20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74

Analysis

max time kernel
128s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe
Size

898KB
MD5

f5b65056fa6c8445f9818411d6c635b4
SHA1

519e3c1cea45929382c721862e0c2b0d1fb529a8
SHA256

20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74
SHA512

c1eda3335b9a8a9f6bbe5e5492f7858dcd77b4f66057b8f583c1baba04f9b2d3b2a5bd5185c8c65e374fb0ea783d5e8021e41397c207a7b96313ab40bf0e54c1
SSDEEP

12288:fqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/Ty:fqDEvCTbMWu7rQYlBQcBiT6rprG8aby

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
4436	taskkill.exe
4048	taskkill.exe
4496	taskkill.exe
4956	taskkill.exe
1912	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe
5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe
5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe
5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4436	taskkill.exe
Token: SeDebugPrivilege	4048	taskkill.exe
Token: SeDebugPrivilege	4496	taskkill.exe
Token: SeDebugPrivilege	4956	taskkill.exe
Token: SeDebugPrivilege	1912	taskkill.exe
Token: SeDebugPrivilege	5012	firefox.exe
Token: SeDebugPrivilege	5012	firefox.exe
Token: SeDebugPrivilege	5012	firefox.exe
Token: SeDebugPrivilege	5012	firefox.exe
Token: SeDebugPrivilege	5012	firefox.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe
5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe
5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe
5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe
5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe
5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe
5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe
5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe
5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe
5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe
5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe
5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe
5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe
5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe
5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe
5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5012	firefox.exe
5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe
5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe
5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe
5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5012	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 4436	5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe	83
PID 5096 wrote to memory of 4436	5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe	83
PID 5096 wrote to memory of 4436	5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe	83
PID 5096 wrote to memory of 4048	5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe	88
PID 5096 wrote to memory of 4048	5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe	88
PID 5096 wrote to memory of 4048	5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe	88
PID 5096 wrote to memory of 4496	5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe	90
PID 5096 wrote to memory of 4496	5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe	90
PID 5096 wrote to memory of 4496	5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe	90
PID 5096 wrote to memory of 4956	5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe	93
PID 5096 wrote to memory of 4956	5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe	93
PID 5096 wrote to memory of 4956	5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe	93
PID 5096 wrote to memory of 1912	5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe	95
PID 5096 wrote to memory of 1912	5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe	95
PID 5096 wrote to memory of 1912	5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe	95
PID 5096 wrote to memory of 1312	5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe	97
PID 5096 wrote to memory of 1312	5096	20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe	97
PID 1312 wrote to memory of 5012	1312	firefox.exe	99
PID 1312 wrote to memory of 5012	1312	firefox.exe	99
PID 1312 wrote to memory of 5012	1312	firefox.exe	99
PID 1312 wrote to memory of 5012	1312	firefox.exe	99
PID 1312 wrote to memory of 5012	1312	firefox.exe	99
PID 1312 wrote to memory of 5012	1312	firefox.exe	99
PID 1312 wrote to memory of 5012	1312	firefox.exe	99
PID 1312 wrote to memory of 5012	1312	firefox.exe	99
PID 1312 wrote to memory of 5012	1312	firefox.exe	99
PID 1312 wrote to memory of 5012	1312	firefox.exe	99
PID 1312 wrote to memory of 5012	1312	firefox.exe	99
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101
PID 5012 wrote to memory of 1936	5012	firefox.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe
"C:\Users\Admin\AppData\Local\Temp\20705a5792c15b7ce539a99d8956af6c8b188c50ab03d4b304f92e3ae966ea74.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM firefox.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4436
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM chrome.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4048
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM msedge.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4496
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM opera.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4956
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM brave.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1868 -prefMapHandle 1860 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {01c72d01-c778-4444-b38c-acd1965bb867} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" gpu
      4⤵
      PID:1936
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -parentBuildID 20240401114208 -prefsHandle 2380 -prefMapHandle 2376 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e0b46b8-0830-4896-ac58-091be3d9edc1} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" socket
      4⤵
      PID:740
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3052 -childID 1 -isForBrowser -prefsHandle 1392 -prefMapHandle 3084 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a59c860e-9822-4ed8-a57e-14f91b1215cb} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" tab
      4⤵
      PID:3620
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3400 -childID 2 -isForBrowser -prefsHandle 3316 -prefMapHandle 3476 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a801a36c-d163-4e1f-94a4-5593d9bc9cfd} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" tab
      4⤵
      PID:408
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4956 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4940 -prefMapHandle 4968 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2eed0df-1b16-4973-9906-def81af7c687} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" utility
      4⤵
      Checks processor information in registry
      PID:3984
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 3 -isForBrowser -prefsHandle 4904 -prefMapHandle 4900 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22768c82-2723-4caa-b02a-b2bcbdc3d4e0} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" tab
      4⤵
      PID:1076
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5720 -childID 4 -isForBrowser -prefsHandle 5732 -prefMapHandle 5728 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74446f97-962c-4d6b-9bc1-e8ef107fbcf0} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" tab
      4⤵
      PID:2184
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5860 -childID 5 -isForBrowser -prefsHandle 5868 -prefMapHandle 5872 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c342b50-006a-48d2-b431-1995c0691f82} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" tab
      4⤵
      PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
432217caf8801292d7e9f53cafbcc401

