redline | hxxps://drive[.]google[.]com/uc?id=1ce4BUteJGHZQo4hEklnGiJbmpf38bxYT&export=download?usp=drive_link

Analysis

max time kernel
217s
max time network
219s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
18/02/2024, 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?id=1ce4BUteJGHZQo4hEklnGiJbmpf38bxYT&export=download?usp=drive_link

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/1552-3149-0x0000000005550000-0x00000000055AA000-memory.dmp	family_redline

Executes dropped EXE 1 IoCs

pid	Process
1552	Setup_x32_x64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
8	drive.google.com
2	drive.google.com

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Setup.rar:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	240	firefox.exe
Token: SeDebugPrivilege	240	firefox.exe
Token: SeDebugPrivilege	240	firefox.exe
Token: SeRestorePrivilege	3356	7zFM.exe
Token: 35	3356	7zFM.exe
Token: SeSecurityPrivilege	3356	7zFM.exe
Token: SeDebugPrivilege	240	firefox.exe
Token: SeDebugPrivilege	240	firefox.exe
Token: SeDebugPrivilege	240	firefox.exe
Token: SeDebugPrivilege	4572	taskmgr.exe
Token: SeSystemProfilePrivilege	4572	taskmgr.exe
Token: SeCreateGlobalPrivilege	4572	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
240	firefox.exe
240	firefox.exe
240	firefox.exe
240	firefox.exe
3356	7zFM.exe
3356	7zFM.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
240	firefox.exe
240	firefox.exe
240	firefox.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
240	firefox.exe
240	firefox.exe
240	firefox.exe
240	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 240	4988	firefox.exe	16
PID 4988 wrote to memory of 240	4988	firefox.exe	16
PID 4988 wrote to memory of 240	4988	firefox.exe	16
PID 4988 wrote to memory of 240	4988	firefox.exe	16
PID 4988 wrote to memory of 240	4988	firefox.exe	16
PID 4988 wrote to memory of 240	4988	firefox.exe	16
PID 4988 wrote to memory of 240	4988	firefox.exe	16
PID 4988 wrote to memory of 240	4988	firefox.exe	16
PID 4988 wrote to memory of 240	4988	firefox.exe	16
PID 4988 wrote to memory of 240	4988	firefox.exe	16
PID 4988 wrote to memory of 240	4988	firefox.exe	16
PID 240 wrote to memory of 2996	240	firefox.exe	80
PID 240 wrote to memory of 2996	240	firefox.exe	80
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4264	240	firefox.exe	81
PID 240 wrote to memory of 4484	240	firefox.exe	83
PID 240 wrote to memory of 4484	240	firefox.exe	83
PID 240 wrote to memory of 4484	240	firefox.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://drive.google.com/uc?id=1ce4BUteJGHZQo4hEklnGiJbmpf38bxYT&export=download?usp=drive_link"
1⤵
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://drive.google.com/uc?id=1ce4BUteJGHZQo4hEklnGiJbmpf38bxYT&export=download?usp=drive_link
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:240
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="240.0.824501108\575085560" -parentBuildID 20221007134813 -prefsHandle 1732 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9bb608a-4e7d-404b-9c11-665d0774a735} 240 "\\.\pipe\gecko-crash-server-pipe.240" 1852 13e98b04e58 gpu
    3⤵
    PID:2996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="240.1.1452838269\1956725734" -parentBuildID 20221007134813 -prefsHandle 2272 -prefMapHandle 2260 -prefsLen 21563 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97721469-d8a4-4445-a9f3-e92706f5f77b} 240 "\\.\pipe\gecko-crash-server-pipe.240" 2284 13e975e4758 socket
    3⤵
    - Checks processor information in registry
    PID:4264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="240.2.606855991\732165340" -childID 1 -isForBrowser -prefsHandle 2776 -prefMapHandle 2944 -prefsLen 21601 -prefMapSize 233444 -jsInitHandle 1044 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1d3dcaf-9b91-4897-bb84-6f6737790a58} 240 "\\.\pipe\gecko-crash-server-pipe.240" 2976 13e9cad6c58 tab
    3⤵
    PID:4484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="240.3.1527548360\1698051653" -childID 2 -isForBrowser -prefsHandle 3516 -prefMapHandle 3512 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1044 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72ab8837-f07a-45ff-b40b-2df7423dc287} 240 "\\.\pipe\gecko-crash-server-pipe.240" 3528 13e9b5c8b58 tab
    3⤵
    PID:4608
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="240.5.72059919\1861498008" -childID 4 -isForBrowser -prefsHandle 5248 -prefMapHandle 5252 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 1044 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1021f3dd-1902-4b11-880a-d86f4b6735ad} 240 "\\.\pipe\gecko-crash-server-pipe.240" 5240 13e991ac858 tab
    3⤵
    PID:964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="240.4.588056173\1141847039" -childID 3 -isForBrowser -prefsHandle 5032 -prefMapHandle 5036 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 1044 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91bbc810-93af-43de-943a-6def8e8efc8e} 240 "\\.\pipe\gecko-crash-server-pipe.240" 4872 13e991ace58 tab
    3⤵
    PID:4884
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="240.6.1169326167\462356967" -childID 5 -isForBrowser -prefsHandle 5440 -prefMapHandle 5444 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 1044 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {997eb662-6209-49cf-aedb-d84448324335} 240 "\\.\pipe\gecko-crash-server-pipe.240" 5524 13e991af258 tab
    3⤵
    PID:3788

