Analysis
max time kernel: 1724s
max time network: 1152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-10-2024 19:41
Behavioral task: behavioral1
Sample: meshagent32-mesh.exe
Resource: win10v2004-20241007-en
General
Target: meshagent32-mesh.exe
Size: 3.7MB
MD5: 546157d9f4974c5b9871be88d6814a3e
SHA1: 8fa936396bca1454aa4bb8f8767394ca25763383
SHA256: c9fb879ceee5d354d2f773a565f7a537cb71733ea79dce8763a819774c64304c
SHA512: 8369d845ecd5670abc2d257e9a794bf59c771f1496b8ae6a74d0987c25152483cf0ca15710bbf087c6aa816700b6a8774e4dd7744b91256e2f54094b65271117
SSDEEP: 49152:r8o8bZjyJVD0s9Mr3XIfRviWkgEOaxfCbCMcXGtSgvZPOQ5Qx:r8o8VOUs9joRbMc2tSW6x
Malware Config
Signatures
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: meshagent32-mesh.exe, wmic.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (meshagent32-mesh.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (wmic.exe)
Checks processor information in registry 2 TTPs 17 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe, WINWORD.EXE
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (firefox.exe)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Modifies registry class 1 IoCs
Processes: firefox.exe
- Key created: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings (firefox.exe)
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE (PID 5056)
Suspicious use of AdjustPrivilegeToken 44 IoCs
Processes: wmic.exe, firefox.exe
- wmic.exe (PID 2168), each token listed twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- firefox.exe (PID 4172), listed twice: SeDebugPrivilege
Suspicious use of FindShellTrayWindow 21 IoCs
Processes: firefox.exe (PID 4172)
Suspicious use of SendNotifyMessage 20 IoCs
Processes: firefox.exe (PID 4172)
Suspicious use of SetWindowsHookEx 9 IoCs
Processes: WINWORD.EXE (PID 5056), firefox.exe (PID 4172)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: meshagent32-mesh.exe, firefox.exe
- PID 4132 (meshagent32-mesh.exe) wrote to memory of PID 2168 (wmic.exe)
- PID 4596 (firefox.exe) wrote to memory of PID 4172 (firefox.exe)
- PID 4172 (firefox.exe) wrote to memory of PID 1800 (firefox.exe)
- PID 4172 (firefox.exe) wrote to memory of PID 3056 (firefox.exe)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\meshagent32-mesh.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\meshagent32-mesh.exe"
  PID: 4132
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic os get oslanguage /FORMAT:LIST
    PID: 2168
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\SyncRestart.docx" /o ""
  PID: 5056
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  PID: 4596
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    PID: 4172
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1cd69d14-f492-40bf-a246-bd0cee62f055} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" gpu
      PID: 1800
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {929a8287-d87c-429a-9895-01b5802ad0dc} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" socket
      PID: 3056
      - Checks processor information in registry
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3132 -childID 1 -isForBrowser -prefsHandle 2988 -prefMapHandle 3188 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19c3555a-f67b-4b2f-9c00-ffdbbeaa0fd0} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
      PID: 3384
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4248 -childID 2 -isForBrowser -prefsHandle 4240 -prefMapHandle 2712 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc197ed2-47b4-469b-aab2-2eb58ec9d6f9} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
      PID: 1812
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4740 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4912 -prefMapHandle 4908 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fcd362f-3703-42d2-9132-f5f21935ddf4} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" utility
      PID: 2948
      - Checks processor information in registry
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5300 -childID 3 -isForBrowser -prefsHandle 5292 -prefMapHandle 5284 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a202bc2-5b20-4fbe-9475-7db73e22c2ef} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
      PID: 1872
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 4 -isForBrowser -prefsHandle 5520 -prefMapHandle 5516 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a0577b1-c7fd-45b0-b297-b6ca43512971} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
      PID: 1224
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5644 -childID 5 -isForBrowser -prefsHandle 5720 -prefMapHandle 5716 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fc803fd-200d-46a4-9f55-e6547ffca931} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
      PID: 4368
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6064 -childID 6 -isForBrowser -prefsHandle 5892 -prefMapHandle 5644 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37be502c-627b-4ce9-8809-23acc1d19a78} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
      PID: 2232
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6264 -parentBuildID 20240401114208 -prefsHandle 6248 -prefMapHandle 6256 -prefsLen 29357 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4522765e-71fe-4d54-a6ef-cc2740b2e830} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" rdd
      PID: 1904
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6292 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 6244 -prefMapHandle 6252 -prefsLen 29357 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {723c157d-df65-498d-af78-111d906860ab} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" utility
      PID: 2092
      - Checks processor information in registry
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6608 -childID 7 -isForBrowser -prefsHandle 6628 -prefMapHandle 6008 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5b4b168-c8d4-4434-8cb1-2edbd97cf8c0} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
      PID: 3132
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6596 -childID 8 -isForBrowser -prefsHandle 6780 -prefMapHandle 6788 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b386081-2360-48d1-98fd-9a3fb2efd8e2} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
      PID: 2976
Network
MITRE ATT&CK Enterprise v15
Downloads