Analysis
max time kernel: 268s
max time network: 274s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 23-04-2024 11:10
Behavioral task: behavioral1
Sample: poster copy.jpg
Resource: win10-20240404-en
General
Target: poster copy.jpg
Size: 474KB
MD5: c38cc38dfa5ae512d1841170da49ccc1
SHA1: a64033c83c25763f4a42c8a5c60185b3c27519b0
SHA256: 59a5632736ce0a74810969b57eedc5b27d24b7867393cb92c37d1b1591b6be81
SHA512: 965fd231f83726e5e57d2ef3b624e3ce3a8a37d2fcde61a1745d6ea46b41919f0bc8def67ae0079d8cebe03656d538fa7569f1874923acbf5c75ef24e19011c1
SSDEEP: 12288:l+vhqYr1pbsJXQGJ/7xrvZgexHJ8hEsTvsT0ph:l+vhJrSrZge9o4U
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
  pid  | process
  1636 | MLG.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
Processes:
  flow | ioc
  132  | camo.githubusercontent.com
  133  | camo.githubusercontent.com
  134  | camo.githubusercontent.com
  154  | drive.google.com
  155  | drive.google.com
  156  | drive.google.com
  157  | drive.google.com
  131  | camo.githubusercontent.com
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
  description     | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.bmp" | MLG.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description       | ioc | process
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
-
Modifies Control Panel 2 IoCs
Processes:
  description     | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\WallpaperStyle = "2" | MLG.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\TileWallpaper = "0" | MLG.exe
-
Modifies registry class 1 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings | firefox.exe
-
NTFS ADS 3 IoCs
Processes:
  description  | ioc | process
  File created | C:\Users\Admin\Downloads\MLG.rar:Zone.Identifier | firefox.exe
  File created | C:\Users\Admin\Downloads\EULA.txt:Zone.Identifier | firefox.exe
  File created | C:\Users\Admin\AppData\Local\Temp\7zO45A0584A\MLG.exe:Zone.Identifier | 7zFM.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
  pid  | process
  4744 | NOTEPAD.EXE
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid  | process
  2644 | 7zFM.exe
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
Processes:
  description                       | pid  | process
  Token: SeDebugPrivilege           | 2420 | firefox.exe
  Token: SeDebugPrivilege           | 2420 | firefox.exe
  Token: SeDebugPrivilege           | 2420 | firefox.exe
  Token: SeDebugPrivilege           | 2420 | firefox.exe
  Token: SeDebugPrivilege           | 2420 | firefox.exe
  Token: SeDebugPrivilege           | 2420 | firefox.exe
  Token: SeDebugPrivilege           | 2420 | firefox.exe
  Token: SeRestorePrivilege         | 2644 | 7zFM.exe
  Token: 35                         | 2644 | 7zFM.exe
  Token: SeSecurityPrivilege        | 2644 | 7zFM.exe
  Token: 33                         | 2400 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 2400 | AUDIODG.EXE
  Token: SeDebugPrivilege           | 2420 | firefox.exe
-
Suspicious use of FindShellTrayWindow 6 IoCs
Processes:
  pid  | process
  2420 | firefox.exe
  2420 | firefox.exe
  2420 | firefox.exe
  2420 | firefox.exe
  2644 | 7zFM.exe
  2644 | 7zFM.exe
-
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
  pid  | process
  2420 | firefox.exe
  2420 | firefox.exe
  2420 | firefox.exe
-
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
  pid  | process
  2420 | firefox.exe
  2420 | firefox.exe
  2420 | firefox.exe
  2420 | firefox.exe
  2420 | firefox.exe
  2420 | firefox.exe
  2420 | firefox.exe
  2420 | firefox.exe
  2420 | firefox.exe
