HackToday, better known as the Capture The Flag event, is one of the competition tracks of IT Today 2019 in the field of information security. In this competition, participants have to find security weaknesses so that they can break into the targets provided by the committee. HackToday at IT Today 2019 aims to help every participant develop their skills in Information Security.

Below is a discussion of several challenges that we did not manage to finish during the competition session.

Other resources and writeups can be found here

🔗 readme-pls

readme but jpg

https://drive.google.com/file/d/1iyskiuGalnv2kgGrAgLjOPNry71mGYg7/view?usp=sharing

author: deomkicer

We are given an attachment, the image file readme-but-.jpeg, 15.8 MB in size. It looks like this:

preview-1

Given how large the binary file is, we assumed that extra data had been appended after the JPEG trailer. We checked this with binwalk:

$ binwalk readme-but-.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
1266          0x4F2           JPEG image data, JFIF standard 1.01
2532          0x9E4           JPEG image data, JFIF standard 1.01
3850          0xF0A           JPEG image data, JFIF standard 1.01
5148          0x141C          JPEG image data, JFIF standard 1.01
6414          0x190E          JPEG image data, JFIF standard 1.01

$ binwalk readme-but-.jpg | wc -l
12404

$ foremost readme-but-.jpg 

The result shows that 12400 JPEG files are stored inside. Each of those JPEG files contains a single character drawn from the Base32 charset ([A-Z0-9=]).
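As an added example (not the writeup authors' code), here is a small carver that does by hand what binwalk and foremost did above: it scans for JPEG Start-Of-Image markers and splits one file that is really thousands of JPEGs appended back to back. The input is a constructed byte string with JPEG marker layout, not real pictures, so it runs without the challenge file; pass a path as the first argument to carve a real file.

```python
#!/usr/bin/env python3
"""Carve back-to-back JPEG streams out of a single file.

Added illustration, not the writeup authors' code: it does by hand what
binwalk and foremost did above, splitting one file that is really thousands
of JPEGs appended one after another.  The sample input is constructed in
memory (JPEG-shaped byte strings, not real images) so the script runs
without the challenge file.
"""
import sys
from pathlib import Path

SOI = b"\xff\xd8\xff"   # Start Of Image marker plus the 0xFF that opens the next segment
EOI = b"\xff\xd9"       # End Of Image marker


def carve_jpegs(blob):
    """Return [(offset, bytes), ...] for every SOI..EOI stream found in blob.

    Each stream starts at an SOI marker and ends at the first EOI after it.
    A final SOI with no EOI (a truncated last image) is returned as-is so
    the caller can see that it is incomplete.
    """
    found = []
    pos = 0
    while True:
        start = blob.find(SOI, pos)
        if start < 0:
            break
        end = blob.find(EOI, start + len(SOI))
        if end < 0:
            found.append((start, blob[start:]))
            break
        end += len(EOI)
        found.append((start, blob[start:end]))
        pos = end
    return found


def carve_to_dir(blob, directory):
    """Write every carved stream as NNNNNNNN.jpg (foremost-style names); return the paths."""
    out = Path(directory)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for idx, (_, data) in enumerate(carve_jpegs(blob)):
        path = out / "{:08d}.jpg".format(idx)
        path.write_bytes(data)
        paths.append(path)
    return paths


def make_fake_jpeg(payload):
    """Constructed test data: SOI, a JFIF APP0 segment, the payload, EOI.

    Not a decodable picture, just the marker layout a carver keys on.
    """
    app0 = b"\xff\xe0" + (2 + 5).to_bytes(2, "big") + b"JFIF\x00"
    return b"\xff\xd8" + app0 + payload + EOI


# Four "images", one per character, appended back to back like the challenge file.
SAMPLE = b"".join(make_fake_jpeg(ch.encode()) for ch in "HACK")


if __name__ == "__main__":
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE
    for offset, stream in carve_jpegs(data):
        print("offset {:>8} ({:#x}): {} bytes".format(offset, offset, len(stream)))
    print("{} JPEG streams".format(len(carve_jpegs(data))))
```

Carving on markers alone is enough here because every embedded image is a complete JFIF stream; a real JPEG can legitimately contain 0xFFD9 inside an embedded thumbnail, which is why tools such as binwalk also parse the segment headers rather than trusting the first EOI they meet.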

preview-2

OCR, huh?

From here we assumed that we would need Optical Character Recognition (OCR) to extract the alphanumeric character from each of the n images. We pinned our hopes on the Python module pytesseract, whose models come from the Tesseract library. After reading the documentation for a while, we wrote the following script:

# attempt-1.py
#!/usr/bin/env python2
from pytesseract import image_to_string
from numpy import hstack, asarray
from glob import glob
from PIL import Image

def crops(img, offs):
	# Crop an offs x offs square out of the centre of the image,
	# which is where the character sits
	w,h = img.size   # Get dimensions
	x  = (w-offs)/2
	X  = (w+offs)/2
	y  = (h-offs)/2
	Y  = (h+offs)/2
	return img.crop((x,y,X,Y))

Iopen  = lambda x : Image.open(x)
result = ''
files  = sorted(glob('jpg/*'))   # glob order is not stable; sort to keep the character order

for i in range(0,12400,5):
	# stitch five cropped characters side by side, then OCR the strip
	imgs    = map(lambda x : crops(Iopen(x),40), files[i:i+5])
	part    = hstack(map(asarray,imgs))
	image   = Image.fromarray(part)
	text    = image_to_string(image).replace(' ','')
	result += text
	image.save('dump/{}.jpg'.format(i))
	print text

$ python2 attempt-1.py
77MP7
YAACB
FEMSK
GAAAQ
CAIAM
AAGAA
AA777
AAO2D
KJCUC
VCPKI
5CAZ3
EFVVH
AZLHE
B3DCL
RQEAU
HK43]
NZTSA
SlGG
..
..
preview-3

The scheme above stitches the images together in small batches (the script takes five at a time) before running OCR. However, the accuracy is clearly not good enough, so the images would need pre-processing first. Given the computational cost (both time and memory) that would require, we abandoned the idea.

Welp, they’re identical, huh?

After a long wait, we finally noticed something simple that can nonetheless be a fatal oversight when solving this challenge. Looking more closely, every image of a given alphanumeric character has exactly the same checksum as every other image of that character:

$ md5sum * | cut -d' ' -f 1 | sort | uniq
07d43a27dd5c31cb5430c8619355b0fb
0c4ca2231d286691d5384a4bfb7fc413
1285e76e302ff53cb90d73b8820d1220
1b2c22627b94f7902ae9ab265494e746
2001c122673a9079f40b195e646fb7a6
28ee4a5b91db662f614fa0e193eb9268
2bba1ecfcb009e434acb58aa4d53fecc
303cb70a9c58728c39ab0f1cb94eaac0
34925cd283851dc0c9a75bbe5c07fed8
3894536c0dde41677dced0218bcfc7d1
4a02cd1f10fe661735b178acf3523ab7
4ec8294a752ab2996de1c2edabaa56ef
557af721889292bc11bbdd70fc247e77
5595c4b6d1190dbc8aa4da5169c8404c
55fed2a36f9573d7c5a9867df63763c7
56e15629e5734e5df1ef552de2d664fe
598b2e1e7fac09fc90f5997b9993b259
65057428b030d7361c6c0b3f41673a9c
6979a8fbe0f92164931a2e80fadf44da
7f5baa3ba5ce5f494120edf11691be12
8fdbfa855a0d1e52341032c0779297dd
90158bb783cfb59076beb7c0bdb777c8
9e932f4d78738606ba18a7c511f97cb6
a1a782b8a46a4e3bec4b907a8be4484d
b694ec395835e24bb2cf6b16180a970a
bdf446be1f5e262eff1bb91036b251cb
c5a0b1796ba4b379bb0f5febb1ad30f5
c664c4bbfc61840da46f4ab57015c431
c7d30bf5e73c569da7736f71c27f9c05
df62dc479ad582cd5edd651055bf5803
ea748dc714440eb1c8d14e0d328eaff9
f296b1696a2501d1f959fef26ab28ea8
f476ad1d3457c0d88ae6071dad8cf21c
preview-4

With that in hand, we set up a new scheme: classify one sample image of each character by hand, then map every image through a dictionary keyed on the md5sums obtained. We did this with the following script:

preview-5
# attempt-2.py
#!/usr/bin/env python2
from base64 import b32decode as dec
from hashlib import md5
from glob import glob

hashes   = lambda x : md5(open(x,'rb').read()).hexdigest()
identify = glob('ocr/*')   # one hand-labelled sample per character, named e.g. ocr/A.jpg

md5sum   = map(hashes, identify)
# md5 of the labelled sample -> the character encoded in its filename
lookup   = {x : y.split('.')[0][-1] for x,y in zip(md5sum, identify)}

res = ''
for file in sorted(glob('jpg/*')):   # sorted so the characters come out in order
	res += lookup[hashes(file)]

open('flag.jpg','wb').write(dec(res))   # the base32 payload is itself a JPEG

$ time python2 attempt-2.py
python2 attempt-2.py  1.14s user 2.03s system 97% cpu 3.262 total

The result: the flag comes out of the base32 decoding.

preview-5

FLAG : hacktoday{pl4y_smart_n0t_hard}
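The hash-dictionary trick from attempt-2.py, as an added example that is not the writeup authors' code. It generalises the script in two ways: the lookup table is checked for colliding labels when it is built, and an image whose hash was never labelled is reported and rendered as '?' instead of raising KeyError halfway through a 12400-image run. The "images" are constructed byte strings standing in for the per-character JPEGs; load_images and load_labelled show how the same functions would be fed from the jpg/ and ocr/ directories used above.

```python
#!/usr/bin/env python3
"""Classify byte-identical glyph images by MD5 and decode the result.

Added illustration, not the writeup authors' code.  Every image of a given
character in the challenge is byte-identical, so its MD5 identifies the
character; a small hand-labelled set gives the lookup table.  The sample
"images" below are constructed byte strings, not real JPEGs.
"""
import base64
import hashlib
from collections import Counter
from pathlib import Path

BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567="


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def build_lookup(labelled):
    """labelled: {char: image_bytes} for the hand-classified samples -> {md5: char}.

    Two labels for one digest would make the table ambiguous, so that is
    refused here instead of silently picking whichever came last.
    """
    lookup = {}
    for ch, img in labelled.items():
        h = md5_hex(img)
        if h in lookup and lookup[h] != ch:
            raise ValueError("hash collision between {!r} and {!r}".format(lookup[h], ch))
        lookup[h] = ch
    return lookup


def classify(images, lookup):
    """Map each image, in order, to its character.

    Returns (text, unknown): unknown counts digests missing from the lookup,
    and those positions become '?' so the text stays aligned with the input.
    """
    out = []
    unknown = Counter()
    for img in images:
        ch = lookup.get(md5_hex(img))
        if ch is None:
            unknown[md5_hex(img)] += 1
            ch = "?"
        out.append(ch)
    return "".join(out), unknown


def decode_base32_text(text):
    """Decode the classified text; None if any position is still unclassified."""
    if "?" in text:
        return None
    return base64.b32decode(text)


def load_images(directory):
    """Carved images in name order (glob order alone is not stable)."""
    return [p.read_bytes() for p in sorted(Path(directory).glob("*.jpg"))]


def load_labelled(directory):
    """Hand-labelled samples named <char>.jpg, as attempt-2.py expects."""
    return {p.stem: p.read_bytes() for p in Path(directory).glob("*.jpg")}


# --- constructed sample data ------------------------------------------------
def fake_glyph(ch):
    """Stand-in for the challenge's per-character JPEG: a fixed byte pattern."""
    return b"\xff\xd8FAKEJPEG:" + ch.encode() * 8 + b"\xff\xd9"


LABELLED = {ch: fake_glyph(ch) for ch in BASE32_ALPHABET}   # the 33-entry "ocr/" set
SECRET = b"play smart, not hard"                            # constructed payload
ENCODED = base64.b32encode(SECRET).decode()
IMAGES = [fake_glyph(ch) for ch in ENCODED]                 # the carved "jpg/" set


def demo(images=IMAGES, labelled=LABELLED):
    """Run the whole pipeline; returns (classified text, decoded bytes or None, unknown)."""
    lookup = build_lookup(labelled)
    text, unknown = classify(images, lookup)
    return text, decode_base32_text(text), dict(unknown)


if __name__ == "__main__":
    text, decoded, unknown = demo()
    print(text)
    print(decoded, "unclassified hashes:", len(unknown))
```

The reason the approach works is that the challenge reused one bitmap per character; the 33 unique md5sums above (26 letters, 2-7 and the '=' pad) are the whole alphabet. If any image had been re-encoded or had a different comment segment, its hash would not match, and the '?' placeholder shows exactly which positions still need a label rather than producing a silently wrong base32 string.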

🔗 haha

https://drive.google.com/file/d/1Gn6KdW9uVwgPvVp_vulJ3J4bgZi2kFEP/view

author: moonhack

We are given an attachment, the memory dump haha.raw. As a starting point, we identify the OS profile with kdbgscan.

$ volatility -f haha.raw kdbgscan
Volatility Foundation Volatility Framework 2.6
**************************************************
Instantiating KDBG using: /home/shouko/hacktoday19/haha.raw WinXPSP2x86 (5.1.0 32bit)
Offset (P)                    : 0x283f0a0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP1x64
PsActiveProcessHead           : 0x2875b90
PsLoadedModuleList            : 0x2893e90
KernelBase                    : 0xfffff8000264e000

**************************************************
Instantiating KDBG using: /home/shouko/hacktoday19/haha.raw WinXPSP2x86 (5.1.0 32bit)
Offset (P)                    : 0x283f0a0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP0x64
PsActiveProcessHead           : 0x2875b90
PsLoadedModuleList            : 0x2893e90
KernelBase                    : 0xfffff8000264e000

**************************************************
Instantiating KDBG using: /home/shouko/hacktoday19/haha.raw WinXPSP2x86 (5.1.0 32bit)
Offset (P)                    : 0x283f0a0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2008R2SP1x64
PsActiveProcessHead           : 0x2875b90
PsLoadedModuleList            : 0x2893e90
KernelBase                    : 0xfffff8000264e000

**************************************************
Instantiating KDBG using: /home/shouko/hacktoday19/haha.raw WinXPSP2x86 (5.1.0 32bit)
Offset (P)                    : 0x283f0a0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP1x64_23418
PsActiveProcessHead           : 0x2875b90
PsLoadedModuleList            : 0x2893e90
KernelBase                    : 0xfffff8000264e000

**************************************************
Instantiating KDBG using: /home/shouko/hacktoday19/haha.raw WinXPSP2x86 (5.1.0 32bit)
Offset (P)                    : 0x283f0a0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2008R2SP0x64
PsActiveProcessHead           : 0x2875b90
PsLoadedModuleList            : 0x2893e90
KernelBase                    : 0xfffff8000264e000

**************************************************
Instantiating KDBG using: /home/shouko/hacktoday19/haha.raw WinXPSP2x86 (5.1.0 32bit)
Offset (P)                    : 0x283f0a0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2008R2SP1x64_23418
PsActiveProcessHead           : 0x2875b90
PsLoadedModuleList            : 0x2893e90
KernelBase                    : 0xfffff8000264e000

From here we chose Win7SP1x64 as the OS profile. Next, we listed the processes with pslist:

$ volatility -f haha.raw --profile=Win7SP1x64 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000c3f740 System                    4      0     82      515 ------      0 2019-08-23 18:45:05 UTC+0000
0xfffffa8001c309e0 smss.exe                248      4      2       29 ------      0 2019-08-23 18:45:05 UTC+0000
0xfffffa80024b1060 csrss.exe               324    316      9      321      0      0 2019-08-23 18:45:07 UTC+0000
0xfffffa8000ca7060 wininit.exe             372    316      3       74      0      0 2019-08-23 18:45:08 UTC+0000
0xfffffa8001c87290 csrss.exe               384    364      9      362      1      0 2019-08-23 18:45:08 UTC+0000
0xfffffa80024ec590 winlogon.exe            424    364      3      107      1      0 2019-08-23 18:45:08 UTC+0000
0xfffffa80024db2c0 services.exe            452    372      6      180      0      0 2019-08-23 18:45:08 UTC+0000
0xfffffa8002512910 lsass.exe               468    372      7      706      0      0 2019-08-23 18:45:08 UTC+0000
0xfffffa800250c620 lsm.exe                 476    372     10      137      0      0 2019-08-23 18:45:08 UTC+0000
0xfffffa800258f8c0 svchost.exe             592    452      9      352      0      0 2019-08-23 18:45:09 UTC+0000
0xfffffa80025df890 svchost.exe             656    452      8      254      0      0 2019-08-23 18:45:09 UTC+0000
0xfffffa8002656570 svchost.exe             776    452     20      513      0      0 2019-08-23 18:45:10 UTC+0000
0xfffffa8002692b30 svchost.exe             832    452     21      408      0      0 2019-08-23 18:45:10 UTC+0000
0xfffffa800261cb30 svchost.exe             864    452     33      927      0      0 2019-08-23 18:45:10 UTC+0000
0xfffffa80026c71f0 audiodg.exe             932    776      5      146      0      0 2019-08-23 18:45:10 UTC+0000
0xfffffa80026e3b30 svchost.exe             984    452     23      441      0      0 2019-08-23 18:45:10 UTC+0000
0xfffffa80026b56c0 svchost.exe             320    452     14      457      0      0 2019-08-23 18:45:11 UTC+0000
0xfffffa8002746b30 spoolsv.exe             284    452     14      262      0      0 2019-08-23 18:45:11 UTC+0000
0xfffffa8002749b30 svchost.exe            1036    452     19      290      0      0 2019-08-23 18:45:11 UTC+0000
0xfffffa8002750630 taskhost.exe           1384    452      8      146      1      0 2019-08-23 18:45:12 UTC+0000
0xfffffa80028c2b30 dwm.exe                1436    832      3       69      1      0 2019-08-23 18:45:12 UTC+0000
0xfffffa8002900620 explorer.exe           1476   1420     30      736      1      0 2019-08-23 18:45:13 UTC+0000
0xfffffa8001ba0740 svchost.exe            1896    452     20      258      0      0 2019-08-23 18:45:16 UTC+0000
0xfffffa8002a6db30 svchost.exe            1280    452     10      341      0      0 2019-08-23 18:45:22 UTC+0000
0xfffffa8000e42060 firefox.exe            1968   1220     63     1032      1      1 2019-08-23 18:47:27 UTC+0000
0xfffffa8000fb4720 firefox.exe            1840   1968     10      236      1      1 2019-08-23 18:47:30 UTC+0000
0xfffffa8000fb4060 firefox.exe            1220   1968     28      374      1      1 2019-08-23 18:47:32 UTC+0000
0xfffffa80022f24e0 firefox.exe            2200   1968     19      311      1      1 2019-08-23 18:47:35 UTC+0000
0xfffffa8000f5f320 firefox.exe            2544   1968     19      309      1      1 2019-08-23 18:47:38 UTC+0000
0xfffffa800100db30 TrustedInstall         2844    452      6      251      0      0 2019-08-23 18:48:10 UTC+0000
0xfffffa80010cc150 WmiPrvSE.exe           2532    592      6      109      0      0 2019-08-23 18:49:13 UTC+0000
0xfffffa8000f20b30 firefox.exe            2996   1968     19      310      1      1 2019-08-23 18:50:31 UTC+0000
0xfffffa80010c2060 firefox.exe            1364   1968     19      310      1      1 2019-08-23 18:50:35 UTC+0000
0xfffffa80029cd060 firefox.exe            2024   1968      0 --------      1      0 2019-08-23 18:50:38 UTC+0000   2019-08-23 18:53:49 UTC+0000
0xfffffa80010ee7d0 firefox.exe            3052   1968     19      298      1      1 2019-08-23 18:52:36 UTC+0000
0xfffffa8000f46460 cmd.exe                2484   1476      1       22      1      0 2019-08-23 18:54:56 UTC+0000
0xfffffa8002922870 conhost.exe             796    384      2       50      1      0 2019-08-23 18:54:56 UTC+0000
0xfffffa80010d95b0 DumpIt.exe             2780   2484      5       45      1      1 2019-08-23 18:55:09 UTC+0000
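Reading a pslist table by eye scales badly past a few dozen rows, so here is an added example (not the writeup authors' code) that parses the fixed-width output above, rebuilds the parent/child links and flags the things an analyst looks for: processes whose parent is absent from the listing, processes whose recorded parent started after them (the PPID then points at a reused PID rather than the real parent, as with the two firefox.exe rows 1968 and 1220 above), and processes that have exited. SAMPLE is a constructed excerpt in the same format as the listing; pipe a full pslist into the script to run it on real output.

```python
#!/usr/bin/env python3
"""Reconstruct a process tree from Volatility 2 pslist output.

Added illustration, not the writeup authors' code.  SAMPLE is a constructed
excerpt in the same fixed-width format as the listing above.
"""
import re
import sys
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

SAMPLE = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000c3f740 System                    4      0     82      515 ------      0 2019-08-23 18:45:05 UTC+0000
0xfffffa80024b1060 csrss.exe               324    316      9      321      0      0 2019-08-23 18:45:07 UTC+0000
0xfffffa8002900620 explorer.exe           1476   1420     30      736      1      0 2019-08-23 18:45:13 UTC+0000
0xfffffa8000e42060 firefox.exe            1968   1220     63     1032      1      1 2019-08-23 18:47:27 UTC+0000
0xfffffa8000fb4060 firefox.exe            1220   1968     28      374      1      1 2019-08-23 18:47:32 UTC+0000
0xfffffa80029cd060 firefox.exe            2024   1968      0 --------      1      0 2019-08-23 18:50:38 UTC+0000   2019-08-23 18:53:49 UTC+0000
0xfffffa8000f46460 cmd.exe                2484   1476      1       22      1      0 2019-08-23 18:54:56 UTC+0000
0xfffffa80010d95b0 DumpIt.exe             2780   2484      5       45      1      1 2019-08-23 18:55:09 UTC+0000
"""

TS = "%Y-%m-%d %H:%M:%S"
# One pslist row: offset, name, PID, PPID, Thds, Hnds, Sess, Wow64, Start, optional Exit.
ROW = re.compile(
    r"^(?P<off>0x[0-9a-f]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<thds>\d+|-+)\s+(?P<hnds>\d+|-+)\s+(?P<sess>\d+|-+)\s+(?P<wow64>\d)\s+"
    r"(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\+0000"
    r"(?:\s+(?P<exit>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\+0000)?\s*$"
)


@dataclass
class Proc:
    name: str
    pid: int
    ppid: int
    start: datetime
    exit: Optional[datetime]

    def label(self) -> str:
        return "{}({})".format(self.name, self.pid)


def parse_pslist(text: str) -> Dict[int, Proc]:
    """Return {pid: Proc} in listing order; header, separator and banner lines are skipped."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        exit_ts = m.group("exit")
        proc = Proc(
            name=m.group("name"),
            pid=int(m.group("pid")),
            ppid=int(m.group("ppid")),
            start=datetime.strptime(m.group("start"), TS),
            exit=datetime.strptime(exit_ts, TS) if exit_ts else None,
        )
        procs[proc.pid] = proc
    return procs


def process_tree(procs: Dict[int, Proc]) -> Dict[int, List[int]]:
    """Map each PPID to the PIDs that name it as parent, in listing order."""
    children: Dict[int, List[int]] = {}
    for proc in procs.values():
        children.setdefault(proc.ppid, []).append(proc.pid)
    return children


def ancestry(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Walk PPID links upwards from pid.

    Stops when the parent is missing from the listing or when a PID repeats
    (a reused PID can make two rows point at each other, forming a loop).
    """
    chain: List[str] = []
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid].label())
        pid = procs[pid].ppid
    return chain


def find_anomalies(procs: Dict[int, Proc]) -> Dict[str, List[int]]:
    out: Dict[str, List[int]] = {"orphan": [], "parent_started_later": [], "exited": []}
    for proc in procs.values():
        parent = procs.get(proc.ppid)
        if parent is None:
            if proc.ppid != 0:          # PPID 0 is the idle process, a normal root
                out["orphan"].append(proc.pid)
        elif parent.start > proc.start:  # PPID refers to a PID reused after the real parent died
            out["parent_started_later"].append(proc.pid)
        if proc.exit is not None:
            out["exited"].append(proc.pid)
    return out


if __name__ == "__main__":
    listing = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    table = parse_pslist(listing)
    for kind, pids in find_anomalies(table).items():
        print(kind, [table[p].label() for p in pids])
    print(" <- ".join(ancestry(table, 2780)))
```

On the excerpt the ancestry of DumpIt.exe comes out as DumpIt.exe(2780) <- cmd.exe(2484) <- explorer.exe(1476), which is the chain the cmdscan output below confirms; csrss.exe(324) and explorer.exe(1476) are reported as orphans only because their parents (the session-0 smss.exe and the userinit.exe that launched explorer) had already exited, which is normal for those two.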

Several items are worth following up, notably firefox.exe and cmd.exe. To begin with, we checked the console command history with cmdscan and consoles:

$ volatility -f haha.raw --profile=Win7SP1x64 cmdscan
Volatility Foundation Volatility Framework 2.6
**************************************************
CommandProcess: conhost.exe Pid: 796
CommandHistory: 0x13e840 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 4 LastAdded: 3 LastDisplayed: 3
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x5c
Cmd #0 @ 0x132d60: cd Documents
Cmd #1 @ 0x13d110: ls
Cmd #2 @ 0x142c70: cd ../Downloads
Cmd #3 @ 0x13d410: DumpIt.exe
Cmd #15 @ 0x100158:
Cmd #16 @ 0x13d1b0:
**************************************************
CommandProcess: conhost.exe Pid: 796
CommandHistory: 0x1435a0 Application: DumpIt.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x88

$ volatility -f haha.raw --profile=Win7SP1x64 consoles
Volatility Foundation Volatility Framework 2.6
**************************************************
ConsoleProcess: conhost.exe Pid: 796
Console: 0xffc46200 CommandHistorySize: 50
HistoryBufferCount: 2 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\system32\cmd.exe
Title: Administrator: C:\Windows\system32\cmd.exe - DumpIt.exe
AttachedProcess: DumpIt.exe Pid: 2780 Handle: 0x88
AttachedProcess: cmd.exe Pid: 2484 Handle: 0x5c
----
CommandHistory: 0x1435a0 Application: DumpIt.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x88
----
CommandHistory: 0x13e840 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 4 LastAdded: 3 LastDisplayed: 3
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x5c
Cmd #0 at 0x132d60: cd Documents
Cmd #1 at 0x13d110: ls
Cmd #2 at 0x142c70: cd ../Downloads
Cmd #3 at 0x13d410: DumpIt.exe
----
Screen 0x120cf0 X:80 Y:300
Dump:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator>cd Documents

C:\Users\Administrator\Documents>ls
'ls' is not recognized as an internal or external command,
operable program or batch file.

C:\Users\Administrator\Documents>cd ../Downloads

C:\Users\Administrator\Downloads>DumpIt.exe
  DumpIt - v1.3.2.20110401 - One click memory memory dumper
  Copyright (c) 2007 - 2011, Matthieu Suiche <http://www.msuiche.net>
  Copyright (c) 2010 - 2011, MoonSols <http://www.moonsols.com>


    Address space size:        1073676288 bytes (   1023 Mb)
    Free space size:          16085004288 bytes (  15339 Mb)

    * Destination = \??\C:\Users\Administrator\Downloads\IK-PC-20190823-185509.raw

    --> Are you sure you want to continue? [y/n] y
    + Processing...

From this we learn that the user made a memory dump with DumpIt, which was saved as IK-PC-20190823-185509.raw, i.e. haha.raw. That information is not enough to conclude what happened, though. So we ran filescan filtered on Firefox:

asgama@komatik:~/haha$ volatility -f haha.raw --profile=Win7SP1x64 filescan | grep Firefox
Volatility Foundation Volatility Framework 2.6
0x000000003e0317e0     16      0 R--r-d \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\firefox.exe
0x000000003e06ef20      1      1 R--rw- \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox
0x000000003e0b2c30     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\7B24CE845E65ACE3BC727C59E4336AD26CE6E85C
0x000000003e0d32d0     16      0 RWD--- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\safebrowsing-updating\block-flashsubdoc-digest256.pset
0x000000003e152650      9      0 R--r-d \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\mozglue.dll
0x000000003e18f3d0     18      1 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\content-prefs.sqlite
0x000000003e193670     13      0 R--r-d \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\softokn3.dll
0x000000003e2d8f20     14      0 R--r-- \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\firefox.exe
0x000000003e311310      1      1 RW---- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\parent.lock
0x000000003e323c80     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\3481CC5408793DFE9A349F452D823EE36E12EE8F
0x000000003e37b440     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\0F7F13353A960FFC382EB85C1F68CDCA47E5A9FD
0x000000003e502f20      1      1 R--rwd \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\features\{e914780d-3597-4e41-a69c-ca91eb3af5b9}\webcompat@mozilla.org.xpi
0x000000003e580e20     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\8E95C057141001C0F34F428220B38774D882B68B
0x000000003e5a3690      1      1 R--rw- \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox
0x000000003e5b06c0     16      0 R--rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk
0x000000003e5c5070     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\8C98F893C7DC5F2C401AD1482A81572B54197408
0x000000003e5da850     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\88D99CCD27B274BFA2107670A5C77A0DB170D3ED
0x000000003e5e2070     15      0 R--rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\features\{e914780d-3597-4e41-a69c-ca91eb3af5b9}\webcompat@mozilla.org.xpi
0x000000003e6d6810     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\1E0D744C2270FD32106208F149EE4E0A6D6ED701
0x000000003e719b50     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\48A9CC1C5FD730FC1E1AE5F1207D89B3B81ED393
0x000000003e77cf20      1      1 R--rw- \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox
0x000000003e8d0dd0     32      1 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cookies.sqlite-wal
0x000000003e8d6520     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\EEA38ECCC238F8EF225233A2715A12F5DC2EE32A
0x000000003e8e7780     12      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
0x000000003e91c750      2      0 -W-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\jumpListCache\824y_cMtX0Q7rQrNynrq+w==.ico
0x000000003ef0b590     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\19E7C9CA9963B5810736C078AAAEC83A19D020C7
0x000000003ef48410     15      0 R--rw- \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\browser\features\formautofill@mozilla.org.xpi
0x000000003f800790     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\1C8E310A8B8B5BE3993B058E09F3E49CB6A8483B
0x000000003f840960     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\412D29622F5BBBF8AA5F306D2CA9E83E95C058B8
0x000000003f844f20     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\BE7972CDC75A44727A5A58EC0AB300EF10F1C5E3
0x000000003f848f20     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\70D86CB31D29686582067A0C8851F17F31DD5BC3
0x000000003f853e50     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\C67A8D54335D1ED14C78A73CD860386E3A51364A
0x000000003f854890     16      0 -W-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\storage\default\https+++www.youtube.com\cache\.padding
0x000000003f85d070     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\1FE9D3A82A19CDFC2D1E9A56D3BF9D1FD65EC9A7
0x000000003f8c1370      2      0 R--rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\storage\default\https+++www.google.com\.metadata-v2
0x000000003f8dde50     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\F3F731561D3454E3A89E31B7D52056F52754FFFF
0x000000003f8f4f20     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\97D66402EFA333728488514DC3DCF4D668C27A96
0x000000003f8f6f20     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\storage\default\https+++www.youtube.com\idb\3211250388sbwdpsunsohintoatciif.sqlite
0x000000003f8fc5d0     15      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\storage\default\https+++www.youtube.com\cache\caches.sqlite
0x000000003f8fd430     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\3C1037A7E2B2743E128CCED67B8E5D623860EA5F
0x000000003f9049a0     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\19B6FB161440E34F1F5605202B22FE07BED5518D
0x000000003f904af0     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\54FFC4C21A5E75F3D5D4DF412BFA00CAC159130A
0x000000003f90d680     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\FDE3AABC3DCD6D89273D829AB5F6D14A1E822E69
0x000000003f924a70     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\82C2CDC7341645D8035C00A63931E6CB71F0420E
0x000000003f926540     15      0 R--r-d \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\mozavcodec.dll
0x000000003f9407b0      1      1 R--rw- \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox
0x000000003fa02430     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\0408183E10ABE9680350F5CA521840D46A772FC7
0x000000003fa0e070     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\626C19FDE6ABE980C8D6F9FD7C2961BF0748D6D3
0x000000003fa6d440      1      1 R--rw- \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox
0x000000003fa6df20      1      1 R--rw- \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox
0x000000003fab7f20     16      0 RWD--- \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\fleg.png
0x000000003fb3b910     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\64EAB041202E749E89D455A5D17726579376CD96
0x000000003fb65d30     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\CA790B9C747C204D7850A7AC3CC947495E79D6DF
0x000000003fb6b5d0     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\11AECDCAE9C02DBA8FCE94776407F3609EC0BFBC
0x000000003fb70750      6      0 R--r-d \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\mozavutil.dll
0x000000003fb71a80     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\3B30CEEC5AC1062800FB214C1F1019437C6F71EF
0x000000003fb7e7b0     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\FD36F082DF39F80E1B4A9DBDE45C7B0CB4D3E9B7
0x000000003fb8f9d0     16      0 -W-rwd \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\crashes\store.json.mozlz4.tmp
0x000000003fbd7c40     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\BB300FF8A747ED026BDF274B9C10E91DBAF09F4C
0x000000003fc00430     17      1 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\browser\features\fxmonitor@mozilla.org.xpi
0x000000003fc05420      1      1 R--rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\favicons.sqlite
0x000000003fc077e0     10      1 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\places.sqlite
0x000000003fc0d3d0      8      0 R--r-d \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\freebl3.dll
0x000000003fc0fa90     17      1 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cookies.sqlite-shm
0x000000003fc18070     14      1 R--rwd \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\extensions\etp-search-volume-study@shield.mozilla.org.xpi
0x000000003fc18760      1      1 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\places.sqlite-wal
0x000000003fc18f20      1      1 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\favicons.sqlite-wal
0x000000003fc1a560      1      1 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\favicons.sqlite-wal
0x000000003fc1df20     16      1 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\browser\features\screenshots@mozilla.org.xpi
0x000000003fc1f070     15      1 RW-rw- \Device\HarddiskVolume1\Users\ADMINI~1\AppData\Roaming\Mozilla\Firefox\Profiles\3UVX3K~1.DEF\key4.db
0x000000003fc1f2e0     15      1 RW-rw- \Device\HarddiskVolume1\Users\ADMINI~1\AppData\Roaming\Mozilla\Firefox\Profiles\3UVX3K~1.DEF\cert9.db
0x000000003fc26a30     15      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\C063A274EBD072C1A3F7D8BDD7995F2AA6F0C262
0x000000003fc26b80      1      1 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\places.sqlite-wal
0x000000003fc27070      1      1 R--rw- \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox
0x000000003fc34b40     13      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
0x000000003fc37850      2      0 -W-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\jumpListCache\47AwypcuPKEzKtaT9BwpWQ==.ico
0x000000003fc37dd0      1      1 R--rw- \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox
0x000000003fc37f20     17      1 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cookies.sqlite
0x000000003fc3af20     14      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\1382DB4F12413FCEE7C32D52281FB5A30E7210C0
0x000000003fc3bd10     18      1 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\OfflineCache\index.sqlite
0x000000003fc3dce0     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\8F637D48F2FACEFD5FF5CB7F6D9C6CA1B0C30A56
0x000000003fc3f070     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\0FA561FDEDEBBA94C74CFCA3072E9C1A804DF189
0x000000003fc42f20     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\7B3B8DBE7AB8215F98BFDEEFF76BAC11D0202ED0
0x000000003fc542f0     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\6DB60E7EC85FB5EB0FA962556A7CDA12139E0D2A
0x000000003fc55e60     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\D764BDAE8ADB137C4C90A8CE8E5A1A2314D2B2D7
0x000000003fc56220     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\4C0BF90C9194CE59F14C9B3489C45E838721B188
0x000000003fc56610     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\50C055B15B7D48A814DB9BDF07F0E1FA0C4D9D9D
0x000000003fc5ebb0     16      0 RWD--- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\safebrowsing-updating\block-flash-digest256.pset
0x000000003fc5fc70     32      1 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\webappsstore.sqlite-wal
0x000000003fc628c0     18      1 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\webappsstore.sqlite
0x000000003fc64930      1      1 R--rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\places.sqlite
0x000000003fc64f20      1      1 R--rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\favicons.sqlite
0x000000003fc67b50     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite
0x000000003fc69dd0      8      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
0x000000003fc6ab20      1      1 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\webappsstore.sqlite-wal
0x000000003fc6ac70      1      1 R--rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\webappsstore.sqlite
0x000000003fc6af20     17      1 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\webappsstore.sqlite-shm
0x000000003fc6cbb0     13      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite
0x000000003fc6eae0     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\F18D85F52EBBBA2AB081EF739ED0D6E8A76D497C
0x000000003fc73d10      1      1 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\favicons.sqlite-wal
0x000000003fc745d0      1      1 R--rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\favicons.sqlite
0x000000003fc7f630     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\4C863284CDA7F859EB300BED16DBCEF9517F1824
0x000000003fc81a20     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\4CE8EBD79487F2A052AE7B54D1C13283C396AA6D
0x000000003fc84c00     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\CC4ACF2FF7DEEBBDA3E2DCA7BA9D340955D5F23A
0x000000003fc85590     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\A92D4D47C667B014A85E62476EB0DCCE1B94AE0A
0x000000003fc90e60     16      0 RWD--- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\safebrowsing-updating\test-block-simple.sbstore
0x000000003fc9e8c0     16      0 RWD--- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\safebrowsing-updating\test-track-simple.sbstore
0x000000003fc9f4c0     16      0 RWD--- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\safebrowsing-updating\mozplugin-block-digest256.pset
0x000000003fca2820     16      0 RWD--- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\safebrowsing-updating\test-track-simple.pset
0x000000003fca2b80     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\A6092BC5B08BA4ABF1808F944E443DC818358092
0x000000003fca4d10      1      1 R--rw- \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox
0x000000003fcaf070     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\AF3D286772C601B77184DF2DDA8ED91D1624DFDF
0x000000003fcaf4a0     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\B4A08873AEFF516E32FB856C12DCBD9F2D1A8DF4
0x000000003fcb8500     16      0 RWD--- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\safebrowsing-updating\test-malware-simple.pset
0x000000003fcb9d10     16      0 RWD--- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\safebrowsing-updating\test-phish-simple.pset
0x000000003fcc0f20     16      0 RWD--- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\safebrowsing-updating\test-harmful-simple.pset
0x000000003fcc2710     16      0 RWD--- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\safebrowsing-updating\test-trackwhite-simple.pset
0x000000003fce3790     16      0 RWD--- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\safebrowsing-updating\test-harmful-simple.sbstore
0x000000003fce3f20     15      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\EABBC06F0B0639604C2197C5763A544B7ABA518E
0x000000003fcf1440     16      0 RWD--- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\safebrowsing-updating\test-malware-simple.sbstore
0x000000003fcf1590     16      0 RWD--- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.pset
0x000000003fd00b60     16      0 RWD--- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstore
0x000000003fd049f0     16      0 RWD--- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\safebrowsing-updating\content-track-digest256.pset
0x000000003fd04c00     16      0 RWD--- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\safebrowsing-updating\analytics-track-digest256.pset
0x000000003fd05cc0     16      0 RWD--- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\safebrowsing-updating\except-flash-digest256.pset
0x000000003fd0c4f0     14      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\11ADAD807B167B66D2CF05E48D60917DD5BFD91B
0x000000003fd14e60     16      0 RWD--- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\safebrowsing-updating\base-track-digest256.pset
0x000000003fd19d00     16      0 RWD--- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\safebrowsing-updating\except-flash-digest256.sbstore
0x000000003fd2dd20     15      1 R--rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\startupCache\scriptCache-current.bin
0x000000003fd2ed90     16      0 RWD--- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\safebrowsing-updating\except-flashallow-digest256.pset
0x000000003fd30b60     16      0 RWD--- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\safebrowsing-updating\test-unwanted-simple.sbstore
0x000000003fd3a9d0     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\55544407CB681E7B989088EEDE075406AC2D80D5
0x000000003fd41dc0     16      0 RWD--- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\safebrowsing-updating\except-flashallow-digest256.sbstore
0x000000003fd43ab0     16      0 RWD--- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\safebrowsing-updating\test-unwanted-simple.pset
0x000000003fd43e20     16      0 RWD--- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\safebrowsing-updating\test-trackwhite-simple.sbstore
0x000000003fd45cc0     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\0425196CA9F67AED48CD1BAD6BC6C6C32E50635C
0x000000003fd485d0     16      0 RWD--- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\safebrowsing-updating\social-track-digest256.pset
0x000000003fd52430      2      0 -W-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\SiteSecurityServiceState.txt
0x000000003fd54370     16      0 RWD--- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstore
0x000000003fd54f20     16      0 RWD--- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\safebrowsing-updating\except-flashsubdoc-digest256.pset
0x000000003fd57820     16      0 R--rw- \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\defaults\pref\channel-prefs.js
0x000000003fd5a7e0     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\2256AB5CE23B425BF459151AAFEC7DBD306901AD
0x000000003fd5cf20     17      1 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\favicons.sqlite-shm
0x000000003fd5daf0     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\47B4121AB2B4D997E733F357FB15891B426D8510
0x000000003fd5df20     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\506DF665909F3FB85C33CBF8D3F4EF8824CF1256
0x000000003fd5e670     12      7 R--rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\startupCache\scriptCache-child-current.bin
0x000000003fd61bb0     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\2E126832A1EF24E140433861870AEB947A4959B8
0x000000003fd65f20     16      0 R--rw- \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\gmp-clearkey\0.1\manifest.json
0x000000003fd68070     16      0 -W-rwd \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\startupCache\webext.sc.lz4.tmp
0x000000003fd682b0     15      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\CC93E20733476F9184F5763FBD52D8A70EFAA774
0x000000003fd697a0     16      0 R--rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\storage\permanent\chrome\.metadata-v2
0x000000003fd69d20     13      0 R--rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\startupCache\startupCache.4.little
0x000000003fd6f5a0     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\1A6D0AC0D2198FADBC4C58E0FB5B020505413D2F
0x000000003fd71a20     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\2F277B1470FB2CB920AE974087BF2432A8FF748B
0x000000003fd751e0     12      0 R--r-- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cookies.sqlite
0x000000003fd7d070      1      1 R--rw- \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox
0x000000003fd7eb70      1      1 R--rw- \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox
0x000000003fd87850     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\FCE02426B3D2DE3092374717C284485BEFA4183B
0x000000003fd92660      1      1 R--rw- \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox
0x000000003fd94a20      1      1 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\browser\features\formautofill@mozilla.org.xpi
0x000000003fdb2ae0      1      1 R--rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\places.sqlite
0x000000003fdb9a20     15      0 R--rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\thumbnails\0cc8fdf9edddca2b1dac0cc687826cce.png
0x000000003fdba720      1      1 R--rw- \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox
0x000000003fdbad20      1      1 R--rw- \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox
0x000000003fdbcbb0     16      0 RWD--- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\safebrowsing-updating\test-phish-simple.sbstore
0x000000003fdbcd00     16      0 RWD--- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\safebrowsing-updating\test-block-simple.pset
0x000000003fdca4b0     17      1 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\places.sqlite-shm
0x000000003fdca7c0     25      1 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\places.sqlite-wal
0x000000003fdced20      2      0 R--rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\storage\default\https+++mail.google.com\.metadata-v2
0x000000003fdcfa20     16      0 RWD--- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\safebrowsing-updating\allow-flashallow-digest256.pset
0x000000003fdd0f20     16      0 -W-rwd \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\sessionCheckpoints.json.tmp
0x000000003fdd3610     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\7A8A5CE7B49916E7469989309868C53EB58B216D
0x000000003fdd3760     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\1A605251D8442859B6972FBF298F778C34211355
0x000000003fde6730      1      1 R--rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\places.sqlite
0x000000003fde7430     15      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\227536459C0A9F998F695E4E90C5B7A4E706E959
0x000000003fde79d0     16      0 -W-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\startupCache\scriptCache-child.bin.bin
0x000000003fde9ea0     14      0 R--rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\thumbnails\e2acb49803cfed8a01aa9bddd1639971.png
0x000000003fdea1e0      1      1 R--rw- \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox
0x000000003fdecd20      1      1 R--rw- \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox
0x000000003fdee2f0     18      1 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\permissions.sqlite
0x000000003fdeea70     14      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\2655C208AD0BC3DA4BACBA37EC1874A986DAFEF6
0x000000003fdeebc0      1      1 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\places.sqlite-wal
0x000000003fdfc580     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\CB5A4F33D4F9F4B6BA8DD50F46634FF3303B0DF1
0x000000003fe1c6f0     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\6DCBA13E6AEF6664A5A0A7C33D695298936A6A72
0x000000003fe20340     16      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\omni.ja
0x000000003fe21e60     11      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\browser\omni.ja
0x000000003fe27810     16      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\fonts\TwemojiMozilla.ttf
0x000000003fe5b200     11      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\nss3.dll
0x000000003fe5b860     28      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll
0x000000003fe5bcf0     16      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\dependentlibs.list
0x000000003fe5d2f0     16      0 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\cache2\entries\8F43299B2BBC180803AAE2295F17077D2C87FC5E
0x000000003fe651d0      3      0 -W-rwd \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\broadcast-listeners.json.tmp
0x000000003fe6a790      6      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\xul.dll
0x000000003fe6ac20     25      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\lgpllibs.dll
0x000000003fe82b00     12      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\mozglue.dll
0x000000003fe84400     18      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\vcruntime140.dll
0x000000003fe84930     26      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\msvcp140.dll
0x000000003fe85930     12      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\ucrtbase.dll
0x000000003fe85e60     27      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll
0x000000003fe86070     12      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\api-ms-win-core-localization-l1-2-0.dll
0x000000003fe86610     12      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll
0x000000003fe86b40     12      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\api-ms-win-core-processthreads-l1-1-1.dll
0x000000003fe87070     12      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll
0x000000003fe87610     12      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll
0x000000003fe87b40     12      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll
0x000000003fe89070     27      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\api-ms-win-crt-string-l1-1-0.dll
0x000000003fe89610     27      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\api-ms-win-crt-stdio-l1-1-0.dll
0x000000003fe89b40     27      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\api-ms-win-crt-heap-l1-1-0.dll
0x000000003fe95070      1      1 R--rw- \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox
0x000000003fe98070     27      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\api-ms-win-crt-convert-l1-1-0.dll
0x000000003fe98610     27      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll
0x000000003fe98b40     27      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\api-ms-win-crt-locale-l1-1-0.dll
0x000000003fe99070     27      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll
0x000000003fe99610     27      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll
0x000000003fe99b40     27      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\api-ms-win-crt-filesystem-l1-1-0.dll
0x000000003fe9af20     27      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll
0x000000003febfdd0     16      1 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\favicons.sqlite-wal
0x000000003febff20     12      1 RW-rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\favicons.sqlite

On closer inspection of the listing, we noticed a PNG file at \Program Files (x86)\Mozilla Firefox\fleg.png, an image that has no business sitting in the browser's install directory. Based on that finding we ran dumpfiles on its file object, which yielded the requested flag

$ volatility -f haha.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003fab7f20 --name -D .
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x3fab7f20   None   \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\fleg.png
preview-6

FLAG : hacktoday{finally_m0nhack_c0m3back}
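Picking one odd file out of thousands of filescan rows by eye is error-prone, so here is the triage step as an added example (it is not part of the writeup and not Volatility code): a small Python parser for Volatility 2 `filescan` output that flags files under the Firefox install directory whose extension is not one we would expect there, and emits the matching `dumpfiles -Q` command. The sample listing is constructed from a few lines of the output above; the `fleg.png` row is reconstructed from the offset and path quoted in the dumpfiles command, and the set of "expected" install-directory extensions is an assumption, not a Mozilla-published list.

```python
import re
from typing import Iterable, List, NamedTuple

# Constructed sample of `volatility filescan` output (Volatility 2.6 layout:
# physical offset, #Ptr, #Hnd, access flags, path). Banner and header lines are
# included so the parser has to skip them. The fleg.png row is reconstructed
# from the offset/path in the writeup's dumpfiles command (constructed input).
SAMPLE_FILESCAN = r"""Volatility Foundation Volatility Framework 2.6
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003fab7f20     16      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\fleg.png
0x000000003fca4d10      1      1 R--rw- \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox
0x000000003fd57820     16      0 R--rw- \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\defaults\pref\channel-prefs.js
0x000000003fdb9a20     15      0 R--rw- \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\3uvx3kmv.default-release\thumbnails\0cc8fdf9edddca2b1dac0cc687826cce.png
0x000000003fe20340     16      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\omni.ja
0x000000003fe5b200     11      0 R--rwd \Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox\nss3.dll
"""

# Install directory to audit (kernel path form, as filescan prints it).
FIREFOX_INSTALL_DIR = r"\Device\HarddiskVolume1\Program Files (x86)\Mozilla Firefox"

# Assumed set of extensions that belong in a Firefox install tree; anything
# else under that tree is worth a second look. Adjust for other software.
EXPECTED_INSTALL_EXTENSIONS = {
    ".dll", ".exe", ".ja", ".ttf", ".list", ".json", ".js", ".xpi",
    ".dat", ".ini", ".txt", ".manifest", ".sig", ".chk",
}

# One data row: offset, #Ptr, #Hnd, a 6-char access string, then a path
# starting with a backslash (paths may contain spaces, so match to end of line).
FILESCAN_LINE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S{6})\s+(\\.+?)\s*$"
)


class FileObject(NamedTuple):
    offset: int        # physical offset of the _FILE_OBJECT; what dumpfiles -Q takes
    ptr_count: int
    handle_count: int
    access: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def extension(self) -> str:
        dot = self.name.rfind(".")
        return self.name[dot:].lower() if dot >= 0 else ""


def parse_filescan(text: str) -> List[FileObject]:
    """Parse filescan output, silently skipping banner, header and blank lines."""
    rows = []
    for line in text.splitlines():
        m = FILESCAN_LINE.match(line.strip())
        if not m:
            continue
        rows.append(FileObject(int(m.group(1), 16), int(m.group(2)),
                               int(m.group(3)), m.group(4), m.group(5)))
    return rows


def odd_files_under(entries: Iterable[FileObject], directory: str,
                    expected=EXPECTED_INSTALL_EXTENSIONS) -> List[FileObject]:
    """Files below `directory` whose extension is not in `expected`.

    Extension-less entries are treated as directory objects and ignored.
    """
    prefix = (directory.rstrip("\\") + "\\").lower()
    return [e for e in entries
            if e.path.lower().startswith(prefix)
            and e.extension != ""
            and e.extension not in expected]


def dumpfiles_commands(entries: Iterable[FileObject], image: str,
                       profile: str) -> List[str]:
    """Volatility 2 dumpfiles invocation for each flagged file object."""
    return [f"volatility -f {image} --profile={profile} dumpfiles "
            f"-Q 0x{e.offset:016x} --name -D ." for e in entries]


if __name__ == "__main__":
    found = odd_files_under(parse_filescan(SAMPLE_FILESCAN), FIREFOX_INSTALL_DIR)
    for e in found:
        print(f"{e.offset:#018x}  {e.access}  {e.path}")
    for cmd in dumpfiles_commands(found, "haha.raw", "Win7SP1x64"):
        print(cmd)
```

In practice you would feed it the full `filescan` output redirected to a file rather than the constructed sample; the thumbnail PNG under the user profile is deliberately included to show that the directory filter, not the extension alone, is what singles out `fleg.png`.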