58189cbd4e6dc0c7d8e66b6a6f75652fc9f4afc7ce0eba7d67d8c3feb0d5381f

Analysis

max time kernel
121s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2023, 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

calc.exe
Size

27KB
MD5

5da8c98136d98dfec4716edd79c7145f
SHA1

ed13af4a0a754b8daee4929134d2ff15ebe053cd
SHA256

58189cbd4e6dc0c7d8e66b6a6f75652fc9f4afc7ce0eba7d67d8c3feb0d5381f
SHA512

6e2b067760ec178cdcc4df04c541ce6940fc2a0cdd36f57f4d6332e38119dbc5e24eb67c11d2c8c8ffeed43533c2dd8b642d2c7c997c392928091b5ccce7582a
SSDEEP

384:Otj8FKzuRxmeWCJxhd2WS/YWyiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiLiiiB:QXif4CbPQ7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3492	GUP.exe
3976	readme.exe

Loads dropped DLL 1 IoCs

pid	Process
3492	GUP.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3392	3492	WerFault.exe	108

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	138	Go-http-client/1.1

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\test.zip:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4672	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4032	firefox.exe
Token: SeDebugPrivilege	4032	firefox.exe
Token: SeDebugPrivilege	4032	firefox.exe
Token: SeRestorePrivilege	60	7zG.exe
Token: 35	60	7zG.exe
Token: SeSecurityPrivilege	60	7zG.exe
Token: SeSecurityPrivilege	60	7zG.exe
Token: SeDebugPrivilege	1396	taskmgr.exe
Token: SeSystemProfilePrivilege	1396	taskmgr.exe
Token: SeCreateGlobalPrivilege	1396	taskmgr.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4032	firefox.exe
4032	firefox.exe
4032	firefox.exe
4032	firefox.exe
4032	firefox.exe
60	7zG.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe

Suspicious use of SendNotifyMessage 22 IoCs

pid	Process
4032	firefox.exe
4032	firefox.exe
4032	firefox.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2912	OpenWith.exe
4032	firefox.exe
4032	firefox.exe
4032	firefox.exe
4032	firefox.exe
4032	firefox.exe
4032	firefox.exe
4032	firefox.exe
3492	GUP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 4032	4976	firefox.exe	90
PID 4976 wrote to memory of 4032	4976	firefox.exe	90
PID 4976 wrote to memory of 4032	4976	firefox.exe	90
PID 4976 wrote to memory of 4032	4976	firefox.exe	90
PID 4976 wrote to memory of 4032	4976	firefox.exe	90
PID 4976 wrote to memory of 4032	4976	firefox.exe	90
PID 4976 wrote to memory of 4032	4976	firefox.exe	90
PID 4976 wrote to memory of 4032	4976	firefox.exe	90
PID 4976 wrote to memory of 4032	4976	firefox.exe	90
PID 4976 wrote to memory of 4032	4976	firefox.exe	90
PID 4976 wrote to memory of 4032	4976	firefox.exe	90
PID 4032 wrote to memory of 1388	4032	firefox.exe	92
PID 4032 wrote to memory of 1388	4032	firefox.exe	92
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 3636	4032	firefox.exe	93
PID 4032 wrote to memory of 4116	4032	firefox.exe	94
PID 4032 wrote to memory of 4116	4032	firefox.exe	94
PID 4032 wrote to memory of 4116	4032	firefox.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
1⤵
- Modifies registry class
PID:3724

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2912

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4032.0.466605287\1588693420" -parentBuildID 20221007134813 -prefsHandle 1860 -prefMapHandle 1852 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d201b38-3761-47fa-a970-23157e94e42c} 4032 "\\.\pipe\gecko-crash-server-pipe.4032" 1936 2582a216858 gpu
    3⤵
    PID:1388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4032.1.1131426471\1599174690" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {659f8540-569f-492b-9bc6-10421bbebb82} 4032 "\\.\pipe\gecko-crash-server-pipe.4032" 2332 2581c270758 socket
    3⤵
    PID:3636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4032.2.578288428\890049193" -childID 1 -isForBrowser -prefsHandle 2980 -prefMapHandle 2836 -prefsLen 21009 -prefMapSize 232675 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d720db73-56fd-4f4a-be3d-c5a174b2609c} 4032 "\\.\pipe\gecko-crash-server-pipe.4032" 2972 2582cef7858 tab
    3⤵
    PID:4116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4032.3.894387323\1526853628" -childID 2 -isForBrowser -prefsHandle 3244 -prefMapHandle 3236 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {719fc464-dbf2-4f1e-b51a-9b905fdc8ebd} 4032 "\\.\pipe\gecko-crash-server-pipe.4032" 2364 2581c271958 tab
    3⤵
    PID:944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4032.4.1919859375\790987809" -childID 3 -isForBrowser -prefsHandle 4080 -prefMapHandle 4076 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b99aff8-ad5d-4366-b2e9-3ee2e67fa0ff} 4032 "\\.\pipe\gecko-crash-server-pipe.4032" 4092 2581c262b58 tab
    3⤵
    PID:536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4032.7.1984785304\96922033" -childID 6 -isForBrowser -prefsHandle 5308 -prefMapHandle 5312 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed9ffa4e-c2e9-4b0f-b4da-ef94432c53e2} 4032 "\\.\pipe\gecko-crash-server-pipe.4032" 5300 2582b807b58 tab
    3⤵
    PID:4840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4032.6.1429621101\117582432" -childID 5 -isForBrowser -prefsHandle 4952 -prefMapHandle 4956 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0544ec1-6a2b-4b7f-bc1e-320285382796} 4032 "\\.\pipe\gecko-crash-server-pipe.4032" 5020 2582b809958 tab
    3⤵
    PID:2560
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4032.5.1712932856\1745210549" -childID 4 -isForBrowser -prefsHandle 4932 -prefMapHandle 4992 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {326c39d6-db9b-4137-8daf-008f18d8a398} 4032 "\\.\pipe\gecko-crash-server-pipe.4032" 4976 2581c266e58 tab
    3⤵
    PID:244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4032.8.1631054087\380924904" -childID 7 -isForBrowser -prefsHandle 5656 -prefMapHandle 5644 -prefsLen 27020 -prefMapSize 232675 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd796930-d449-4dfb-aafe-8581970b059a} 4032 "\\.\pipe\gecko-crash-server-pipe.4032" 5636 2582fc8a558 tab
    3⤵
    PID:4872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4032.9.870498232\2042793650" -childID 8 -isForBrowser -prefsHandle 4740 -prefMapHandle 5896 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b6285ff-d4e9-4f8d-af46-b434a6d54667} 4032 "\\.\pipe\gecko-crash-server-pipe.4032" 1660 2582fce7b58 tab
    3⤵
    PID:3888

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2768

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\test\" -spe -an -ai#7zMap4582:70:7zEvent27796
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:60

C:\Users\Admin\Downloads\test\GUP.exe
"C:\Users\Admin\Downloads\test\GUP.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3492
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\readme.exe
  2⤵
  PID:5004
- - C:\Users\Admin\AppData\Local\Temp\readme.exe
    C:\Users\Admin\AppData\Local\Temp\readme.exe
    3⤵
    - Executes dropped EXE
    PID:3976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 420
  2⤵
  - Program crash
  PID:3392

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\test\test.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3492 -ip 3492
1⤵
PID:1916

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\activity-stream.discovery_stream.json.tmp

Filesize
135KB

MD5
8daee0cb84590c36d92d52d64454bd8d

SHA1
305416c9010e3e52ff9b1cfb383c0a45ebf7ef71

SHA256
69e382ef3232b4797e38809119fe793da46911a03e8f1032f15b4fb5d5232a22

SHA512
ca443127817b7ad4b6313ea6abf7fa3f710ceab703c14c1a9aa96d6b417d9006b95de00ba9fe1f8924a302fa4ca8ecef77d589b38b8a3cfccd04fa55a1191162

