Resubmissions
- 01-12-2024 17:26: 241201-vzv89sxjf1 (score 10)

Analysis
- max time kernel: 78s
- max time network: 79s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-12-2024 17:26

Behavioral tasks
- behavioral1: sample MoonStealer-main/MoonStealer_assets/upx/updater.exe, resource win7-20240903-en
- behavioral2: sample MoonStealer-main/MoonStealer_assets/upx/updater.exe, resource win10v2004-20241007-en
- behavioral3: sample MoonStealer-main/MoonStealer_assets/upx/upx.exe, resource win7-20240903-en
- behavioral4: sample MoonStealer-main/MoonStealer_assets/upx/upx.exe, resource win10v2004-20241007-en
- behavioral5: sample MoonStealer-main/builder.py, resource win7-20240903-en
- behavioral6: sample MoonStealer-main/builder.py, resource win10v2004-20241007-en
- behavioral7: sample MoonStealer-main/install.bat, resource win7-20240708-en
- behavioral8: sample MoonStealer-main/install.bat, resource win10v2004-20241007-en
- behavioral9: sample MoonStealer-main/main.py, resource win7-20240903-en
- behavioral10: sample MoonStealer-main/main.py, resource win10v2004-20241007-en
- behavioral11: sample MoonStealer-main/start.bat, resource win7-20241023-en
- behavioral12: sample MoonStealer-main/start.bat, resource win10v2004-20241007-en

General
- Target: MoonStealer-main/main.py
- Size: 48KB
- MD5: ce6bbfc8f624a0590495fce46648d3f7
- SHA1: 182880bb1eccc344455228afe6eabc28b0d25875
- SHA256: f4c4c2476408c644b2aebf613d42ef361e2a5630c7a62c505bf4c319aace6293
- SHA512: 2cb207f86bd64ae448e26d456a9970bec46d7e196209983a9e1c822136248b6c4795bad4b58809d4cf1a74bdd46d5e7ff56b0c2933e5a94dffd7e414284ea58f
- SSDEEP: 768:gDaj4Pvv8PZmsyhTuVJ7AWyykW2WMWLWLWLWQW7WP2uL12oqcW7WFufQtRPPWMCd:yaj4Pvv8PjyhCV1T2aRtufK8MK

Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe, firefox.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (firefox.exe)

Modifies registry class (14 IoCs)
Processes: OpenWith.exe, cmd.exe, firefox.exe
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\.py (OpenWith.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\py_auto_file (OpenWith.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\py_auto_file\shell (OpenWith.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\py_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\"" (OpenWith.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\죂߯ⴀ蠀譚Ȕ\ = "py_auto_file" (OpenWith.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings (cmd.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings (OpenWith.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\죂߯ⴀ蠀譚Ȕ (OpenWith.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\py_auto_file\shell\open (OpenWith.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\.py\ = "py_auto_file" (OpenWith.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\죃߬⸀踀 (OpenWith.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\죃߬⸀踀\ = "py_auto_file" (OpenWith.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\py_auto_file\shell\open\command (OpenWith.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings (firefox.exe)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: OpenWith.exe
- PID 1736, OpenWith.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: firefox.exe
- Token: SeDebugPrivilege, PID 4672, firefox.exe

Suspicious use of FindShellTrayWindow (21 IoCs)
Processes: firefox.exe
- PID 4672, firefox.exe

Suspicious use of SendNotifyMessage (20 IoCs)
Processes: firefox.exe
- PID 4672, firefox.exe

Suspicious use of SetWindowsHookEx (58 IoCs)
Processes: OpenWith.exe, firefox.exe
- PID 1736, OpenWith.exe
- PID 4672, firefox.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: OpenWith.exe, firefox.exe, firefox.exe
- PID 1736 wrote to memory of 2088 (pid 1736, OpenWith.exe, procid_target 96)
- PID 2088 wrote to memory of 4672 (pid 2088, firefox.exe, procid_target 99)
- PID 4672 wrote to memory of 4608 (pid 4672, firefox.exe, procid_target 100)
- PID 4672 wrote to memory of 4352 (pid 4672, firefox.exe, procid_target 101)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

- C:\Windows\system32\cmd.exe (PID 2624)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\MoonStealer-main\main.py
  Signatures: Modifies registry class

- C:\Windows\system32\OpenWith.exe (PID 1736)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

  - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2088)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\MoonStealer-main\main.py"
    Signatures: Suspicious use of WriteProcessMemory

    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4672)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\MoonStealer-main\main.py
      Signatures: Checks processor information in registry; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

      - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4608)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1f91271-73a4-4c8c-8e53-ef068c939f64} 4672 "\\.\pipe\gecko-crash-server-pipe.4672" gpu

      - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4352)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6eb5ff5-02b1-436a-aa67-522608151b77} 4672 "\\.\pipe\gecko-crash-server-pipe.4672" socket

      - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4824)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3028 -childID 1 -isForBrowser -prefsHandle 3228 -prefMapHandle 3000 -prefsLen 24741 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48c3d907-86b5-40d9-9625-25b3f3662b64} 4672 "\\.\pipe\gecko-crash-server-pipe.4672" tab

      - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4528)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3296 -childID 2 -isForBrowser -prefsHandle 3652 -prefMapHandle 3648 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5946be18-eadc-4268-9aa8-6558d2aa1c50} 4672 "\\.\pipe\gecko-crash-server-pipe.4672" tab

      - C:\Program Files\Mozilla Firefox\firefox.exe (PID 5424)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4828 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4820 -prefMapHandle 4816 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8db9ace-6760-47a7-afae-b9893a86fd99} 4672 "\\.\pipe\gecko-crash-server-pipe.4672" utility
        Signatures: Checks processor information in registry

      - C:\Program Files\Mozilla Firefox\firefox.exe (PID 5992)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5312 -childID 3 -isForBrowser -prefsHandle 5028 -prefMapHandle 5308 -prefsLen 26998 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fada8118-ba1b-4d43-8bbf-85704512a551} 4672 "\\.\pipe\gecko-crash-server-pipe.4672" tab

      - C:\Program Files\Mozilla Firefox\firefox.exe (PID 6016)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5476 -childID 4 -isForBrowser -prefsHandle 5480 -prefMapHandle 5488 -prefsLen 26998 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {972a854f-b26f-45f7-b93d-becb3b2b213e} 4672 "\\.\pipe\gecko-crash-server-pipe.4672" tab

      - C:\Program Files\Mozilla Firefox\firefox.exe (PID 6028)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5736 -childID 5 -isForBrowser -prefsHandle 5656 -prefMapHandle 5664 -prefsLen 26998 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78f9bd2a-d00c-4b57-9931-710bd10ae280} 4672 "\\.\pipe\gecko-crash-server-pipe.4672" tab
Downloads