phemedrone | 0404b9addf506f9b143521aed1b3a1003c2c8f16828221946a4d06dac6e85bfd

Resubmissions

14-11-2024 13:31

241114-qslc9szfjp 10

14-11-2024 13:19

241114-qk1szsyqbz 10

Analysis

max time kernel
528s
max time network
534s
platform
windows11-21h2_x64
resource
win11-20241007-en
submitted
14-11-2024 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Resource.exe
Size

137KB
MD5

4f38c635b15d7f9087a758baca7c6662
SHA1

0cbfe507872829dc19e63436fb8e9759dfb42271
SHA256

0404b9addf506f9b143521aed1b3a1003c2c8f16828221946a4d06dac6e85bfd
SHA512

dde8048dc7add02f03196438f171c52e6bd04fe099be061c6f2adcb8ed893d4e9279a823d8bd1c6d506d6f1e1857bb1ff5f5a41292e643db8aa6f025f4a8fddb
SSDEEP

1536:5huxXrW4Heqv3taHo8a+rIq24GPwfWUzL7SWoWicEmDA1wWu0eja5JUrsD98fp4P:5AxbB+maI8aRqhvja5arGef1G5trgE

Score

10^/10

phemedrone credential_access spyware stealer

Malware Config

Extracted

Family

phemedrone

https://mined.to/gate.php

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Phemedrone family
phemedrone
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\ResoureFile.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
5076	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe
72	Resource.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	5076	Resource.exe
Token: SeDebugPrivilege	2736	firefox.exe
Token: SeDebugPrivilege	2736	firefox.exe
Token: SeDebugPrivilege	2736	firefox.exe
Token: SeDebugPrivilege	2736	firefox.exe
Token: SeDebugPrivilege	2736	firefox.exe
Token: SeDebugPrivilege	2736	firefox.exe
Token: SeDebugPrivilege	2736	firefox.exe
Token: SeDebugPrivilege	2736	firefox.exe
Token: SeDebugPrivilege	72	Resource.exe
Token: SeDebugPrivilege	2736	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
2736	firefox.exe
2736	firefox.exe
2736	firefox.exe
2736	firefox.exe
2736	firefox.exe
2736	firefox.exe
2736	firefox.exe
2736	firefox.exe
2736	firefox.exe
2736	firefox.exe
2736	firefox.exe
2736	firefox.exe
2736	firefox.exe
2736	firefox.exe
2736	firefox.exe
2736	firefox.exe
2736	firefox.exe
2736	firefox.exe
2736	firefox.exe
2736	firefox.exe
2736	firefox.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2736	firefox.exe
2736	firefox.exe
2736	firefox.exe
2736	firefox.exe
2736	firefox.exe
2736	firefox.exe
2736	firefox.exe
2580	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 2736	1392	firefox.exe	83
PID 1392 wrote to memory of 2736	1392	firefox.exe	83
PID 1392 wrote to memory of 2736	1392	firefox.exe	83
PID 1392 wrote to memory of 2736	1392	firefox.exe	83
PID 1392 wrote to memory of 2736	1392	firefox.exe	83
PID 1392 wrote to memory of 2736	1392	firefox.exe	83
PID 1392 wrote to memory of 2736	1392	firefox.exe	83
PID 1392 wrote to memory of 2736	1392	firefox.exe	83
PID 1392 wrote to memory of 2736	1392	firefox.exe	83
PID 1392 wrote to memory of 2736	1392	firefox.exe	83
PID 1392 wrote to memory of 2736	1392	firefox.exe	83
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 324	2736	firefox.exe	84
PID 2736 wrote to memory of 4060	2736	firefox.exe	85
PID 2736 wrote to memory of 4060	2736	firefox.exe	85
PID 2736 wrote to memory of 4060	2736	firefox.exe	85
PID 2736 wrote to memory of 4060	2736	firefox.exe	85
PID 2736 wrote to memory of 4060	2736	firefox.exe	85
PID 2736 wrote to memory of 4060	2736	firefox.exe	85
PID 2736 wrote to memory of 4060	2736	firefox.exe	85
PID 2736 wrote to memory of 4060	2736	firefox.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Resource.exe
"C:\Users\Admin\AppData\Local\Temp\Resource.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2644

