Malware Analysis Report

2025-05-05 21:32

Sample ID: 240529-lbag8aaf64
Target: docfus.exe
SHA256: 5c70f002867b29b543af81320920cf2297ab4f4ed9b42b3b8fc432232fb91100
Tags: spyware stealer pyinstaller
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Shows suspicious behavior

The file docfus.exe was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer pyinstaller

Loads dropped DLL

Reads user/profile data of web browsers

Unsigned PE

Detects Pyinstaller

Checks processor information in registry

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-29 09:21

Signatures

Detects Pyinstaller

pyinstaller

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-29 09:21
Reported: 2024-05-29 09:21
Platform: win11-20240508-en
Max time kernel: 37s
Max time network: 46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\docfus.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Checks processor information in registry

Description | Indicator | Process | Target | Count
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 2
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 2
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 2
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 2
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 1

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 2

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 3

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 3844 wrote to memory of 1764 | N/A | C:\Users\Admin\AppData\Local\Temp\docfus.exe | C:\Users\Admin\AppData\Local\Temp\docfus.exe | 2
PID 464 wrote to memory of 3160 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 11
PID 3160 wrote to memory of 5060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 43
PID 3160 wrote to memory of 2172 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 8

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\docfus.exe
  "C:\Users\Admin\AppData\Local\Temp\docfus.exe"

C:\Users\Admin\AppData\Local\Temp\docfus.exe
  "C:\Users\Admin\AppData\Local\Temp\docfus.exe"

C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.0.2020837802\1509273271" -parentBuildID 20230214051806 -prefsHandle 1812 -prefMapHandle 1804 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {93182c3d-bea7-491c-9355-1718dcd563eb} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 1892 2207fb08a58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.1.2056235015\294578408" -parentBuildID 20230214051806 -prefsHandle 2404 -prefMapHandle 2396 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0aa5599a-645f-4d10-8ea6-d6fe65319d2f} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 2416 22008169d58 socket

C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.2.664488653\474598433" -childID 1 -isForBrowser -prefsHandle 3204 -prefMapHandle 3200 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 944 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4aa31080-33c9-4034-bd14-909747464887} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 2652 2200ab05558 tab

C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.3.2048874231\1468017725" -childID 2 -isForBrowser -prefsHandle 3432 -prefMapHandle 1164 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 944 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b07fa555-a525-4561-b477-7d0b34e96554} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 3576 2200d723558 tab

C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.4.1898997324\621326027" -childID 3 -isForBrowser -prefsHandle 5020 -prefMapHandle 5004 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 944 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e53639f-1793-41d6-92af-25d3c0be0201} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 5016 22010081958 tab

C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.5.1398113370\640719356" -childID 4 -isForBrowser -prefsHandle 5252 -prefMapHandle 5248 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 944 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f011463-b504-4f80-a5de-fd041d5eef0b} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 5260 2201007fe58 tab

C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.6.1983847479\561608248" -childID 5 -isForBrowser -prefsHandle 5260 -prefMapHandle 5280 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 944 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {757b55a1-8e0c-4cde-980f-7fb76544767d} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 5048 22010080d58 tab

C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.7.886940304\160881901" -childID 6 -isForBrowser -prefsHandle 5820 -prefMapHandle 5816 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 944 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53296d61-09d4-43f8-a038-773bf120f2f1} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 5724 22011aa9258 tab

Network

Country | Destination | Domain | Proto | Count
N/A | 192.168.207.128:5001 | N/A | tcp | 1
US | 8.8.8.8:53 | spocs.getpocket.com | udp | 1
US | 8.8.8.8:53 | contile.services.mozilla.com | udp | 1
US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp | 1
US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp | 1
US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp | 1
US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp | 1
US | 34.117.188.166:443 | contile.services.mozilla.com | tcp | 2
US | 8.8.8.8:53 | push.services.mozilla.com | udp | 1
US | 34.117.188.166:443 | contile.services.mozilla.com | udp | 1
US | 44.237.98.207:443 | shavar.prod.mozaws.net | tcp | 1
US | 34.107.243.93:443 | push.services.mozilla.com | tcp | 2
US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp | 2
N/A | 127.0.0.1:49764 | N/A | tcp | 1
N/A | 127.0.0.1:49770 | N/A | tcp | 1
FR | 142.250.179.110:80 | google.com | tcp | 1
FR | 172.217.20.196:80 | www.google.com | tcp | 1
FR | 172.217.20.196:443 | www.google.com | tcp | 1
FR | 172.217.20.196:443 | www.google.com | udp | 1
FR | 142.250.179.78:443 | ogs.google.com | tcp | 1
FR | 142.250.178.142:443 | plus.l.google.com | tcp | 1
FR | 142.250.178.142:443 | plus.l.google.com | udp | 1
FR | 142.250.179.78:443 | ogs.google.com | udp | 1
FR | 172.217.20.174:443 | play.google.com | tcp | 2
FR | 172.217.20.174:443 | play.google.com | udp | 1
FR | 142.250.179.110:443 | google.com | tcp | 5
FR | 142.250.179.110:443 | google.com | udp | 1

Files

PyInstaller runtime files extracted to the _MEI38442 temp directory:

C:\Users\Admin\AppData\Local\Temp\_MEI38442\python312.dll
C:\Users\Admin\AppData\Local\Temp\_MEI38442\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI38442\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI38442\_socket.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI38442\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI38442\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI38442\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI38442\_decimal.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI38442\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI38442\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI38442\libcrypto-3.dll

Firefox profile files:

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mg2c1myw.default-release\activity-stream.discovery_stream.json.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\prefs-1.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionstore-backups\recovery.jsonlz4
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mg2c1myw.default-release\cache2\doomed\2276
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mg2c1myw.default-release\cache2\doomed\15114
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mg2c1myw.default-release\cache2\doomed\1827
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionstore.jsonlz4
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionCheckpoints.json