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\10614

Filesize
9KB

MD5
22237d55702453a5d8bb1b7b689f018a

SHA1
2de78d07dad947fe90d73fab2945c125f4b0375c

SHA256
0ff076acb29532b622bdc17b92641915e6ac3c478ad37766e64a1c743835b0e1

SHA512
e82918939f6df296b7a414675be579e8c0397274b4a3600f540a20ec153418cd58586aa69104f921bbb8d295e43753e361d5f6f869898335840bedc2b9b7619f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\15564

Filesize
11KB

MD5
1f7cd7cd2520f1b039ea461d0d2bd7d1

SHA1
47ff7c604c41f8ab5e85066e9571e532173eae77

SHA256
158adc4e238229fab02d88c7d7b6f263dea77bd2233b1719a067c6c0b9046bd8

SHA512
8aa842b5e6ccde7416727a8d86fc2e24483e25f3671d50fbef6db3590fed49b50c05244e4915ad31e1592e09942bbcaa75d37efa2a7d8c35b49ae45456b40cd2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\26777

Filesize
11KB

MD5
477c2e2753645abb4f074965641eaa10

SHA1
03837f7d43bc901feb15e8cbccbde332840ce339

SHA256
f5cd3f9d3f320712d42f5f7a39a5656e1cf356afed6f8921f7da9c1f74a77022

SHA512
341816d9d6ea2c51094670710c2d1ac8d600a1de4d8d8b69742b365fba839b54ed87d191513dd952fb4ae533b8483a2c2fa56fe4a8b21fa065c815ec720488fa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\27717

Filesize
43KB

MD5
7f212f13f9e3f399b1dfc01be263015d

SHA1
a7eb2ffd77ec228368a8395c76cd13e66b1bf537

SHA256
379f7c3ecb316f20915a5642217941c20acc0fde45cbd9ee26e3b7b0b04de744

SHA512
1f18c3f353008dcdcf58e82d08cfd3b0198f5d08f93084e3af972718f94ac03b848152474dda0eade29f7f22534162e4e58424e1b0845aa9a709f3f08f8dfc71

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\31095

Filesize
101KB

MD5
a03ce1bbfe47455b1045032e6b932fba

SHA1
39372e701ff3d6f5f5f72110ead056f35278ddb5

SHA256
d672fa485fb5cb333c2464924908952406dd2c00c3187688d5b34b1cfddc3d74

SHA512
901e6b4ac444c9aeda5c9fca66288c360752d9450d1c69503b99501b2c5adda260940e4203257b8546100288ae5823103310779bf4195b36e21ff8c69c757ef1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\5082

Filesize
26KB

MD5
ac7f640cf70e5c2e09cba83272298e2d

SHA1
308ca37b40d490a3795bab8f8ce03efd3b282aca

SHA256
dcc414188cfee6ecd9ce18154746ec9b36e840ccee84a54c4563de2a3911acda

SHA512
ca096b5f075ddda0a36963e8c5a285eadb1c8bf376899f933a1cafed14067dd007a039828da112bb363822993252151b3b66d1fe9184ef457d295319eb027b41

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\8808

Filesize
9KB

MD5
b9e53382d178b44922ee248047c2bfb4

SHA1
10a7e1ba4724d8303ffab2f681d8b71355b3e983

SHA256
11956e0b5eba2b592be87cd1ef827d17bddf6d79f39c17db398e1332c97c8856

SHA512
90b1c977fc75df42d6bec58328e540d5354ae5a5429ad9e322adf49f00edab4b44c8e000a0daa25504fcfe36cfc2359cbe122c2acd6c8af51600dd4013df701d

