db6ac0be8ced916d34d90ef3ea25bbe3812527c1e48f3e39087bc9a42bb91e06

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05/09/2024, 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.ps1
Size

49B
MD5

41bfb7092c47805a9e7ded61918ef827
SHA1

822c5dc1401fdc87f5b87ef3e66382fc4d8a5861
SHA256

db6ac0be8ced916d34d90ef3ea25bbe3812527c1e48f3e39087bc9a42bb91e06
SHA512

0a32998d9f45d088142dd905a28bc00b16dfc439ea16d586a29d5b4bd0ec283f9813e94f0d44eca1c6f3b299de6ab913ced13d79cba4b4c6d92ed0b99cffece2

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4592	powershell.exe

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1880	WINWORD.EXE
1880	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4592	powershell.exe
4592	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeDebugPrivilege	2056	firefox.exe
Token: SeDebugPrivilege	2056	firefox.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe
2056	firefox.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1160	MiniSearchHost.exe
1880	WINWORD.EXE
1880	WINWORD.EXE
1880	WINWORD.EXE
1880	WINWORD.EXE
1880	WINWORD.EXE
1880	WINWORD.EXE
1880	WINWORD.EXE
1880	WINWORD.EXE
2056	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 2056	4976	firefox.exe	91
PID 4976 wrote to memory of 2056	4976	firefox.exe	91
PID 4976 wrote to memory of 2056	4976	firefox.exe	91
PID 4976 wrote to memory of 2056	4976	firefox.exe	91
PID 4976 wrote to memory of 2056	4976	firefox.exe	91
PID 4976 wrote to memory of 2056	4976	firefox.exe	91
PID 4976 wrote to memory of 2056	4976	firefox.exe	91
PID 4976 wrote to memory of 2056	4976	firefox.exe	91
PID 4976 wrote to memory of 2056	4976	firefox.exe	91
PID 4976 wrote to memory of 2056	4976	firefox.exe	91
PID 4976 wrote to memory of 2056	4976	firefox.exe	91
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 4620	2056	firefox.exe	92
PID 2056 wrote to memory of 2728	2056	firefox.exe	93
PID 2056 wrote to memory of 2728	2056	firefox.exe	93
PID 2056 wrote to memory of 2728	2056	firefox.exe	93
PID 2056 wrote to memory of 2728	2056	firefox.exe	93
PID 2056 wrote to memory of 2728	2056	firefox.exe	93
PID 2056 wrote to memory of 2728	2056	firefox.exe	93
PID 2056 wrote to memory of 2728	2056	firefox.exe	93
PID 2056 wrote to memory of 2728	2056	firefox.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1160

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2772

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\UpdateSync.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1880

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1956 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2bf73e9-6fbb-4355-a7b9-2390a85249fc} 2056 "\\.\pipe\gecko-crash-server-pipe.2056" gpu
    3⤵
    PID:4620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5869ebeb-016e-4017-bf47-9319e7a2400b} 2056 "\\.\pipe\gecko-crash-server-pipe.2056" socket
    3⤵
    PID:2728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2636 -childID 1 -isForBrowser -prefsHandle 2728 -prefMapHandle 3004 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91a5b345-9e01-43e6-a15f-ec4c4d99f1cf} 2056 "\\.\pipe\gecko-crash-server-pipe.2056" tab
    3⤵
    PID:2544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3348 -childID 2 -isForBrowser -prefsHandle 3560 -prefMapHandle 3540 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f32e469a-4d65-418b-8df5-246ad4af04fd} 2056 "\\.\pipe\gecko-crash-server-pipe.2056" tab
    3⤵
    PID:3164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4756 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4748 -prefMapHandle 4744 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {404e2aa5-e20a-413c-bd62-c3d6c61c3be8} 2056 "\\.\pipe\gecko-crash-server-pipe.2056" utility
    3⤵
    - Checks processor information in registry
    PID:4944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 3 -isForBrowser -prefsHandle 2788 -prefMapHandle 5464 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70fa510f-46dc-4980-b890-deb61f195d0a} 2056 "\\.\pipe\gecko-crash-server-pipe.2056" tab
    3⤵
    PID:1264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5608 -childID 4 -isForBrowser -prefsHandle 5624 -prefMapHandle 5572 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67a27c4e-553c-4458-9452-59faaccdc41e} 2056 "\\.\pipe\gecko-crash-server-pipe.2056" tab
    3⤵
    PID:1004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5776 -childID 5 -isForBrowser -prefsHandle 5784 -prefMapHandle 5788 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {636d7918-9951-49de-955e-a0833edff4e5} 2056 "\\.\pipe\gecko-crash-server-pipe.2056" tab
    3⤵
    PID:3292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6124 -childID 6 -isForBrowser -prefsHandle 6116 -prefMapHandle 6112 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5741fa4-788c-4f39-b57f-59ac82f16539} 2056 "\\.\pipe\gecko-crash-server-pipe.2056" tab
    3⤵
    PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yel8o60i.default-release\activity-stream.discovery_stream.json

