Analysis
max time kernel: 148s
max time network: 155s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 11-07-2024 06:57
Static task: static1
Behavioral task: behavioral1
Sample: b0abfe65f6de9238e3b03b6d5e115706.exe
Resource: win7-20240704-en
General
Target: b0abfe65f6de9238e3b03b6d5e115706.exe
Size: 1.8MB
MD5: b0abfe65f6de9238e3b03b6d5e115706
SHA1: 217ab85c40c8b968fd5193eaba20b841bb09e891
SHA256: 64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb
SHA512: 87b8ca733d9ca2909b022a6b891c84833b240d9d3ab0c5e4af5b8aa099084e462faa7db7f784d89ceb525edde1497fa40b98ee1127429453cf95d2285703718c
SSDEEP: 49152:Zy/ZdetC0vIdbKfBe/k00cvmp566B2Bi:A/ZdetCdbKJeBp+p566Ik
Malware Config
Extracted
amadey
4.30
4dd39d
http://77.91.77.82
install_dir: ad40971b6b
install_file: explorti.exe
strings_key: a434973ad22def7137dbb5e059b7081e
url_paths: /Hun4Ko/index.php
Extracted
stealc
hate
http://85.28.47.30
url_path: /920475a59bac849d.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes: b0abfe65f6de9238e3b03b6d5e115706.exe, explorti.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | b0abfe65f6de9238e3b03b6d5e115706.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: b0abfe65f6de9238e3b03b6d5e115706.exe, explorti.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | b0abfe65f6de9238e3b03b6d5e115706.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | b0abfe65f6de9238e3b03b6d5e115706.exe
Executes dropped EXE 3 IoCs
Processes: explorti.exe, 1d2537331c.exe, 02187977b7.exe
pid | process
2884 | explorti.exe
1920 | 1d2537331c.exe
1084 | 02187977b7.exe
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: b0abfe65f6de9238e3b03b6d5e115706.exe, explorti.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine | b0abfe65f6de9238e3b03b6d5e115706.exe
Key opened | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine | explorti.exe
Loads dropped DLL 6 IoCs
Processes: b0abfe65f6de9238e3b03b6d5e115706.exe, explorti.exe, 1d2537331c.exe
pid | process
2304 | b0abfe65f6de9238e3b03b6d5e115706.exe
2884 | explorti.exe
2884 | explorti.exe
2884 | explorti.exe
1920 | 1d2537331c.exe
1920 | 1d2537331c.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000011001\02187977b7.exe | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes: b0abfe65f6de9238e3b03b6d5e115706.exe, explorti.exe, 1d2537331c.exe
pid | process
2304 | b0abfe65f6de9238e3b03b6d5e115706.exe
2884 | explorti.exe
1920 | 1d2537331c.exe
1920 | 1d2537331c.exe
Drops file in Windows directory 1 IoCs
Processes: b0abfe65f6de9238e3b03b6d5e115706.exe
description | ioc | process
File created | C:\Windows\Tasks\explorti.job | b0abfe65f6de9238e3b03b6d5e115706.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: 1d2537331c.exe, firefox.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 1d2537331c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 1d2537331c.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Modifies registry class 1 IoCs
Processes: firefox.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: b0abfe65f6de9238e3b03b6d5e115706.exe, explorti.exe, 1d2537331c.exe
pid | process
2304 | b0abfe65f6de9238e3b03b6d5e115706.exe
2884 | explorti.exe
1920 | 1d2537331c.exe
1920 | 1d2537331c.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: firefox.exe
description | pid | process
Token: SeDebugPrivilege | 2336 | firefox.exe
Token: SeDebugPrivilege | 2336 | firefox.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: b0abfe65f6de9238e3b03b6d5e115706.exe, 02187977b7.exe, firefox.exe
pid | process
2304 | b0abfe65f6de9238e3b03b6d5e115706.exe
1084 | 02187977b7.exe
2336 | firefox.exe
Suspicious use of SendNotifyMessage 64 IoCs
Processes: 02187977b7.exe, firefox.exe
pid | process
1084 | 02187977b7.exe
2336 | firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: 1d2537331c.exe
pid | process
1920 | 1d2537331c.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: b0abfe65f6de9238e3b03b6d5e115706.exe, explorti.exe, 02187977b7.exe, firefox.exe, firefox.exe
