Analysis
max time kernel: 148s
max time network: 142s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 22-05-2024 07:46

Behavioral task: behavioral1
Sample: Valkyria.exe
Resource: win10-20240404-en

Behavioral task: behavioral2
Sample: Valkyria.exe
Resource: win10v2004-20240426-en

General
Target: Valkyria.exe
Size: 8.2MB
MD5: 1626922cadeeedea404cadfe628d7e16
SHA1: 9323dbefdd49c84ae79e188b79bac5cee2ab6a6e
SHA256: 202faa66219e927a3b57d90ee9b2b4fbd309ed72ff89a7e28d7668ca08d0fd49
SHA512: 80d0d6b93a8b85e2ed0fb6dee775b6f40f6d39381640c8e8ab3309f58e84d8b17e86b321849a2ffdfa4b7dd39736730b5a1d822f95a20153c1d41d52b604a9e0
SSDEEP: 196608:68oppJhh2fJB0ZOFkGEWZd7HFApko0eYOiKddHB2icEPld6aGXAr5xN:6jppJEJB0ZOFNVZRlekSFPvHlQAxN

Malware Config
Extracted
njrat
0.7d
SvHost
hakim32.ddns.net:2000
rates-alfred.gl.at.ply.gg:39912
07fe81bb92603a7ba50e57049dc09693
reg_key: 07fe81bb92603a7ba50e57049dc09693
splitter: |'|'|
Extracted
blackguard
https://api.telegram.org/bot5865379362:AAEUbyvhTdYJ7SmCp7YyfRe8OBV_Jrj9iqg/sendMessage?chat_id=5481385928
Signatures

BlackGuard
Infostealer first seen in late 2021.

Modifies Windows Firewall 2 TTPs 1 IoCs
pid | Process
3004 | netsh.exe

Drops startup file 4 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Realtek HD Audio Universal Service.exe | server.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Realtek HD Audio Universal Service.exe | server.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\07fe81bb92603a7ba50e57049dc09693Realtek Semiconductor.exe | server.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\07fe81bb92603a7ba50e57049dc09693Realtek Semiconductor.exe | server.exe

Executes dropped EXE 4 IoCs
pid | Process
3336 | zkzkzkz.exe
2996 | Everything.exe
3604 | Natasha.exe
556 | server.exe

Loads dropped DLL 5 IoCs
pid | Process
3604 | Natasha.exe
3604 | Natasha.exe
3604 | Natasha.exe
3604 | Natasha.exe
3604 | Natasha.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
1 | freegeoip.app
2 | freegeoip.app
8 | ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | Natasha.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Natasha.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe

Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | firefox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2640 | vlc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
3604 | Natasha.exe
3604 | Natasha.exe
3604 | Natasha.exe
3604 | Natasha.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
556 | server.exe
2640 | vlc.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs
Suspicious use of FindShellTrayWindow 31 IoCs
Suspicious use of SendNotifyMessage 29 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2640 | vlc.exe
3424 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Valkyria.exe (PID 4812)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Valkyria.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\zkzkzkz.exe (PID 3336)
    Command line: "C:\Users\Admin\AppData\Local\Temp\zkzkzkz.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\server.exe (PID 556)
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Drops startup file
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\netsh.exe (PID 3004)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        - Modifies Windows Firewall

  C:\Users\Admin\AppData\Local\Temp\Everything.exe (PID 2996)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Everything.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Natasha.exe (PID 3604)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Natasha.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Program Files\VideoLAN\VLC\vlc.exe (PID 2640)
  Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\InstallDisable.asf"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

C:\Program Files\Mozilla Firefox\firefox.exe (PID 5112)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Mozilla Firefox\firefox.exe (PID 3424)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 1260)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.0.1289555340\1773681204" -parentBuildID 20221007134813 -prefsHandle 1736 -prefMapHandle 1728 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {641be82a-edb0-4933-86ba-e4f921eb95f3} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 1828 15328bd8858 gpu

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 396)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.1.1897925343\1888165550" -parentBuildID 20221007134813 -prefsHandle 2152 -prefMapHandle 2148 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2e3d756-cb64-408b-9bc6-ee50ec0da033} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 2164 153168de458 socket

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 4164)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.2.913343356\700088883" -childID 1 -isForBrowser -prefsHandle 2764 -prefMapHandle 2816 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1104 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {65415762-c10d-4d57-91dd-9f06659c3c44} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 2828 1532cd98358 tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 424)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.3.2131736021\1069162839" -childID 2 -isForBrowser -prefsHandle 3344 -prefMapHandle 3336 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1104 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dfba6966-4e87-42f7-8749-c47735d83dd7} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 3360 15316862558 tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 1320)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.4.1308533641\2124606127" -childID 3 -isForBrowser -prefsHandle 4424 -prefMapHandle 4420 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1104 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {88812ca0-41f3-4fc1-abc3-ab1d64d6a70e} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 4436 1532ee2a358 tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 688)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.5.1611207033\106484098" -childID 4 -isForBrowser -prefsHandle 4960 -prefMapHandle 4956 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1104 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa562ba3-e1e4-4e47-9f13-a272ac940b20} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 4968 1532ee28558 tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 644)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.6.2005987565\1083520679" -childID 5 -isForBrowser -prefsHandle 4752 -prefMapHandle 4788 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1104 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {71b294ff-3f96-49fb-9763-951cce5644b1} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 5108 1532f354358 tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 4620)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.7.1163635814\51689246" -childID 6 -isForBrowser -prefsHandle 5224 -prefMapHandle 5228 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1104 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {869c5273-1c8e-4266-bd0d-9da5b73d89f9} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 5216 1532f353158 tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 696)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.8.112266321\2030659036" -childID 7 -isForBrowser -prefsHandle 2876 -prefMapHandle 2848 -prefsLen 26593 -prefMapSize 233444 -jsInitHandle 1104 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8af19609-f38d-4cbc-9521-8ba65f7941cd} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 2640 15328e93558 tab

Network
MITRE ATT&CK Enterprise v15
Downloads