Download Submit
C:\Users\Admin\AppData\Local\Temp\readme.exe

Filesize
3.8MB

MD5
97fc3ed4597ba3572ca8ecc2d49a1358

SHA1
8b2b076f19f473d9a282c0a5e8dadb12f2f0e155

SHA256
1b60515302d751705508414ad0a04c553e12e0085f322a29fb03560c021723fb

SHA512
c9b83b4c5b769dac30349e329c7b84fac76886a5575d100153523b0214d00ea1ffb2d357ce0e32d872e84d72bd593237fbc8c24df8f2669d3c2437dae2a5cab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\readme.exe

Filesize
3.8MB

MD5
97fc3ed4597ba3572ca8ecc2d49a1358

SHA1
8b2b076f19f473d9a282c0a5e8dadb12f2f0e155

SHA256
1b60515302d751705508414ad0a04c553e12e0085f322a29fb03560c021723fb

SHA512
c9b83b4c5b769dac30349e329c7b84fac76886a5575d100153523b0214d00ea1ffb2d357ce0e32d872e84d72bd593237fbc8c24df8f2669d3c2437dae2a5cab4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
7KB

MD5
dcb696d08e68cbbbe718edc13c662920

SHA1
c177ef5a522b64d4e149598cb3609f2506c3b81b

SHA256
b4047df6ca8b4982b98ff33a07b12912e69a7ded230ce31fba5b3253d0b6e129

SHA512
ba921144d8a2badac12d351b83ba54984a9ad66770c7a7f582234ec13541b5c82a69c9419c7a80dd37f9ea33b973c37b435740d475cd28cb90a62ea39ff6cdc2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
6KB

MD5
34b2d5c3992a9390d06f4715a7edd354

SHA1
163e4def4fb5d763ba6849c1519fb801e289c8a4

SHA256
d2e1c54cbffdf61b399db1905b2bd9a1d6f117442c2346b798a2ea3439760d7a

SHA512
016c8dcadd5d5a3543956be95eb9c921e7d6048ecbfad21e295209ec4993d9c686c0904270d8da0d2351394a6c2de1f0a539eb0a5baa0bfcbd28c3676c1d370b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
7KB

MD5
81690a5ce12840dfbaac59c1bda60479

SHA1
033fe20956d20d4d5fdb03520bdf2e81cd5aa002

SHA256
883cae507ac6f75dec71cab9f594bc1c9a94eada6f57f2c4d74e4309892418bf

SHA512
fe594d794afbf6d6ec6005c58752d15f8f9df6f22ef5d7b00c295a4bf47317fa24e8eace3b5c8d5e3e76416f702c7237a70009c55fe1e6813a8acb35f3b671c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
7KB

MD5
7878d6c79afe66a2938062004d221af9

SHA1
16859100352e81f94ba2bdcca6632cba8018e9a9

SHA256
c08dfa52d821086aff6607e7ed2afaa27ddac53d1558ed279853f16c1a132cf5

SHA512
0a90e62ebd48c2f4d270aae3d1a7b317221d92bef1f18dac6c44e1e01f027f96016aa2fd1bfaf30287a7cb10e322875183882cd60b790157e153fe1861740972

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
6KB

MD5
d129dfdd41e141f2d1238a9b6ce1d29b

SHA1
5f40e00a9920c2bebe4e9fcefd7f4dfca1d2181e

SHA256
ce70b57296d306c2d3d4d06179fde79d83564355f19636e22f0dc6073f348e2f

SHA512
7c2f6f1302e1bcc5235ddb66c973729757c98f33d2950759b16e9c6d2d8e466e8d789a266a62def6fc5f28bfcd4f2aa8f0599ebaa0db4b410d756a008dee689c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
7KB

MD5
19a289e70cd8f3b6be77f2cf82ef5aee

SHA1
dc16758d0ca366caf32980ebb60208858c66a13e

SHA256
135689544cde8ae0aa181f0255f850f2af2fd4d1f7595f52c3a5e5820e248e10

SHA512
e995667015e2dbff4f62c8950b9eff656386d9a84959bdf917fe4f57b1efcceb4e781b1aeefde9c9b402b45a77fb69bb8d2ad4997ceb895492ef2dbdfb29ac17

