9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2

Analysis

max time kernel
128s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe
Size

900KB
MD5

869892b5e4cddac94811b40459904935
SHA1

3e9aaeae50097f7eb18ed03894c1bce0a4706c20
SHA256

9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2
SHA512

8b3769a15889392fdb963758e0fb4a7117cb66c41b00df947106dd398ffe1b5d9e0131d37f8dea97339aa3b78d27f3571795c616e224510f79c5684bdb00798c
SSDEEP

12288:XqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaMTO:XqDEvCTbMWu7rQYlBQcBiT6rprG8acO

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
5052	taskkill.exe
1060	taskkill.exe
1528	taskkill.exe
2524	taskkill.exe
2224	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe
3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe
3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe
3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	5052	taskkill.exe
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	1528	taskkill.exe
Token: SeDebugPrivilege	2524	taskkill.exe
Token: SeDebugPrivilege	1896	firefox.exe
Token: SeDebugPrivilege	1896	firefox.exe
Token: SeDebugPrivilege	1896	firefox.exe
Token: SeDebugPrivilege	1896	firefox.exe
Token: SeDebugPrivilege	1896	firefox.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe
3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe
3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe
3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe
3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe
3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe
3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe
3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe
3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe
3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe
3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe
3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe
3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe
3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe
3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe
3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe
3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe
3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe
3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1896	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 2224	3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe	82
PID 3240 wrote to memory of 2224	3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe	82
PID 3240 wrote to memory of 2224	3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe	82
PID 3240 wrote to memory of 5052	3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe	87
PID 3240 wrote to memory of 5052	3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe	87
PID 3240 wrote to memory of 5052	3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe	87
PID 3240 wrote to memory of 1060	3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe	89
PID 3240 wrote to memory of 1060	3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe	89
PID 3240 wrote to memory of 1060	3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe	89
PID 3240 wrote to memory of 1528	3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe	91
PID 3240 wrote to memory of 1528	3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe	91
PID 3240 wrote to memory of 1528	3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe	91
PID 3240 wrote to memory of 2524	3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe	93
PID 3240 wrote to memory of 2524	3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe	93
PID 3240 wrote to memory of 2524	3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe	93
PID 3240 wrote to memory of 216	3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe	96
PID 3240 wrote to memory of 216	3240	9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe	96
PID 216 wrote to memory of 1896	216	firefox.exe	97
PID 216 wrote to memory of 1896	216	firefox.exe	97
PID 216 wrote to memory of 1896	216	firefox.exe	97
PID 216 wrote to memory of 1896	216	firefox.exe	97
PID 216 wrote to memory of 1896	216	firefox.exe	97
PID 216 wrote to memory of 1896	216	firefox.exe	97
PID 216 wrote to memory of 1896	216	firefox.exe	97
PID 216 wrote to memory of 1896	216	firefox.exe	97
PID 216 wrote to memory of 1896	216	firefox.exe	97
PID 216 wrote to memory of 1896	216	firefox.exe	97
PID 216 wrote to memory of 1896	216	firefox.exe	97
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98
PID 1896 wrote to memory of 2864	1896	firefox.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe
"C:\Users\Admin\AppData\Local\Temp\9dfa629a7b90a9b6e0563817137550b0b77b47f57982dac5320667a851ff14b2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM firefox.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM chrome.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5052
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM msedge.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM opera.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM brave.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1952 -prefMapHandle 1944 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {88ed7743-ca8f-49a4-ab66-e45984ca1b88} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" gpu
      4⤵
      PID:2864
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2400 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc8cb4e9-b749-466b-a805-7f3cc96a99e6} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" socket
      4⤵
      PID:3652
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3100 -childID 1 -isForBrowser -prefsHandle 3112 -prefMapHandle 2880 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4ee6ec6-c898-488a-88c7-8d45383bdbbd} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" tab
      4⤵
      PID:4872
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3748 -childID 2 -isForBrowser -prefsHandle 3736 -prefMapHandle 1608 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8de08c41-58e3-463e-95b2-2ba73675f7bf} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" tab
      4⤵
      PID:1392
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4612 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4604 -prefMapHandle 4516 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e3eaf37-40f2-4d42-983e-d03eba33ab7c} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" utility
      4⤵
      Checks processor information in registry
      PID:4812
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5504 -childID 3 -isForBrowser -prefsHandle 5516 -prefMapHandle 5512 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {771e37a1-dc32-4d92-a008-bbd2d87a34a5} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" tab
      4⤵
      PID:3780
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5744 -childID 4 -isForBrowser -prefsHandle 5712 -prefMapHandle 5516 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {521ba147-7b33-4a5e-9427-8fa0dc6e5d48} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" tab
      4⤵
      PID:1804
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5872 -childID 5 -isForBrowser -prefsHandle 5792 -prefMapHandle 5800 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e00965de-6cda-429e-94ce-6e85580308ab} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" tab
      4⤵
      PID:4304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\activity-stream.discovery_stream.json

Filesize
27KB

MD5
a67329bdc5a5076c5415d273fb0f57c9

SHA1
cfa645f0be0da1297fdbe91497be913417e5ef10

SHA256
f6ee7a536f0e27288726cbb292bc57f5ad35d810bffebe7d22ec5a70443f4170

SHA512
2bbb510057b526477dfb69a53e4f02bf0ab8586cf3a0726acaec6a1a58ddfde7ea0ccb4fd615fe941e488f68c5aa30be18e2a2ef3123709366324e3c288edc6a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878

Filesize
13KB

MD5
4054eeca0a83e5a4d4c41be2a1dd44b4

SHA1
d0b1e53eac79d976fcb3fbbbf04f7f708af2a7f6

SHA256
04b7a9e109aa13e834b1c45d4e3aefc6a721e71c73c7834168ec1b5410242c9e

SHA512
4f22f9a313475ce5f91444663207715312d4c502ba7d7daacc901e363b0aa6ddb7594d6339e802c535f077976ff02c653da1244cf757e558119f6a7f6d9300a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\AlternateServices.bin

Filesize
12KB

MD5
8f754197dd18bb87645c0f181c688f19

SHA1
4ed53781b366389ec1a89644118dc26b2894aac3

SHA256
2dd34ce4569ead67e04be70df3ae6c302ea379f7b57e97861e042cc5a9546528

SHA512
4eb5c93e911755a9f6fbab0cf2f16d3b19600b6727afba3387e5f8429ad66db084f929417911043639493cf79f76a47989388a4323644100a3426209b2dd2f1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
2103ad514113ea226f0b9c2adf686f19

SHA1
731b346c91acd48f13713a840e2e1e7fc3d3714c

SHA256
36e57bf1028e3cabad56cc6c53a8345c96d26de6c9cf3d5b56a3e72b17c54228

SHA512
6da25fbe22713c89e6e32a5f03fedfd86c35ec4fdad038b8f8f5cf714c6ad68e98fdebb299b1e5d70e9331781a857b0a9afe2974b672bfd23872b7ef6d834d49

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
d3bef1140c0dfd8dd843c3960d524387

SHA1
663a1313d37f44551e9690182bafddd9e4c899a1

SHA256
957e60bb3ecae874308a107fa169234585fefcce3ec8f9661db56d4aa27dece1

SHA512
d770fe12313316ec1df590181e0824465e9750b84fffa8d6c2d4f2144f1ca7a6679dd5ba034264f4da8feedc300f47afae09e42a8a5ae06636fc9504a83bc588

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
7625d24e41ec744b9ada38e7959e5819

SHA1
b7214f36259cac66a6c95449fefb816475eece92

SHA256
1e2b29d1ca28a4f783fb7669a888282a7e5e35585374dc0690028770e85a3831

SHA512
07f5c3528e42b02825ee83d1062fa1a78b4684713a8f11016ebeb57eb4af22308015506c1db89d326241d49b856da79c4f7573714f458f35162c928dc90a1b85

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
8d8437b2abe9b2e2f2b1c49f9fda791f

SHA1
5eda578a40cb580d0553718ba912801ac356bfba

SHA256
44c1ff823086d0559a17ab24a7b8ca81fd52fe4c8d93b1d53e7e33dbed062fbf

SHA512
3104a9319837e38b9b5cb6439207801de8912f725358df5efeec95c079f506d289da221db42f982ca02b8eb9ba070fde12cb2da66feba272222fabf7e7f7df0e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
66eac7c207462cccb012ce9c7a618563

SHA1
3f1ba195dd653938719bda7cc717779f69750944

SHA256
f832cd2af46d8cd5c48ed5ad7afa345b442a80e0b061101a67a25f56bea1437d

SHA512
eea7b54e39400207f1f80c2bae504493cc508c7da0fbf7b119c3d6fbec46b319d0350022d78bf0aa1f0f93ade921d3c76b38c4ec8e55f2af5c984924b36f4a56

