Analysis
-
max time kernel
149s -
max time network
171s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
03/05/2024, 14:16
Static task
static1
Behavioral task
behavioral1
Sample
OwnCheat.rar
Resource
win7-20240221-en
General
-
Target
OwnCheat.rar
-
Size
170.3MB
-
MD5
3ec0351d0e376c32313da6d78df0c69b
-
SHA1
e9ba4328f5db2af7335b309fd610237481604451
-
SHA256
ddfbd3bdb5abf02dc0f519de669b56b27dd866b2e93193e4958a8b0825bf019c
-
SHA512
9215826453c6643308f141e0a49e4c5c742510cf0d96b6da51f95016fccbab353e19fefa634c73f95944b801eecbde684acf9c8d9422944d9982f64c22dde12e
-
SSDEEP
3145728:0YqAq7qufqcWFu3dprtg46lsl/K3Ov7akh8xpQhOfEKN3gaq1ggTEM8aGp:0YlSquNWFuN3ysNK8GkVhObN3p6BA
Malware Config
Signatures
-
Detect ZGRat V1 1 IoCs
resource yara_rule behavioral2/memory/3424-412-0x0000000000400000-0x000000000044A000-memory.dmp family_zgrat_v1 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/3424-412-0x0000000000400000-0x000000000044A000-memory.dmp family_redline -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation cmd.exe -
Executes dropped EXE 2 IoCs
pid Process 4660 OwnCheat.exe 2612 OwnCheat.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4660 set thread context of 3424 4660 OwnCheat.exe 108 PID 2612 set thread context of 2648 2612 OwnCheat.exe 112 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1160 taskmgr.exe 1160 taskmgr.exe 3424 RegAsm.exe 3424 RegAsm.exe 3424 RegAsm.exe 3424 RegAsm.exe 3424 RegAsm.exe 3424 RegAsm.exe 3424 RegAsm.exe 3424 RegAsm.exe 3424 RegAsm.exe 3424 RegAsm.exe 3424 RegAsm.exe 3424 RegAsm.exe 3424 RegAsm.exe 3424 RegAsm.exe 3424 RegAsm.exe 3424 RegAsm.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 2648 RegAsm.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 688 7zFM.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
description pid Process Token: SeRestorePrivilege 688 7zFM.exe Token: 35 688 7zFM.exe Token: SeSecurityPrivilege 688 7zFM.exe Token: SeDebugPrivilege 3424 RegAsm.exe Token: SeDebugPrivilege 1160 taskmgr.exe Token: SeSystemProfilePrivilege 1160 taskmgr.exe Token: SeCreateGlobalPrivilege 1160 taskmgr.exe Token: SeDebugPrivilege 2648 RegAsm.exe Token: 33 1160 taskmgr.exe Token: SeIncBasePriorityPrivilege 1160 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 688 7zFM.exe 688 7zFM.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe 1160 taskmgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2936 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4136 wrote to memory of 688 4136 cmd.exe 92 PID 4136 wrote to memory of 688 4136 cmd.exe 92 PID 4660 wrote to memory of 1844 4660 OwnCheat.exe 106 PID 4660 wrote to memory of 1844 4660 OwnCheat.exe 106 PID 4660 wrote to memory of 1844 4660 OwnCheat.exe 106 PID 4660 wrote to memory of 2032 4660 OwnCheat.exe 107 PID 4660 wrote to memory of 2032 4660 OwnCheat.exe 107 PID 4660 wrote to memory of 2032 4660 OwnCheat.exe 107 PID 4660 wrote to memory of 3424 4660 OwnCheat.exe 108 PID 4660 wrote to memory of 3424 4660 OwnCheat.exe 108 PID 4660 wrote to memory of 3424 4660 OwnCheat.exe 108 PID 4660 wrote to memory of 3424 4660 OwnCheat.exe 108 PID 4660 wrote to memory of 3424 4660 OwnCheat.exe 108 PID 4660 wrote to memory of 3424 4660 OwnCheat.exe 108 PID 4660 wrote to memory of 3424 4660 OwnCheat.exe 108 PID 4660 wrote to memory of 3424 4660 OwnCheat.exe 108 PID 2612 wrote to memory of 1288 2612 OwnCheat.exe 111 PID 2612 wrote to memory of 1288 2612 OwnCheat.exe 111 PID 2612 wrote to memory of 1288 2612 OwnCheat.exe 111 PID 2612 wrote to memory of 2648 2612 OwnCheat.exe 112 PID 2612 wrote to memory of 2648 2612 OwnCheat.exe 112 PID 2612 wrote to memory of 2648 2612 OwnCheat.exe 112 PID 2612 wrote to memory of 2648 2612 OwnCheat.exe 112 PID 2612 wrote to memory of 2648 2612 OwnCheat.exe 112 PID 2612 wrote to memory of 2648 2612 OwnCheat.exe 112 PID 2612 wrote to memory of 2648 2612 OwnCheat.exe 112 PID 2612 wrote to memory of 2648 2612 OwnCheat.exe 112 PID 4472 wrote to memory of 2936 4472 firefox.exe 115 PID 4472 wrote to memory of 2936 4472 firefox.exe 115 PID 4472 wrote to memory of 2936 4472 firefox.exe 115 PID 4472 wrote to memory of 2936 4472 firefox.exe 115 PID 4472 wrote to memory of 2936 4472 firefox.exe 115 PID 4472 wrote to memory of 2936 4472 firefox.exe 115 PID 4472 wrote to memory of 2936 4472 firefox.exe 115 PID 4472 wrote to memory of 2936 4472 firefox.exe 115 PID 4472 wrote to memory of 2936 4472 firefox.exe 115 PID 4472 wrote to memory of 2936 4472 firefox.exe 115 PID 4472 wrote to memory of 2936 4472 firefox.exe 115 PID 2936 wrote to memory of 2064 2936 firefox.exe 116 PID 2936 wrote to memory of 2064 2936 firefox.exe 116 PID 2936 wrote to memory of 5104 2936 firefox.exe 117 PID 2936 wrote to memory of 5104 2936 firefox.exe 117 PID 2936 wrote to memory of 5104 2936 firefox.exe 117 PID 2936 wrote to memory of 5104 2936 firefox.exe 117 PID 2936 wrote to memory of 5104 2936 firefox.exe 117 PID 2936 wrote to memory of 5104 2936 firefox.exe 117 PID 2936 wrote to memory of 5104 2936 firefox.exe 117 PID 2936 wrote to memory of 5104 2936 firefox.exe 117 PID 2936 wrote to memory of 5104 2936 firefox.exe 117 PID 2936 wrote to memory of 5104 2936 firefox.exe 117 PID 2936 wrote to memory of 5104 2936 firefox.exe 117 PID 2936 wrote to memory of 5104 2936 firefox.exe 117 PID 2936 wrote to memory of 5104 2936 firefox.exe 117 PID 2936 wrote to memory of 5104 2936 firefox.exe 117 PID 2936 wrote to memory of 5104 2936 firefox.exe 117 PID 2936 wrote to memory of 5104 2936 firefox.exe 117 PID 2936 wrote to memory of 5104 2936 firefox.exe 117 PID 2936 wrote to memory of 5104 2936 firefox.exe 117 PID 2936 wrote to memory of 5104 2936 firefox.exe 117 PID 2936 wrote to memory of 5104 2936 firefox.exe 117 PID 2936 wrote to memory of 5104 2936 firefox.exe 117 PID 2936 wrote to memory of 5104 2936 firefox.exe 117 PID 2936 wrote to memory of 5104 2936 firefox.exe 117 PID 2936 wrote to memory of 5104 2936 firefox.exe 117
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\OwnCheat.rar1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4136 -
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\OwnCheat.rar"2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:688
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:81⤵PID:764
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4400
-
C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe"C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:1844
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:2032
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3424
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1160
-
C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe"C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:1288
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648
-
-
C:\Windows\System32\_iyiwy.exe"C:\Windows\System32\_iyiwy.exe"1⤵PID:3152
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2936.0.1523896926\1384476286" -parentBuildID 20221007134813 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a9ebfde-4f10-4066-9e3d-06eb9148ca1f} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" 1964 1d7781d9e58 gpu3⤵PID:2064
