Analysis
-
max time kernel
130s -
max time network
133s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
-
submitted
25-06-2024 10:39
Errors
General
-
Target
KwishClient/Start.exe
-
Size
25KB
-
MD5
17d3aede5181494ef3a4a00513a84398
-
SHA1
caaacb5eb2582abc96af355c4cd7ce33863521d2
-
SHA256
7695430fc6530b309257c463264469f1f2c8dc5053ccd50876b196a9d73b9a5f
-
SHA512
482bf196726c4f87fedaa7b90bf18c61b4e24a78cc5479f59a2b0e2a76649f9c2ea2444899d42d9d6113182b39b7486e32483f0664bfa9f08435c45f812b4624
-
SSDEEP
768:svpQGEN3DpCuhp8mpSrVHyF49Fu9wq1U/XdZU4jFl:Qr4dCuhRpSZyzRuFZ7H
Malware Config
Extracted
njrat
Njrat 0.7 Golden By Hassan Amiri
HacKed
park-curve.gl.at.ply.gg:38826
Windows Update
-
reg_key
Windows Update
-
splitter
|Hassan|
Signatures
-
Detect Umbral payload 2 IoCs
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Disables Task Manager via registry modification
-
Possible privilege escalation attempt 2 IoCs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Modifies Control Panel 3 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\KwishClient\Start.exe"C:\Users\Admin\AppData\Local\Temp\KwishClient\Start.exe"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Start.exe"C:\ProgramData\Start.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\KwishClient\.exe"C:\Users\Admin\AppData\Local\Temp\KwishClient\.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\KwishClient\.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 24⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name4⤵
- Detects videocard installed
-
C:\Users\Admin\AppData\Local\Temp\KwishClient\.exe"C:\Users\Admin\AppData\Local\Temp\KwishClient\.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- System policy modification
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f C:\4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" C:\ /granted "Admin":F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" /r /t 004⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1224.0.414005311\256353994" -parentBuildID 20230214051806 -prefsHandle 1768 -prefMapHandle 1760 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f488c89c-4f00-4853-acaa-a0bec99d71cb} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 1860 2388f00df58 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1224.1.2079324192\289540945" -parentBuildID 20230214051806 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b36de6b5-4dc3-4711-af9e-775f005c02c8} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 2404 23882186c58 socket3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1224.2.1834623299\451728472" -childID 1 -isForBrowser -prefsHandle 2708 -prefMapHandle 2940 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 1044 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5d6694b-25f5-4340-aa90-5a98ad99cf4c} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 3124 2388df97358 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1224.3.996742985\1362042911" -childID 2 -isForBrowser -prefsHandle 3612 -prefMapHandle 3620 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1044 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {703d408d-4127-4d64-bb3c-8a1668f2b6c6} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 3632 23894587958 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1224.4.1833611587\1389516748" -childID 3 -isForBrowser -prefsHandle 4348 -prefMapHandle 4664 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1044 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23b62bac-74bc-4678-8817-c794d0b24eb8} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 5108 2389683da58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1224.5.1696285357\733367854" -childID 4 -isForBrowser -prefsHandle 5256 -prefMapHandle 5260 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1044 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {964a10d0-0100-4364-86a7-2d8f43c42137} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 5244 2389683ef58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1224.6.1231133378\1414252152" -childID 5 -isForBrowser -prefsHandle 5448 -prefMapHandle 5452 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1044 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ce68c3c-9b4e-4667-a1e2-3b8faf85765b} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 5436 2389683fb58 tab3⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3a24055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Start.exeFilesize
25KB
MD517d3aede5181494ef3a4a00513a84398
SHA1caaacb5eb2582abc96af355c4cd7ce33863521d2
SHA2567695430fc6530b309257c463264469f1f2c8dc5053ccd50876b196a9d73b9a5f
SHA512482bf196726c4f87fedaa7b90bf18c61b4e24a78cc5479f59a2b0e2a76649f9c2ea2444899d42d9d6113182b39b7486e32483f0664bfa9f08435c45f812b4624
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\.exe.logFilesize
1KB
MD55f36c205799cb2f8966c7d5130cea05c
SHA1614993e3437ff9363c3eb698d7dba379a453dd6e
SHA2568eaaf40fe7570c8fa593702f38fee2f54538ba6a77d7c54005e8d1f150f5180c
SHA5127053cac09d2e71675771bae4ac25f1a47f96be662f6bb2aab24668ed4c1809fb1261b2d6465202c09bd0310bf875361a815db6dda6006dcfbbb5fb3c50c5927b
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Start.exe.logFilesize
1KB
MD5e7edf56d23e3eddab9453776bd1cc9ed
SHA136c5a79710d6810871de84443bc4f42c404504bc
SHA256b115c8bd4e8c80eedb64322046695b1bb6783ddfebf7bf93a0562a12bb4de95a
SHA512ab2c905ff55d9a202469218f65d6df63eac131c06886316ae4e8cd05dffaa42541d11df774d89629d0cc6df067ed9d0c2b44811952e4f3668c3e9d4fb84f57a1
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5437395ef86850fbff98c12dff89eb621
SHA19cec41e230fa9839de1e5c42b7dbc8b31df0d69c
SHA2569c39f3e1ee674a289926fddddfc5549740c488686ec6513f53848a225c192ba6
SHA512bc669893f5c97e80a62fc3d15383ed7c62ffc86bc986401735903019bb96a5f13e4d0f6356baa2021267503a4eb62681e58e28fcff435350e83aa425fa76cd64
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5c24caab1947646fcc49d6158d78a56f5
SHA1aa2cd00401eb273991f2d6fdc739d473ff6e8319
SHA2560696315ad3df3edd5426276c265bd13d8bd2a0d101548bcaedd82e2aebde655a
SHA51235e1d214dfb4c7f078496e3e303aea152aa48f9db5b9aa188aeb82b541582ed77f60bfe8712836232b5aa31d3645edfc79b42c8f90e92e06778f21aa44971bff
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
948B
MD5ae45638dd1c046829e39f88839964222
SHA142b27a30e3bbadef6065fc5f0129dc24a9d87b76
SHA256b62cc7a49c958d41c0e7784cc6918f5edbf197f19a9b00c09b65e2f44fade360
SHA512593b1912bc28ec098778cf5c062f5e95de6060c0052334e9ebba10bc01e8139ae02603a3d97672aaf09e0b44b87655a36298a0b09de2368f0f802d564e76ce92
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD57332074ae2b01262736b6fbd9e100dac
SHA122f992165065107cc9417fa4117240d84414a13c
SHA256baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa
SHA5124ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD50f75e8536b42ee6f7bb660ade7991245
SHA10918496d043aa7d232f69d44d86cca77938f3e98
SHA256a705c54b798f77c9518ea45b93bec6c4bcab90c0977d8e1b8266c2079262f7fa
SHA512968601098ec2c60007eb58ba0e48cd3dbbc3365e98b7713a5fcbdffdabac43873c0547340dc1bea994cb8b365ba6981edd96780ece9c9e5e60e122d79988de9e
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g2lldp8o.default-release\activity-stream.discovery_stream.json.tmpFilesize
30KB
MD5bc70849972f9eb81a90775daa4a5239a
SHA1d90a695fe9c1686d83e74094e721a8c28f7f803f
SHA25624bb10d611ac05ca4d6c4b647f5b63ca0e52d035f3c482261e58555907a72d84
SHA5120e4ce1448436bb5521ff2f0877d24a3b28306afd42747156f10329f6aee7e8964f17a8bd6665ae023dca113c264af384c6028b4ed33a73a8a840d4012b5b7656
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g2lldp8o.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1AFilesize
13KB
MD5b08e44a02eaa00d1eca0338780aded5f
SHA1ff24341f41a0cb7f41b1d9f046ea471776cc8475
SHA2562056058cfff353f1a8130e1ef9da58ac6a7e41ca6db6d0f7dd3a7aa50b12b44e
SHA51256873861a5c4d1878ad0cb6772afd9546191b73af45bcad22332a1841624de4acefd8b18709debedcc455ed42197339eccc0d4ff62387f4c5870ce791f8cd5ba
-
C:\Users\Admin\AppData\Local\Temp\KwishClient\.exeFilesize
22.0MB
MD54d1d2d53bc1aac8b044fe12d9121ae22
SHA10d8088a23272a3a20785637915cb81af137f81cc
SHA256b6ef7d7410a44494a09973b7b0ca173ca4f67f52ea542c7393e3d1874257dfb5
SHA512520c8796ff1229a5ad072d408ca97b2afada4fb10d9c2a8360f1cae1d29ac67ca42e80842eeb2052e6e715ee028a5e6a8d15eb388a23932655bfd0319cb3db9a
-
C:\Users\Admin\AppData\Local\Temp\KwishClient\.exeFilesize
231KB
MD5157dc3d81fee89af95e44300cb46bb94
SHA1f7684bd8a11526a7cebeb668e32a01498785ed92
SHA25672ec2b7ff3142521a6e640371dbf03125af27057f77ab08e2d50b0f7e3f97f7f
SHA512fb7e7fa91fb1efef7d2e95578f305a9d81e48c8ad229cef9404abe7688d9cb8981ccd779a1ad2604d877a3cbeb6d7c5f4c5f46c07cffb309c06b44c50e9d39db
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wi5x2m42.fie.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmpaddonFilesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dllFilesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.infoFilesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txtFilesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\gmp-widevinecdm\4.10.2557.0\manifest.jsonFilesize
372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dllFilesize
11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.libFilesize
1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sigFilesize
1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\prefs-1.jsFilesize
6KB
MD504faa5b7168897c1b036966b4dab7ddd
SHA1ffd991ab3f4a803e76d976eaafc861734c76862d
SHA2561ef41eda4b7a9a8522dace2f1cd3dacd549f357611fce91f6221f0f5ec2aafae
SHA5121ac5b45f2ae318cd452099ac83ef40a116270f3f6ded5612443f0b9201b3f97a195261bf7bc461204714c7df9fdf1e02b0bb7aaa69c58cfa7fdce75bcf04b058
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\prefs-1.jsFilesize
8KB
MD59b17d54f3bcb2f00b90d802f106009f7
SHA1a7de61462986b808fd46ffe3526855642a2a586c
SHA256012d19acb0b6cc4455ce8dcb9510d9a552cc32903e6e2d61eebf898b3006e3d7
SHA512d64e81851352141b33fd0734b2919c50fe36eab3735f7de79b43caf3b3766e7d9676fd481066dd6833d0524af8abd264ba987ab2a3f6dff844fbac0d98bd1394
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\prefs-1.jsFilesize
10KB
MD5057a25053824771e2418c7e54a497c81
SHA15723f4956556e0f7a8aa8f436df11bb106ecaa45
SHA256864ebe99f54b6057e9cec6ed10fec176f3c6effb9fc95784066fa965a5c9c395
SHA512f49f36890ba37c40e8b080342ab02e9514dae90e299dcb618d73c659103a5aa991507abab9cbfcfc81b36d90ca37fc668b9f9d821f6b6aa7c9422d075a2bf7ef
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\prefs-1.jsFilesize
10KB
MD53b15249d0b69f30e83f8bcc1ad0aa110
SHA10c224622b83a4cfc3eca3ff0ae86e4e741ad094d
SHA256d3d60febdd0ac2496ddcbd842e15cff354de47b525ff1809d8a7b567579cfc97