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\9bbe889a-5cd9-41c5-aa5a-1d14db60d50d

Filesize
671B

MD5
847a5ab3138e00c46eaf650efceb5f06

SHA1
746b10d157324c49358575ba09fa1ab89b57e11d

SHA256
5f3100fec433ae17f1a56c88f843ee6fd5a40ed48696f8d4411989cb7ab22dce

SHA512
093bba5626a936a15650155e3a73cb519080874a47f39574ebf205ab430caa995cfa5aab3e0fcf0443fc57fa2e946f10f9c7d4245edbf9001a7f6068bf725044

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\b57a327f-0d48-4d3e-b48e-0f8637cd115b

Filesize
982B

MD5
e4d96f7ef4076862ee97b581131d4a1b

SHA1
fe3b044198b5b9d31c4003d4c6d1b426397c7e8b

SHA256
060ea421a2e80fec5de649c1b07c3646620bbc5bfae567640b1f35c19696d08d

SHA512
8447c22473a602509306a848090d74e7d86667cc01fbe275a2dbfdbe54d4498dd1c3acf978acbc92e6d7ef6954e6a28b15a6b81385da34be4774f33879f3d552

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\e740f272-fd21-4fbd-979d-8fc5ee213154

Filesize
28KB

MD5
e771a42a650b84239113dc07a72f5c7c

SHA1
b55e02a175395e5a4e438acc2bb13d4838486818

SHA256
faab031461403d97347d69dfc8cc6679535f406eaee64ee78aca07c7edb42701

SHA512
a4d1a3c39e0b56eee46a42128c556db03405dc6db44fb7c7dad0bdd2cadf74a279796d00f994286cbc2158e21cbc9b6e2b60283a218be659fecaf306c049fa83

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs-1.js

Filesize
10KB

MD5
3821fc73a9c46f4858fd2660e516417a

SHA1
93166c67827cfff6b328de2f915fab17adbe131c

SHA256
95038175f38ac90e3ad0c2ba312fc0a1599b2464b23074429cc2d1716b53147f

SHA512
ba5a6c400a90a1e05924315b799a3f2da08894b9fd1e187c8de5fadffd8f1feeaca3ec7d945eba248dd689890e6c1b98e96da0b8c503842a720ec0345f443499

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs-1.js

Filesize
15KB

MD5
13474b7dcc3dae2c97f9615ddaec460a

SHA1
def5bf9ba820a324401580daddcbf6f3a9b7cc25

SHA256
a6f9013aa3f3983afb2fe3ea12ae764b8cf8d429c3e47a7e99f200dedb2b2b9b

SHA512
27a7136334a644bce6240f91367e0270e94c0e03c4197837560c895e5c925da177e0770f9e262a77d6222b09236efdef472efa34337359d6139293185a8a804e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs.js

Filesize
10KB

MD5
df893f50806491c760dc6599c7390140

SHA1
196a8b4aa8068650d0a9d809e1672762279992b2

SHA256
e922f83afacd3c07ab9f4c100751613ce4324a9a8d25f751a7e270fb10f93a5f

SHA512
f12d3985476b974f81c429eaabd71cc576791c5ea69176a08258485db06429fd4dac13521fe00b8f9ea56107c22201cccc533567b36f172449974c7d44fe4f19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs.js

Filesize
12KB

MD5
3c0793c722cbedecc85910c955bac28e

SHA1
81d2f5953fdd18dfc559010d3e297a082c6f0aa7

SHA256
9f93e729414115af9e10c4533099c80f4a2f7fd0dfadd5e4a83870371d7cafbb

SHA512
1f65e0591bdf168457a2b9920a868375de4016b37571e4422826228adb2ed97419530972912c31c46e627f3ef3da94d416c6aa91628f92c6868f95be7acb203b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.4MB

MD5
bdcf1802b2e7ce80382f47ce76163614

SHA1
dd8211e63a2850abd35d6cec89ed9cb36898b326

SHA256
8e66dbd92048a5fa9c12a1500b37769293176c9611ec07817b055ab5ab6f6833

SHA512
440f70e7047be8bf5e9a650e89c567461e8eb12b5225b4e5ef19fc09b7331371a4c7a075f4627cc73b64ad1301dd4f152af313f6dbcf9650ffa04a3abef45fea

Download Submit