Malware Analysis Report

2024-08-06 12:45

Sample ID 240614-12mmss1hkp
Target ClydeBot.zip
SHA256 fd415095e0f0262dc3f25e7d5fe00a295115ab33660ad43bac655306c1ef1a4b
Tags
stealerium
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fd415095e0f0262dc3f25e7d5fe00a295115ab33660ad43bac655306c1ef1a4b

Threat Level: Known bad

The file ClydeBot.zip was found to be: Known bad.

Malicious Activity Summary

stealerium

Stealerium family

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Checks processor information in registry

Modifies registry class

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-14 22:08

Signatures

Stealerium family

stealerium

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 22:08

Reported

2024-06-14 22:11

Platform

win10-20240611-en

Max time kernel

130s

Max time network

137s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ClydeBot.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ClydeBot.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 22:08

Reported

2024-06-14 22:11

Platform

win11-20240508-en

Max time kernel

146s

Max time network

150s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ClydeBot.zip

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2136 wrote to memory of 960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2136 wrote to memory of 960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2136 wrote to memory of 960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2136 wrote to memory of 960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2136 wrote to memory of 960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2136 wrote to memory of 960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2136 wrote to memory of 960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2136 wrote to memory of 960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2136 wrote to memory of 960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2136 wrote to memory of 960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2136 wrote to memory of 960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 1776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 1776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 1776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 1776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 1776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 1776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 1776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 1776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 1776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 1776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ClydeBot.zip

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.0.1083861529\99786807" -parentBuildID 20230214051806 -prefsHandle 1772 -prefMapHandle 1764 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {83a3ee4a-6d4f-4764-bb13-2b74ccf7a855} 960 "\\.\pipe\gecko-crash-server-pipe.960" 1864 1ed16e10858 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.1.2124249818\1958004147" -parentBuildID 20230214051806 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a25a82c-2a22-40bf-87bd-6046d20f5236} 960 "\\.\pipe\gecko-crash-server-pipe.960" 2388 1ed02b8a258 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.2.1615013471\857523605" -childID 1 -isForBrowser -prefsHandle 1572 -prefMapHandle 2940 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81a8efe5-10d3-4230-bdd0-b605e0fd996f} 960 "\\.\pipe\gecko-crash-server-pipe.960" 3008 1ed197f7458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.3.1648143366\768048129" -childID 2 -isForBrowser -prefsHandle 3572 -prefMapHandle 3568 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {322e4001-8094-4d02-8dbf-0002dac559fd} 960 "\\.\pipe\gecko-crash-server-pipe.960" 3580 1ed1c5e4758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.4.2121097889\966371308" -childID 3 -isForBrowser -prefsHandle 5044 -prefMapHandle 4980 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {373377af-f319-469a-a037-87f73e80f82c} 960 "\\.\pipe\gecko-crash-server-pipe.960" 5052 1ed1e862658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.5.1763845298\821598820" -childID 4 -isForBrowser -prefsHandle 5168 -prefMapHandle 5172 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c24f8794-dc1d-4700-b5be-a928143b2a4b} 960 "\\.\pipe\gecko-crash-server-pipe.960" 5156 1ed1e862f58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.6.923923019\1208731737" -childID 5 -isForBrowser -prefsHandle 5444 -prefMapHandle 5440 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {019c9db8-1ad5-4d0d-a94e-ca7d1306f732} 960 "\\.\pipe\gecko-crash-server-pipe.960" 5452 1ed1e863858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.7.352022711\1114561562" -childID 6 -isForBrowser -prefsHandle 2944 -prefMapHandle 2924 -prefsLen 27769 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e6b0975-6b57-4292-8868-4258661f162c} 960 "\\.\pipe\gecko-crash-server-pipe.960" 2844 1ed02b80758 tab

Network

Country Destination Domain Proto
N/A 127.0.0.1:49726 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
N/A 127.0.0.1:49732 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 support.mozilla.org udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 aus5.mozilla.org udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp

Files

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\prefs.js

MD5 b9727e0bd01cd9d67d8e4823754e308a
SHA1 1ace5b47fdd5aad115c7f2f0f2d6f3914b5e31b8
SHA256 b669fc7142c83c3d47d0c1093fc7e28090612800c2d6f4d3a728409d67587d9f
SHA512 30ee965f9a58f09079d409a4e47dd082b3187e008751ef9bfcd6ddaee1bf6c302bfd105761d8d7a4fb00b0ba160461b0277939839e9b38dcbd7fa769bd8093ec

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\prefs-1.js

MD5 577bd9aac3ca6fb246103825525d464f
SHA1 909cd2a0b29977bab8bb7b3c474929a12a5c7477
SHA256 b7c7c0e1128670b9d2363a52901a752fde43a47f23b06a714db3e424928398c6
SHA512 7170a0b33881cbd12c271efa20abe0ff3c2a06c348f58734fd55c5e04641be848be4935b0afbeee6a4cc3b1a05ca739e2d05fc818800010d95d8a98ab92c5826

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\sessionstore-backups\recovery.jsonlz4

MD5 84f964822427298955d979a4bd462c6e
SHA1 ee70ea7ef5b12e9cc23efe74d8786c84b9049a12
SHA256 7f369f3fea3c6b3091d5db6faa5be334523712c57f518705ae53e61719810b6c
SHA512 5e170548ffc15772f949d5325341cec4125ef2d23946dc7c52a702ad24d81f1994585adc120c70b1c7d596291179a8d4e5eb1a130adb97dec750af98ee4f2e24

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\activity-stream.discovery_stream.json.tmp

MD5 585959165a9e9c4d1a89071daedfda65
SHA1 1c838ecce89d4ecae825ec28f6071669de529849
SHA256 bf663c933479357517f7c867cd1edbe7008d7cb3f7dd314eac87a2639b23bd49
SHA512 720352cf70ac3cbb999e4ccde173375d3ade1391271928823cdbe672f6bab55afb1333c56c3ebc522adf8f0170217901af1d8fe9cf61c56769a6ac51984e867a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\prefs-1.js

MD5 5f106706c45d181e2eddfd56a4de525e
SHA1 18a20c10fde6b33b6d2a89db7877c7e39352b80f
SHA256 6d8696e1b88c5f7be2d291e1aa5e8d285147f8e57bd080f02fa5e1d5a7fae410
SHA512 5a38be40f58f1081436bac08450c93edc650cdb46cc133ec24fe0f94037154198552f839dd4a6f8e17876b997f619064fae90808a4eca8e50a54b7947c4bbdcc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\sessionstore-backups\recovery.jsonlz4

MD5 b83056b0e59387d066076a6e8dcd79a6
SHA1 2beb82a1e294db8d95cbf57496360387fba0b1c9
SHA256 83521c923aa4a270484879eb8cd040affa3fa2bb9269e10fafbfe5577ba1ad95
SHA512 87add3e097a3eb3056832d7aeb3c7fd7a4e4ea2c81d3a8c0d5b7349ecceb85fc343ce6bd6fb493930290b5522ed2159cd9f6bc39f6f97cc658561ce0a48d4d03

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\sessionstore-backups\recovery.jsonlz4

MD5 3962d3a8db5fecb7333f84c9e7482331
SHA1 dc412de4f82c597fef56a0d1b80cde4c4005b72c
SHA256 2802e99302bd1b79af817df72626cf9ec68ced0b8d994f3988e1a8d1e981fcfa
SHA512 809ecaa8ffa998e4c79a836d611f98b1fcc1581fda8d9b4f70088852fdcb99a21ab798fc37809ae4e209296f26979159b9905edb2e84e47c8a102722b55ca2fb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\prefs-1.js

MD5 ee3eeca35738cd6b13973aa2c262bf62
SHA1 18998880f09d16e836fd18ca9fc908af52b351b8
SHA256 2a638441cffe1126cdf236223bfa22bcb3718ac81059dc2941d3048313286fce
SHA512 d705372df7e5272fff5a3ad9fe685974bab526c3d05738ba4492e8bf305c6d1d37bd834a5c4cc64320f3f4296764c4fba77370517cbbfbb993d9588e7b37bb7c