Analysis
- max time kernel: 298s
- max time network: 305s
- platform: windows11-21h2_x64
- resource: win11-20240221-en
- resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 01-03-2024 05:20

Behavioral task behavioral1
- Sample: AuroraV2/Aurora X.exe
- Resource: win11-20240221-en

Behavioral task behavioral2
- Sample: AuroraV2/scripts/scripts.dll
- Resource: win11-20240221-en
General
- Target: AuroraV2/Aurora X.exe
- Size: 1.2MB
- MD5: e05be86ba63e832615a317b86835a5b7
- SHA1: b49041b0fa9ac8befc69656488223b39175df8e9
- SHA256: 3ca80cbf5989832dab19b1ad3ade16acfc6accecc0cc2a02bf94d39aedcc1e8d
- SHA512: 886bb8eefbaf8b050455cdc032e57e47c8c96ebfd73fc05e68b6235b33fd666d75d666a5a8f36df44668d8fb5ae85f795a90b375faa690184003f496ca1c0b94
- SSDEEP: 24576:ezb5WDTsy3Hi4lalYItHmy53anD6XWvLXzcnQveFWCe1v6Ltnq:ehUtClljK6mLzcnUeq6Ltq
Malware Config
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
Processes:
- description: PID 4292 created 3232; pid: 4292; process: Expressions.pif; target process: Explorer.EXE

Drops startup file (1 IoCs)
Processes:
- description: File created; ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe; process: RegAsm.exe

Executes dropped EXE (3 IoCs)
Processes:
- pid: 4292; process: Expressions.pif
- pid: 4648; process: RegAsm.exe
- pid: 1108; process: qemu-ga.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- description: Key opened; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0; process: firefox.exe
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature; process: firefox.exe
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision; process: firefox.exe
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz; process: firefox.exe
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier; process: firefox.exe

Enumerates processes with tasklist (1 TTPs, 2 IoCs)
Processes:
- pid: 3720; process: tasklist.exe
- pid: 2408; process: tasklist.exe

Modifies registry class (1 IoCs)
Processes:
- description: Key created; ioc: \REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000_Classes\Local Settings; process: firefox.exe

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes:
- pid: 4292; process: Expressions.pif (8 entries)
- pid: 4648; process: RegAsm.exe (1 entry)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
- pid: 4292; process: Expressions.pif

Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes:
- description: Token: SeDebugPrivilege; pid: 3720; process: tasklist.exe
- description: Token: SeDebugPrivilege; pid: 2408; process: tasklist.exe
- description: Token: SeDebugPrivilege; pid: 4648; process: RegAsm.exe
- description: Token: SeDebugPrivilege; pid: 4172; process: firefox.exe (5 entries)

Suspicious use of FindShellTrayWindow (7 IoCs)
Processes:
- pid: 4292; process: Expressions.pif (3 entries)
- pid: 4172; process: firefox.exe (4 entries)

Suspicious use of SendNotifyMessage (6 IoCs)
Processes:
- pid: 4292; process: Expressions.pif (3 entries)
- pid: 4172; process: firefox.exe (3 entries)