  2420 | firefox.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  (identical rows collapsed; 64 entries in total)
  description                      | pid  | process     | target process | count
  PID 4288 wrote to memory of 2420 | 4288 | firefox.exe | firefox.exe    | 11
  PID 2420 wrote to memory of 992  | 2420 | firefox.exe | firefox.exe    | 2
  PID 2420 wrote to memory of 3620 | 2420 | firefox.exe | firefox.exe    | 48
  PID 2420 wrote to memory of 5000 | 2420 | firefox.exe | firefox.exe    | 3
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
(bracketed number = depth in the process tree; the second line of each entry is the command line)
[1] C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\poster copy.jpg"
-
[1] C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Suspicious use of WriteProcessMemory
-
  [2] C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      - Checks processor information in registry
      - Modifies registry class
      - NTFS ADS
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
-
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.0.1856894760\1944202381" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1676 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e22e34c-d6eb-46bd-a368-962a660a4ecb} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 1780 21d82df5158 gpu
-
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.1.1762528581\1542053061" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9bfecccc-3a2d-4e71-994c-b98d5e5091a7} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 2136 21d82cfee58 socket
-
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.2.35472776\789539696" -childID 1 -isForBrowser -prefsHandle 2960 -prefMapHandle 2756 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d9bcaa1-682e-4bf6-8bef-948faabe06c2} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 3048 21d82d6c158 tab
-
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.3.1816382261\573649444" -childID 2 -isForBrowser -prefsHandle 3576 -prefMapHandle 3572 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1824fd3d-6112-44ef-9531-3db53775593c} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 3588 21d857b3258 tab
-
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.4.841437538\1545827566" -childID 3 -isForBrowser -prefsHandle 4412 -prefMapHandle 4408 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {efbc9d3e-6a6e-4a5d-b958-aa5c7f29e719} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 4424 21d88ab1558 tab
-
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.5.1247472796\806928633" -childID 4 -isForBrowser -prefsHandle 3800 -prefMapHandle 4800 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a324d82f-818b-4415-b0ac-702c6ee98b9b} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 4680 21d8935f258 tab
-
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.6.981717931\133183534" -childID 5 -isForBrowser -prefsHandle 4976 -prefMapHandle 4980 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0af0722-f4c9-4ab7-b1a9-4a591e7ac78d} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 4968 21d89361058 tab
-
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.7.1655557889\1043231382" -childID 6 -isForBrowser -prefsHandle 5172 -prefMapHandle 5176 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec188856-f55e-460c-8a9f-da64bca1f578} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 5160 21d8935fe58 tab
-
