86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe
Size

898KB
MD5

f113ee92d1bceb7dcb1263d7def65804
SHA1

1e71bd2dacf338d16eac6242b7e43490ffa41285
SHA256

86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb
SHA512

3997ae972be0586423682afc8f82d8aceface8bf06d0ac16eacdf1a6d9e521d8a36c4636276c80e21e78e7e08154c9da22172afa1361f168ec882115d96f4ccb
SSDEEP

12288:ZqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/Ta:ZqDEvCTbMWu7rQYlBQcBiT6rprG8aba

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
3284	taskkill.exe
4476	taskkill.exe
4616	taskkill.exe
2324	taskkill.exe
4040	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe
1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe
1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe
1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3284	taskkill.exe
Token: SeDebugPrivilege	4476	taskkill.exe
Token: SeDebugPrivilege	4616	taskkill.exe
Token: SeDebugPrivilege	2324	taskkill.exe
Token: SeDebugPrivilege	4040	taskkill.exe
Token: SeDebugPrivilege	3492	firefox.exe
Token: SeDebugPrivilege	3492	firefox.exe
Token: SeDebugPrivilege	3492	firefox.exe
Token: SeDebugPrivilege	3492	firefox.exe
Token: SeDebugPrivilege	3492	firefox.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe
1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe
1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe
1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe
1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe
1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe
1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe
1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe
1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe
1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe
1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe
1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe
1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe
1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe
1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3492	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 3284	1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe	104
PID 1520 wrote to memory of 3284	1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe	104
PID 1520 wrote to memory of 3284	1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe	104
PID 1520 wrote to memory of 4476	1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe	85
PID 1520 wrote to memory of 4476	1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe	85
PID 1520 wrote to memory of 4476	1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe	85
PID 1520 wrote to memory of 4616	1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe	87
PID 1520 wrote to memory of 4616	1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe	87
PID 1520 wrote to memory of 4616	1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe	87
PID 1520 wrote to memory of 2324	1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe	89
PID 1520 wrote to memory of 2324	1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe	89
PID 1520 wrote to memory of 2324	1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe	89
PID 1520 wrote to memory of 4040	1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe	91
PID 1520 wrote to memory of 4040	1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe	91
PID 1520 wrote to memory of 4040	1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe	91
PID 1520 wrote to memory of 4900	1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe	93
PID 1520 wrote to memory of 4900	1520	86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe	93
PID 4900 wrote to memory of 3492	4900	firefox.exe	94
PID 4900 wrote to memory of 3492	4900	firefox.exe	94
PID 4900 wrote to memory of 3492	4900	firefox.exe	94
PID 4900 wrote to memory of 3492	4900	firefox.exe	94
PID 4900 wrote to memory of 3492	4900	firefox.exe	94
PID 4900 wrote to memory of 3492	4900	firefox.exe	94
PID 4900 wrote to memory of 3492	4900	firefox.exe	94
PID 4900 wrote to memory of 3492	4900	firefox.exe	94
PID 4900 wrote to memory of 3492	4900	firefox.exe	94
PID 4900 wrote to memory of 3492	4900	firefox.exe	94
PID 4900 wrote to memory of 3492	4900	firefox.exe	94
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97
PID 3492 wrote to memory of 5056	3492	firefox.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe
"C:\Users\Admin\AppData\Local\Temp\86bf77887293ca59e40d5559a18ee035a20685c10ab81d05c7795292b8da8bbb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM firefox.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3284
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM chrome.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4476
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM msedge.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4616
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM opera.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM brave.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4040
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3492
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d060c611-f6d5-4deb-ae4d-4fb7da2e5c09} 3492 "\\.\pipe\gecko-crash-server-pipe.3492" gpu
      4⤵
      PID:5056
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {019cb7d5-2245-4520-8b80-eaefa3afd545} 3492 "\\.\pipe\gecko-crash-server-pipe.3492" socket
      4⤵
      PID:3612
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2716 -childID 1 -isForBrowser -prefsHandle 2948 -prefMapHandle 2924 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df1c6e0a-8f34-4c25-9c2c-db3378d21df8} 3492 "\\.\pipe\gecko-crash-server-pipe.3492" tab
      4⤵
      PID:4272
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4160 -childID 2 -isForBrowser -prefsHandle 4156 -prefMapHandle 4152 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2706cd48-2679-4c75-918e-935907063a42} 3492 "\\.\pipe\gecko-crash-server-pipe.3492" tab
      4⤵
      PID:1604
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4788 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4796 -prefMapHandle 4800 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0855554f-3b87-443e-87a0-da3929152ca5} 3492 "\\.\pipe\gecko-crash-server-pipe.3492" utility
      4⤵
      Checks processor information in registry
      PID:4976
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5188 -childID 3 -isForBrowser -prefsHandle 5296 -prefMapHandle 5292 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74ed98be-57aa-42ad-9d0c-4155a12d955a} 3492 "\\.\pipe\gecko-crash-server-pipe.3492" tab
      4⤵
      PID:2920
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5312 -childID 4 -isForBrowser -prefsHandle 5448 -prefMapHandle 5452 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {827f4ea1-e483-4269-be2d-47fa52f62f34} 3492 "\\.\pipe\gecko-crash-server-pipe.3492" tab
      4⤵
      PID:3284
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5664 -childID 5 -isForBrowser -prefsHandle 5612 -prefMapHandle 5608 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08727508-1062-4047-8712-c29073a4cdc2} 3492 "\\.\pipe\gecko-crash-server-pipe.3492" tab
      4⤵
      PID:940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\activity-stream.discovery_stream.json