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Setup.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3356

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4680

C:\Users\Admin\Desktop\Setup_x32-x64\Setup\Setup_x32_x64.exe
"C:\Users\Admin\Desktop\Setup_x32-x64\Setup\Setup_x32_x64.exe"
1⤵
- Executes dropped EXE
PID:1552

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\4832D199584363B876D3E7D57CA02A9B0F4D91CD

Filesize
13KB

MD5
0fbb98b655f3f3bbc1b1917235028bf7

SHA1
350d11101a3428e3b390ed71eaf4e62dbe402a19

SHA256
265e3a0c66ce8b7c51ac81ea21e45f177bd0088ae1826b0fc4f30a361cc06956

SHA512
f325e7629dbc9b528794c7d86d6b4490c344ef223e7561f7354204143a7a76626d83f031e73763a1a7a1a8154cfffc64c670b30b0faeb29e43a0a5e62b8d6121

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zEC1D44A48\Setup_x32-x64\Setup\Data\level4.resS

Filesize
128KB

MD5
64d183ad524dfcd10a7c816fbca3333d

SHA1
5a180d5c1f42a0deaf475b7390755b3c0ecc951c

SHA256
5a666340f42f0f985772024d90a83d15c9a241a68d58205cd4afbb1a31f1621a

SHA512
3cab59dff09981f49d1070fba06a781439bb1ea2dae0cfcb937d9875bbe9e866be2c951cfc6a3ca4a92aea79dd3e9c4792a765f5a06f230a57dabcab2f0b3c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
ba17376ed6a8671ca08665611c24f5fe

SHA1
2ff7f1e0daac576d3e0c542de9a67a4e93275e86

SHA256
2109bbfaa078dae0955ebe6b473a5accd984fd2e5a8cf23938b5e9a51f77af66

SHA512
ea6ec12dd22c8734a96cdd012c3d26e7dedfe89ca4a975f6033740848dabea074d72192006e8a42c402fa64f6dbf55ec1019fbe4809740d92412db3e878c66d7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\datareporting\glean\pending_pings\0e3261af-1465-413a-9e29-a93221e841ab

Filesize
746B

MD5
e37c68b898f2079ab1e8e5838269b6b8

SHA1
f1d7a36ec7d18d5a4d6c6acf4d0f4743645824a8

SHA256
1898237db67cb2e03f8fadd2388fb798f55a759aeadcbd567a6f39fb2c8ab144

SHA512
3c6d1ed8ee37d24a7a88e4b16da305781cf02b100e6a8d267ad974e41e40bc05518e9d6813345f9369c5ed04b674f8db4eb09770e9ae53088da874d887abd8fc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\datareporting\glean\pending_pings\12f32bfd-3750-4350-990a-c4c23ce470a6

Filesize
10KB

MD5
c39d136d30e1ba9b51e5a97ec5b34bce

SHA1
449f36034426f79ba905aa2294cd2737599ff52c

SHA256
99d3cefa71288e4e7c5b85e032495e4a3c6e1f3a7c7fc2fb9478999896a8301a

SHA512
33b59cfff6f4f1c19a53b35245ffd23d336e17a37d026e174ffd63bee55e0d3613f99cfc9d76d7e14632f71df3a35fc130caada6e6a33c1c13e2d8f9538c4686

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.1MB

MD5
440beca2dc363abb3621b98cad375ac8

SHA1
62272a9cdc53f354de8f0d11a2c4ff0b1486a214

SHA256
a6898a7d9dac3cad9dd84f88fcee92cceabcbc9c1503d1b2d5322477fd5a07ef

SHA512
42b5b9d23836b0525a8c07ad0998d94af4d9c99c8688f6d7e57c9b66669ab54cdb1e8467a7b7caf31749ed3fb610ac8a0555a9b5f816d533b2e9c6c884ec617c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\prefs-1.js

