s.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
4509bbac09cb079f276e30ed22c15ea2

SHA1
6ccc5dee32de105dd6005ad1a1b721b2872c2c57

SHA256
1dd98282c25453c5eb9191a3c2fc4a9a709350f02786c3985e370eb4be723e5d

SHA512
d8a87863f2a227a3ada7afb3477466c119dc44deee7be0e3cee623e41eb8133665e72c189218dc14ef6f0907ee6d71d45053184ec42121e379520f71fc08a9b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\02f60065-6b6b-4c2d-b58c-2b87b3c65b48

Filesize
9KB

MD5
149da140f5452621adb892ca353b7af9

SHA1
1f6288f39301f901b4ccd2bbc1d3f71112da2bab

SHA256
5f6c0f079e5e40d2642c525c530b43dde2c25ac85579dab3fb98f1e44d02c60b

SHA512
30f15b7993fae5d894e06d37ef3c6f2ca22caf59baae388b60071e0222824137f58bd6ad572a8fa2afd9e7e9d86b9d03895151aaf96d65159cfa310bb460b572

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\03989742-4fbf-4cad-a224-8ca3c502b8a8

Filesize
746B

MD5
fa60f77354e02038c155b71dd48be28e

SHA1
e80a0b2c9bdb57ebff7a1424dae90024c838d5cd

SHA256
f729cd5b6dd26081cc463ba151902f48e7945d51e7c3c9b865125dff01add23d

SHA512
0d2f3ba8d3359051491ab20d99e2a07d654991f7b1573ea94b5d8b5b2c31a3f8589a7a22a29db863ecbc84117bae1a20408e7248b0d782102067e6c96564f89a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
6KB

MD5
4a4312b0e7fdfe1bcc95bb947b4dba7a

SHA1
440c65ccaaf95b9e83ce50334c82587165db7436

SHA256
4fb0327367e43b0e0b516bd9f09684f4febccdb49f1f2c988cc4255972be8c62

SHA512
53de9389aeb0ba98f7e77445bd22deb325b9fbd0a0cb9b8e183582bc63896a3d2ddf1087eb80028a1f5b899d5d4e2f2f9a7d5e0caca77d6a112c386d5fc90916

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
6KB

MD5
521667e4d90cce4f113b0920bdbfa610

SHA1
988192cb8b5461963f8b543a021c327659787a22

SHA256
609285cc1d97dda858736d343a4621a7f4b7940ab3250a780bbc02aac0edb3ff

SHA512
f6a787d701d59b3d7884b279a3ed4d1e592bc8b8f683fbb45a0536ce47764b81d9094f65df3a2a1db5065da48cd622ffae29445f8331f4fec05b571457e780a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
2b8d5921b5f4684d1f836f6ead79bfd0

SHA1
6ef6e5b68dbda99148f698109418ee4c78111a9e

SHA256
217435341bc38f2519c60a87b61e4a3837831ac07cdd45cdd3b43fddbac3ee8e

SHA512
2e8e22f28323a2e2a9b68629ad9611391ea39b77d53f73073bb97565b0f13ed9e898ee771e888b51ac2cc5ea6fe6bd731908815b7db44f16dc7e29b6d8784139

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
9ca5cfd2e3c9f516f80ac720322a6a29

SHA1
3ad0290a399249a3b790112bb9b8b3c07eb3b3d4

SHA256
d0cc32ab4499f7b07dd4f0f720ed335bd8de814be2ccec02c6cb773d9361a878

SHA512
869bcefd1bbbe9377e7f5c794567c8cb9c03cab27cffa37f75bfa658d6b2ca6e4c54214417183c71fcde14f530f1a901a445613b83f4564f4035d4853c98ed6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
0426276514ba56f2d2207a20046af580

SHA1
7c563de3ad6748d64f487954d5981ed78106269d

SHA256
97c83648346450fa93a8bad60b3426602bc802fac55b118ad18ad929bb07f6cc

SHA512
4b49c42a0f8d71302f36f5d8ad704efcda183697870b73fa3e2c48360353727246c229f591bf3d033cb73a6e546c0d90d3452aa8664356484f4f492d11d9b021

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
0ed2663971e8051b2bcb574926400fa8

SHA1
467756bf41c377bdb07c8be10d5391f1df1d80a7

SHA256
0c44c9887ebd30506041e4f483422673660df0b74c7468b0cab2c69bee1f4e8c

SHA512
e521f02d0a4dc70e3bb33747c5113c76f18f15b4370826ef13700c4f559c8b158ed1d8ef79d7d88794bfea61496a75d653237391f2f8b5e53d8574a21f113898

Download Submit
memory/2452-57-0x000002AC36160000-0x000002AC3617E000-memory.dmp

Filesize
120KB

Download
memory/2452-44-0x000002AC36630000-0x000002AC366A6000-memory.dmp

Filesize
472KB

Download
memory/2452-6-0x000002AC35F70000-0x000002AC35F92000-memory.dmp

Filesize
136KB

Download
memory/2452-33-0x000002AC360E0000-0x000002AC3611C000-memory.dmp

Filesize
240KB

Download