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.8.56030557\1702739205" -childID 7 -isForBrowser -prefsHandle 5576 -prefMapHandle 3800 -prefsLen 29562 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b33a09a6-51a2-4345-8d02-7e9c136b24e9} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 5352 21d92829e58 tab
-
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.9.1011419428\1760801480" -childID 8 -isForBrowser -prefsHandle 4484 -prefMapHandle 5716 -prefsLen 29737 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6faa3fd0-4c71-4f06-a72a-69148d67a9da} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 5352 21d8b75b158 tab
-
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.10.129210850\1505843262" -parentBuildID 20221007134813 -prefsHandle 6032 -prefMapHandle 6028 -prefsLen 29737 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b43388b7-caff-41f5-91c4-bf026ffa278e} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 5952 21d8f08be58 rdd
-
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.11.1815415335\157745347" -childID 9 -isForBrowser -prefsHandle 6156 -prefMapHandle 6152 -prefsLen 29737 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4ccb234-54a4-4c38-a418-117bd97fd288} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 6168 21d8f360358 tab
-
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.12.1598949687\1272446004" -childID 10 -isForBrowser -prefsHandle 5752 -prefMapHandle 5756 -prefsLen 29777 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e235133-3690-4c24-b4db-7574b9274d4f} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 4660 21d8e320b58 tab
-
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.13.1531255879\1860303062" -childID 11 -isForBrowser -prefsHandle 5448 -prefMapHandle 5628 -prefsLen 29777 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d9da70b-efb5-4aca-92bc-e87aca89860a} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 5440 21d8f088258 tab
-
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.14.841426523\1867323797" -childID 12 -isForBrowser -prefsHandle 4440 -prefMapHandle 6552 -prefsLen 29777 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {47c3b915-e383-42be-8702-ce70ccaa2666} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 3528 21d9282a158 tab
-
[1] C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\EULA.txt
    - Opens file in notepad (likely ransom note)
-
[1] C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\MLG.rar"
    - NTFS ADS
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
-
  [2] C:\Users\Admin\AppData\Local\Temp\7zO45A0584A\MLG.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO45A0584A\MLG.exe"
      - Executes dropped EXE
      - Sets desktop wallpaper using registry
      - Modifies Control Panel
-
[1] C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x428
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cache2\entries\C72D4296C2EBC6FD41A9F780CD0C8F30F0FF937C
Filesize: 13KB
MD5: 0d079bf0645b0e4b391280136ae3f3a0
SHA1: 9dfe2e2cc27ec0a6a6b6c48962e1913650bd4e8d
SHA256: 702e56324b2c66a9bdac3b69e2e98a95df6ad68e7053f31461043052acccefdf
SHA512: 43db4353ce15cf1f2c3c1cb290f75f5bbe32ea2c3c5c166998bf8dca76405ec3c73dbd80c1c78ffedc12d0e952ed3f557512acac4f9d9ac0a6defdf10895461f
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize: 7KB
MD5: c460716b62456449360b23cf5663f275
SHA1: 06573a83d88286153066bae7062cc9300e567d92
SHA256: 0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0
SHA512: 476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30
-
C:\Users\Admin\AppData\Local\Temp\7zO45A0584A\MLG.exe
Filesize: 14.3MB
MD5: 634728f2fe391f5369bf655cc7c2b482
SHA1: 9da51bfb54343dc4d9220c3bb785dd2a1ea7c17e
