Analysis

max time kernel: 209s
max time network: 210s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-08-2024 15:49

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://mega.nz/folder/uqwklSAB#8RZu11qt83wQ1lLSx08ZaA
Resource: win10v2004-20240802-en

General
Target: https://mega.nz/folder/uqwklSAB#8RZu11qt83wQ1lLSx08ZaA

Malware Config

Signatures
Detect Vidar Stealer 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/5516-1037-0x0000000000330000-0x0000000001518000-memory.dmp | family_vidar_v7

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to or copy of the web browser credential store.

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: TradingView Premium Desktop.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | TradingView Premium Desktop.exe

Executes dropped EXE 1 IoCs
Processes: TradingView Premium Desktop.exe
pid | process
5516 | TradingView Premium Desktop.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files 1 TTPs
Steals credentials from unsecured files.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: cmd.exe, timeout.exe, TradingView Premium Desktop.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TradingView Premium Desktop.exe

Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe, firefox.exe, TradingView Premium Desktop.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TradingView Premium Desktop.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | TradingView Premium Desktop.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe

Delays execution with timeout.exe 1 IoCs
Processes: timeout.exe
pid | process
5768 | timeout.exe

Modifies registry class 1 IoCs
Processes: firefox.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | firefox.exe

NTFS ADS 1 IoCs
Processes: firefox.exe
description | ioc | process
File created | C:\Users\Admin\Downloads\TradingView_Premium_Desktop.zip:Zone.Identifier | firefox.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes: TradingView Premium Desktop.exe
pid | process
5516 | TradingView Premium Desktop.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes: firefox.exe, AUDIODG.EXE, 7zG.exe, 7zG.exe
description | pid | process
Token: SeDebugPrivilege | 1432 | firefox.exe
Token: 33 | 3588 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 3588 | AUDIODG.EXE
Token: SeRestorePrivilege | 2108 | 7zG.exe
Token: 35 | 2108 | 7zG.exe
Token: SeSecurityPrivilege | 2108 | 7zG.exe
Token: SeRestorePrivilege | 3788 | 7zG.exe
Token: 35 | 3788 | 7zG.exe
Token: SeSecurityPrivilege | 3788 | 7zG.exe

Suspicious use of FindShellTrayWindow 23 IoCs
Processes: firefox.exe, 7zG.exe, 7zG.exe
pid | process
1432 | firefox.exe
2108 | 7zG.exe
3788 | 7zG.exe

Suspicious use of SendNotifyMessage 20 IoCs
Processes: firefox.exe
pid | process
1432 | firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs
Processes: firefox.exe
pid | process
1432 | firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes: firefox.exe, firefox.exe
description | pid | process | target process
PID 1688 wrote to memory of 1432 | 1688 | firefox.exe | firefox.exe
PID 1432 wrote to memory of 2396 | 1432 | firefox.exe | firefox.exe
PID 1432 wrote to memory of 560 | 1432 | firefox.exe | firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes
C:\Program Files\Mozilla Firefox\firefox.exe (PID: 1688)
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://mega.nz/folder/uqwklSAB#8RZu11qt83wQ1lLSx08ZaA"
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Mozilla Firefox\firefox.exe (PID: 1432)
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://mega.nz/folder/uqwklSAB#8RZu11qt83wQ1lLSx08ZaA
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\firefox.exe (PID: 2396)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2347fe5a-f672-4738-9b9c-b3991aaff874} 1432 "\\.\pipe\gecko-crash-server-pipe.1432" gpu

    C:\Program Files\Mozilla Firefox\firefox.exe (PID: 560)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6bd7200e-30ca-4f24-bf7d-b758b275a434} 1432 "\\.\pipe\gecko-crash-server-pipe.1432" socket

    C:\Program Files\Mozilla Firefox\firefox.exe (PID: 1876)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2880 -childID 1 -isForBrowser -prefsHandle 3076 -prefMapHandle 3128 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b99cecb-5c79-4eaf-825f-054ad3e0aef8} 1432 "\\.\pipe\gecko-crash-server-pipe.1432" tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID: 2504)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3724 -childID 2 -isForBrowser -prefsHandle 3424 -prefMapHandle 2980 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {334d8544-4d47-4d7b-8efd-128422b43f39} 1432 "\\.\pipe\gecko-crash-server-pipe.1432" tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID: 3404)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4700 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4692 -prefMapHandle 4680 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0b0ba24-5077-4146-8781-22efcde147a3} 1432 "\\.\pipe\gecko-crash-server-pipe.1432" utility
      - Checks processor information in registry

    C:\Program Files\Mozilla Firefox\firefox.exe (PID: 3428)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5508 -childID 3 -isForBrowser -prefsHandle 5476 -prefMapHandle 5468 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b0cbbd7-b788-45d0-b8c3-e6f87af0154f} 1432 "\\.\pipe\gecko-crash-server-pipe.1432" tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID: 4224)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 4 -isForBrowser -prefsHandle 5656 -prefMapHandle 5660 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b33688f-87f7-47ff-a95c-9ba3328a6b01} 1432 "\\.\pipe\gecko-crash-server-pipe.1432" tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID: 64)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5820 -childID 5 -isForBrowser -prefsHandle 5828 -prefMapHandle 5832 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73e93d3c-b981-4089-be48-df360d0da93b} 1432 "\\.\pipe\gecko-crash-server-pipe.1432" tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID: 3648)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5888 -childID 6 -isForBrowser -prefsHandle 5636 -prefMapHandle 5660 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3399ac12-33c6-4bd5-af0f-1acdc32678b0} 1432 "\\.\pipe\gecko-crash-server-pipe.1432" tab

C:\Windows\system32\AUDIODG.EXE (PID: 3588)
  C:\Windows\system32\AUDIODG.EXE 0x2f8 0x2cc
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\rundll32.exe (PID: 1752)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe (PID: 2108)
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\TradingView_Premium_Desktop\" -spe -an -ai#7zMap12122:116:7zEvent23813
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Program Files\7-Zip\7zG.exe (PID: 3788)
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\TradingView_Premium_Desktop\" -an -ai#7zMap6399:214:7zEvent11459
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Users\Admin\Downloads\TradingView_Premium_Desktop\TradingView Premium Desktop.exe (PID: 5516)
  "C:\Users\Admin\Downloads\TradingView_Premium_Desktop\TradingView Premium Desktop.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\cmd.exe (PID: 5744)
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AECAKJJECAEG" & exit
    - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\timeout.exe (PID: 5768)
      timeout /t 10
      - System Location Discovery: System Language Discovery
      - Delays execution with timeout.exe

Network

MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores 1
    Credentials from Web Browsers 1
  Unsecured Credentials 4
    Credentials In Files 4

Downloads