troldesh | 2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

Resubmissions

11-11-2024 22:15

241111-16j3ga1mhk 10

27-08-2024 22:02

240827-1x1zmatepc 10

Analysis

max time kernel
180s
max time network
182s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
27-08-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NoMoreRansom.exe
Size

1.4MB
MD5

63210f8f1dde6c40a7f3643ccf0ff313
SHA1

57edd72391d710d71bead504d44389d0462ccec9
SHA256

2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
SHA512

87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11
SSDEEP

12288:WZgSKWk54jeg6lL5assQHtzV2KoLJ+PwXxwuLSJ8slf1zMr6iL/KNDx2PIXe2Q:KgoLetlLS8tz6V+PwD0XVMrXCNDxtK

Score

10^/10

troldesh discovery persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4296-1-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4296-2-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4296-3-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4296-4-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4296-5-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4296-9-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4296-10-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4296-11-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4296-12-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4296-13-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4296-14-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4296-107-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4296-153-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4296-170-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4296-245-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4296-598-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4296-628-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4296-792-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4296-850-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4296-894-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4296-920-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4296-941-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4296-1052-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4296-1053-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4296	NoMoreRansom.exe
4296	NoMoreRansom.exe
4296	NoMoreRansom.exe
4296	NoMoreRansom.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3216	firefox.exe
Token: SeDebugPrivilege	3216	firefox.exe
Token: 33	1820	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1820	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3216	firefox.exe
3216	firefox.exe
3216	firefox.exe
3216	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3216	firefox.exe
3216	firefox.exe
3216	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3216	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 3216	1404	firefox.exe	79
PID 1404 wrote to memory of 3216	1404	firefox.exe	79
PID 1404 wrote to memory of 3216	1404	firefox.exe	79
PID 1404 wrote to memory of 3216	1404	firefox.exe	79
PID 1404 wrote to memory of 3216	1404	firefox.exe	79
PID 1404 wrote to memory of 3216	1404	firefox.exe	79
PID 1404 wrote to memory of 3216	1404	firefox.exe	79
PID 1404 wrote to memory of 3216	1404	firefox.exe	79
PID 1404 wrote to memory of 3216	1404	firefox.exe	79
PID 1404 wrote to memory of 3216	1404	firefox.exe	79
PID 1404 wrote to memory of 3216	1404	firefox.exe	79
PID 3216 wrote to memory of 3336	3216	firefox.exe	80
PID 3216 wrote to memory of 3336	3216	firefox.exe	80
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 1468	3216	firefox.exe	81
PID 3216 wrote to memory of 4976	3216	firefox.exe	82
PID 3216 wrote to memory of 4976	3216	firefox.exe	82
PID 3216 wrote to memory of 4976	3216	firefox.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NoMoreRansom.exe
"C:\Users\Admin\AppData\Local\Temp\NoMoreRansom.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4296

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3740

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3216.0.664353480\1667917001" -parentBuildID 20221007134813 -prefsHandle 1688 -prefMapHandle 1680 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3379e5c-8e57-40dd-8660-14b5dbcb06fa} 3216 "\\.\pipe\gecko-crash-server-pipe.3216" 1768 1c73032ba58 gpu
    3⤵
    PID:3336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3216.1.903394196\1623673927" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32d85ef9-a7c8-4e72-9a49-4be368a0a78c} 3216 "\\.\pipe\gecko-crash-server-pipe.3216" 2120 1c72ed45858 socket
    3⤵
    - Checks processor information in registry
    PID:1468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3216.2.949293093\914038490" -childID 1 -isForBrowser -prefsHandle 2920 -prefMapHandle 2936 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {755d6473-c06c-44d6-abf3-3a0c57c2f08f} 3216 "\\.\pipe\gecko-crash-server-pipe.3216" 2912 1c7331f8558 tab
    3⤵
    PID:4976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3216.3.27155965\1622991130" -childID 2 -isForBrowser -prefsHandle 3580 -prefMapHandle 3576 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {74da36a0-e2da-4d03-a322-2280315c799a} 3216 "\\.\pipe\gecko-crash-server-pipe.3216" 3584 1c724163b58 tab
    3⤵
    PID:524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3216.4.2051672160\2032284178" -childID 3 -isForBrowser -prefsHandle 4272 -prefMapHandle 4280 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {be53331b-9a93-4efc-b1d5-f33a5843f7f5} 3216 "\\.\pipe\gecko-crash-server-pipe.3216" 4296 1c7343f4e58 tab
    3⤵
    PID:3908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3216.5.202582983\1335224983" -childID 4 -isForBrowser -prefsHandle 4820 -prefMapHandle 4892 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {54c5e758-4ff7-4557-9dce-c20e5cfc0181} 3216 "\\.\pipe\gecko-crash-server-pipe.3216" 3764 1c735ad7758 tab
    3⤵
    PID:1824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3216.6.1293712243\1615935437" -childID 5 -isForBrowser -prefsHandle 5044 -prefMapHandle 5048 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4f8d53f-539b-4584-90f0-0fa3174a6346} 3216 "\\.\pipe\gecko-crash-server-pipe.3216" 5036 1c735ad9858 tab
    3⤵
    PID:5016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3216.7.1010199315\961421869" -childID 6 -isForBrowser -prefsHandle 5240 -prefMapHandle 5244 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {38f5144f-8cce-47dc-95ad-896180e1f187} 3216 "\\.\pipe\gecko-crash-server-pipe.3216" 5232 1c735ad9e58 tab
    3⤵
    PID:2084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3216.8.1323409370\1480656162" -childID 7 -isForBrowser -prefsHandle 5664 -prefMapHandle 5672 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f940eb5-9ca0-4030-83a4-037546dbc8b1} 3216 "\\.\pipe\gecko-crash-server-pipe.3216" 4496 1c72f4e9b58 tab
    3⤵
    PID:3468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3216.9.807320695\1907877005" -childID 8 -isForBrowser -prefsHandle 2588 -prefMapHandle 2576 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f5cddc7-75fa-4693-8561-452d72d1d8fd} 3216 "\\.\pipe\gecko-crash-server-pipe.3216" 5564 1c72412f658 tab
    3⤵
    PID:164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3216.10.787311716\910922430" -childID 9 -isForBrowser -prefsHandle 4520 -prefMapHandle 4380 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {22c625b8-9e58-4465-9edf-62edeefee646} 3216 "\\.\pipe\gecko-crash-server-pipe.3216" 5512 1c73649e858 tab
    3⤵
    PID:5988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3216.11.402985070\147656272" -childID 10 -isForBrowser -prefsHandle 4848 -prefMapHandle 4460 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbc5d918-e18f-419b-b9b1-ccb011170468} 3216 "\\.\pipe\gecko-crash-server-pipe.3216" 4604 1c7377d1758 tab
    3⤵
    PID:5196
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3216.12.1772324780\2069280624" -parentBuildID 20221007134813 -prefsHandle 10244 -prefMapHandle 10228 -prefsLen 26768 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4bde7e3-8130-49d5-9551-0c14ef7087a5} 3216 "\\.\pipe\gecko-crash-server-pipe.3216" 10220 1c7388bf258 rdd
    3⤵
    PID:5608
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3216.13.1342205948\1361350731" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 10200 -prefMapHandle 10204 -prefsLen 26768 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd335775-e813-4788-9f5c-e5f1cc36aa26} 3216 "\\.\pipe\gecko-crash-server-pipe.3216" 10232 1c7388bcb58 utility
    3⤵
    PID:5612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3216.14.1983277247\58239598" -childID 11 -isForBrowser -prefsHandle 9892 -prefMapHandle 10236 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b604721-4a35-4ea9-b90d-513e0017b7f5} 3216 "\\.\pipe\gecko-crash-server-pipe.3216" 9772 1c7391b7e58 tab
    3⤵
    PID:5160

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3a0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\20627

Filesize
7KB

MD5
5bc173bcbce2f4229806c5872139b873

SHA1
9d4a63a7987b2435e8d3a8b03a1c0814c043683e

SHA256
ecb569787196c5055263c5648b79761a84d660202626cc9128b008df50c8bffd

SHA512
cc80535491a1bcd4fda688902d8886e4c2ad18c97ba684a1855dfb85a386e9c6cd449611c19765e08e561f48c1cc771f4d572d614626ba8bded46109a0c0026c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\BDFF1FB931CFF5DF6C4A1DDD6599FF8145148BC4