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {505288be-0d82-4a68-877c-06a6e80ba117} 2736 "\\.\pipe\gecko-crash-server-pipe.2736" gpu
    3⤵
    PID:324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b1900ae-b77c-40d6-bc05-325cc2c617ca} 2736 "\\.\pipe\gecko-crash-server-pipe.2736" socket
    3⤵
    PID:4060
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3148 -childID 1 -isForBrowser -prefsHandle 2760 -prefMapHandle 3092 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {817667de-16fc-4898-b43a-8fcfe78c914a} 2736 "\\.\pipe\gecko-crash-server-pipe.2736" tab
    3⤵
    PID:1584
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3516 -childID 2 -isForBrowser -prefsHandle 3588 -prefMapHandle 3584 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b900969c-c718-49b9-b887-94c038a8de3a} 2736 "\\.\pipe\gecko-crash-server-pipe.2736" tab
    3⤵
    PID:1064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4172 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4092 -prefMapHandle 4164 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c4cb13f-4dd2-4b2c-aee4-6f2736c7eca7} 2736 "\\.\pipe\gecko-crash-server-pipe.2736" utility
    3⤵
    - Checks processor information in registry
    PID:4056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 3 -isForBrowser -prefsHandle 5456 -prefMapHandle 5508 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65fce826-a19a-45bc-a28b-1fac0fa5346a} 2736 "\\.\pipe\gecko-crash-server-pipe.2736" tab
    3⤵
    PID:892
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5536 -childID 4 -isForBrowser -prefsHandle 5520 -prefMapHandle 5452 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ab0caa9-42fc-4267-a7f6-061c67f35cc3} 2736 "\\.\pipe\gecko-crash-server-pipe.2736" tab
    3⤵
    PID:2312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5764 -childID 5 -isForBrowser -prefsHandle 5524 -prefMapHandle 5860 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cc5c67c-b2dc-4e47-b827-8947d65056c0} 2736 "\\.\pipe\gecko-crash-server-pipe.2736" tab
    3⤵
    PID:3932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3736 -childID 6 -isForBrowser -prefsHandle 6136 -prefMapHandle 6032 -prefsLen 28242 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97dd0570-0c9a-4444-8db9-c695dffc09aa} 2736 "\\.\pipe\gecko-crash-server-pipe.2736" tab
    3⤵
    PID:2664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6220 -childID 7 -isForBrowser -prefsHandle 4356 -prefMapHandle 6244 -prefsLen 28242 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3da44e0f-399e-4616-bfd9-623cb5511fea} 2736 "\\.\pipe\gecko-crash-server-pipe.2736" tab
    3⤵
    PID:3500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5304 -childID 8 -isForBrowser -prefsHandle 1388 -prefMapHandle 4980 -prefsLen 28242 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b21cd480-7968-472a-bebe-d5b4efff2fea} 2736 "\\.\pipe\gecko-crash-server-pipe.2736" tab
    3⤵
    PID:4436

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2580

C:\Users\Admin\AppData\Local\Temp\Temp1_Resource.zip\Resource.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Resource.zip\Resource.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:72

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Resource.exe.log

Filesize
1KB

MD5
7732afbc48d08e0eb8f467da606ea2e6

SHA1
3a772f6223bac92016ae5506dfa716160cca8a7c

SHA256
b3672d7a652bb8706c55bbf4c26346a8165225fad39b1a24c43579640d9f1e87

SHA512
0a95b891c0d5ef3459ec7f3fa1d87f3d09ace917b7c919f3c9b82c93c8765a61406555d02135f01ffaff843e2b3964e3d6b003955594cf2476e98597f6e71b4b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\odgo8eah.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
59c6b109b0f14c5b274273a60234b33d

SHA1
1e119efe7372b954601ae6af40dff28d495e0e53

SHA256
20fa1c0520667533f6e3c8486b2cc0c52dfd6ad49dff77dc1b88310337c77eb9

SHA512
6ea161ee3513f790b2fcb7d3d91ebeff5733b7738ea709412c89c68eda0e888a6a588f2c14d5729ba0d3c0e744da9741fe3e8dab118e5a839390b6a04f9416e3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
1e7dd00b69af4d51fb747a9f42c6cffa

SHA1
496cdb3187d75b73c0cd72c69cd8d42d3b97bca2

SHA256
bc7aec43a9afb0d07ef7e3b84b5d23a907b6baff367ecd4235a15432748f1771

SHA512
d5227d3df5513d7d0d7fb196eef014e54094c5ed8c5d31207b319e12480433f1424d49df759a7a2aefc6a69cef6bf2a0cc45d05660e618dc2ec9a2b082b7b5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
5KB