description | pid | process | target process
PID 2304 wrote to memory of 2884 | 2304 | b0abfe65f6de9238e3b03b6d5e115706.exe | explorti.exe
PID 2884 wrote to memory of 1920 | 2884 | explorti.exe | 1d2537331c.exe
PID 2884 wrote to memory of 1084 | 2884 | explorti.exe | 02187977b7.exe
PID 1084 wrote to memory of 736 | 1084 | 02187977b7.exe | firefox.exe
PID 736 wrote to memory of 2336 | 736 | firefox.exe | firefox.exe
PID 2336 wrote to memory of 2472 | 2336 | firefox.exe | firefox.exe
PID 2336 wrote to memory of 2520 | 2336 | firefox.exe | firefox.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\b0abfe65f6de9238e3b03b6d5e115706.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b0abfe65f6de9238e3b03b6d5e115706.exe"
  PID: 2304
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
    PID: 2884
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\1000006001\1d2537331c.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\1d2537331c.exe"
      PID: 1920
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AKECBFBAEB.exe"
        PID: 1640
      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FIIIIDGHJE.exe"
        PID: 1724
    C:\Users\Admin\AppData\Local\Temp\1000011001\02187977b7.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000011001\02187977b7.exe"
      PID: 1084
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        PID: 736
        - Suspicious use of WriteProcessMemory
        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
          PID: 2336
          - Checks processor information in registry
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2336.0.859924486\1388637061" -parentBuildID 20221007134813 -prefsHandle 1188 -prefMapHandle 1164 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {67868af6-3adf-438a-9401-2b41c41211f5} 2336 "\\.\pipe\gecko-crash-server-pipe.2336" 1264 102f8b58 gpu
            PID: 2472
          C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2336.1.1539642856\1710237" -parentBuildID 20221007134813 -prefsHandle 1500 -prefMapHandle 1496 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a81615e1-c71a-42f4-ab36-478d54471923} 2336 "\\.\pipe\gecko-crash-server-pipe.2336" 1512 f71f58 socket
            PID: 2520
          C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2336.2.1834020037\757549727" -childID 1 -isForBrowser -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 21811 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {08ebbc0c-2bbe-4bb8-9cc1-464c08908048} 2336 "\\.\pipe\gecko-crash-server-pipe.2336" 2136 19caa858 tab
            PID: 1140
          C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2336.3.819176481\384469569" -childID 2 -isForBrowser -prefsHandle 2904 -prefMapHandle 2900 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b99c5788-63db-4edc-9989-2909ce3c24bd} 2336 "\\.\pipe\gecko-crash-server-pipe.2336" 2916 1c938e58 tab
            PID: 2932
          C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2336.4.134583734\606470100" -childID 3 -isForBrowser -prefsHandle 3476 -prefMapHandle 3452 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {52fae0ef-1e22-4c35-a90d-f2fcabc5d3a6} 2336 "\\.\pipe\gecko-crash-server-pipe.2336" 3524 1c489558 tab
            PID: 1180
          C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2336.5.1807875851\454775329" -childID 4 -isForBrowser -prefsHandle 3500 -prefMapHandle 3496 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {72c7315e-3e10-424e-82b9-0d33c369300b} 2336 "\\.\pipe\gecko-crash-server-pipe.2336" 3584 1dab9858 tab
            PID: 784
          C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2336.6.1467384971\1417171185" -childID 5 -isForBrowser -prefsHandle 3552 -prefMapHandle 3544 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2665131-a446-4465-bf32-b14d1b8f53c5} 2336 "\\.\pipe\gecko-crash-server-pipe.2336" 3500 1dabb058 tab
            PID: 1928
Network
MITRE ATT&CK Enterprise v15
Downloads