Filesize
34KB

MD5
09e0c305fd1d57a71000562ce4425814

SHA1
35b95348ed52e0383fb78e9b1792a3dbe2bb8016

SHA256
79073c23f6362758bf5e48cd46f16718ee5c3d4bd6ae362badb48692becc17b1

SHA512
f89e0c202c004b25bdfbcd6267d35ff2841bf208a2f9f78cdaa571964928bd7f0ac3128c40c570934c9f15521a4bb4a9d22307c11d73bc1a9507578001bb6b47

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
4d52399020a24c1f6b4254cc7252504b

SHA1
2afe0c8994c64898d5fe16ca68811438ef19b0ee

SHA256
e75a14ce8abaea1788c4361552ef9ef2b86ea02485eb4ad5f8c22c9c49ece3e7

SHA512
a481726d4ef1dfd67a86ae79e16abda87a0f370310758cc8a1bb2516a69557129e9612b9430c0ae11d7ddf72e1afc3375f5649a09bb53febe5cc16718ba976b4

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
f065a39d7e06597189e073755a0c1719

SHA1
f2ce3c9d697f40ab82ec0fecce46de6b354b4c54

SHA256
5ce6608613c37cdb3b66ddee4db699f41b06bb3906301b29c5f5039b8ce6356b

SHA512
c361ae3950de1fb738ef9b18d58786819ae246c21631bdfe4c392a41a859e25fabbdfd473d42d875846cb4a1abbbe798b29512264f9aa3f9558e067795468e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rmgg2ffk.cks.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
309B

MD5
706c5833e772dfccc3e16e6070e3920e

SHA1
ad1f03f1d0dd26436864c50ca9c6d099e13092df

SHA256
05c69705f55e62fafdd415aca3e5aa91ff722d11c2b5f1cf021ba912abc398c2

SHA512
07ce6c049d33c6f94776b542ddd8e5fe48309aac684e40b393c4f0f195ec1c3cd22d8d0f88baae06aef1d47fabf1bbaec2f862509e92c3b848a475d431145402

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\AlternateServices.bin

Filesize
8KB

MD5
21c1828126ac974734170ff53090cbb5

SHA1
cfd8b8e8ab6169fc5399a8e08e1a0bc816ae7063

SHA256
7f081e6a034d247caf4dfbe896011d06e0027866c3e13ec620aa245850c6fb70

SHA512
dfce0439e3b6030b274043895c432a95edc101652416b8a18ca4063baf489e0ec6a77021993736b44dd40818b5d7aa994ec5017a38a6b11755a03036a7974b53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\AlternateServices.bin

Filesize
12KB

MD5
de4ad2913ef34fce421efbc3b3d96526

SHA1
edb965539c608e5a71aa1cb1de9a8dc69c6d0264

SHA256
471157acd77814c0cb08b48b3873b5db9ec9a749919d0c2bba533932d2e52aea

SHA512
4f16d87bc342c969925614fda2c50a4d93f33cd919b17e9e524f70617b3346bdb86583082b964fef813ac5b0f851cab8d2124a6197c2090e484a105ca099d10e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
c9e02483daa6ed523c1eb945231ffed0

SHA1
10aa7d3f9bb083c147ab658167e4355336e75845

SHA256
b3e638e1d707e656b32f6f358fd9ae4adeb9845e5f0f29d33e2ad74c5aa4ee3a

SHA512
3cf335b0c4fe5c924a1134b73f6fd7fd49b5ff95d0b38d09f29a6eddce12c67999faef7134b3c7021798451aa924178157c3f0ba6e7e694302fa37e394646d59