Filesize
18KB

MD5
e18cecb01fda1ab4a9c97a31697be1de

SHA1
0e627999a2f86f8e505927e37b39333eb89b0f13

SHA256
9bb02a8a83eeb0bea2eb79747414dce8dbab2e1fdf6cb318e09ac4bdad3e82e7

SHA512
05253ba7858afe4fd6f8a5c7aae1814a7fe807b5da897d2f16431f87f4fe7d12e8927079c5d66c76c11357d7d14234182e17c47dbe4883fa0a1054880e7d5812

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878

Filesize
13KB

MD5
b00d4312d49b32f1956f31c3ff34d15e

SHA1
dd795be3f23a25269ceb04a4e8a53a5f02ead1d5

SHA256
509cdd4a7c940445adbefd802c564756cc27c394fb12972ec09875d94b3516f3

SHA512
ca1a1240ae006fe15f9f0af771f56ed12fb32b778e911631bfc01ecf2bb62878373ee62241936e3db6a9d16bc004ab7a2c49010b721683785274056164917723

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin

Filesize
6KB

MD5
f7dfc4e10ab9cef043c5e39f0f0b3a42

SHA1
4ac827b76bbeaa70b1c662792be00f7328042c8e

SHA256
89f6d354ccea94ced6d8f79e9c5a10513501822e42a7aded859535c5e9995db0

SHA512
d52dc22f1374be8b461d256e474601d4c51e4bf9691c70b99614e82cf4eb6a9da13b899306b631fbe97f7b30c5f7215f8d2c46fb5fb6230408e298b678140625

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin

Filesize
8KB

MD5
2c76711fd30e7003db87a91fd3660b83

SHA1
f1acf2e25b9bc3a3e39545e72c201f8ce523777d

SHA256
ec0df8566dd3541155727f5027fe037bc054f8321a8f3682707207e6ff9666d1

SHA512
0260def222dabef9cd2ffae015c009fd331ceb9ee93e482614b42cdfdf4442a1dde21cb432278e8a0394add1f8adadb38dc01db1c69463f68757869c999f3708

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin

Filesize
12KB

MD5
8a542cd87ad68addb63a2b1e5a80e4c6

SHA1
16a653da9ddf4baa473bb726e97f9d9ac74f679f

SHA256
f4666ab21e69fe8f996b00ed03da81a69a644fb967333f17da2114b4e1bb7204

SHA512
87187e86592113fea243b9ec913d3886bdfd63f15168571f0a297a774b2c9d1b8349c0b2ab577fe491981652291eee87f4e265ef24107b9938b3947f6d6ff56f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
bd5ec95d900b52184181ac7bc24e77ed

SHA1
1181556a4f59835c467d0ac552ef64f00ecd2672

SHA256
da440677c0a7618578870e5f3c43120f2687974ccca28aacd29c76f7575c231d

SHA512
f8b685bfed531f7aa8462d6621484dc610c53fd9e4ac51eaab5352fb7e03261a754c32e98a76945f0b8669ead3029c64eff43ec882a60ce896524453a12b41c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
9ea318e5535bc2e3e2351a25f315b550

SHA1
37647d20f3b1af9fff5957554047a3520dc05226

SHA256
9760269cb8cf2873d09b0eca84d21f73a881e9cdb37778f82520b05d32190c33

SHA512
9d5cf0bb3c7ef4801029e6306ba1a4cb29cddfb6e2931a3f9479fbd576d629ec2e98aba109b87395c7279952aaba57aa7f753237084345da8ff1cee6b24f767b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
2dc471378b3075916a242c758c439166

SHA1
e6cd1e571a9bb001644393dcf4efd2c2615a2f90

SHA256
dde360fb523cc7c3b59723d9cf2938ab713ae57802f2c2dff6ff5599e47a1e38

SHA512
48a692a10f38dc11ef72c01d95b31e88171f84aa0490959938992359a0c2249f46526c20664d72c44bc9c18d679dd1255ddbe8769a9896ff45192f6c6dffa905

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\26b2fc9d-ce92-4a23-a8a9-6e9b850c5ae7

Filesize
671B

MD5
d692a2f6cde328a45d3b3c9a3134b5b6

SHA1
64d2eed5dff309e11cf70ed128ba92324f65b0f0

SHA256
9def9f5681af4608f63bc22d1093d3eb5ed6ac787c21d71c44e1cd71c3749ce5

SHA512
66069355e22621ddaf68c428697378ca8369bc697f9fc757772e883342e4a60637c2fdaf2170f97ad20c1e2e27dcc823ac922979a57378a9ce0959902d155245

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\321fa2e3-f845-4871-b299-7cf670196340

Filesize
982B

MD5
bd3fa8291a43576ebea9ac7a9a201b3d

SHA1
572accdc93ddbbf547df148c3daf5e612327ffa9

SHA256
ab8603f03523711fcd77735a68d1b24472a691d361877d965f33b5e36a6ecee2

SHA512
2f2d9f2985b353e96d3bc02f5e7d0a03f6dbe665fe6098962c935501e328704358a503f6bf3d1205a13dcfff9465f58a45072b99bb40c5eda646de17f6f40613

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\b3faceda-5e75-436f-ad98-e7db16b43fcc

Filesize
25KB

MD5
bafa9b4ae83c7b5464b1a1fb5636e28f

SHA1
e325c58d4441124090f457e3e0e82dd24610d10f

SHA256
e33a3ef407732b650832a49793c7335b9729569cbb5cd590959099d6e483cb1b

SHA512
7109b9fb8575ba4197317a39fafddf8ecd094b7177d93263184aeae9490b3f4c8fab89211cdd82c24a26ef7b78554b00b2c83dc05ebe9275e102d8328209a3b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs-1.js

Filesize
12KB

MD5
1d7667e20c0632a761c1fadcbb60c30b

SHA1
b35a3cb06adf5caeda700b2f051823de21bf96a9

SHA256
0e3034eada1e881cacdc66f316c28f526fe799ac60c05bbe3f97089da480979f

SHA512
418911af72f4baf2732124aaea88d9ff5f744305835ac3881e2933665d4bac4541e309a7877c26ee660c6b4ccf7b0583e47a9d666939018211a9ffe4d8c28ed8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs-1.js

Filesize
15KB

MD5
eca76143e4f7d86731705a839d126e44

SHA1
46129459ea8baab5024949d4a1f124430e03b667

SHA256
b3721b89c7986bb1dbbc5ebaf69da3a0df16c47f6ceeb91de799ac72c8760cb4

SHA512
1a3e0dcd10fcd8a3fed90c2d4a1116ed213064f49544df79409344375a85b9f1e2e222a369fd7b2e621fd0c362462d0afedc704599c23470ead2f5c3c7d5087f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs.js

Filesize
11KB

MD5
80749ff841399365c60c859c6260d552

SHA1
35852e7938d19ceba280bc782f35de2eb044f192

SHA256
ef32d2fc11b55d642938998bb6849f22a672e6c2619372c5679a3a9f32cfb2e4

SHA512
4076e8f6c468cf2abcfc4641c9706a7c32bf1aec6d5147d3cd10c4e0677a84ae5322967ed6691f3f2eb2e3cc712be26cf622ca11d1706ad3902dd051fd69f41c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs.js

Filesize
10KB

MD5
8a93cdd9d4f0a8b002cd6df8f96ebea9

SHA1
3c8c5c7107d8cb89425f851e1b3acae88a0349d0

SHA256
9fc1fede3feaf9782696418db96aa1c405a021f174cf9b794059053df1093ca1

SHA512
3c0f4917a9f6935b09fc768f146a1e9fda02b07547fdf3821b69aa706ebb1ab9f4a952792c826553ea2b641acd1e1078d86c9da7894b151e56c3fc4167abb679

Download Submit