Analysis
-
max time kernel
103s -
max time network
107s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system -
submitted
20-11-2024 14:32
Behavioral task
behavioral1
Sample
Client-built.exe
Resource
win11-20241007-en
Errors
General
-
Target
Client-built.exe
-
Size
78KB
-
MD5
5294e84c734fbf9f34110e233b094b98
-
SHA1
2a2dc9fa78e3c80f7c425dc2d70daad6e0e2f6c2
-
SHA256
4abd3eb46f7ea1d4f698e5e35f6ce12cffbc131c994f842733aa4a4a6fc1654a
-
SHA512
ac67c08d7e1eb2d0c8b5f8928541c423d249094bbb72bf920a365f2afe9e3a034923c14cc9a667a899dcc4691b79c45b7eb352acd7f2e08a75bcbabe4cef2bcd
-
SSDEEP
1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+pPIC:5Zv5PDwbjNrmAE+ZIC
Malware Config
Extracted
discordrat
-
discord_token
MTMwODc5Nzk2NTYxNTQ5NzM1Nw.GBpC5A.89Z5f6lFNt0ykOCJ3xjQcB6vyTHT36DHCa_Du0
-
server_id
1308798365948969031
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Discordrat family
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 5104 NetSh.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow | ioc
1 | discord.com
4 | discord.com
7 | discord.com
48 | discord.com
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | NetSh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | NetSh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | NetSh.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
-
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings | firefox.exe
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
pid | Process
1568 | taskmgr.exe (the only entry, repeated for every IoC)
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5184 | Client-built.exe
Token: SeDebugPrivilege | 4768 | firefox.exe
Token: SeDebugPrivilege | 4768 | firefox.exe
Token: SeDebugPrivilege | 1568 | taskmgr.exe
Token: SeSystemProfilePrivilege | 1568 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 1568 | taskmgr.exe
Token: 33 | 1568 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 1568 | taskmgr.exe
Token: SeShutdownPrivilege | 5184 | Client-built.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
4768 | firefox.exe (entry repeated)
1568 | taskmgr.exe (entry repeated)
-
Suspicious use of SendNotifyMessage 55 IoCs
pid | Process
4768 | firefox.exe (entry repeated)
1568 | taskmgr.exe (entry repeated)
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4768 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 5648 wrote to memory of 4768 | 5648 | firefox.exe | 82 (entry repeated)
PID 4768 wrote to memory of 2904 | 4768 | firefox.exe | 83 (entry repeated)
PID 4768 wrote to memory of 1480 | 4768 | firefox.exe | 85 (entry repeated)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5184 -
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5104
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5648 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1896 -parentBuildID 20240401114208 -prefsHandle 1812 -prefMapHandle 1804 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1653cee1-804e-47fe-9cb9-ff4f31c85b2f} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" gpu3⤵PID:2904
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2332 -parentBuildID 20240401114208 -prefsHandle 2324 -prefMapHandle 2320 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {daec301f-ee6b-438b-bd1f-79168cbdb4b7} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" socket3⤵PID:1480
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3052 -childID 1 -isForBrowser -prefsHandle 3012 -prefMapHandle 2584 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1176 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb8acc01-e997-46ea-99c9-5ccbecab843a} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" tab3⤵PID:5452
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3500 -childID 2 -isForBrowser -prefsHandle 3512 -prefMapHandle 3448 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1176 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eaaa0405-aaed-41dc-bc19-a321a8541434} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" tab3⤵PID:2880
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4252 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4228 -prefMapHandle 4272 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f9a2a50-a801-41de-b58b-862f558bc2d3} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" utility3⤵
- Checks processor information in registry
PID:2840
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5576 -childID 3 -isForBrowser -prefsHandle 5304 -prefMapHandle 5224 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1176 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {747e8cae-0eef-4181-9219-0867428afb8c} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" tab3⤵PID:3212
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -childID 4 -isForBrowser -prefsHandle 5540 -prefMapHandle 5504 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1176 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00749fc6-8d7f-4303-b52e-fc665ef164f0} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" tab3⤵PID:6076
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5604 -childID 5 -isForBrowser -prefsHandle 5916 -prefMapHandle 5912 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1176 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3df3c9f2-856c-4c03-b54a-84a0ed3bb38e} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" tab3⤵PID:5972
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5752 -childID 6 -isForBrowser -prefsHandle 6120 -prefMapHandle 5596 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1176 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a772b96-7d67-4c39-8476-873dc4f08e2f} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" tab3⤵PID:3036
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1568
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process: 1
Windows Service: 1
Event Triggered Execution: 1
Netsh Helper DLL: 1
Privilege Escalation
Create or Modify System Process: 1
Windows Service: 1
Event Triggered Execution: 1
Netsh Helper DLL: 1
Downloads