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2936.1.1673832774\1652749943" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2320 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2d39ae0-af40-4fcb-b06e-049c5d9c3189} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" 2364 1d777b32958 socket3⤵PID:5104
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2936.2.9210831\650279896" -childID 1 -isForBrowser -prefsHandle 3308 -prefMapHandle 3304 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41cbec7b-5441-4673-b20f-5def090e8d5d} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" 3320 1d77c118258 tab3⤵PID:4728
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2936.3.1792019170\44276428" -childID 2 -isForBrowser -prefsHandle 3896 -prefMapHandle 3892 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {694cc34b-2ade-4120-8ab3-314595e3de66} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" 3868 1d77c67d158 tab3⤵PID:4696
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2936.4.1512588561\135234127" -childID 3 -isForBrowser -prefsHandle 2964 -prefMapHandle 4076 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8eb01344-ace3-4174-ab5b-178116150bd6} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" 3892 1d77aaa8b58 tab3⤵PID:416
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD560ad21e008a8447fc1130a9c9c155148
SHA15dfa21d14dc33de3cc93a463688fe1d640b01730
SHA256bb65e24fd8681e7af464e115fba42ff7713e933683cbd654a124c0e564530bb9
SHA51242a2753f717a4984967907fa69200e8a464068a6d4a226803cf9503ffb7fee540ffc611b4c905cc84f3623639a6aa93003b390f9c38e601b59f171a9e90bd9b6
-
Filesize
21.5MB
MD5dada5d3d71d97009275fe266381bd52b
SHA1be421b5c86767be813811869acf569a1ad1dbf3d
SHA25663c3d033bfd95795a555e1ad0b9233c1547cfd7682cca803b31c2a985615d91b
SHA51299d5fb30378029dac8980a902848bbbd0f638b0a5bf058537aa27a21a64dafa9c39674273af4a0d15793065c543d358f1a75559ab9c354d9f7754ca03fde4c51
-
C:\Users\Admin\AppData\Local\Temp\7zE0B27E258\OwnCheat\Addons\lib\images\cursors\win32_LinkNoDrop32x32.gif
Filesize153B
MD51e9d8f133a442da6b0c74d49bc84a341
SHA1259edc45b4569427e8319895a444f4295d54348f
SHA2561a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b
SHA51263d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD5ecdc05e0e4a7f574f5bb4a56b195838e
SHA14cfa1a0689a1f58d3506a535c15a5b939a946955
SHA256890a2b8adfbde47da41f5194eccd7b5baf19bc852b5bbcc0c9cfc6a32bffcc52
SHA5126c8343a71d6ee908f59f0e49f37318725cc1af68ffb1533a1464e0587f7a2d71d2d0437b0bd0cc2857e05b98449da431d675bcbbedec9314bc61c31a0d39639c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\9229c7c0-1d97-4521-86e8-d9d208676cb6
Filesize746B
MD50812c1f37fe590c53ab998755d6948fb
SHA1079dcffa7f674f6bdaeafb9448d95b3a6d1de9f6
SHA256593c5ff01e7f604cda2fb7d6f54d93b47f6912a332d780fa1907911c5622392a
SHA5123845a5d813bd2c3ef51ae452100b22ea05f5c294cb5b937539585401023ac8a43ac520af877ed6e8718fcba82abd539f307e12aa74421b21cfe55082e21ff616
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\d7618f18-8d39-4eea-9d84-786f28dfe9ed
Filesize11KB
MD55b0e0bf6ada858462704a75f51a2653e
SHA1c89145488f52a34f255c5bb302a53d4d9e81982c
SHA2562ea7541c6dd6427d463787ca229a5eef0f8341f06bcb7a69135b18589a4e559d
SHA512e19ece02ab7bb2209f7293bcc40ac81d420687219545cdb660e4eeb09199a28e0d5951ee8721526ee514de853c916bf674ef281370657b14a5e44f1fe284f548
-
Filesize
433KB
MD57e46d11cc986f86dc1210adfc6f51248
SHA189823c4faf48f75c9578c2e31367bd2d0fd7225a
SHA256af8c537868eae76c5616f69dde5d25fa0ac00d9ac60d3afc0eff574830f5c123
SHA51261f4e103115ae908a68ac001d7e73d600ea727646c6daeff0474a6f18102ee70de67e145875827a70a0f7a47138eb55724c266252aa792ef514994328a8aed4d