Analysis
- max time kernel: 514s
- max time network: 516s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 27-06-2024 21:38
Static task: static1
Behavioral task: behavioral1
- Sample: run
- Resource: win10-20240404-en
Behavioral task: behavioral2
- Sample: run
- Resource: win10v2004-20240611-en
General
- Target: run
- Size: 740B
- MD5: 1e49c49df1e9bb5a3646fbdd72fff72d
- SHA1: ca3b2f92797030ad96341c5551812e679e9746d3
- SHA256: df52ed4a147cad99aec03614368f8781e806c45be6e046ec4a73a26e7ec9cd10
- SHA512: b0c96599de30f1822ddc99d1fed6341ae06f25a171c52b9a78f6304d02a30f8da41738d4af4b4c8365b0b52739b3df03be99dddf764f12f724bd24a91b59c82d
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
flow | pid | Process
14 | 1076 | powershell.exe
16 | 2392 | powershell.exe

pid | Process
2392 | powershell.exe
6516 | powershell.exe
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | firefox.exe
Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | OpenWith.exe
NTFS ADS 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\Downloads\run_search:Zone.Identifier | firefox.exe
Opens file in notepad (likely ransom note) 1 IoCs
pid | Process
6720 | notepad.exe
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid | Process
1076 | powershell.exe
1076 | powershell.exe
1076 | powershell.exe
2392 | powershell.exe
2392 | powershell.exe
2392 | powershell.exe
5456 | powershell_ise.exe
5456 | powershell_ise.exe
5456 | powershell_ise.exe
6516 | powershell.exe
6516 | powershell.exe
6516 | powershell.exe
6516 | powershell.exe
Suspicious use of AdjustPrivilegeToken 10 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1076 | powershell.exe
Token: SeDebugPrivilege | 2392 | powershell.exe
Token: SeDebugPrivilege | 5456 | powershell_ise.exe
Token: SeDebugPrivilege | 6368 | firefox.exe
Token: SeDebugPrivilege | 6368 | firefox.exe
Token: SeDebugPrivilege | 6368 | firefox.exe
Token: SeDebugPrivilege | 6516 | powershell.exe
Token: SeDebugPrivilege | 6368 | firefox.exe
Token: SeDebugPrivilege | 6368 | firefox.exe
Token: SeDebugPrivilege | 6368 | firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs
pid | Process
6368 | firefox.exe
6368 | firefox.exe
6368 | firefox.exe
6368 | firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs
pid | Process
6368 | firefox.exe
6368 | firefox.exe
6368 | firefox.exe
Suspicious use of SetWindowsHookEx 24 IoCs
pid Process 6368 firefox.exe 6368 firefox.exe 6368 firefox.exe 6368 firefox.exe 6368 firefox.exe 6368 firefox.exe 6368 firefox.exe 6268 OpenWith.exe 6268 OpenWith.exe 6268 OpenWith.exe 6268 OpenWith.exe 6268 OpenWith.exe 6268 OpenWith.exe 6268 OpenWith.exe 6268 OpenWith.exe 6268 OpenWith.exe 6268 OpenWith.exe 6268 OpenWith.exe 6268 OpenWith.exe 6268 OpenWith.exe 6268 OpenWith.exe 6268 OpenWith.exe 6268 OpenWith.exe 6268 OpenWith.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\cmd.exe (PID 5000)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\run
- C:\Windows\System32\rundll32.exe (PID 2736)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1076)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2392)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\AppData\Local\Temp\run.ps1'"
  Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe (PID 5456)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\Admin\AppData\Local\Temp\run.ps1"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Mozilla Firefox\firefox.exe (PID 5972)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe (PID 6368)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    Signatures: Checks processor information in registry; Modifies registry class; NTFS ADS; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 5864)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6368.0.1075939976\1986084064" -parentBuildID 20221007134813 -prefsHandle 1732 -prefMapHandle 1720 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {87dcf8e4-c2c0-45de-bf8e-bef1db0c814d} 6368 "\\.\pipe\gecko-crash-server-pipe.6368" 1824 1e30aa04158 gpu
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 7112)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6368.1.1083235422\2123931745" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2326a3dc-6ade-4805-9db4-c2f01e797e71} 6368 "\\.\pipe\gecko-crash-server-pipe.6368" 2184 1e3097f9558 socket
      Signatures: Checks processor information in registry
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 6872)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6368.2.926008302\1970154815" -childID 1 -isForBrowser -prefsHandle 2680 -prefMapHandle 2716 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba1f41f7-e10a-4068-928b-44f7118b29f5} 6368 "\\.\pipe\gecko-crash-server-pipe.6368" 2932 1e30985d758 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2716)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6368.3.331099790\925302317" -childID 2 -isForBrowser -prefsHandle 3208 -prefMapHandle 2696 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {81f85832-9249-4cff-8f1d-25ab0b039ddb} 6368 "\\.\pipe\gecko-crash-server-pipe.6368" 3544 1e30dec8958 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2708)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6368.4.1909247757\38610076" -childID 3 -isForBrowser -prefsHandle 4268 -prefMapHandle 4264 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {47d7d8e3-ed70-45a2-9b35-b4754741d01c} 6368 "\\.\pipe\gecko-crash-server-pipe.6368" 4280 1e30faac758 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 6168)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6368.5.854573748\1821245983" -childID 4 -isForBrowser -prefsHandle 4888 -prefMapHandle 4884 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e13be27-63ae-44b7-8199-02c634e4e1fa} 6368 "\\.\pipe\gecko-crash-server-pipe.6368" 4896 1e3101aac58 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 6176)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6368.6.784454047\1252231059" -childID 5 -isForBrowser -prefsHandle 5032 -prefMapHandle 5036 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d97ea802-74f0-4397-8a8e-7a333e763767} 6368 "\\.\pipe\gecko-crash-server-pipe.6368" 5024 1e3101ab558 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4340)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6368.7.1541593855\1665274930" -childID 6 -isForBrowser -prefsHandle 5228 -prefMapHandle 5232 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a34cc7a-b35a-4423-b1a9-392e731008ec} 6368 "\\.\pipe\gecko-crash-server-pipe.6368" 5216 1e37e765658 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2072)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6368.8.1295164404\955192560" -childID 7 -isForBrowser -prefsHandle 4712 -prefMapHandle 4660 -prefsLen 26808 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa7832b8-3f76-4a3b-9642-28bc818b69ab} 6368 "\\.\pipe\gecko-crash-server-pipe.6368" 4692 1e3101a9458 tab
- C:\Windows\system32\OpenWith.exe (PID 6268)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Modifies registry class; Suspicious use of SetWindowsHookEx
  - C:\Windows\system32\NOTEPAD.EXE (PID 648)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\run_search
- C:\Windows\System32\notepad.exe (PID 6720)
  Command line: "C:\Windows\System32\notepad.exe" "C:\Users\Admin\Downloads\run_search.ps1"
  Signatures: Opens file in notepad (likely ransom note)
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 6516)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\Downloads\run_search.ps1'"
  Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads