Malware Analysis Report

2024-11-13 17:37

Sample ID 241110-al6smavhnf
Target Setup7.0.zip
SHA256 abdc12b4bb4b9a7309bc067be6b097a4e11b0dccbf19494edb971b510303c923
Tags
meduza collection discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

abdc12b4bb4b9a7309bc067be6b097a4e11b0dccbf19494edb971b510303c923

Threat Level: Known bad

The file Setup7.0.zip was found to be: Known bad.

Malicious Activity Summary

meduza collection discovery spyware stealer

Meduza Stealer payload

Meduza family

Meduza

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Accesses Microsoft Outlook profiles

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

Browser Information Discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

NTFS ADS

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

outlook_win_path

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies registry class

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:19

Reported

2024-11-10 00:49

Platform

win11-20241023-en

Max time kernel

1457s

Max time network

1510s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Gdswt46g.dll,#1

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4556 wrote to memory of 4292 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4292 wrote to memory of 2264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4292 wrote to memory of 332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Gdswt46g.dll,#1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {35c1ee81-ecc5-400b-bb7b-5a8124238fa1} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2388 -parentBuildID 20240401114208 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {523a4bf1-2f90-4b69-ad24-1400543a4214} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3260 -childID 1 -isForBrowser -prefsHandle 3252 -prefMapHandle 3248 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1352 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9d362da-b3e7-403e-8cd0-5c67895dc45c} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3644 -childID 2 -isForBrowser -prefsHandle 3636 -prefMapHandle 2820 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1352 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7becb4ff-85d0-4107-8bc9-1b02089e634a} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4456 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4436 -prefMapHandle 4432 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb275719-1dbb-43cf-a081-29824f52ea62} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5572 -childID 3 -isForBrowser -prefsHandle 5560 -prefMapHandle 5556 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1352 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0cb7cba-dfc8-45f2-9478-75c11de77d2a} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5584 -childID 4 -isForBrowser -prefsHandle 5576 -prefMapHandle 5568 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1352 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af88b147-cb5d-4df0-adb6-00860356a528} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5808 -childID 5 -isForBrowser -prefsHandle 5800 -prefMapHandle 5712 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1352 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {acef8052-0159-4bde-80ff-4d2301cb5ca9} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" tab

Network

Country Destination Domain Proto
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
N/A 127.0.0.1:49776 tcp
N/A 127.0.0.1:49783 tcp
US 35.190.72.216:443 location.services.mozilla.com udp
DE 23.55.161.211:80 ciscobinary.openh264.org tcp
GB 142.250.200.14:443 redirector.gvt1.com tcp
GB 142.250.200.14:443 redirector.gvt1.com udp
GB 173.194.183.71:443 r2---sn-aigl6ned.gvt1.com tcp
GB 173.194.183.71:443 r2---sn-aigl6ned.gvt1.com udp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

SHA512 1c4f4aa02a65a9bbdf83dc5321c24cbe49f57108881616b993e274f5705f0466be2dd3389055a725b79f3317c98bdf9f8d47f86d62ebd151e4c57cc4dca2487c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\personality-provider\nb_model_build_attachment_pets_and_animals.json

MD5 5b26aca80818dd92509f6a9013c4c662
SHA1 31e322209ba7cc1abd55bbb72a3c15bc2e4a895f
SHA256 dd537bfb1497eb9457c0c8ecbd2846f325e13ddef3988fd293a29e68ab0b2671
SHA512 29038f9f3b9b12259fb42daa93cdefabb9fb32a10f0d20f384a72fe97214eff1864b7fa2674c37224b71309d7d9cea4e36abd24a45a0e65f0c61dc5ca161ec7c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\personality-provider\nb_model_build_attachment_online_communities.json

MD5 37a74ab20e8447abd6ca918b6b39bb04
SHA1 b50986e6bb542f5eca8b805328be51eaa77e6c39
SHA256 11b6084552e2979b5bc0fd6ffdc61e445d49692c0ae8dffedc07792f8062d13f
SHA512 49c6b96655ba0b5d08425af6815f06237089ec06926f49de1f03bc11db9e579bd125f2b6f3eaf434a2ccf10b262c42af9c35ab27683e8e9f984d5b36ec8f59fd

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\personality-provider\nb_model_build_attachment_books_and_literature.json

MD5 df96946198f092c029fd6880e5e6c6ec
SHA1 9aee90b66b8f9656063f9476ff7b87d2d267dcda
SHA256 df23a5b6f583ec3b4dce2aca8ff53cbdfadfd58c4b7aeb2e397eade5ff75c996
SHA512 43a9fc190f4faadef37e01fa8ad320940553b287ed44a95321997a48312142f110b29c79eed7930477bfb29777a5a9913b42bf22ce6bb3e679dda5af54a125ea

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\personality-provider\nb_model_build_attachment_games.json

MD5 4182a69a05463f9c388527a7db4201de
SHA1 5a0044aed787086c0b79ff0f51368d78c36f76bc
SHA256 35e67835a5cf82144765dfb1095ebc84ac27d08812507ad0a2d562bf68e13e85
SHA512 40023c9f89e0357fae26c33a023609de96b2a0b439318ef944d3d5b335b0877509f90505d119154eaa81e1097ecfb5aa44dd8bb595497cdecfc3ee711a1fe1d5

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\personality-provider\nb_model_build_attachment_beauty_and_fitness.json

MD5 0ed0473b23b5a9e7d1116e8d4d5ca567
SHA1 4eb5e948ac28453c4b90607e223f9e7d901301c4
SHA256 eed46e8fe6ff20f89884b4fc68a81e8d521231440301a01bb89beec8ebad296b
SHA512 464508d7992edfa0dfb61b04cfc5909b7daacf094fc81745de4d03214b207224133e48750a710979445ee1a65bb791bf240a2b935aacaf3987e5c67ff2d8ba9c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\personality-provider\nb_model_build_attachment_finance.json

MD5 e95c2d2fc654b87e77b0a8a37aaa7fcf
SHA1 b4b00c9554839cab6a50a7ed8cd43d21fdaf35dc
SHA256 384bf5fcc6928200c7ebb1f03f99bf74f6063e78d3cd044374448f879799318e
SHA512 9696998a8d0e3a85982016ff0a22bb8ae1790410f1f6198bb379c0a192579f24c75c25c7648b76b00d25a32ac204178acaccd744ee78846dfc62ebf70bf7b93a

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\personality-provider\nb_model_build_attachment_arts_and_entertainment.json

MD5 6c651609d367b10d1b25ef4c5f2b3318
SHA1 0abcc756ea415abda969cd1e854e7e8ebeb6f2d4
SHA256 960065cc44a09bef89206d28048d3c23719d2f5e9b38cfc718ca864c9e0e91e9
SHA512 3e084452eefe14e58faa9ef0d9fda2d21af2c2ab1071ae23cde60527df8df43f701668ca0aa9d86f56630b0ab0ca8367803c968347880d674ad8217fba5d8915

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\personality-provider\nb_model_build_attachment_law_and_government.json

MD5 80c49b0f2d195f702e5707ba632ae188
SHA1 e65161da245318d1f6fdc001e8b97b4fd0bc50e7
SHA256 257ee9a218a1b7f9c1a6c890f38920eb7e731808e3d9b9fc956f8346c29a3e63
SHA512 972e95de7fe330c61cd22111bd3785999d60e7c02140809122d696a1f1f76f2cd0d63d6d92f657cdec24366d66b681e24f2735a8aabb8bcecec43c74e23fb4f5

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\personality-provider\nb_model_build_attachment_health.json

MD5 11711337d2acc6c6a10e2fb79ac90187
SHA1 5583047c473c8045324519a4a432d06643de055d
SHA256 150f21c4f60856ab5e22891939d68d062542537b42a7ce1f8a8cec9300e7c565
SHA512 c2301ed72f623b22f05333c5ecc5ebf55d8a2d9593167cc453a66d8f42c05ff7c11e2709b6298912038a8ea6175f050bbc6d1fc4381f385f7ad7a952ad1e856b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\personality-provider\nb_model_build_attachment_business_and_industrial.json

MD5 a92a0fffc831e6c20431b070a7d16d5a
SHA1 da5bbe65f10e5385cbe09db3630ae636413b4e39
SHA256 8410809ebac544389cf27a10e2cbd687b7a68753aa50a42f235ac3fc7b60ce2c
SHA512 31a8602e1972900268651cd074950d16ad989b1f15ff3ebbd8e21e0311a619eef4d7d15cdb029ea8b22cf3b8759fa95b3067b4faaadcb90456944dbc3c9806a9

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\personality-provider\nb_model_build_attachment_food_and_drink.json

MD5 70ba02dedd216430894d29940fc627c2
SHA1 f0c9aa816c6b0e171525a984fd844d3a8cabd505
SHA256 905357002f2eced8bba1be2285a9b83198f60d2f9bb1144b5c119994f2ec6e34
SHA512 3ae60d0bf3c45d28e340d97106790787be2cc80ba579d313b5414084664b86e89879391c99e94b6e33bdc5508ea42a9fd34f48ca9b1e7adfa7b6dd22c783c263

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\personality-provider\nb_model_build_attachment_reference.json

MD5 567eaa19be0963b28b000826e8dd6c77
SHA1 7e4524c36113bbbafee34e38367b919964649583
SHA256 3619daa64036d1f0197cdadf7660e390d4b6e8c1b328ed3b59f828a205a6ea49
SHA512 6766919b06ca209eaed86f99bee20c6dad9cc36520fc84e1c251a668bcfe0afcf720ea6c658268dc3bbaaf602bfdf61eb237c68e08d5252ea6e5d1d2a373b9fe

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\personality-provider\nb_model_build_attachment_home_and_garden.json

MD5 250acc54f92176775d6bdd8412432d9f
SHA1 a6ad9ad7519e5c299d4b4ba458742b1b4d64cb65
SHA256 19edd15ebce419b83469d2ab783c0c1377d72a186d1ff08857a82bca842eea54
SHA512 a52c81062f02c15701f13595f4476f0a07735034fcf177b1a65b001394a816020ee791fed5afae81d51de27630b34a85efa717fe80da733556fdda8739030f49

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\personality-provider\nb_model_build_attachment_blogging_resources_and_services.json

MD5 c82700fcfcd9b5117176362d25f3e6f6
SHA1 a7ad40b40c7e8e5e11878f4702952a4014c5d22a
SHA256 c9f2a779dba0bc886cc1255816bd776bdc2e8a6a8e0f9380495a92bb66862780
SHA512 d38e65ab55cee8fef538ad96448cd0c6b001563714fc7b37c69a424d0661ec6b7d04892cf4b76b13ddbc7d300c115e87e0134d47c3f38ef51617e5367647b217

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\personality-provider\nb_model_build_attachment_hobbies_and_leisure.json

MD5 bb45971231bd3501aba1cd07715e4c95
SHA1 ea5bfd43d60a3d30cda1a31a3a5eb8ea0afa142a
SHA256 47db7797297a2a81d28c551117e27144b58627dbac1b1d52672b630d220f025d
SHA512 74767b1badbd32cacd3f996b8172df9c43656b11fea99f5a51fff38c6c6e2120fae8bdd0dd885234a3f173334054f580164fdf8860c27cbcf5fb29c5bcdc060d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\personality-provider\nb_model_build_attachment_travel.json

MD5 48139e5ba1c595568f59fe880d6e4e83
SHA1 5e9ea36b9bb109b1ecfc41356cd5c8c9398d4a78
SHA256 4336ac211a822b0a5c3ce5de0d4730665acc351ee1965ea8da1c72477e216dfa
SHA512 57e826f0e1d9b12d11b05d47e2f5ae4f5787537862f26e039918cb14faff4bc854298c0b7de3023e371756a331c0f3ee1aa7cebbbf94ec70cdfc29e00a900ed1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 baa0434281739ce9b8e511f0d76ea077
SHA1 42b1aa8e691afe42721445c0f6e82da0cbea2219
SHA256 6ee50b9d51c4120b126be127fb7a500d7faccdb35db6fde87bf3eddd22fff2fd
SHA512 795ff7fe4f7495abe9b8d9816b859bdece0db1c771c04139b9b9d235d401981160d9da26d548dfee0b7965a09a156813627d28997208b8ecc2b9894b7b24a305

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\bookmarkbackups\bookmarks-2024-11-10_11_NI9CendXNAkPMHJi29hZpw==.jsonlz4

MD5 f17260f6e11781116fc7b81fd6923b8b
SHA1 6edd220093b30ae7330c255fddb0442196e1053d
SHA256 afb9b0b1e7b1a826e88b70c5912df30ba8a404e6c06bf0a0c67f2debe60d8482
SHA512 1c5c1676507e78b20df1174ee88172c7a35911cf254be40881c18e3fb58c9ff6355f4637da38585e3e70ce5c0674c08c932eb18b2e6de62be6b73f03a86477c1

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 00:19

Reported

2024-11-10 00:49

Platform

win11-20241007-en

Max time kernel

1332s

Max time network

1154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\gsdr3y4.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\gsdr3y4.dll,#1

Network

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-10 00:19

Reported

2024-11-10 00:49

Platform

win11-20241007-en

Max time kernel

450s

Max time network

1171s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup7.0.exe"