SHA1
f3f8bb4ac3aee3e6d147cd714fbc8c1d256a95df

SHA256
f3931af91e813a03691893dcf663eab1ab9be1d693a67cce39b164d670d9e1a5

SHA512
2a36b99e88f6e5d5d0c38d321b3dc6b02cd9baa0fc6a97df63a5439795a32b13e33024c4de4f98ad7b353ceb99282761255e6942ed5630fb37f1f24c4763a145

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878

Filesize
13KB

MD5
dbb8bd03d02e9b20cabfbaa3f54f47d5

SHA1
bc2f4aab890c872065abca24ab28f9d1fddddcb9

SHA256
926179569a34ba6e13192bf4960005cdfc0443292759d4262a2b5d9461115091

SHA512
09b18b7fbd84679828fbaba642403f9caa70d8958d596d53bb75addafea21c0e5f50e359adf94903c65d76f12afc572c4472ca32cb645b3c19576773ba1a87d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin

Filesize
6KB

MD5
edf9f631d041f246524f7915e506dbd8

SHA1
1990769590f8354fabfe336d917a3ee59f275365

SHA256
9f63e76a020b045b56a26ccc5e3b71ef190b2e533ee6428a52a5d8aa2e8f14f7

SHA512
48f0dbc12918a88d9571b3c21130eaf8ea709d5086a6b754f59db184e46b474d6e0d82fdbbc2662b494b6175c7eb7009fd546c4ac9b762c1c38fca02b54e8a3f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin

Filesize
8KB

MD5
2df04c573c44f53dc29227efa222e4a1

SHA1
d49bd53b1936f735332ecacffe1a1e3cce43d5f1

SHA256
f8e59023548ba55223760b1f46ce339242c020cdb43179c5198ee2ca9c516ad5

SHA512
4c24b67987357d3c8811dd2954881cfe3598421a940c10df737a64ef55300044a6ae5c69a3e30c02c511e13428a7b97bcc9779058764d7c4175ee02b65a3cc23

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin

Filesize
10KB

MD5
962a9529c7f54fca285b27008d8ed35e

SHA1
90bdd4715d2b570b5b95f95eed7e5b31bff1476c

SHA256
4e9cdb7b776d85e43d216424fedb89bb669c78c94dbc442f5303064bb4b16da1

SHA512
053d7c8acef7b670958c7f8c4be2e17ec5a99f1e760739f5c6a4f892c86976502c10dd116d4f21d1e31616ef0415d01c1099b6e4cde28ffd044eece7cdd4e168

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
7ca3df94dc2a692c4d6885c8a13ee657

SHA1
e4facb1d1006aadb717e6c73dbe20c3bb7948bf5

SHA256
5c4d1445bed9babf0d88493b407186cb1fc48db4d7c7e442c20277f803fbc676

SHA512
fcc8ff256b721351a69601b862b8a547b5cd2903dce141a8274d1e296fb25fd257a702ff64a84b559f54659e4dc5b61485c738645e0cda07425942d482498db9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
202fcb66d916902d53e384d9cf750051