Filesize
226KB

MD5
17d9c149f37b422f150d33a8b8c679d1

SHA1
0e69053e61f48c6eead555f161502cd13d7116f7

SHA256
7776ac1f33e368eafeabccc6b5361d12d706fa391ce3b621fae0364b6c46a42a

SHA512
d64acd9c9288e588c59b1e81972bb90bf4f9cbc148e394695a0af8d35a5519d8c93e080c0c27256fd426ed52eb65866bc64ff6158a3f4564fdb3f9d7ca17d5e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
7b7ee2a812191900e84cdfc36597ad58

SHA1
ba9005f7a516007f9b9d19d13e302ff2417e16c2

SHA256
ff523ea66e59fa7312946428070addc592dbd52fc33bf202135724eb7d24fbbe

SHA512
f1fb68dba6627620e68b1bae8fdbe2809effe73d5e66739502dd08586f231b6834194cdd6a008adad2b84f42f6ec13323391c3ed99e2b01db9e08d59cd499f98

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\5a2b4acb-944e-4e99-82fd-4ebd3a4a2584

Filesize
10KB

MD5
2eedf82dca606a53d72bf0faa6d7a373

SHA1
43a6e36cdd98f4a0a1488f571de8ace33d0a0cbd

SHA256
a357f1c50b9b1470cd72e5f5933513a388c789268b71302123b1cb91119d1094

SHA512
b5ed3329367e5c54eb8f23003e8910907a1ba2905ef71ea8238aefcb2b3a3acc47cea15d4ed9cea9ae276edaacecfef7b7fb7804e9f3991d8b3d756778fa2846

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\eea3346f-ba4a-4704-8f16-7f3a9db1613d

Filesize
746B

MD5
16dfb06e34f07cd66a0bc344d4f82c19

SHA1
3436c89cdc60b4cbc250d13fb47fa1f27fe42090

SHA256
fd651bd07fb75e258fe503ca4958a7d1ad16583121d38cc65d48f5ccf1e2e23f

SHA512
54b211246b71f24efaf1d26b490abf329cf36b9b9658da912fdfae1574b19b2802cd9065e9732d40a5da69bb2f0deaae05f838cac7d6fc94b4dbc36e9adcda90

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
6KB

MD5
46f6d134d1b3b6aecffe2643832dbd06

SHA1
2d2d042ea9bf43a86dd3403120cccd10b858b3e3

SHA256
73088162d820fba7fb51ab2fded434ca889fc0ab1e58ee87f81fb2140ca48155

SHA512
92fdd7a04828cf7295a54a1e3edf5d984bf9b9a85f2f457735c2f720e091ccae73cf38311932d462fd50803cc1cbd4b286a9eb5cbb7635db085b3d1217bc43a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
6KB

MD5
68d95070796e0ce615f55fc63af629dc

SHA1
293f7c2d27352ef9297ae4cf067118374332b3fa

SHA256
1469fee7357ffc7eaf98126d778d3c1cbc6591216d8886624402bae84d1a2d38

SHA512
e8270fda29728ebdc04017f33254571c1978ec6e1b94548975ff964db98d124fff9833ecf0fdd2da6de18e3bd87670f95f3909aa5100b7709f43ed23a16feeb8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
ac4314c3d19e5b94eb3b19f2bbe2a48a

SHA1
adfca318ea1028abe0e5832ccd88c6b1c122bd83

SHA256
bb36e760951ecf904d072f35ba44111485e3817e3c50d8f7e774ea80bf5d6866

SHA512
6cdc7109df161b6985abe6632e8bcd1d546bc24301fdb43d059b85724bbe4ed3b8f348f0b759205f886f12f548acee26dfbd34d1444fab4f21ffa86252ef7ab9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
1b97ede9f0322a44c90fa2e2d851d626

SHA1
4ce78ce2bd3c8579f30dd0285bbb31b3e004d3c5

SHA256
58e5ba885cd33db9a3c04548860dec39d24b572ad00772990f4c3c366bef6064

SHA512
40553fae4882437b1bdfe00e872873060636b0c8612baf70d8f93532f343e3aa83cbef36c57e93423c13c984f0c79612867f4425318e892159f5c289284e70f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
13KB