SHA256: f6d1641642cebcdbef6bb2f110d0e3c6b592679d18f9dea71ac484c518417ea8
SHA512: 07d0d3ec375e441e128bc9c5d2067f983bee1967e3075c3b76ddc5339ecccaf28fe2d626bb237ea2ba1aac475136c8be33a7e11a61286a70406fae95cf90e3ad
-
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize: 442KB
MD5: 85430baed3398695717b0263807cf97c
SHA1: fffbee923cea216f50fce5d54219a188a5100f41
SHA256: a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512: 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
Filesize: 8.0MB
MD5: a01c5ecd6108350ae23d2cddf0e77c17
SHA1: c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256: 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512: b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize: 19KB
MD5: fe11eebeed07c9c95ad284ebe203d402
SHA1: 754eecbc7cbc18079cc06313ec352c99f5a16665
SHA256: b15fbd0d570c5642b162867c4c027dd6a83284d011522bf523ad1a4c1e345c13
SHA512: 9950679c04297f3328b24cd1d53e9fb89527ca6d8c2d4e9e6e48b47f379ff85b73af53cf500a4b7f0f89879bbbdd3ec13b0bf9af1a1deb05436c774aac196342
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\db\data.safe.bin
Filesize: 2KB
MD5: f9d4e64f2d77d5d723e303f492b1c1c6
SHA1: e989bd0e5668b3b4094303a1ca187e2f67db9335
SHA256: bc055281e56f6ec2108c69e777b8fdf276cf291a67f728da11c6fed66c4df181
SHA512: 75c75d47ba06f41ced5b8ef330d48a8de6b3aed1ff7205f36945ca297e745a5b3d29964b7d87a7d7341e168e889567fd1f9d1d8e6a62872d9ebc19a2888d449d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\pending_pings\6ab39e12-9d11-42fb-8077-885573ebfa3b
Filesize: 11KB
MD5: a553de20e674fdbe71d5d7508615a9d0
SHA1: 470f0b7a3aabf8c803d91cd4be52acaa57a3ccf9
SHA256: 4b82070f6a25ed0ac7752c5edb77bfec03352d11f95c860e5c657216c3c99e64
SHA512: 93add0716b4d3c937579542a6494088c9ec8c6ce266a663c3a88c606db2e7cae4da48d58fcaba0f67a1c8fa242bbc78ae35f585d2601c1a8f3fd571112812534
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\pending_pings\af4e617f-4141-4512-a0cf-cdb4f2455f76
Filesize: 746B
MD5: 78b97d0dbfc264606f608e9fbb833086
SHA1: a202aded2c1b426e6c68f42fb29276362b38ca07
SHA256: e6fc0b7ded824f04394dc3a5f07c5576f37e88e86084143cdc4bce0d481d901f
SHA512: c62323261a795563691a8c22b048d7398309c472ec0d3a853b5f9b2205c2aad33cb11dbd29b4c64790a77145f5e035e6eee9bc8e299296e5b5dd880f7822c681
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize: 997KB
MD5: fe3355639648c417e8307c6d051e3e37
SHA1: f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256: 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512: 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize: 116B
MD5: 3d33cdc0b3d281e67dd52e14435dd04f
SHA1: 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256: f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512: a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize: 479B
MD5: 49ddb419d96dceb9069018535fb2e2fc
SHA1: 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256: 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512: 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize: 372B
MD5: 8be33af717bb1b67fbd61c3f4b807e9e
SHA1: 7cf17656d174d951957ff36810e874a134dd49e0
SHA256: e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512: 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize: 11.8MB
MD5: 33bf7b0439480effb9fb212efce87b13
SHA1: cee50f2745edc6dc291887b6075ca64d716f495a
SHA256: 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512: d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize: 1KB
MD5: 688bed3676d2104e7f17ae1cd2c59404
SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize: 1KB
MD5: 937326fead5fd401f6cca9118bd9ade9