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs.js

Filesize
6KB

MD5
fcd5f37e5e4066f7cffe8eb106b6ce19

SHA1
b0a1c4d3d5c96271429fb09cb71055d177c13402

SHA256
38dbdb91f24f8e138803d71d0f7e4758fbb78e7f657208325fe30a501e225c67

SHA512
afdf7697bc784c3c85f30a8a1e4caa32459cf7f19c1ffacde04f62f089218ff1899ffe69fc465677d719546c8f91bea0d04807b13d58096f79aeba8eef0a0a15

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
71c7cddbfb5c149b877f1e726d60b8e4

SHA1
234939542d5c9a52af46334c494892b64c874b81

SHA256
109892511908a8446647791d6176379be8b7ffbf4a80604a58833aa31f981a23

SHA512
c6a161093f0c6ee037538275dd42776d3a63a1b3293fff2acbf814d6e71ea20b63a94d09d2e18d94be57cb26e13573d2a07c001e57d10653b539974182618206

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
543bb517945945cbd2e6533093494375

SHA1
78130431303e99cbdf6c0fb5459c23af22ba77a8

SHA256
25b766ce95381ec91d8110f981ffadb6c02f3e6bed2956efe14a32f0222a0fe2

SHA512
6ffa94d8a97e3631655ccd176f14b9d014e708ff45a1b82ac1913bce9df2f0ecfbcdf6070517fe60fb1ebe825a59f6dd0a278a3d1f2aa0420a5c22ee2561fe0a

Download Submit
C:\Users\Admin\Downloads\test.YgJ4ZGLA.zip.part

Filesize
104KB

MD5
4efb7a6c52a9706cc22ffced950d1b25

SHA1
1300e722755881b3fc7cc8b807d0b76ccd1d85cd

SHA256
d9a452dce0f2435fddfdc87bde79bd97b116c0c9584171a44fc4c1cfc6cb4a66

SHA512
e53bcd6364b0b601e74f2224cd5008f8760465fbef1ce050cda87272c20f100caf598d808fbb6f8bfdf953b3513ece0486fe767e9019721171a2e944d89fed59

Download Submit
C:\Users\Admin\Downloads\test.zip

Filesize
2.7MB

MD5
6cdfb2ea90c3b598c9076465a9718a88

SHA1
6423c4429a6195a0965af391a5ce43f9d638cdda

SHA256
33b8dcfd30098f79b5f0c5994aa4e5febf46a4213479e9025b9766231a9e9f9c

SHA512
9827a279dc3e41865c1c6b64f0ec890a199d2cb3b4be4f18ed3693cb65555c4ed4a68dcf643258278faa8578a956d0627f48b40d66175a25fb88d64e9ac5c3aa

Download Submit
C:\Users\Admin\Downloads\test\GUP.exe

Filesize
735KB

MD5
14b0b4b0b265e12e4f82acd9ac55c7ff

SHA1
9302dfc6b5f9fdeb4fa48febaced1f59aa9d80bf

SHA256
b229a5a67a6431eb2b99a56039cc374562f1a4da50847e5214be93baf507095e

SHA512
610cc706de51e515b96da221c249cedc7814052992974ecbcecfa2a863c571059a9bbfc7ddcefef071827d9554daec9815778aa984c675ca212eb62b0b5a5b7d

Download Submit
C:\Users\Admin\Downloads\test\GUP.exe

Filesize
735KB

MD5
14b0b4b0b265e12e4f82acd9ac55c7ff

SHA1
9302dfc6b5f9fdeb4fa48febaced1f59aa9d80bf

SHA256
b229a5a67a6431eb2b99a56039cc374562f1a4da50847e5214be93baf507095e

SHA512
610cc706de51e515b96da221c249cedc7814052992974ecbcecfa2a863c571059a9bbfc7ddcefef071827d9554daec9815778aa984c675ca212eb62b0b5a5b7d

Download Submit
C:\Users\Admin\Downloads\test\libcurl.dll

Filesize
75KB

MD5
3727ef565724b2acc0697028710cffec

SHA1
caac38f1475cff0f0311b7a42dacc6bb29aef9be

SHA256
c375a1cd9ae7c62d9fbec0660251c0becb361985336dae3a6a3c1663bc762b67

SHA512
0ebb78ad6aee8689c5a8c2ce9adf730da28092e09e27ea668c0ec81e1cb781f13e2bdf7ef2bf101c804b83c5fe77caf99ccaab6c98b52b80f5f55acfc02c8be0

Download Submit
C:\Users\Admin\Downloads\test\libcurl.dll

Filesize
75KB

MD5
3727ef565724b2acc0697028710cffec

SHA1
caac38f1475cff0f0311b7a42dacc6bb29aef9be

SHA256
c375a1cd9ae7c62d9fbec0660251c0becb361985336dae3a6a3c1663bc762b67

SHA512
0ebb78ad6aee8689c5a8c2ce9adf730da28092e09e27ea668c0ec81e1cb781f13e2bdf7ef2bf101c804b83c5fe77caf99ccaab6c98b52b80f5f55acfc02c8be0

Download Submit
C:\Users\Admin\Downloads\test\readme.uxd

Filesize
3.8MB

MD5
97fc3ed4597ba3572ca8ecc2d49a1358

SHA1
8b2b076f19f473d9a282c0a5e8dadb12f2f0e155

SHA256
1b60515302d751705508414ad0a04c553e12e0085f322a29fb03560c021723fb

SHA512
c9b83b4c5b769dac30349e329c7b84fac76886a5575d100153523b0214d00ea1ffb2d357ce0e32d872e84d72bd593237fbc8c24df8f2669d3c2437dae2a5cab4

Download Submit
C:\Users\Admin\Downloads\test\test.txt

Filesize
288B

MD5
9690dd39b46718f2e8849bf6f7a0cace

SHA1
353f14be9354c114118ce3b2a0ae382de1206ac5

SHA256
adc59dc298c01cd68642bd5aabbed31b175ddde2cb8cde23d0b82894e1d58868

SHA512
63351416e98b23821ce7529ee7fbf15addc055ab52ae7933f5d564fd9a937a339d53face1c5a139aae6be657c40482e45cdbeb0a24cc226e99238c27ab9ce2ea

Download Submit
memory/1396-1199-0x0000020A68D00000-0x0000020A68D01000-memory.dmp

Filesize
4KB

Download
memory/1396-1201-0x0000020A68D00000-0x0000020A68D01000-memory.dmp

Filesize
4KB

Download
memory/1396-1200-0x0000020A68D00000-0x0000020A68D01000-memory.dmp

Filesize
4KB

Download
memory/1396-1211-0x0000020A68D00000-0x0000020A68D01000-memory.dmp

Filesize
4KB

Download
memory/1396-1210-0x0000020A68D00000-0x0000020A68D01000-memory.dmp

Filesize
4KB

Download
memory/1396-1209-0x0000020A68D00000-0x0000020A68D01000-memory.dmp

Filesize
4KB

Download
memory/1396-1208-0x0000020A68D00000-0x0000020A68D01000-memory.dmp

Filesize
4KB

Download
memory/1396-1207-0x0000020A68D00000-0x0000020A68D01000-memory.dmp

Filesize
4KB

Download
memory/1396-1206-0x0000020A68D00000-0x0000020A68D01000-memory.dmp

Filesize
4KB

Download
memory/1396-1205-0x0000020A68D00000-0x0000020A68D01000-memory.dmp

Filesize
4KB

Download
memory/3492-937-0x0000000076FA0000-0x000000007701A000-memory.dmp

Filesize
488KB

Download
memory/3976-1222-0x000001E026B40000-0x000001E026E3D000-memory.dmp

Filesize
3.0MB

Download