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
1e97f56e61bd91f92275832328bb808e

SHA1
a86c5055d071fc4b8d80a646c09543c49cec4b87

SHA256
6bba8e079a76ec45ae48748e7021268053dcefed4af00a61a0575aaa5824bbac

SHA512
e7c958954453b7da2cfbc66bf18cb5c410b77495a0fe3b3114f8ea3861a5c84545286555b285bf82f815a14f9dc8db8dfec23914c3892149405546de9e74161f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
a2628d71ff55cee99a20dde43a3f7931

SHA1
70b623588e205a57af12a2fc9f0c7bbf2611c4c1

SHA256
c30f4a143902dba427c1256ace4d6de679ecc700370431920ce7a9c6487fb138

SHA512
8f56f2929ae7901af91aed7ba14ae67813d6a2f0c18b65b0dfcc290e98c9cb15485ecb7b33b103ac2c53e50ff35bdb2f54df9f17b13a6eafb92d3ea9e904ee46

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\pending_pings\6237d55f-00c0-4bec-813d-540a6b0f70c9

Filesize
26KB

MD5
5a0b447c4ca25dd4079df350435ea54b

SHA1
c439e2018450faf093c100a1259b7f2f4d055f22

SHA256
94b4b3ace58b97e08d4e72dbe0a2a5534a52a46b9153738576adb421ec22ee14

SHA512
4fb490a80ecab37ccf222f3c622e735b1dfe25f2c6969165100ff2b110e33bfa9213ad6e596430709a3536c0f7e68e4f4159e0ba36380cf3d791c92f8b0df568

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\pending_pings\685e2533-346f-4d6c-a1ac-4d1defbde321

Filesize
671B

MD5
c9d02d90c90f985caa52789636d7b522

SHA1
def39ad65fcb814dcd3a67f6c3da0839ad179be7

SHA256
1ec7daba9754d83cb6ca8dbc36b18590d5eaaf6ea8c4cb269e29100a2d75f451

SHA512
a91a4b6b8432930637b2d84b1a4a146c9dd3ed7b3fc79aec172ec971afac6a708b86fc5512f5d96a875f7050380ee85c5294ca60d0b29738aa9ee2c77dde73ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\pending_pings\f1d9405a-a40c-493c-bfd6-5e1eafe5b733

Filesize
982B

MD5
feb91e5332c64cc76104d42f71746d28

SHA1
564df6288558951b70bd48f43308b725f611d84f

SHA256
e09284f36c569fd06720c7370304f83d9dd4c7fccb140a534d029c5a0028e4de

SHA512
221a3a37420bb6791b6ca182f0406692dcb06f7a872443fc07ee19beaa527e417796cb16c32bd57f0609f01f9aab5f00a5a776dcd8bf3e8ceaa994fef4ae62f2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\prefs.js

Filesize
11KB

MD5
08a17b8aae9b5654471109041def398b

SHA1
e72bee70ae08f3c1f41815deea1f65cff521a7f8

SHA256
c95462fcd096f940cad76e45a2ae0e9c074de58923fb2390c359b95d5d3690fd

SHA512
daef9d8861705827f3c794aab382b092e5dfc1a79077928c7b5e7163e9eb5e2877520e14efca44087c588e8271050c9a71d4a1fe58f53779050164d403ddf06f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\prefs.js

Filesize
10KB

MD5
64097cf582b68f37cb196a56edd774b6

SHA1
10ae95492f2ce55ad911666ef8baeca85903ea39

SHA256
a45b9c3dc073ef7e19c6a69b6b2a0984c4e8ca8629406ef982e867103be1b967

SHA512
5eddb41bcfbdbed8cb16cff076e730724b303907c51b23cf4e0a9a12616d9ee0b476c942260803e917bc3fa51fc8ec4ddc11c900ccdc836e2503159ac82693b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\prefs.js