Signatures

Meduza

stealer meduza

Meduza Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Meduza family

meduza

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup7.0.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup7.0.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\setup7.0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\setup7.0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\setup7.0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\setup7.0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\setup7.0.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4624 set thread context of 4008 N/A C:\Users\Admin\AppData\Local\Temp\setup7.0.exe C:\Users\Admin\AppData\Local\Temp\setup7.0.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\setup7.0.exe:a.dll C:\Users\Admin\AppData\Local\Temp\setup7.0.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup7.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup7.0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\setup7.0.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\setup7.0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4624 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\setup7.0.exe C:\Users\Admin\AppData\Local\Temp\setup7.0.exe
PID 4624 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\setup7.0.exe C:\Users\Admin\AppData\Local\Temp\setup7.0.exe
PID 4624 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\setup7.0.exe C:\Users\Admin\AppData\Local\Temp\setup7.0.exe
PID 4624 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\setup7.0.exe C:\Users\Admin\AppData\Local\Temp\setup7.0.exe
PID 4624 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\setup7.0.exe C:\Users\Admin\AppData\Local\Temp\setup7.0.exe
PID 4624 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\setup7.0.exe C:\Users\Admin\AppData\Local\Temp\setup7.0.exe
PID 4624 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\setup7.0.exe C:\Users\Admin\AppData\Local\Temp\setup7.0.exe
PID 4624 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\setup7.0.exe C:\Users\Admin\AppData\Local\Temp\setup7.0.exe
PID 4624 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\setup7.0.exe C:\Users\Admin\AppData\Local\Temp\setup7.0.exe
PID 4624 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\setup7.0.exe C:\Users\Admin\AppData\Local\Temp\setup7.0.exe
PID 4624 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\setup7.0.exe C:\Users\Admin\AppData\Local\Temp\setup7.0.exe
PID 4624 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\setup7.0.exe C:\Users\Admin\AppData\Local\Temp\setup7.0.exe
PID 4624 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\setup7.0.exe C:\Users\Admin\AppData\Local\Temp\setup7.0.exe
PID 4624 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\setup7.0.exe C:\Users\Admin\AppData\Local\Temp\setup7.0.exe
PID 4624 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\setup7.0.exe C:\Users\Admin\AppData\Local\Temp\setup7.0.exe
PID 4008 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\setup7.0.exe C:\Windows\System32\cmd.exe
PID 4008 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\setup7.0.exe C:\Windows\System32\cmd.exe
PID 2288 wrote to memory of 3464 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2288 wrote to memory of 3464 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\setup7.0.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\setup7.0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\setup7.0.exe

"C:\Users\Admin\AppData\Local\Temp\setup7.0.exe"

C:\Users\Admin\AppData\Local\Temp\setup7.0.exe

"C:\Users\Admin\AppData\Local\Temp\setup7.0.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\setup7.0.exe"

C:\Windows\system32\PING.EXE

ping 1.1.1.1 -n 1 -w 3000

Network

Country Destination Domain Proto
DE 109.107.181.162:15666 tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:443 api.ipify.org tcp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 205.13.26.104.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\setup7.0.exe:a.dll

MD5 d9a74092beacfbf63708895c03774dce
SHA1 44b28f038e8aabd1718b904ebc58a91b7f8be103
SHA256 6abbad8087891836e562bdf0420ce019471b649574caf68a938e300e9c546793
SHA512 4dec51a48b700ec4585bef9edd6d329dca1b562eae7e0609dd05462b4810f457e94fbefcd25e2853f27f36c4b8707676f34075cfe1ce2f00830d23a4a3a32f2e

memory/4008-6-0x0000000140000000-0x000000014013B000-memory.dmp

memory/4008-7-0x0000000140000000-0x000000014013B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup7.0.exe

MD5 2c685fc5572fee6107d76c17fa873a45
SHA1 05436164ce59ab80e0bcae7aa779b2426866446e
SHA256 f585f729ebcdaf7a70e16690398cca0036d1dd4c398b4044004e7ab0ccc6bf56
SHA512 6bd9fbf04c75c0a6a07846233e5cb31f7f8373f3bd2fc62f70f27c34d37d640d80647ca980530ba99d77586a954c73899a257e1dc2e422279a0c46f69e2107e3

memory/4624-10-0x00007FFB60260000-0x00007FFB603C4000-memory.dmp

memory/4624-9-0x00007FF73D1C0000-0x00007FF73D375000-memory.dmp

memory/4008-8-0x0000000140000000-0x000000014013B000-memory.dmp

memory/4008-4-0x0000000140000000-0x000000014013B000-memory.dmp

memory/4008-19-0x0000000140000000-0x000000014013B000-memory.dmp