MD5
06e42bfdfe1503d12e9de4222fb343d7

SHA1
a5f9a2d0ed5c74e56b41ecb89649b017b4114f4a

SHA256
48d967f4a635886b98513c2f77423eb2b5923b69d4575cb60abaca932ce6ae2c

SHA512
fe6d0f637f98444c356ffdecb95028b458939457ba2262f3d497eca16a686aa5c4273f10a0f95150d1e0352a0f96c0487be8a9a6ba63b611d0c8f9343b1806c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
14KB

MD5
bac412008e22bccb8003905381c23bc3

SHA1
c342de24a3cb65fa2a4e4ddcf89e38da0a7a16dd

SHA256
70f2c39629bdbc0e41c074aeed81292f3e03f1fb3b4f42e3f07cce1766d6e98c

SHA512
f574926665e3bccd39f72653efd90dad9e2078977d63e9dd3fedfc54cf3894362ee21ed96d3ff7d34b1b118ce177b918a15623873a8c5fb88577fc13fc17d3e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
5bf87d136331c4bd199548926d849851

SHA1
7c86eb5bc3a9c515e5063f221ae3bc73132e5ffe

SHA256
5bc4acbfcac2d4bf54d4cb8002247e8754026cc443fab4aeece5e6ed2655f728

SHA512
be15225d8112862c8e2cd0616bb30a33a591c7d7fd0f91587c1f649782d9e39a3532fb3a9274f7e00988487505e55053061a064606cfa6b30f15e4285ec8e50d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
572a7c96dc22ee681f4b73716d422147

SHA1
f62a0bc1a7a39b511bb52a9c177e3bc4541b12e9

SHA256
7e9c2357e60512d7dcb8ec28183eeaf6cad12969853ef0a5896447be3a14eb79

SHA512
bf638d504c090cf235beab391173b20b445b62038e89bed25657596279e1dd102dbf2e65cfb65c6c599c69d36cadbf03258cf26bf2125de8fb87291b4228fd10

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
14KB

MD5
8586c3d7a9ab4e6f4d3c951f98e662e7

SHA1
6abdaaec56104f37f9bff5a88e46325d7d393e6d

SHA256
476c83f638d6ed1e9bf5807cd9ba5aa52a8913ce146ef066868774f755bc30ba

SHA512
193c09568a20829a7f82cb2351f21663abb6d86def63890cf1c12984ab96a1235cad75aadda906c1ae8225ed125fe7b5f577597ff34462d6df635f750d4a4582

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore.jsonlz4

Filesize
14KB

MD5
1ef6e8d098c502f89b2d00129da147d6

SHA1
4fec91d0652fb02416d73c36e1017b5c4ea73204

SHA256
3b639f1969140fec8adc5ef13723a9859c24af27138fd9cf2f241c99accfd464

SHA512
72b9538017b06e19ced59433d96d97b2a419340f4c5385b81959b7dc8391f48674f2b343e032d7731fc1f5eb8d17a2133c05821098ddcb9f422398de1f6bb23c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite

Filesize
48KB

MD5
70b244839592721687ab37d3dcfdb701

SHA1
13b743cf595381a555f567c35e91c4700ed90b63

SHA256
205217047a861b0ca4b06c143a22476f48e59b09da59e65e3618c6670d8c7aca

SHA512
05b8fe865b951e996425851e6235abd0b0d5651ce3180f9b0e7494a90ddddca016e1ed191fae04aa0e26e98fa02b0f3ccea5a3943d90d0e88d28fe44b6d4d9d8

Download Submit
memory/4296-13-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4296-9-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4296-153-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4296-170-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4296-14-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4296-0-0x00000000022A0000-0x000000000236E000-memory.dmp

Filesize
824KB

Download
memory/4296-245-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4296-12-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4296-598-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4296-628-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4296-11-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4296-792-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4296-10-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4296-107-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4296-850-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4296-894-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4296-5-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4296-920-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4296-4-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4296-941-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4296-3-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4296-2-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4296-1-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4296-1052-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4296-1053-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download