SHA1: 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256: 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512: b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs-1.js
Filesize: 10KB
MD5: f7625317ba43441c17c8f172dd0546b9
SHA1: 3b54916796416f54c1490ef3d3245a826d3dc84e
SHA256: c3d7437ef04deb1f141cbbe17c66fb8ad031cf8fb6f036429a7afbac824cdb35
SHA512: ba23b3d455c2b5bacb74e2830a65bb4c6dcebd1474a5102de296a4a6d7b4862f21bd0b83935440f7129443731b6b3c4f284cb9b4d1f6a4abd510a5a0277b831b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs-1.js
Filesize: 7KB
MD5: 61d2b9f974e32070d678f09bc11af7e3
SHA1: 4497edbd2f3cc2994d9427ab1030a1e2fe57c27a
SHA256: 5ee37960cc8e81857df3d728993503a31b8fedf395c1414175d7a1d0b4aa22a3
SHA512: 12c7e8116a76b419f1c0cb3798b8a86ce1a68fc201c161b73b1e4fb3559879bfc0cd05d67bd7de8cc43040af0493c4be65b7e41c1ab46341ba1b22d69d744997
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs.js
Filesize: 6KB
MD5: 47a3018d6f2cf92def15cac5d4657c1b
SHA1: 58bf49fc564085971366e25a9db5e26ca1c9727d
SHA256: 0ba954aacb299e9f7493fac179fc8f2be362b0f9929c3a9119a369aef173cca8
SHA512: 2eddbe4ddf9fb76642f77e5a45a59ac7a195ff42a1716ffb2cc1bd3c172fa427f8ddc4650a3716964cf473c5a1e089de2dbdecce62c1cc3867e16dd8e43b5c56
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs.js
Filesize: 6KB
MD5: d6e2564880cd90f1119d002ae1f51766
SHA1: a2de1cfce0385a1620c252acbc092991e98b91fd
SHA256: 6f6ba941dca3efe3e159b941dbc39f367003810e5d1ab73019152cfe1939822b
SHA512: 94441dcab44bc763cfc19876dbe1e1e5da40d1ab00905de192510af18d453e99576990fd3e6c31886fe676e43bcc87b645f17e92c775552779584e1b71311a6b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 8KB
MD5: 7ad5a1833f5ae41b94af83c878e2d5c0
SHA1: ebdf5c4ea3d361b2be515dc5ce4d1b75a251ac49
SHA256: 22fa07c9e34504642fac2ca5ee2bbae8d228e3a345d0cf6791725b091d8eb5b2
SHA512: baa00f61319b707f8effb359546365d4ffab822775dd18a273d796923c9200bfa4944a82c41b624d948b2d9830037ba38c6e62664065b7d831e4c76ed9f57ba9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 3KB
MD5: 719123b23b1ba79020be5492e7b80019
SHA1: 6cd8613ec6ca678c04df6da30d9f780a9e7e5939
SHA256: 91003332238156876694561e63ba4432a06d08f4cf74f5719c5a8292daa2c62d
SHA512: 2eaa28a06f56d95c6dd391293a84844d4b8d18e8b375912092b6c281db453baffdf49b189226c15d35b98cad37b928643d25aef3746cd10ba471e6c322e98fab
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 4KB
MD5: 6a91814421ee083c38befe17b691e5e1
SHA1: 84584fe3274374f479c2483659c01f3a32ea65cf
SHA256: 374933866c96d49d9c80ead9da6c2f6843904978b0f27bd955b5bdc16a8733b0
SHA512: a7e2e5887543dd5090c05333460cd7032d20405634549430a333ba90b12111059767a71f1aec5ca813ed37d27632fe6671cdb855e810eb9b3c9dd3b1a8df6bba
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 8KB
MD5: 6a5de58ef838f4a3f7845fd96b4243e3
SHA1: 96d72dd483b1cefc938a9cd6a37ac88f0e7f5dfe
SHA256: 0542d9b2878b0dc2d4f48cf0cb131b4b687f2acd8a80127bfd8c322e89dd6041
SHA512: b8cc3c2ae7e285021e02c7dde8b9ea23625cd844cc0f280003a3e0300cb8d5d71419945bd0ff8adfea9859165c9113ca2c8edcd858484fd1d7c1f87b0aa453fc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 8KB
MD5: 72125f59ec12ff72462e8a9067d7dcc9
SHA1: 4bbdd6d6ad16c3eb6474265ec3dcf872b0515eb6
SHA256: c4028a575b1dda606bceff142e17c1285838da7acb0389f0eb0fd189e0fc5af6
SHA512: 3628bee1728640c925f0e75f50609fc8d465b42543b208d89554925b2684e62a0b2ce56b20f0087ec0828898ede5c11d5f6c182cf9073c5278f273d3618c44df
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 1KB
MD5: 71be7f78649fdf83d0cdb040a21d7f0e
SHA1: 78f8a7afac864a2044e8326876c175a49813a770
SHA256: 564a5e6b9abb4a5c2381405de330fd8cc8d48abb78dabd0f9b60d2037bf70b6c