Filesize
11KB

MD5
9021840fe5c871ffe3ab0a2b8ce37ce7

SHA1
bfd6f90cd178d9d7b8eb0aea6e92f35b6fa463e0

SHA256
9ca71f6cc34429eb525550b4f46df7c7e883535a9cb428532b33370de722fd49

SHA512
dcc767798e151befa7d2d0e903380ad0423541706942859bbbdfd458d570c74ba3f81bb35de1229aff69cbc57f37c49380537ff0054b3cbc42e78f22adc4e402

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
36976297dabdaa429a9186102f92b3d7

SHA1
fae3e8aadd281ff002082d6281d52e7f58b6f89f

SHA256
84936dd0285e8d87a3c6ddc2b99895f94b55a2e4a6fea4d026c015fbf678b1ab

SHA512
7f7a4f1ec39d6dcc66b2cf4434c8274b7e755213182e4a6b4c5e5f8681de3b74655546ec20bac17801764a31c7448b153b117eea750cdf4cf46754d0326f41ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
8775c3d305b55dcdb576a67724dbca33

SHA1
c7fb01512fe29c1ebba5ecdbd0d64bca7b2ae26c

SHA256
7df8984d129d9906628bcbfd0e8f012ff91d28891b6154c83b23d1a16b27772c

SHA512
ca1302c7b657b622dbe1bfcdc9de0d32e99b1f73e6c47307e62f2366901e43440e40080f91377bd34082d9c1f847a504ef3d4083d303464ba726d42656f8f129

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
376KB

MD5
4a10625127eb08a03e36c40bca883f4f

SHA1
97d9b342be1b8a9fe3a1f74ad16e19ece7da6e02

SHA256
18c65f0365eaba0ef67e0b32e0b5c92f63518ddfed1007c87eccd4059148c452

SHA512
6c4b868c7e27e6a878d34d226e300edb20884225f9b0d9ca2d3e6047bd90ac9d7c8897f72149d7cbb7b92dc42849a83af1abc1439ed49a12e0ef18eb065b8e78

Download Submit
memory/1880-38-0x00007FFB675F0000-0x00007FFB67600000-memory.dmp

Filesize
64KB

Download
memory/1880-82-0x00007FFB675F0000-0x00007FFB67600000-memory.dmp

Filesize
64KB

Download
memory/1880-83-0x00007FFB675F0000-0x00007FFB67600000-memory.dmp

Filesize
64KB

Download
memory/1880-81-0x00007FFB675F0000-0x00007FFB67600000-memory.dmp

Filesize
64KB

Download
memory/1880-80-0x00007FFB675F0000-0x00007FFB67600000-memory.dmp

Filesize
64KB

Download
memory/1880-42-0x00007FFB64BF0000-0x00007FFB64C00000-memory.dmp

Filesize
64KB

Download
memory/1880-41-0x00007FFB64BF0000-0x00007FFB64C00000-memory.dmp

Filesize
64KB

Download
memory/1880-40-0x00007FFB675F0000-0x00007FFB67600000-memory.dmp

Filesize
64KB

Download
memory/1880-36-0x00007FFB675F0000-0x00007FFB67600000-memory.dmp

Filesize
64KB

Download
memory/1880-39-0x00007FFB675F0000-0x00007FFB67600000-memory.dmp

Filesize
64KB

Download
memory/1880-37-0x00007FFB675F0000-0x00007FFB67600000-memory.dmp

Filesize
64KB

Download
memory/4592-0-0x00007FFB86213000-0x00007FFB86215000-memory.dmp

Filesize
8KB

Download
memory/4592-16-0x00007FFB86210000-0x00007FFB86CD2000-memory.dmp

Filesize
10.8MB

Download
memory/4592-13-0x00007FFB86210000-0x00007FFB86CD2000-memory.dmp

Filesize
10.8MB

Download
memory/4592-12-0x00007FFB86210000-0x00007FFB86CD2000-memory.dmp

Filesize
10.8MB

Download
memory/4592-11-0x00007FFB86210000-0x00007FFB86CD2000-memory.dmp

Filesize
10.8MB

Download
memory/4592-10-0x00007FFB86210000-0x00007FFB86CD2000-memory.dmp

Filesize
10.8MB

Download
memory/4592-9-0x0000021EA0D60000-0x0000021EA0D82000-memory.dmp

Filesize
136KB

Download