Filesize
8KB

MD5
1fafde1958499eae2187a5897ca74f89

SHA1
08731e9bdc708e94d5d12f7ab2864bbd6a7420d9

SHA256
db9fa076427cf14ef2d8c5fe8660529a7a7d39f2fbf84bde0b42c425f7a5363b

SHA512
6e8c67f27b4e4ab2820a4d1be2a4dbac823d82d26180c151e3779f2c80b5fffbed6b8da314fd2cbd419e7daedcddb234003dc80a60db535b94c180908e823eaf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\prefs-1.js

Filesize
9KB

MD5
1e3e85d6119b577d8d37d0fac0e9aaed

SHA1
5eb33569cac49151b7655440191fa526cadb184f

SHA256
c9c00867a92a5ecde014008dccd46b8b9a09e0e32bc0a10991af1e7b5ed29896

SHA512
83db200089e0fc218400d57280f53d7a1d8fcca284d38c2aa4f7605117cf5c14af1c4a8e6ebe06d480dfadefe676d40e685bb93623bff54111e6fbaa35045646

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\prefs-1.js

Filesize
9KB

MD5
23e21c58ed545d3a55c808791c33e5c0

SHA1
1f3198b000cbfba9e2ac4a5f6fefda8b75b780c9

SHA256
79a420259f3346269ffe423db1c56a6f01b095352854d663a31bda372014bdee

SHA512
14ef1c27a82426818eba38d1ae9e3d5ac48ef9acb382fdb75b0d191bd68b5b68f9ccca6cb588e92d6896a876622112295859d9dac47ea70d8c73700dfdc2cb94

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
56e1c314682ca2d909410ce7922c67f7

SHA1
621df147c12bcbb635dd2183661e41aefa0a4ff7

SHA256
51e828220b0ae0ae2c84f6c574f71f4fb4af410729868b34471dd9a9240d69dc

SHA512
86d68f2189fc676f1f70c169ce75ca037ee6342355274982996869e98bc11f10aae4bbe5556560705dc151de3d1e4658535d5d2061a6003e3d40f07e3fc762e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
f96779fcf47582703016f8da7404dab7

SHA1
d2754434396bd0050e8bf5b0d666112f21b0a99e

SHA256
7b7e97fab04c76ace8f7d0c992c20eecd03144378acb1ac83c927e3a66870e86

SHA512
71fd13059ca12360f68940b029520756e4e3914d07f68560db8d462872b749ca642daf036abd7308026cd1676f6de363d86ca32ff50e755cedd3763963adc288

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionstore.jsonlz4

Filesize
3KB

MD5
671d8c552998abfd397f29a955a1b924

SHA1
2dbbe9a1da04e8efd9eab9249145dc60e46e61bc

SHA256
ebaa2816caa999287b06a3b749b41798ecf8eb25af3f9ab06765dbdc1ad3d26e

SHA512
d6227b99c977a234c779879c27ccd2ddd8ed8a882398525bb55a9fa9d45cbcca7445116263dc4aba7b7d88d169d9de5152e60374259ea49dce42a4ae67be53d9

Download Submit
C:\Users\Admin\Desktop\Setup_x32-x64\Setup\Setup_x32_x64.exe

Filesize
29.2MB

MD5
244dd87ffb2964f77a68bc881bff30d7

SHA1
6a130014ddba0ae9dd6ca2bfba476911f05a8d29

SHA256
f3f47046e3a6c104efd1e3287757fc134ed4a488b1c0e2637848100f97506ee4

SHA512
6d41ad63a4f0e96320f8bdbd9b029819e3d18909ee74852ea9be105f4b3dc73b666e06feb151880f8604c6d0da47432f5b8ab9aebb66eb50e41e4a76722fe10f

Download Submit
C:\Users\Admin\Desktop\Setup_x32-x64\Setup\Setup_x32_x64.exe

Filesize
36.5MB

MD5
3b8b63acca0f21ed3bd2d0aac5b47bfc

SHA1
31308a10bfb1f1a8aad1e6a34597f168bfbcb659

SHA256
e8ff164c5e729b4393f532a4171e297451067e7a0ad974cbb2f915f7bf4561a0

SHA512
0be0d1de5d9da22b7f4d1190e6f34a2ac42d0a1f516cfee7081ca0e458c4cf178c4bc1bb82d799b682b0c4dd2b639a374c532fff11eb67afaf4ade1b9aa2c5a7

Download Submit
C:\Users\Admin\Downloads\Setup.Z1pRV3c2.rar.part

Filesize
39.5MB

MD5
e8814f7928990d6e864f7573917a0fc3

SHA1
e6da8060a2883ff2f34633d54572c70cb6c44628

SHA256
a753412190d48bf8dcbeac766d6331c86d6d5615dd2d7000cef2b65f4b90cb66

SHA512
1061739a9292d3c0b54bccea1106b44114acb87810b0f8ad9ea9e3f0c757471f9575d9a2338880e5cce4e14c348953f539fa99be51783c0ef9ec349c9b97261a