MD5
5ccfd710884318d94be00d4bee6e7a7a

SHA1
5c373b72589fd20ba09c118f13f73329c45e011b

SHA256
cdff9b0ff96cdcd2cfe65f2d427db47fb78e73b3443709b339dbe6d7aaf19c57

SHA512
f4eb3f010a3d532be50de00fe639946d926fa6020c17a3e26339920e52f97377314f16f444a8e164fc5d7f3df21c4238cde72681756287b935089da8c7e83d7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
11KB

MD5
a966263fefec0c8bdca452a359f1c3b5

SHA1
5e9b2b57d662fb9d2645df5727308cc801e5d8d4

SHA256
e845ab28963332d2f0cc0c22fcc941437121e748a9f9068bf78ff1c5dae87dcf

SHA512
4425677eb1cca648a5b86e875206265f3c4e2e38547aed2a25f8c38eae7a1a26936c6e08964f075d6d115d29f0a094f323107e146500783b33dc35db34afd33c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
7KB

MD5
fe02b3b747f499908a66871fe9925e0d

SHA1
f3988257a19459e2b540fe08bd3cb8e245b29323

SHA256
4a1d32292cc3eb8509bdbbc8e82fe0204db54d146cc31ef54e30d308726d4ec9

SHA512
0da456ae2933e7f80055267581166f15cca128489f22cd51034f849e5d8f580d0c318853aed9ecb5086814c641e5667d1975e18c7ffec8694447a0154a0da29b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
9KB

MD5
8b98905c9941b29795a3dfdaed877ae6

SHA1
f5c780acdcd413936f61f5ced1a804fad486c7b0

SHA256
7cb24ce80600d8bd1bf77de17afe6520eee65ce4fa54a385abbeb2532f9d3646

SHA512
ed010575f9c6ef8d911f3d4855d93bd4ec1616b0a7f32d0bc0ec6a4bbf39a4669efab53946f005dc4dfc9c9afb3d728dfef998876d4bf331b90972f095cbc799

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\AlternateServices.bin

Filesize
8KB

MD5
e758ce436448ad77d7c44e5b8d4f5441

SHA1
a777fb9eedcdd4638fad0f82bc07bc275f4d246e

SHA256
75e43fbe19064fe1c42a6dfc62c9bd4218dfab6ca685db1119829a48dc2aeabf

SHA512
b028edc0a1e79a0b91ab149f97248b0072ffb13e7c601b563ee22125d937894e47190fd5a2afc850f5622550d93f10b021d4b66dee3411ed020b1e41c8242b82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
5609307d1ea8ec795dfa5d5d4c768f5f

SHA1
ee80167adba2e21d014976a307524a587495c6a5

SHA256
a02d901350e9acd1117b3e3087164c0039eb4f23e07ffab5fdeb203346363bd6

SHA512
ff34e61cd1700c9b744b40de653c1365a1cbdefffb1fbacc0c1cf05667e8f4bba1c969134b73d9a200f44f35e3e799b42bbaf78909fea9199c7099317e35a216

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\db\data.safe.tmp

Filesize
30KB

MD5
5e73d74dc1f0c7ce3d33f6f847b658ed

SHA1
8afda776bf1d92f014300ad31378cd048214273d

SHA256
8ae7824c4f8dc69a93a3bc01eb124882779af9dc2b2651da03b80dacbd322308

SHA512
2cef44f8a7e0b057c6742b874f209de2dd631405ec32404124037d82516a2338b6dcba897de7c71a14c111d05493b7413c9f4740f83a9cfe38e6d265bc4fd1ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
c11084e642afd0203ec35c3064465e37

SHA1
8580d14ca8143e370d09589d3eaf3503a381def1

SHA256
ab77d5501e61db4c305598be27bd5b627442c6ba93a044a8b3f3b8599c804f46

SHA512
738c11ae7a3ac35a5a20a239cf8f701e957dced2b49a6468612d21b4edbb3eff7dfd4a73d4645e535bf498351467813d6699f2209cef86e20dff9f839e9cf3da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\pending_pings\230f5312-25ee-4c2e-a5e1-d9efa23533f6

