8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71

Analysis

max time kernel
124s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe
Size

900KB
MD5

36364e1efc498b513634acce3a1fb7c2
SHA1

f94abbfaf80f939431b7f231fcaafbe173ee28a1
SHA256

8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71
SHA512

7788d4f298537d868728080c6157f95fd7a659fe6bf10bb05b04514bf2fed9a0c9c24fbca708dcafca7361e49779c45eb65a132adb1ea768b0568648e5e207dc
SSDEEP

24576:7qDEvCTbMWu7rQYlBQcBiT6rprG8aFmE4:7TvC/MTQYxsWR7aFs

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
220	taskkill.exe
3348	taskkill.exe
3824	taskkill.exe
4184	taskkill.exe
2924	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe
3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe
3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe
3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	220	taskkill.exe
Token: SeDebugPrivilege	3348	taskkill.exe
Token: SeDebugPrivilege	3824	taskkill.exe
Token: SeDebugPrivilege	4184	taskkill.exe
Token: SeDebugPrivilege	2924	taskkill.exe
Token: SeDebugPrivilege	3016	firefox.exe
Token: SeDebugPrivilege	3016	firefox.exe
Token: SeDebugPrivilege	3016	firefox.exe
Token: SeDebugPrivilege	3016	firefox.exe
Token: SeDebugPrivilege	3016	firefox.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe
3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe
3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe
3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe
3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe
3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe
3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe
3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe
3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe
3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe
3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe
3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe
3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3016	firefox.exe
3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe
3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe
3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3016	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 220	3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe	83
PID 3556 wrote to memory of 220	3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe	83
PID 3556 wrote to memory of 220	3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe	83
PID 3556 wrote to memory of 3348	3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe	90
PID 3556 wrote to memory of 3348	3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe	90
PID 3556 wrote to memory of 3348	3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe	90
PID 3556 wrote to memory of 3824	3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe	92
PID 3556 wrote to memory of 3824	3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe	92
PID 3556 wrote to memory of 3824	3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe	92
PID 3556 wrote to memory of 4184	3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe	94
PID 3556 wrote to memory of 4184	3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe	94
PID 3556 wrote to memory of 4184	3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe	94
PID 3556 wrote to memory of 2924	3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe	96
PID 3556 wrote to memory of 2924	3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe	96
PID 3556 wrote to memory of 2924	3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe	96
PID 3556 wrote to memory of 4432	3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe	98
PID 3556 wrote to memory of 4432	3556	8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe	98
PID 4432 wrote to memory of 3016	4432	firefox.exe	99
PID 4432 wrote to memory of 3016	4432	firefox.exe	99
PID 4432 wrote to memory of 3016	4432	firefox.exe	99
PID 4432 wrote to memory of 3016	4432	firefox.exe	99
PID 4432 wrote to memory of 3016	4432	firefox.exe	99
PID 4432 wrote to memory of 3016	4432	firefox.exe	99
PID 4432 wrote to memory of 3016	4432	firefox.exe	99
PID 4432 wrote to memory of 3016	4432	firefox.exe	99
PID 4432 wrote to memory of 3016	4432	firefox.exe	99
PID 4432 wrote to memory of 3016	4432	firefox.exe	99
PID 4432 wrote to memory of 3016	4432	firefox.exe	99
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100
PID 3016 wrote to memory of 2700	3016	firefox.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe
"C:\Users\Admin\AppData\Local\Temp\8ecd028ed29e5ea1f570045ad6909c3b18b4a6e722f5285bb5e6f918ee54da71.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM firefox.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:220
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM chrome.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3348
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM msedge.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3824
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM opera.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4184
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM brave.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {34ac3849-9987-4f58-b99c-56cc923f7c72} 3016 "\\.\pipe\gecko-crash-server-pipe.3016" gpu
      4⤵
      PID:2700
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -parentBuildID 20240401114208 -prefsHandle 2380 -prefMapHandle 2376 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48d2aafa-de49-487b-9205-a0f91bfd0704} 3016 "\\.\pipe\gecko-crash-server-pipe.3016" socket
      4⤵
      PID:1516
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3264 -childID 1 -isForBrowser -prefsHandle 2964 -prefMapHandle 3296 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc5c37d9-276f-4b89-a873-f1fb3b010e14} 3016 "\\.\pipe\gecko-crash-server-pipe.3016" tab
      4⤵
      PID:2224
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3996 -childID 2 -isForBrowser -prefsHandle 4012 -prefMapHandle 4008 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9853328-56c0-4311-9d9d-0785c0e3d619} 3016 "\\.\pipe\gecko-crash-server-pipe.3016" tab
      4⤵
      PID:1956
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4864 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4856 -prefMapHandle 4852 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {129917d1-fbf0-4c55-a284-d325b16e6088} 3016 "\\.\pipe\gecko-crash-server-pipe.3016" utility
      4⤵
      Checks processor information in registry
      PID:1300
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5100 -childID 3 -isForBrowser -prefsHandle 5092 -prefMapHandle 5044 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8aa1dc1f-0a9e-4e2b-8a7a-09cb3fdbd307} 3016 "\\.\pipe\gecko-crash-server-pipe.3016" tab
      4⤵
      PID:4340
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5360 -childID 4 -isForBrowser -prefsHandle 5280 -prefMapHandle 5284 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e1327e8-2b93-4728-a02d-484fa7fd7108} 3016 "\\.\pipe\gecko-crash-server-pipe.3016" tab
      4⤵
      PID:208
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5496 -childID 5 -isForBrowser -prefsHandle 5504 -prefMapHandle 5164 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e5e6089-7bf1-49ef-9c74-7a9fac9315f3} 3016 "\\.\pipe\gecko-crash-server-pipe.3016" tab
      4⤵
      PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\activity-stream.discovery_stream.json

Filesize
18KB

MD5
0cd65da8cec97b7495d806d8dec50dc9

SHA1
bfa998c4df41a51f0a5e3d0cb48cf917392211ac

SHA256
e73824b539af45d2611635c36a94918834e5ec5a44d245c966bced5cc8fb476b

SHA512
b172687a16520fae8a2199bcbf75fca853055c43a360dd3b61f444df3b2cde84dcf54edbd85e52a9f009bdc59f5e1fac45d3e54d2f1f518993ff215e371088e5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878

Filesize
13KB

MD5
bdd4363b14aa731aff9086f2f2b140ce

SHA1
b2b6296c7c4c12328e28baa1cc48c7f3e53bbe47

SHA256
89c750f862d62cf6f77e77871d08c4a07d3ece65e9018684e2cf4ef6825194bf

SHA512
44ce647899ec1d33052c6453e1b86123a1e85d3ec8fdb1d6ffb2ad31d64d9ec5638f5c7e42581a250256b5b05a1a730a6969b52a1a79cca323594b860418ffeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin

Filesize
6KB

MD5
b492bbad0e3e8e2f2d0770a0ac5e914b

SHA1
0c0e9562586d8c96e84c81afaa0339b85f9045a5

SHA256
81fcc42d2d145c4689b6012a1130ea673bcf530cd685628fc4557e680fde66f4

SHA512
9bec24a446347f5035d94bb443de37405e0551ca62f14253552de1ffddd9d10a7ad1a462f2ead9e7d1cf323c5416be89b9799876718433d16944b989550dd8ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin

Filesize
8KB

MD5
298036a3e9ed578d1927ef06b386ecd3

SHA1
9625b5505f145211aabf67873dfa63a3ab039de3

SHA256
6236547e2603f089aed5e9560a5ee5d51a50cb77b52543adaaa9e42c482b2fad

SHA512
4a77d6b8d9df511520c1bbcc00b696c75fb26a8b1bce3ce23a62a818c45bf4acce25c287d137870ae9b836fbdffe66847c0d04f10853657a664a0f4a20ea0aca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin

Filesize
15KB

MD5
3848c7f2a31e9f4ebe201eaafbd6b94a

SHA1
390c6124f6cfb4d3e51d8c153a16f3d2a27f1df8

SHA256
72f695b5ddede8712e0a59888ac59ab4251f06a2a9f28a74ed24e35cba14255c

SHA512
67a9a595daceab9c6458a3e6393028a9bace6417b2b09a0106a96d121a451eec9ffcdbe2ef185bb8226b3a57d50ab96122fd12c0700aea20aa54de86264376af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin

Filesize
17KB

MD5
9caf6968766233c111b8636b551a4342

SHA1
662c208b4a216e274b86319e807cc8fd6ae3b22e

SHA256
b5e47a51968bed79e4984ad5ebc4f60cb5edbe84dd24cdf085091596728a05e8

SHA512
fcea0cfae9539aa19ef9bc5753f5b759da18815afe547376d05a78ef1db8964fa04f4992eb816287b0d45a15e3ffb6fd115f253a5ae3f194fb887b90f1f11d1d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
a4faaa9dba0f20fc3bbdbf2049e830ef

SHA1
133d99bedb4318f5a375e4a6a7d7f7e225135528

SHA256
36dd15533cbb4591492a15fba6f3af1648fb1394fc8bc4a93cf1f45b1ebf783a

SHA512
11326bab4aa3ae3562c37bfaaf9d76cce9f827c8723242d466cb816f29204c46ccdcbc85e9a3c59374f9d830d5619ca034f96669ecaf7bb6769759193cefb8f6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
d09467d585d1bc996f169cc70f8cacf5

SHA1
7fcd9baad2bccf0ae6b26c57820e7c6a5839f754

SHA256
1d8cc11f3cefe659c2754fd769bcce899c6e1e5839a50fd19eacd7e195a818e5

SHA512
07062e7a4a1031f019117b44907f3b0cb33ed74cb461247981df9a2fd21485a2d9ef707ff6092e260f5e4a7f9c6caae413186973e53b3a3c995e0cc2a286d121

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
074dcdaae7b7cff68cbb3aba78d37279

SHA1
927f67d345f6b5ca4ac77c338de8a74403532655

SHA256
060543afb1fd2e79ffbe733a0042becf07008398c2a83ea1dba1001a2cd3fb3c

SHA512
f47174c83de7108bc9864d0678f2ff183ab3fd18fb14c1c498c919a90ce93f6f6ce3f6e05e49f03445d275f12e984ff9878e9855fc0a702e524d61e3ae40d151

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
e7a1c03421f1390dcb4f7019d73c54bf

SHA1
c678ef33e26541c6c5c0ea01a29971cf454bc21b

SHA256
3478aa08399768aba1df531d3eeefda30f3d17a5a2717876dcbbc0e5c05756bc

SHA512
ed686aad95bd854f8b2af61326036a52ace8d294e34096fb0eb334d034d27df381609d69781dd8d8f065e491cf2a9a27f9bacd106b8187dd67ef4421a3b8b63c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\3172e756-ba05-4d1b-aa2f-6264a4fbb4ab

Filesize
26KB

MD5
e701f4ec783f3fdf6fe59d4f09fa3b62

SHA1
15df7e510a0d06ab6c5004301bfabe9af10ef2e8

SHA256
169b06b63b4db417d3a9526cb35129068499dff0ac7f96296fac3805d11e1622

SHA512
3058850e96f9f4295b0f3149eedebda42f6f9b9b53d224ec8f4dc0a88902bf6d06eb458b259ea91e1fe358529bd6839a49c511ee9b137ddc168dfed6ee75f572

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\a6bda6bc-2465-4aeb-a683-d3a3f15eff2a

Filesize
671B

MD5
ab1c92c540b4ebd84fff2be010c66575

SHA1
6b3692aa31e5b8acaee4fb6bbd03265e64c2fe08

SHA256
df24802f2d6215b02f8e4f1407f12d5c89f90358c8c320a296ed06d080472046

SHA512
0debb448ecf555b47c6ca225b9b046c8363dd5807bdf8eb020300fbfe63f9a9ac60d88b24b104c87115ec47841d48b11e245664dcb06b4fb3d0e16c8b9a3ef6b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\b025f69b-9c8b-44e4-a123-4ac54f3d4b87

Filesize
982B

MD5
0a892c9ef3a81beda8de25afcbb77e7b

SHA1
12813141893c0d19f544d95ac3e1b475bbd67ce7

SHA256
76e7346f4478fef68ca90d6742aac7218c24ee7a7d78f1467b3279951f7101d4

SHA512
c64f1ff6e27029be0c88ddef51ffadcc78c17a2f7d7beb7762e5327680ef284c4b5fcd0f138cae4d15438536bc909397f8811fc8457f4c78f00f336623695fb9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs-1.js

Filesize
14KB

MD5
b1c1d785566025fcacc8187f8a4fb223

SHA1
f228f7c86e18a52af7bcd53892c7512d69601796

SHA256
ed33fd6931200d1af7831fa445209b8d99e6b2f66e175022184e9ab8235db41e

SHA512
1b585b0ce2a95414729639a0721a8eb29cd60c573ec15ee69503e5f60caffd638cf3e73b194c76ab9ce0618ff03574058a86195b4c0e790c2450807c61e666e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs-1.js

Filesize
11KB

MD5
a918c2374f3987264f1289e190264c90

SHA1
75be185700e6e50e5b9735f03e8fbe7e10363c2e

SHA256
7fe25a7aec24b1ff6b09aaaad4b6f09ffa3a298d3ceda7236fc4d7faaab2a3ae

SHA512
e1f4c2d2022a026a048421b40b90a9fbdc1db05f5f4644e815acb0931173c38aad3e8e34f56cf750b864efb86ba411ea331255db847e2bd08c89a7a7d63a51a6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs-1.js

Filesize
10KB

MD5
911789b55baa874058441279af29732b

SHA1
368bcd15781690e37f6723efaf06d529eb101ff7

SHA256
674aeb4870f7e0468f67b49f113b673b9d8596e827f7ee96de9aed4d688de8d0

SHA512
4876b5315b7cf6a9747471a4dfbab68fb8be51d3a3c3326b703d2b76b9368697abf31a6dda2b8f97d3819ec67f33a3ed89d9b3ccade605615b1a7988c76bb145

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs-1.js

Filesize
14KB

MD5
3707e4435701ff4d9c398a629a32c7d8

SHA1
99e0a0bc85eaf3a56594e6e759a5fb60ee3d58f2

SHA256
c3669a6cfbbe61bb075775b94b7ba8a02378b41e17d715c0effcfc59c7f08332

SHA512
5063c01bfe7cf919df09f21448dae77e5b83b876d6893c218bee8821b756a1602dafa06ae053e5bee1e929564590facfa8e9c32e9cea48788c231065fbf10a0c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs.js

Filesize
10KB

MD5
9272d84f0b33b25e410517bc0b87a340

SHA1
855a0015355534c900086cffcf440f481358cdee

SHA256
a4568eeba498880c3fe4bd1d0d367a833fcd5efdddf23435178cecc6397cdc5a

SHA512
f4aa1ac4bf2c5c7e47689dc5ccf4af90344705b124dc53e8e782036026ec09226098186405c7efeae4dde757b3b65d235ae3642751df36f61d9e5ce8b6178f8e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
2.0MB

MD5
9453a5b06da6583b4ab6354f2d970636

SHA1
9da180dda7697d2c199419866480f997cdd28254

SHA256
c5958c71143f74dbe93dfbbeb79481a3a0a9f29be7182f3c3d98c3b2cb8424d8

SHA512
811c699188daff0055674947dd50b0f914c9c026ef7dbab23f8f89baed24aa49c7ad1576b9a8d0aa20c72d3109ceec2aedffd48270bb4bcecfc04b3f4c45ed50

Download Submit