Download Submit
C:\Users\Admin\Downloads\Setup.rar

Filesize
10.8MB

MD5
c346487a4eda1abae681e374e0bc1a10

SHA1
c50e359f418347556acc5143f2471539e9018290

SHA256
e5ed4293cc50fef7b473bfe4917773f227519d1c3aa69311312f1e59d2594074

SHA512
a6b9e09668ef5e52214a0f4307d1c402257e78ec7599e2bc92bbb5561d862a699dba101ff45a3eaa30bd5c123070b9869581cb7627ea8aeb2ff630eeeaf208b2

Download Submit
\??\c:\users\admin\desktop\setup_x32-x64\setup\DotHelp.dll

Filesize
370KB

MD5
f029f981996c94bb47a3b39d31aaaf2b

SHA1
b586a3fde00e202eadfc5fea756eb64a3687f291

SHA256
c1b9eecd893603eacff7ca405b4da41f7c5dc7a8d0ac82450b68b6404d342014

SHA512
cd4d4d58357617bfb91712cb43796bfadffd1b2acc810736a2fd8916030944bd3752951b8f6343f555bb771906487b0e479c4fbe662353d6247ecbfc3eb46f57

Download Submit
memory/1552-3149-0x0000000005550000-0x00000000055AA000-memory.dmp

Filesize
360KB

Download
memory/1552-3170-0x0000000005660000-0x0000000005670000-memory.dmp

Filesize
64KB

Download
memory/1552-3148-0x0000000005660000-0x0000000005670000-memory.dmp

Filesize
64KB

Download
memory/1552-3150-0x00000000081A0000-0x0000000008746000-memory.dmp

Filesize
5.6MB

Download
memory/1552-3151-0x0000000007CB0000-0x0000000007D42000-memory.dmp

Filesize
584KB

Download
memory/1552-3152-0x0000000005660000-0x0000000005670000-memory.dmp

Filesize
64KB

Download
memory/1552-3153-0x0000000007E60000-0x0000000007E6A000-memory.dmp

Filesize
40KB

Download
memory/1552-3154-0x0000000008D70000-0x0000000009388000-memory.dmp

Filesize
6.1MB

Download
memory/1552-3155-0x0000000007F20000-0x0000000007F32000-memory.dmp

Filesize
72KB

Download
memory/1552-3156-0x0000000008750000-0x000000000885A000-memory.dmp

Filesize
1.0MB

Download
memory/1552-3157-0x0000000007F80000-0x0000000007FBC000-memory.dmp

Filesize
240KB

Download
memory/1552-3158-0x0000000008000000-0x000000000804C000-memory.dmp

Filesize
304KB

Download
memory/1552-3168-0x0000000074AD0000-0x0000000075281000-memory.dmp

Filesize
7.7MB

Download
memory/1552-3147-0x0000000074AD0000-0x0000000075281000-memory.dmp

Filesize
7.7MB

Download
memory/1552-3171-0x0000000005660000-0x0000000005670000-memory.dmp

Filesize
64KB

Download
memory/1552-3143-0x00000000002A0000-0x00000000002AC000-memory.dmp

Filesize
48KB

Download
memory/1552-3146-0x0000000000EA0000-0x0000000000EFD000-memory.dmp

Filesize
372KB

Download
memory/4572-3174-0x0000019DFB620000-0x0000019DFB621000-memory.dmp

Filesize
4KB

Download
memory/4572-3178-0x0000019DFB620000-0x0000019DFB621000-memory.dmp

Filesize
4KB

Download
memory/4572-3179-0x0000019DFB620000-0x0000019DFB621000-memory.dmp

Filesize
4KB

Download
memory/4572-3180-0x0000019DFB620000-0x0000019DFB621000-memory.dmp

Filesize
4KB

Download
memory/4572-3181-0x0000019DFB620000-0x0000019DFB621000-memory.dmp

Filesize
4KB

Download
memory/4572-3183-0x0000019DFB620000-0x0000019DFB621000-memory.dmp

Filesize
4KB

Download
memory/4572-3184-0x0000019DFB620000-0x0000019DFB621000-memory.dmp

Filesize
4KB

Download
memory/4572-3182-0x0000019DFB620000-0x0000019DFB621000-memory.dmp

Filesize
4KB

Download
memory/4572-3173-0x0000019DFB620000-0x0000019DFB621000-memory.dmp

Filesize
4KB

Download
memory/4572-3172-0x0000019DFB620000-0x0000019DFB621000-memory.dmp

Filesize
4KB

Download