Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02-04-2024 15:30
Behavioral task: behavioral1
- Sample: WhatsApp Images - INVACO PVT.exe
- Resource: win7-20240221-en
General
- Target: WhatsApp Images - INVACO PVT.exe
- Size: 647KB
- MD5: f62ce68dfaa4fedd2fa52462cacfb469
- SHA1: 08b72552d6b1dd32700b2f793c808693a4149709
- SHA256: d35ce3c05cc9670b5f3f0ec95f63e0ac8d3df6aae8bb2243cda70f9ceb99230d
- SHA512: a96ce720d33c425f1ff4816b1b715a3843161d301d805d5593f150a419387bf3b1fa16b94e1cdaa6a9c25a018592d127b90d47c19b44a9a080da77826ca81b68
- SSDEEP: 12288:2sHzOUNUSB/o5LsI1uwajJ5yvv1l2HiG84Ol2YK7AP/0oBW4D+:ZiUmSB/o5d1ubcvqgtltOA0oh+
Malware Config
Extracted
formbook
4.1
kh11
Signatures
Formbook payload 4 IoCs
resource | yara_rule
behavioral1/memory/2276-75-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/2276-94-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/1224-111-0x0000000000080000-0x00000000000AF000-memory.dmp | formbook
behavioral1/memory/1224-113-0x0000000000080000-0x00000000000AF000-memory.dmp | formbook

resource | yara_rule
behavioral1/memory/1736-0-0x0000000000A80000-0x0000000000BEF000-memory.dmp | upx
behavioral1/memory/1736-78-0x0000000000A80000-0x0000000000BEF000-memory.dmp | upx
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/1736-78-0x0000000000A80000-0x0000000000BEF000-memory.dmp | autoit_exe
Suspicious use of SetThreadContext 12 IoCs
description | pid | Process | procid_target
PID 1736 set thread context of 2276 | 1736 | WhatsApp Images - INVACO PVT.exe | 37
PID 2276 set thread context of 1232 | 2276 | svchost.exe | 21
PID 1224 set thread context of 1232 | 1224 | cmd.exe | 21
PID 1224 set thread context of 2548 | 1224 | cmd.exe | 29
PID 1224 set thread context of 2436 | 1224 | cmd.exe | 30
PID 1224 set thread context of 1644 | 1224 | cmd.exe | 31
PID 1224 set thread context of 1900 | 1224 | cmd.exe | 32
PID 1224 set thread context of 2756 | 1224 | cmd.exe | 34
PID 1224 set thread context of 1668 | 1224 | cmd.exe | 35
PID 1224 set thread context of 2216 | 1224 | cmd.exe | 38
PID 1224 set thread context of 1072 | 1224 | cmd.exe | 39
PID 1224 set thread context of 2840 | 1224 | cmd.exe | 40
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid | Process
2276 | svchost.exe
1224 | cmd.exe
Suspicious behavior: MapViewOfSection 24 IoCs
pid | Process
1736 | WhatsApp Images - INVACO PVT.exe
2276 | svchost.exe
1224 | cmd.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2548 | firefox.exe
Token: SeDebugPrivilege | 2276 | svchost.exe
Token: SeDebugPrivilege | 1224 | cmd.exe
Token: SeShutdownPrivilege | 1232 | Explorer.EXE
Suspicious use of FindShellTrayWindow 8 IoCs
pid | Process
1736 | WhatsApp Images - INVACO PVT.exe
2548 | firefox.exe
1232 | Explorer.EXE
Suspicious use of SendNotifyMessage 5 IoCs
pid | Process
1736 | WhatsApp Images - INVACO PVT.exe
2548 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1964 wrote to memory of 2548 | 1964 | firefox.exe | 29
PID 2548 wrote to memory of 2436 | 2548 | firefox.exe | 30
PID 2548 wrote to memory of 1644 | 2548 | firefox.exe | 31
PID 2548 wrote to memory of 1900 | 2548 | firefox.exe | 32
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\Explorer.EXE (PID 1232)
  Command line: C:\Windows\Explorer.EXE
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
  - C:\Users\Admin\AppData\Local\Temp\WhatsApp Images - INVACO PVT.exe (PID 1736)
    Command line: "C:\Users\Admin\AppData\Local\Temp\WhatsApp Images - INVACO PVT.exe"
    Signatures: Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
    - C:\Windows\SysWOW64\svchost.exe (PID 2276)
      Command line: "C:\Users\Admin\AppData\Local\Temp\WhatsApp Images - INVACO PVT.exe"
      Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken
  - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1964)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2548)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
      Signatures: Checks processor information in registry; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2436)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.0.372657342\2125626032" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1208 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {762c97c4-e922-44b1-8fa4-50406b2fabb0} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 1280 11dd4258 gpu
      - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1644)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.1.627132670\885266092" -parentBuildID 20221007134813 -prefsHandle 1472 -prefMapHandle 1468 -prefsLen 20830 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fcf781e3-5d50-4151-a666-2ea0d39bcfd1} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 1484 d6fb58 socket
      - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1900)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.2.1280230134\618838481" -childID 1 -isForBrowser -prefsHandle 2104 -prefMapHandle 2100 -prefsLen 20868 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c52ee0d-74fa-4b99-8520-2959a7a236eb} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 2116 19e7bb58 tab
      - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2756)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.3.450262673\398843359" -childID 2 -isForBrowser -prefsHandle 668 -prefMapHandle 608 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9806469e-e69d-4ee5-8c3e-4d47a68406d2} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 2520 d71958 tab
      - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1668)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.4.447108278\1141271293" -childID 3 -isForBrowser -prefsHandle 2876 -prefMapHandle 2872 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {334b5e23-7f1d-4a0e-97b2-9802f0b5db7e} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 2888 1b8d6b58 tab
      - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2216)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.5.185524218\493553630" -childID 4 -isForBrowser -prefsHandle 3712 -prefMapHandle 3716 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d49ad0eb-e68b-4e90-b1f2-47f7bac31c1e} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 3696 19ff7258 tab
      - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1072)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.6.413775371\1982450434" -childID 5 -isForBrowser -prefsHandle 3824 -prefMapHandle 3828 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d179b445-78f1-4498-a57c-8df2511b1476} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 3808 1dbf6958 tab
      - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2840)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.7.930062063\194217996" -childID 6 -isForBrowser -prefsHandle 4028 -prefMapHandle 4032 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef23003d-b5ca-4916-9e47-148c7c9f0144} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 4016 1dbf5158 tab
  - C:\Windows\explorer.exe (PID 2052)
    Command line: "C:\Windows\explorer.exe"
  - C:\Windows\SysWOW64\cmd.exe (PID 1224)
    Command line: "C:\Windows\SysWOW64\cmd.exe"
    Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (PID 1688)
      Command line: /c del "C:\Windows\SysWOW64\svchost.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads