f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe
Size

901KB
MD5

8952118cbd8aac309af40b7ba020ac8e
SHA1

9eb96e51892c77f644997905d5a7b680558e0aa0
SHA256

f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a
SHA512

4199640d12798c108f09d9007f29fd2f4f5a075986b5e257c5629dde340717d0199a92601262c020a55e6ab370c8f26e88c35d5a547fc02818244590502926c8
SSDEEP

12288:3qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgamT1M:3qDEvCTbMWu7rQYlBQcBiT6rprG8a+a

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
4784	taskkill.exe
1380	taskkill.exe
3700	taskkill.exe
1068	taskkill.exe
3744	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe
1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe
1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe
1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1380	taskkill.exe
Token: SeDebugPrivilege	3700	taskkill.exe
Token: SeDebugPrivilege	1068	taskkill.exe
Token: SeDebugPrivilege	3744	taskkill.exe
Token: SeDebugPrivilege	4784	taskkill.exe
Token: SeDebugPrivilege	2856	firefox.exe
Token: SeDebugPrivilege	2856	firefox.exe
Token: SeDebugPrivilege	2856	firefox.exe
Token: SeDebugPrivilege	2856	firefox.exe
Token: SeDebugPrivilege	2856	firefox.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe
1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe
1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe
1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe
1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe
1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe
1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe
1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe
1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe
1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe
1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe
1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe
1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe
1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe
1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe
1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe
1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2856	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 1380	1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe	83
PID 1392 wrote to memory of 1380	1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe	83
PID 1392 wrote to memory of 1380	1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe	83
PID 1392 wrote to memory of 3700	1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe	91
PID 1392 wrote to memory of 3700	1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe	91
PID 1392 wrote to memory of 3700	1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe	91
PID 1392 wrote to memory of 1068	1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe	93
PID 1392 wrote to memory of 1068	1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe	93
PID 1392 wrote to memory of 1068	1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe	93
PID 1392 wrote to memory of 3744	1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe	95
PID 1392 wrote to memory of 3744	1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe	95
PID 1392 wrote to memory of 3744	1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe	95
PID 1392 wrote to memory of 4784	1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe	98
PID 1392 wrote to memory of 4784	1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe	98
PID 1392 wrote to memory of 4784	1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe	98
PID 1392 wrote to memory of 2860	1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe	100
PID 1392 wrote to memory of 2860	1392	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe	100
PID 2860 wrote to memory of 2856	2860	firefox.exe	101
PID 2860 wrote to memory of 2856	2860	firefox.exe	101
PID 2860 wrote to memory of 2856	2860	firefox.exe	101
PID 2860 wrote to memory of 2856	2860	firefox.exe	101
PID 2860 wrote to memory of 2856	2860	firefox.exe	101
PID 2860 wrote to memory of 2856	2860	firefox.exe	101
PID 2860 wrote to memory of 2856	2860	firefox.exe	101
PID 2860 wrote to memory of 2856	2860	firefox.exe	101
PID 2860 wrote to memory of 2856	2860	firefox.exe	101
PID 2860 wrote to memory of 2856	2860	firefox.exe	101
PID 2860 wrote to memory of 2856	2860	firefox.exe	101
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102
PID 2856 wrote to memory of 5032	2856	firefox.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe
"C:\Users\Admin\AppData\Local\Temp\f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM firefox.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1380
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM chrome.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3700
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM msedge.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1068
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM opera.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3744
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM brave.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4784
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0bd4557-4ceb-414d-9155-aed1f1558c48} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" gpu
      4⤵
      PID:5032
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74b3e530-e94c-47cd-b028-3461f068b072} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" socket
      4⤵
      PID:1404
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3372 -childID 1 -isForBrowser -prefsHandle 3384 -prefMapHandle 3248 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee3db309-025a-4ce2-bb71-a882a5bc67a0} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" tab
      4⤵
      PID:1016
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1128 -childID 2 -isForBrowser -prefsHandle 3680 -prefMapHandle 2560 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24e35997-91ae-4523-a903-409ea1ed4ce1} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" tab
      4⤵
      PID:1340
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4788 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4780 -prefMapHandle 4776 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2dba8235-5a4a-4c8f-a9c4-0dccec3c5070} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" utility
      4⤵
      Checks processor information in registry
      PID:1072
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5224 -childID 3 -isForBrowser -prefsHandle 5208 -prefMapHandle 5204 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9292ab58-405c-47c3-b9d4-e19befa780cc} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" tab
      4⤵
      PID:4312
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5368 -childID 4 -isForBrowser -prefsHandle 5328 -prefMapHandle 5192 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3e816bf-4db0-49ed-b8e8-80b6e864b443} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" tab
      4⤵
      PID:1792
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5656 -childID 5 -isForBrowser -prefsHandle 5556 -prefMapHandle 5560 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12531404-b8c6-4465-8717-12355f566155} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" tab
      4⤵
      PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\activity-stream.discovery_stream.json

Filesize
28KB

MD5
9aa35d5aa3a7ccd2f48f65a1181bebf0

SHA1
913e535ad42a1083e688c43051a8f84a64f64d8b

SHA256
fdc4e27f27666725cf46df257a72a701cc351707a571f72ba476868209c5ffa6

SHA512
58ecb84bae75d2be70c8bdb037b55d8f0daee792f334c399475ec1fdfd4d76be6528b6fffd9880a9de92965d76989acdfa0ffe40f2d242efca9e19062aeaa73f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878

Filesize
13KB

MD5
25e238beec3341ad21de9bd2ab54b9c5

SHA1
6663e83319793a8d084fe8d2338f1e4cb850ba47

SHA256
5bb23dbafcad65bbcd9aa953167df0fb6aaef7534c1efa785f443134f5d0ac0d

SHA512
5087d6ae71902be113fca8316f4ec5ff57c7ac71618ca2e8c39ee98d9a1b03348f9617de36fdf3f438e3b6264d996c82e1ec9642a12587f8ef11dc76f92d8d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin

Filesize
6KB

MD5
ee8d04fe43630c79aa2353b003650c8e

SHA1
e59bd80e6271a69d9e7a250f8ab8b6b1ef277b54

SHA256
85756ec19c0b8917490e1de8381fec6bd70da033c0370d83ee20ae8dfad2e721

SHA512
ccc65431682ab21326fb55a7c67e98b5f4271afbf0801135e62c68043b893c50333cb5a2ae61227b2867fe0f35190b972c03b6bcceae529250c13004edd010b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin

Filesize
8KB

MD5
fc94aee32673fa24eca2d355428c2af2

SHA1
0cac96e5c6d4262fab992c75f1d8f57a2f327327

SHA256
c1a8e04a1501ff4d4c575003549f7a4beb49c252113d907fdbe008021b33279e

SHA512
9e56c351f3c3915e785d7259328c2ffd2becf977ed57b6b9dcc36d6e43fb18f657ecaeab25d05c3234da76f333600f109b4c9a45ea08ba9b6dc148b2a718dd09

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
1216c57c53ac73899a8d899f707c6766

SHA1
41c42e711d776dfcf1617a73d2080b05e836f84d

SHA256
04b4ccd28946272206406d09682a2aa70546d422ce250b0ef42dfe83f266aedd

SHA512
259f63b990fd8409d5ee62d1a20954bd1da47d31b39ae58a90de170fd0bdd775a97c513b8c9c08d83f6d55afde0a3cb033c026a4b68679558f24b9231ce6b689

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
9f770e258b2c868e8ffa2350dd777247

SHA1
a953666af2383c033c0d0fddfabc355f200243c8

SHA256
3a85bc48e7024bd29e8f0cdbd322709dce2e9edbac987d4c3d79c77ef1777a95

SHA512
b6272b7a19e985a60539e50522701916009245b7dfa679c1c34e9f0a278816fed50bde5fb0fe069feb6a657135ac33b609e87a24f0a97d02412a4180551bc76a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
4a39291f0eeecbe778696cc5b76410ac