SHA51292a4b38a8e11b67c9daf92cdc6a912b7c95ee52b500648e2765c5334d94685c61d3f5aa5f6a98c2b42bca2d37fbceacaccd5b82d6c7b4c9385c02ee974f0cc1c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\prefs.jsFilesize
10KB
MD58803b1340206258f12de3db7c4944eb1
SHA1358df6a35aaaecdd36d88dcdc986fb14c468f14a
SHA25624ff59b8c1ca18072e46f0077b981a9ceb5235fc2100c7f23cd5bbf60060ce40
SHA51263ca0c93b7d6b783d262280813ef7a139993fae6122d26dc601c7af3f1bc6b9a97bb50b660333a0073e66036e664ebce0ec2fcf11163894eee3ec21629822279
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\sessionCheckpoints.json.tmpFilesize
259B
MD5c8dc58eff0c029d381a67f5dca34a913
SHA13576807e793473bcbd3cf7d664b83948e3ec8f2d
SHA2564c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17
SHA512b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\sessionstore-backups\recovery.jsonlz4Filesize
1KB
MD57430397b58e2b176a5a432174b7d5834
SHA111f3d748004dd3352de0162cf96e337cbebf8b41
SHA256db7117fb44b16030a9ea0e1bca8e2e98c52fa8bdb146728406c7b7f2192644f7
SHA5124a1f45e47ad807a7bf6e2b41228c63beeb7fedeb7c5308df5955c7bdfb1db1a02c7e9e01f339dbbdc27c510fe3b8cac720bd75e56e4fa6a36726c8e916abadc3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\sessionstore.jsonlz4Filesize
878B
MD5812f2a4690b156ff5d95e5eb7cfbc11d
SHA168380b202cdda28258ff521d7e6035ca6e3a9d79
SHA2561e96685388f5c8416103ffde699d3a4575a3dc8d5d75bebb7873ec60dfb684e8
SHA5120cb0d806786239a8a95a9f09a8af2804c7375a16da8b1604d01e99d4f7a8120f6e83e3731cd271b70efff31aadedb7645a6e2cd0b9e06f8484f95ace79d669ef
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqliteFilesize
592KB
MD518b207724815ecf77509be164527ef45
SHA15705fea72720bbd4491ab10cdeaf44c41aa04c63
SHA2565be074771f990d41d788b24025bd2d5ca3877339da59462067d7139ea17a2749
SHA5129acf0242814f844fc6986ef7fb030fe08adf2f24cefce217eceae9f5c01fbd894e426e27a67e068742bd53d0a770308dcf951f37ff807ea3bfe47412bef95ca8
-
memory/1480-15-0x00007FF961CF0000-0x00007FF9627B2000-memory.dmpFilesize
10.8MB
-
memory/1480-3-0x00007FF961CF0000-0x00007FF9627B2000-memory.dmpFilesize
10.8MB
-
memory/1480-1-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/1480-2-0x0000000000D20000-0x0000000000D32000-memory.dmpFilesize
72KB
-
memory/1480-0-0x00007FF961CF3000-0x00007FF961CF5000-memory.dmpFilesize
8KB
-
memory/3152-97-0x000001FD8E890000-0x000001FD8E8B2000-memory.dmpFilesize
136KB
-
memory/3824-2235-0x00000000000D0000-0x00000000016D4000-memory.dmpFilesize
22.0MB
-
memory/4228-19-0x00007FF961CF0000-0x00007FF9627B2000-memory.dmpFilesize
10.8MB
-
memory/4228-168-0x00007FF961CF0000-0x00007FF9627B2000-memory.dmpFilesize
10.8MB
-
memory/4228-2296-0x00007FF961CF0000-0x00007FF9627B2000-memory.dmpFilesize
10.8MB
-
memory/4228-17-0x00007FF961CF0000-0x00007FF9627B2000-memory.dmpFilesize
10.8MB
-
memory/4228-20-0x00007FF961CF0000-0x00007FF9627B2000-memory.dmpFilesize
10.8MB
-
memory/4228-21-0x000000001BAA0000-0x000000001BAAA000-memory.dmpFilesize
40KB
-
memory/4228-22-0x00007FF961CF0000-0x00007FF9627B2000-memory.dmpFilesize
10.8MB
-
memory/4228-16-0x00007FF961CF0000-0x00007FF9627B2000-memory.dmpFilesize
10.8MB
-
memory/4228-14-0x0000000001680000-0x0000000001692000-memory.dmpFilesize
72KB
-
memory/5080-88-0x000001FC7EC40000-0x000001FC7EC80000-memory.dmpFilesize
256KB
-
memory/5080-112-0x000001FC7F170000-0x000001FC7F1C0000-memory.dmpFilesize
320KB
-
memory/5080-111-0x000001FC7FDB0000-0x000001FC7FE26000-memory.dmpFilesize
472KB
-
memory/5080-113-0x000001FC7F100000-0x000001FC7F11E000-memory.dmpFilesize
120KB
-
memory/5080-148-0x000001FC7F0E0000-0x000001FC7F0EA000-memory.dmpFilesize
40KB
-
memory/5080-149-0x000001FC7F140000-0x000001FC7F152000-memory.dmpFilesize
72KB