SHA512: f7b3104fe2aeebed379753e9f507ebbb7c77ceb2d07cb3c5304e7ee05bdabbaf1221315da38b694c459e7d2566cafe7a94debfe8e2cf69877f3c006094b6813b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 3KB
MD5: 7261c56aef5503145ee8a577fcacb26c
SHA1: 965c3180cf27f3288a879461db1bbe6d4354108f
SHA256: 7deb1ddf10c6db0c16719384d5f10a2dcb00a8d8375c4ec7d265804c1bf9e2b0
SHA512: ab529307c4d413c436dd6b668bd3985f59b974f65e91e1b9ad828950e2f6e2ea8ecf7e1409b6626277541fd32fe4455ec3b1e3e3e9117c81b186092228525fac
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 5KB
MD5: d155b2148de36d157e8aeff21759e51c
SHA1: 3618312aeb956d4c6e09c8c60e41cdaa3bdc6709
SHA256: 22b7da918a0c7a14ac8f1f055a2573fbe49f4717f0e19003f43edd5a8c671c1f
SHA512: e45a8105d121ac0eb35b78cb5a68f0b4936e3a173e402b6bf70226b3d774e1ed4a885a54fb7882ee0d2d5ece0a61c82fbb153a3d5b0fd9014548142e49dfa117
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2232182701SeesravbiacteaWDosrgk.sqlite
Filesize: 48KB
MD5: 997a3bac033ad0ddabe1fedf99d01015
SHA1: a54f69cb6388f587b7cc000692991a7a192d2234
SHA256: 43e16e4fe21ba06cbf15d5b6a4ba57cae3e55a15fcd9b0cd1a7bc51ab3d25775
SHA512: f0b038af59c80341b388d22f3f55ecfa35b45b98d38ce4e500e85e42854339a3c144be7feba439f0da8bc8aa4fdef72e0b744716bc9fa84a29c141523273eb83
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 7.7MB
MD5: fa756fe8825aa81c3901a0a551d7afec
SHA1: 7456d906fb89c84318901945af58e0c99fd2f036
SHA256: 83ccc0cb1c2fb5c76ec87358aebb10bb681559625dfcbff7c6568f625af6120c
SHA512: 0f51f6468638139ea3e0c4c08e60f789591f402023c6365bc9ca2b9bc25db28a076d4b7afc8c3a6ebfaae4a6e770733560ccecf040f55fea61d0aa05ff755fe8
-
C:\Users\Admin\Downloads\MLG.Dbdy1EfY.rar.part
Filesize: 24KB
MD5: 46bb190b41d6959b3e9c538e05134308
SHA1: cb682c4b15aa6212599d3be31c1fa0356f67909a
SHA256: 6d3d4fab38568a4b06dde14a1f6f59902ba3a548b1da437f68541be82e16b152
SHA512: 666d7d2bb3209c1cd1182f0ca826c4de488c1d58a9ddae703273fec64b7389ed96d69a68e7f74ef8858101def35075562fc2e568c37524f76f8f8851062e31d7
-
C:\Users\Admin\Downloads\MLG.rar
Filesize: 10.9MB
MD5: 7c7fb86210ab287c5b1b8da0e493818e
SHA1: fd0c9501f63ab40ad21b18f744c0ab126407b305
SHA256: adad0eaee2468fbff99e0089b10b1afec28044a67c100bc70c90f24782a778fe
SHA512: d5e19368b06b73700e1f5b1bbd962ee5ef0293c8eea6f70ef2fe38681c2101f22b5ef6ad42208a0a1439e0435dd830cd94f673cb1756f0a078a181d94e7ec90b
-
C:\Users\Admin\Downloads\QhVeWCbe.txt.part
Filesize: 1KB
MD5: 73260f26eceb865bdcdd0c6dcb048734
SHA1: d6151f79bcc9cf4cdc1eaa856aee48ebeed5e6dd
SHA256: feeda441eef6bb3787db9dccfebf00f70ef30f5881ff2cb089f3e1dbc06d0c30
SHA512: 2104cefa4087c91238a21b094f26bd48d188d6c40488b68c9656d47e1853a50533a4e5b2abda5b922572e01f60aee3b7d7e594c0f7e3491c3afe8f2fffbb5b4a
-
memory/1636-2826-0x000002CE66A60000-0x000002CE66A70000-memory.dmp
Filesize: 64KB
-
memory/1636-2808-0x000002CE66A60000-0x000002CE66A70000-memory.dmp
Filesize: 64KB
-
memory/1636-2816-0x000002CE66A60000-0x000002CE66A70000-memory.dmp
Filesize: 64KB
-
memory/1636-2825-0x00007FFE94620000-0x00007FFE9500C000-memory.dmp
Filesize: 9.9MB
-
memory/1636-2806-0x00007FFE94620000-0x00007FFE9500C000-memory.dmp
Filesize: 9.9MB
-
memory/1636-2829-0x000002CE66A60000-0x000002CE66A70000-memory.dmp
Filesize: 64KB
-
memory/1636-2832-0x000002CE66A60000-0x000002CE66A70000-memory.dmp
Filesize: 64KB
-
memory/1636-2845-0x000002CE66A60000-0x000002CE66A70000-memory.dmp
Filesize: 64KB
-
memory/1636-2868-0x000002CE66A60000-0x000002CE66A70000-memory.dmp
Filesize: 64KB
-
memory/1636-2880-0x000002CE66A60000-0x000002CE66A70000-memory.dmp
Filesize: 64KB
-
memory/1636-2807-0x000002CE63FB0000-0x000002CE64E08000-memory.dmp
Filesize: 14.3MB