Filesize
27KB

MD5
70758a9340c9828760f2032b0d4973fb

SHA1
ad405637ed5aa401f5a9d9fdd21bb4e9d845eab5

SHA256
572643062a75eaa27ce18edc55fc13b2797594d064a6bc632520db9c0d464607

SHA512
288d2cb9943010c0bf717ff131ac309c2d7989cc55b828adb5c084b2d04a22d37ce9a175ef7422d3299e569ecf4ff99fcc7458d11421e219f85eca7347a6ac14

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\pending_pings\361eee29-2ef2-422b-994b-1a9ada7f879d

Filesize
671B

MD5
abc3bf5cbb224bc68ba72012c8f6a62c

SHA1
c1556a7f000a4248ccfe8c9cff821c24243dab3b

SHA256
f1394e926a6e8f8cad217bf02b48d3497d93d412a587e212e06b1b41dc8bca3d

SHA512
05a6e61035cfe2313a308bf51cab10cc3862ffa1304e8d98f0b3525c9f36401635d7c5c5d5f4b6fb513d3ef7e343edbfafa4a2380c3eb01ca1cd7d177094754b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\pending_pings\3afecae7-558f-46c5-987d-71271717303d

Filesize
982B

MD5
da83d5f4e5094adc1b859d4fd3de9656

SHA1
365810f286e3cab39fb56e7ff31e2489fd1317bd

SHA256
e120430579059851b70b04314614bf3633ab245f5a4952c63875fc6318da2f1f

SHA512
39e871d2656638f260f9a06e584711e9621b985a0dce49661f5ffc2057a3181eed74cc888b20b8755d1dd005ac3bf94e35d3390f824f12a39b34ba676dccf460

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\favicons.sqlite-wal

Filesize
448KB

MD5
e146ef2633ba1b584bd2a095ecbbd0b4

SHA1
7e90449e33be063f8a724e26ab66e26e1977f62b

SHA256
2ae1ef6be5858f52a6f7d786a376c9baed45c16fc24c13589e34b1941c82dc6e

SHA512
527b779f94da7e2c9ace42b530df4a32f005c4d08a7c14b1534abda8fa9062560dfc3797f75bb5e065e08a813ddba24daf100982a03e0ab51b522eb9656113d6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\places.sqlite

Filesize
5.0MB

MD5
dafd73ccf57cf0fd20dc5d587f815ec3

SHA1
b240548afcc9f057af68f44cc500325d8645dec2

SHA256
d911cc646a241f188a690cab9bd4ba7831e9cffb92cb8ca3d10b2793dc65cf42

SHA512
5890dbcca214e9bf893d02e1349e36a5ccc615996939602cf637c905c7f35d852977e8bfcc6f7ed45986b9c9ca300a05097b29800e7b64435101cd0cbae7d401

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\places.sqlite-wal

Filesize
2.0MB

MD5
abd873a794418c56343da1c42e73af41

SHA1
b48a1ad868d4654f773a43e9b30f283685ddc4f5

SHA256
61d49ea31da5c69ec1c12d7378ac0d495cb2459dcd00a81214555092ff8a3f31

SHA512
6d1838253ef997a09ad973212d62db0bdac2445a01f4b529fa836f279efa2753da725069d2a63fb00adbd8b214d02b40f988d1ecb153507cd9680b078041a0b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\prefs-1.js

Filesize
12KB

MD5
bf904045902d2f05dc9744b62361a76d

SHA1
b4ef2e8846a59c8ddeb7973330ac84900f3aa36e

SHA256
97f008c740ae1e222a4e45e5aeb179cee87a0a1ae410250f848a57eed4756104

SHA512
b376ae88219ac25096fb0ce866f28383696bf1e2c73049627cd9f5067138f2bb933605f43f18407e29584759709f0e2e5536353bd7a8a5124f152584ce7f18ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\prefs-1.js

Filesize
10KB

MD5
9a1b82b5681bd305aa678cfaeb4e1733

SHA1
ca2c4fb30d0f2121bcbbe6dd8f52b1e8f8c52db2

SHA256
9f9336648c9302e1ac85f24a4e80c53b2e42b56e34e4e4d5694b818e61ac86d9

SHA512
c68143ef591f08101ad37f5c3901f6fda974c069c3012c3ecd5fa53922a8b1133f683fa4f81ccd9d047fb7374a136fa942b55283326d39e8b8b77c9dafdcb36d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\prefs-1.js

Filesize
11KB

MD5
b9b3c9f657dd9bb0948447c83a7ae430

SHA1
134485fea3b1fb41660460b7bafe23adc022079e

SHA256
aa205d512d26bcec193e88f59e6eede5d2d5be1a86a4a68fe9024deee4f8768c

SHA512
d7037ba57bce72e29637419392fd1172773035ef8c2e8d5b0fe137d7a8806c497510296b4dace498e1eca24faedac203f1d6908a5ee5c7b8e0f02bbf392732c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\prefs.js

Filesize
10KB

MD5
7b57f0b87b97fabc9e219939d64fc5a9

SHA1
366369c392d8537c841f363a1146be1c53c373ce

SHA256
5e88a73083679c6bcf518c7e68faed1e7144f58cd92b4aac1091b6fe314d6801

SHA512
c93f7b315fe59ac0682df5f1226edf048fa8f8124eb8e6bea913355ed653f9f1a41aad4db9a53e6ca3547f2c0fb78c9ac43b81b8ca7f3c5a1a4f5091f1e58381

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
e51a034b26ab5bed2ffb0a9a35f12f45

SHA1
5e1e736ed470b0f59d9b8b8ea63a6552a8a2d424

SHA256
d0f2001dbec1ff8f8119dfc529f69386329c5ad8ec6544b50ae44fcfa166b77d

SHA512
77d1cdb35102d4296b809c9369000eca0132dd99eef6ed1f3ae70af4db8f283543f333da6ae435874c3dab87000eddfb2f167823be71646a06382d75193e4f2c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
a284c7cf56c05435c689dc3ba44c36de

SHA1
ff58d585b7da416ef2724ab39ca11febb2c700af

SHA256
3d6af17b12704a16a109c84a296bbe40d1d5cd807737e5fdb3af41cdbd59e45c

SHA512
a440257d778322f779b49a88c96c28ba124758d37f06e571b9d49e2de18c36df252e8bedb9a2e5a895c5c40c59032bcfb6d7f36efcac52dce0e9086943a9710c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
76ecdb2ac2ade09482ecfa1a2ad9b56b

SHA1
52f594ba41bf56c9a76e18343dc76364123e67af

SHA256
4feefa8f60e78745a98e78da9928c6fb2a85068caf0a0f7afb293bae567a278b

SHA512
dab33fe6d4d7f4d9f442310e3b7a5a354ace0dcc79639e26896b72e6e8fa1d4c09abbc3c947fbf5da297230b0e39335e0b5f5c6bdf1cbf2a052ef1b71db2c488

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
65f123aa00918388cd1c12b379dd9da4

SHA1
996703494f8c03b843c57475e1beb24a4270fe7d

SHA256
165a0914da83fe604a837ff09d0066fef454f2852fd3c4f2f7df1dbdcd34b80b

SHA512
b7c2365c5e938c894ade02c6527b046042d09342f569979cc2823ea07a159fe6ce830d1c7d85c39a827df9fbaa16e7401e6bbedc2a90234f064c603d2e1e6e34

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\storage\default\https+++upload.nolog.cz\cache\morgue\124\{3d0366e9-ebb7-48a6-83ac-b13cea61937c}.final

Filesize
3KB

MD5
43a05488d04f26ce98a5e7a14ae2973d

SHA1
30b30ab31c45d686f7df02c9bdb2ccb3bd32972c

SHA256
50f1d8327b58679d2d1b14726bcfd722b0c01f4d65870e01279ea768288a48c1

SHA512
02024db1719b41c212e1bd0d4a4584f82681854b24b509ce65d6d1994c443eff2f7aa09bf086bec368db7791477945ae862cf6b7824d63813ae16d7feb2d74bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\storage\default\https+++upload.nolog.cz\cache\morgue\235\{8c241660-6ab3-434e-b408-9f1d886158eb}.final

Filesize
9KB

MD5
acb82f1af6eb8c3be48a1f475913739c

SHA1
d717d237cf123aa0d2b6c3a9cbeb32340e5370bb

SHA256
729bcbd4a7252bc21b611cc87b444dabf5e4b503cbfe0b940da96df0edcbd7c2

SHA512
3c2696c48c1b5fd3a8e070c151844791f59bd0029193330d611d38e398fbbb5bd164007004cdd637255506f32ac303619d9c7b08ff655707ed117fd5fb3ae4f6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\storage\default\https+++upload.nolog.cz\cache\morgue\235\{f86fa8ef-45b5-4843-b4fc-e582e45b5ceb}.final

Filesize
1KB

MD5
405b669e8079d96f7bcc412bc1c2e9b8

SHA1
708cbb4f6beee3f4d5f0d371b081c5c251601fdb

SHA256
19c8781adef7b3758fc70b15072ad164095d8b7bc6f30de8e5919283b83d140f

SHA512
4dfbda91b86fe59b77bbfe1ae4d193b6677d1d6c9bd25f691da0c05b60c25d1d0d2aceee347c3324afff7e7071f2810f74742752407fbc04a0cf247c359815ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\storage\default\https+++upload.nolog.cz\cache\morgue\39\{df18d5cc-38dd-40c4-aa82-3c608f399b27}.final

Filesize
1KB

MD5
1ca3cf57769dcc70bc5b5bec5f472f2d

SHA1
dcad2370499395ff807e5f2bbfab69d7255b0099

SHA256
82f8ccbabf81006933f2b4a212dc45521bf512ae513ffa04140a776753f52be4

SHA512
6d016cfe9586dc6926c6d93b704949b6e12bb9ecf1b09da83e085cfc4661577b718376fb8771bbf5c5df4c75aca0fc8df55f7314e45efd33e6b95e5e00a9ca2e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\storage\default\https+++upload.nolog.cz\cache\morgue\5\{90497040-0f29-4feb-9012-204bfe41d205}.final

Filesize
31KB

MD5
4bfe8e77bd1310f663096697db87ae6a

SHA1
46b2e8c8ae0d646535a4dea56070913cf354ef2f

SHA256
85dd75f0fdea3b8a116f833fd7a44f24844fbbcddb01f444d445e3461d46ba88

SHA512
3bdbd35512cf5fbf1856a3ba21fe2dbea03ea36480ff5c6efc35eaad703319daf271ff4c81198a1796e7f96f2a058a9c7d79187f88322b6a9ccb2557f5e212af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\storage\default\https+++upload.nolog.cz\cache\morgue\62\{ab90a284-ab01-462d-b7ae-89a0bac92d3e}.final

Filesize
2KB

MD5
0ba84aa237c58935f2659f70bfcff705

SHA1
be68e762d407f94d79e9acc56ad5b84b5af7ccd4

SHA256
045af05203ee319f712b9923f5e633be1d94932eae36d1be74cbf4ca7aec342a

SHA512
d985f8a17cdc3616465de3695193d2da58ee2aaff93f1b10361e456fd2e33c95cf9b7d0e88aee60fd7c8a8d4d6b5d3ed626a7c6f1a61930cb3c0ff447872e236

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\storage\default\https+++upload.nolog.cz\cache\morgue\79\{9282bfcc-05e1-411a-ac8d-d516e365704f}.final

Filesize
531B

MD5
3421849d3b9a524e93a67ff69ea8a106

SHA1
ee769a44110eae8e19e43a9c687af6ccee79f406

SHA256
06581a18a821de09525093dc3ab8d4cc00ba595b2e1f1ebf1b8c408b8f8a6f74

SHA512
f7a86c400c5234b791bded79193fefa0826fd9e093b1894521cd8318cc898529dd64cbdd3826b54dc3b1c9dd6f15d0c8c327e9484146896e7405d68d8f300f36

Download Submit
C:\Users\Admin\Downloads\ResoureFile.H-bOiMWg.zip.part

Filesize
138KB

MD5
6174ba506514ec4b51459759c8d0f0cb

SHA1
4c6340680c3ddaeae06d1a8cd34dfbba2de748c5

SHA256
f22347457dcc1547a18a9aa2526dc2d355b4af14ebc468c0ac56ba1f1084041f

SHA512
799ed2e2ed3837604edd51119424dbc749938a207cd414fa5a709f6b2eef7d9c2195e3b1ffb69a59242190dcf123113b21e895fbee0543e7d74f41abc5729df1

Download Submit
memory/5076-0-0x00007FFAFF0E3000-0x00007FFAFF0E5000-memory.dmp

Filesize
8KB

Download
memory/5076-4-0x00007FFAFF0E0000-0x00007FFAFFBA2000-memory.dmp

Filesize
10.8MB

Download
memory/5076-2-0x00007FFAFF0E0000-0x00007FFAFFBA2000-memory.dmp

Filesize
10.8MB

Download
memory/5076-1-0x0000014F71AB0000-0x0000014F71AD8000-memory.dmp

Filesize
160KB

Download