SHA1
62f9a6dfdbef3cdaf4b0f1d5d9aa7cc84602b84e

SHA256
c30bffd17754eca966da7d5ff8aa48f2f7d64f8823de50342303244217fcfa4a

SHA512
aaf8ac8418168f467b67f5271ad61e0aa4a0ebad875cff1109a51155ce0a64d21845a7c0d2c0065f296fceeda69422079a71f63922596faa4bf83aad0424ec03

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
10315f4b3e1e3490d402110e86e9d1d4

SHA1
9f816cd270dc270ff5a86360a6a2f032c434d3cc

SHA256
02f148dfda298cd19f39bcfd8fdaf57d99e69e721a52cfb2e3cfb33159cc2982

SHA512
a79e9cde9a3a3bb6ce69f1f8be8660c147b0c622add14bc9e86bfeb33cffae7c4f2d00506548751dc197047d47ad90b2ac854f4d074f75fe8276447e84da4b7d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\3dec57dd-4ee3-4f78-9ee5-dcfa1810f66a

Filesize
982B

MD5
6a3990b861e6fb23196744947a5a1c48

SHA1
e74c32983669231333ced654d455e7cf7ded73b9

SHA256
a5d94dadbf1657994d8d63f251d07d4e12964bb952e1fcb72e40de2598c19fa7

SHA512
5290635a2bbeb339e8c6a0fdb2df4a3568d0ff8876bbe9a4281cd6e2c59cce787980e4f32a3d506f6468b5b184bd63d2da3a2d4c7bceb5c692e03dbeb53e7730

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\5119c7c4-0f17-49c0-beba-191d56d0b1f4

Filesize
26KB

MD5
25c8f2e091bafc9c988149be14aedeba

SHA1
9cbb6aa51fb5294efbd01016a10df814c12f360a

SHA256
a2691b7fac19cd9bb5adf2214395dee7018071d0761b1b70af4db937b88a9997

SHA512
5612d7216e836970ffabc29a7dbf59918ef63fd37ec25b7e3f62d2d2515d5344ae841a6c4115d89e33af76a00abc357db87bb6afbccd7b7a389dca4e1b6c41d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\e3ec7f11-9388-4e7a-926b-82161f94389a

Filesize
671B

MD5
422bb786353431cdf40546399054d4ad

SHA1
4dd4d0e32b0293e05f652872e61f4039165a9d6b

SHA256
a68464beaeda58ed58e17b6677c249d15ed51c8e72891021b8daffa87dd17a16

SHA512
b26759055598fbd90bcd7faa4cdffbdde8a6493cd379ef949610e22e9e760a356ddb4530fbda55d9b032fe4b0f2f6b77da8d4c8e5d30d418f73f5e6ac0039634

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs-1.js

Filesize
11KB

MD5
b15186ef55129ec92a61b65fda2047bc

SHA1
f3b8b4eba165b4dc3554f1819db28035585e1ab7

SHA256
1cb48ca737a6db2d9f88753abc17648b0fcde3fd864d64cb91f2dfab6301813b

SHA512
ecf3509693ecd693adcd3e044cfcfa4ca9542f9360e0c854687f4ec7a9a799b65901351ad5d865d3f31fb1c9b9fba6bfcb917ceea266334277b96ca2a6dbe229

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs-1.js

Filesize
15KB

MD5
d1c2ad55b8abc3cb552459a8a2dd93e8

SHA1
edd93fb0920b644615b555188de1bf382700b35b

SHA256
c5b8651860fa9a25379044d40eb4b058dd72525eb310956a61241b78b8911580

SHA512
a8dbb30b8ac819ba3d649ba3988e9936722dea86f86cb6891340d6fdadd49ab98783409e0144efb3fd502d2dc6f4caa4d52f5bff9c25def322c61928e5e63935

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs.js

Filesize
10KB

MD5
8a5197c01a80b4f0f308fa197aa81882

SHA1
c29d9678faf34e537ee6d26053564398d6c33c5e

SHA256
ad952230075d76794736997731c538c77a8eeb36a6b8f6d93ed8cc60074d92bb

SHA512
1e616968d9c9c2ddd8c5d559f4d55a24c86b5697c0937d1fb6a19183b6c90673ad8e327998e9a399743aef5770ffc5d53d3145e6ce47637603b0e6986d9cf704

Download Submit