SHA1
96ed31d9c0e46374e98886b48a33ddf40c52483c

SHA256
076b3f5634e7b43f9e12c7a8178b1938d30438281a2a3df6a779ce4a59af7e3b

SHA512
07c93b9cdcf983ef80767e8cff7eda59493f662f63d80cf10c56393a81d9cca9d3c5e9e60224eca6db00d10b1a1c38cb8b01efac45db32af70395d98ed36ce20

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\00bdecec-605b-40ea-9b44-dcabd4654a40

Filesize
982B

MD5
bd10d35aa54c1f51731f4e4d81b8ed50

SHA1
2da374356bea9f32c5c4916ada90df7f418c5ad2

SHA256
284795b31d71984810ec748c569da61a1fb7c7cfa21b2a3ce65e5be0ea70b8c7

SHA512
f7b20084fd0762de4a735bce7ae886ae71aeae40f398d17b30d97a57f230cacb5732732b4f6a324dac2e875ea3bec60e3485ab232ec52eb07cc057a7bb5818b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\73c71735-460c-4cdf-b8e2-b38213bbf5ca

Filesize
659B

MD5
af331db26d95f317b70e037f80a3c008

SHA1
589d353302fcb86ae1757404cbef0055cd475103

SHA256
e643c843402869aae2767c40e6746f76a22c7518c472bb977a5e769b37b44ddc

SHA512
bf4dc36fd8851db7d3627632398bd083bce5e1494dd48a87959873c32f730f7213443841882bd82c75a8d2ab7a579b45c59f7f539d9091493f35672591579efb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs-1.js

Filesize
10KB

MD5
faedb7023b97f32059e0e2dd144cd588

SHA1
0523796a903b810b74dedea7bdfd80b1c39a4ee7

SHA256
16614d1cc8a5306b39c7b711bc50add86568a931e0268e6abdce3d2659202db8

SHA512
d1372bf5e36e9d4deaf4e803535105021eb4a06468341c46d8a70863f25a9d79f99a8a9d24b8896d389e80380a1a80e5e5d78dd60edf5faa1f2d1b5ccffd42e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs-1.js

Filesize
11KB

MD5
fedd4c62a83f881191322f8150a589fa

SHA1
6425b83cf8beccf884c0a32807567145044b9681

SHA256
31567f4d51f06ce376b74215b78f1925e69e121b3c4bf2182f2f0d677dc8aa72

SHA512
6630633677e17be0944c5ea1f02e0124b93456c997539b622d5fab0c069aa7fbcac2f3da5738169308bacadb06a66b238d2993cd8deffece1b59d05ba7072e51

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs-1.js

Filesize
15KB

MD5
006fe68efa220cb213f88b58a727c1ea

SHA1
af05bc4b15a2015526e798a18e4fd03a535abe4f

SHA256
bc8e65e6eaf8e1ba6eb5be62c8852e436cf4641797d13b5ffbe126db4496d08c

SHA512
d9f59a54034fde369e8e5a83dbbc4f861a85f78ad97612df83eaee4bdd1d76c3bd40cec8ffa9e3fd09ceb28c573a91369f5d7225ab780c1975db4163d6cd5cc7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs.js

Filesize
11KB

MD5
2dd7b552a456d440f571c49e7f4cbc9d

SHA1
f4d6346b48c97f4a45452aa361908fac08de44df

SHA256
f9fc2dcef1037864706d3ae64a1a5b5661cacbb9a694435e76d670cfa91a5684

SHA512
2aba193381b8d70f476746c35974710197eaa20684ec8a959638fb56d49a573fb634d6622bb115d2c23c859a6853bd6e31ed580f86f7d6319fe020d9b4dad73e

Download Submit