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
- pid: 4172; process: firefox.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (distinct writer/target pairs):
- PID 4052 wrote to memory of 2996; process: Aurora X.exe; target process: cmd.exe
- PID 2996 wrote to memory of 3720; process: cmd.exe; target process: tasklist.exe
- PID 2996 wrote to memory of 4540; process: cmd.exe; target process: findstr.exe
- PID 2996 wrote to memory of 2408; process: cmd.exe; target process: tasklist.exe
- PID 2996 wrote to memory of 756; process: cmd.exe; target process: findstr.exe
- PID 2996 wrote to memory of 3460; process: cmd.exe; target process: cmd.exe
- PID 2996 wrote to memory of 4200; process: cmd.exe; target process: cmd.exe
- PID 2996 wrote to memory of 1316; process: cmd.exe; target process: cmd.exe
- PID 2996 wrote to memory of 4292; process: cmd.exe; target process: Expressions.pif
- PID 2996 wrote to memory of 1384; process: cmd.exe; target process: PING.EXE
- PID 4292 wrote to memory of 4648; process: Expressions.pif; target process: RegAsm.exe
- PID 4648 wrote to memory of 1108; process: RegAsm.exe; target process: qemu-ga.exe
- PID 1256 wrote to memory of 4172; process: firefox.exe; target process: firefox.exe
- PID 4172 wrote to memory of 3688; process: firefox.exe; target process: firefox.exe
- PID 4172 wrote to memory of 1912; process: firefox.exe; target process: firefox.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- PID 3232: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - PID 4052: C:\Users\Admin\AppData\Local\Temp\AuroraV2\Aurora X.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\AuroraV2\Aurora X.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - PID 2996: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k move Approve Approve.bat & Approve.bat & exit
      Signatures: Suspicious use of WriteProcessMemory
      - PID 3720: C:\Windows\SysWOW64\tasklist.exe
        Command line: tasklist
        Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      - PID 4540: C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /I "wrsa.exe opssvc.exe"
      - PID 2408: C:\Windows\SysWOW64\tasklist.exe
        Command line: tasklist
        Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      - PID 756: C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      - PID 3460: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c md 24252
      - PID 4200: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c copy /b Nuclear + Plasma + Proper + Merger 24252\Expressions.pif
      - PID 1316: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c copy /b Practice 24252\z
      - PID 4292: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\24252\Expressions.pif
        Command line: 24252\Expressions.pif 24252\z
        Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      - PID 1384: C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 5 127.0.0.1
        Signatures: Runs ping.exe
  - PID 4648: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\24252\RegAsm.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\24252\RegAsm.exe
    Signatures: Drops startup file; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - PID 1108: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
      Signatures: Executes dropped EXE
  - PID 1256: C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - PID 4172: C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
      Signatures: Checks processor information in registry; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - PID 3688: C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4172.0.1844635289\474230183" -parentBuildID 20221007134813 -prefsHandle 1760 -prefMapHandle 1752 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4e563bb-9943-4061-a60a-01a67636896f} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" 1840 24acf2d9358 gpu
      - PID 1912: C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4172.1.1281739237\157830156" -parentBuildID 20221007134813 -prefsHandle 2204 -prefMapHandle 2200 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49923c68-8f3c-4d2e-83d7-81939f51777c} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" 2216 24ac336e858 socket
      - PID 3912: C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4172.2.635755705\1958367633" -childID 1 -isForBrowser -prefsHandle 2956 -prefMapHandle 2816 -prefsLen 20886 -prefMapSize 233444 -jsInitHandle 1348 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cede4a8-2419-406d-9d20-8bd4ced75c1a} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" 3084 24ad467c858 tab
      - PID 1808: C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4172.3.1245031193\362683044" -childID 2 -isForBrowser -prefsHandle 3436 -prefMapHandle 3432 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1348 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a6fe025-2da7-40cf-9083-b0e3b5daf5bd} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" 3448 24ac335e858 tab
      - PID 1832: C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4172.4.2035101338\1817017129" -childID 3 -isForBrowser -prefsHandle 4572 -prefMapHandle 4404 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1348 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {942cfc6d-6144-446d-9c54-1099ea56d0dd} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" 4520 24ad68ab258 tab
      - PID 2072: C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4172.5.1804937244\1747850425" -childID 4 -isForBrowser -prefsHandle 2944 -prefMapHandle 5100 -prefsLen 26283 -prefMapSize 233444 -jsInitHandle 1348 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f03e2c5d-66b0-421c-9071-217ced9eae7b} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" 2720 24ad68ad058 tab
      - PID 2232: C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4172.6.280464918\214849193" -childID 5 -isForBrowser -prefsHandle 2588 -prefMapHandle 2572 -prefsLen 26283 -prefMapSize 233444 -jsInitHandle 1348 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f897f28d-853f-4f40-83d4-7f54a183296b} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" 5140 24ad7ecab58 tab
      - PID 2968: C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4172.7.2128142249\112814475" -childID 6 -isForBrowser -prefsHandle 5252 -prefMapHandle 5140 -prefsLen 26283 -prefMapSize 233444 -jsInitHandle 1348 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {209ad811-f4e9-42f1-8e50-bf4b2115328f} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" 5356 24ad7eca558 tab
- PID 2440: C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads