kaiten | 21ad07db066936bcec2b7118ae378bf626ab22dd9dc92cc85a6f1b74dca8339e

Resubmissions

24-05-2023 16:12

230524-tnkgysdg6x 10

11-05-2023 16:02

230511-tg24esad6x 10

Analysis

max time kernel
184s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2023 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

knight.c
Size

34KB
MD5

30aded215fadd9c85bfcb92da55f8fd4
SHA1

0dec38ef672e09b22902271b6f5599277d10f932
SHA256

21ad07db066936bcec2b7118ae378bf626ab22dd9dc92cc85a6f1b74dca8339e
SHA512

00524d77dd051833d93a5b1d655cfcd0d2a173971a48b5b4d1a96ff39f690e1eeba8ad62103e5084af2a96c26b040c9b3ae27cdfdcc2e1deb49af186957719ac
SSDEEP

384:nwUhD+2siWH7kZ9fmNIVkVTP6uCumiQCuolbafAx2pQ4Q26Wv7xOsUvSYl+:nfhD+87VkJp6pQxNQxSvl+

Score

10^/10

kaiten botnet

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000023185-699.dat	family_kaiten2

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	NOTEPAD.EXE

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2492	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	4088	firefox.exe
Token: SeDebugPrivilege	4088	firefox.exe
Token: SeDebugPrivilege	4088	firefox.exe
Token: SeDebugPrivilege	4088	firefox.exe
Token: SeDebugPrivilege	4088	firefox.exe
Token: SeDebugPrivilege	4088	firefox.exe
Token: SeDebugPrivilege	4088	firefox.exe
Token: SeDebugPrivilege	4088	firefox.exe
Token: SeDebugPrivilege	4088	firefox.exe
Token: SeDebugPrivilege	4088	firefox.exe
Token: SeDebugPrivilege	4088	firefox.exe
Token: SeDebugPrivilege	4088	firefox.exe
Token: SeDebugPrivilege	4088	firefox.exe
Token: SeDebugPrivilege	4088	firefox.exe
Token: SeDebugPrivilege	4088	firefox.exe
Token: SeDebugPrivilege	4088	firefox.exe
Token: SeDebugPrivilege	4088	firefox.exe
Token: SeDebugPrivilege	4088	firefox.exe
Token: SeDebugPrivilege	4088	firefox.exe
Token: SeDebugPrivilege	4088	firefox.exe
Token: SeDebugPrivilege	4088	firefox.exe
Token: SeDebugPrivilege	4088	firefox.exe
Token: SeDebugPrivilege	4088	firefox.exe
Token: SeDebugPrivilege	4088	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4088	firefox.exe
4088	firefox.exe
4088	firefox.exe
4088	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4088	firefox.exe
4088	firefox.exe
4088	firefox.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
1444	OpenWith.exe
1444	OpenWith.exe
1444	OpenWith.exe
1444	OpenWith.exe
1444	OpenWith.exe
1444	OpenWith.exe
1444	OpenWith.exe
1444	OpenWith.exe
1444	OpenWith.exe
2492	NOTEPAD.EXE
4088	firefox.exe
4088	firefox.exe
4088	firefox.exe
4088	firefox.exe
4088	firefox.exe
4088	firefox.exe
4088	firefox.exe
4088	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 2492	1444	OpenWith.exe	87
PID 1444 wrote to memory of 2492	1444	OpenWith.exe	87
PID 3632 wrote to memory of 4088	3632	firefox.exe	97
PID 3632 wrote to memory of 4088	3632	firefox.exe	97
PID 3632 wrote to memory of 4088	3632	firefox.exe	97
PID 3632 wrote to memory of 4088	3632	firefox.exe	97
PID 3632 wrote to memory of 4088	3632	firefox.exe	97
PID 3632 wrote to memory of 4088	3632	firefox.exe	97
PID 3632 wrote to memory of 4088	3632	firefox.exe	97
PID 3632 wrote to memory of 4088	3632	firefox.exe	97
PID 3632 wrote to memory of 4088	3632	firefox.exe	97
PID 3632 wrote to memory of 4088	3632	firefox.exe	97
PID 3632 wrote to memory of 4088	3632	firefox.exe	97
PID 4088 wrote to memory of 3916	4088	firefox.exe	98
PID 4088 wrote to memory of 3916	4088	firefox.exe	98
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 1564	4088	firefox.exe	99
PID 4088 wrote to memory of 2604	4088	firefox.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\knight.c
1⤵
- Modifies registry class
PID:2548

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\knight.c
  2⤵
  - Modifies registry class
  - Opens file in notepad (likely ransom note)
  - Suspicious use of SetWindowsHookEx
  PID:2492

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4088.0.1543088416\857981511" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdb75bf4-46e0-4d34-a09e-fda53704e6d0} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" 1916 22f2f719e58 gpu
    3⤵
    PID:3916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4088.1.1040076392\1452691199" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d4dec3f-e468-44c5-bca9-c1462b7d1e75} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" 2316 22f2176fe58 socket
    3⤵
    PID:1564
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4088.2.1092576530\375945303" -childID 1 -isForBrowser -prefsHandle 3084 -prefMapHandle 2844 -prefsLen 21009 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b792e3c3-97dd-46e4-a2bc-cbd3a8fd0918} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" 2772 22f323f7f58 tab
    3⤵
    PID:2604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4088.3.2098194519\24247351" -childID 2 -isForBrowser -prefsHandle 3412 -prefMapHandle 3396 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {509b71a0-66cb-4763-85d5-ebbb9cc1e4d7} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" 2456 22f21764d58 tab
    3⤵
    PID:424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4088.4.1195578822\1896497511" -childID 3 -isForBrowser -prefsHandle 3688 -prefMapHandle 3684 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7034acd-b266-41b5-96ee-5ea77a2c8e27} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" 3696 22f30e3b958 tab
    3⤵
    PID:1952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4088.5.1525918923\281415054" -childID 4 -isForBrowser -prefsHandle 5056 -prefMapHandle 4976 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {130b7d8d-4e2d-43c0-8d82-4f4a853d8191} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" 5052 22f21766e58 tab
    3⤵
    PID:3256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4088.6.1196632651\1993649320" -childID 5 -isForBrowser -prefsHandle 2804 -prefMapHandle 2800 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98b17908-da5e-4083-a2e0-369ee5a8e001} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" 5188 22f34b66e58 tab
    3⤵
    PID:5116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4088.7.190210044\1813263607" -childID 6 -isForBrowser -prefsHandle 5424 -prefMapHandle 5412 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4d4518d-ab03-4cb1-8ef7-e15f09b6b0de} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" 5312 22f34b64458 tab
    3⤵
    PID:1188
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4088.8.885141017\145128254" -childID 7 -isForBrowser -prefsHandle 5804 -prefMapHandle 5816 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49910171-57e7-48cb-9d9c-65b738437183} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" 5800 22f2176cd58 tab
    3⤵
    PID:1504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
64c5979bb2295e8747be5c10680655c0

SHA1
3097296b1468d84bdb79209660433ea800787f6e

SHA256
f19163500ab70020ae1133f55b637e48db01b7d335e205c3265c9faa72536009

SHA512
e59b5898641249e22cfa48d74d85886ba1481488ca22b2e2930c62b0f82bce666505b1ab4bc82de5b8e4aeb61e980bd908693889e1897e22bb57f05042fb66eb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\activity-stream.discovery_stream.json.tmp

Filesize
150KB

MD5
757d282414294c37e91b4cbadb7a4894

SHA1
595675a2045e099f60cdb3ea4ff0f75d2dde2ddb

SHA256
08993f7313f1dcfe44f61641b107e28f9e010bb22da29ae3c9ac29d2ad142ac0

SHA512
f6813ee5e3f32b86318978ee495590e45077fc1b0f7ff71c17d414d9597147708a1615e94e9aee5d5d4abc2fa6c31ec8a9187c3f6c2f79e9f4711bd4e1da897b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\10764

Filesize
8KB

MD5
91c73b6a1ccaa2874f004f30cc6a1fd0

SHA1
f71083f26ff9aab95c022d16e659989ecf1a48e4

SHA256
b5ffbaf97fd14b26c33ef1ab91f10bb5de18bf55a792cb2345b3dc4b235d0b38

SHA512
37cbf6c4e61d1686e35fef113b8ad7a7478b96d699d01b4fdc39d93479c94b73945a92443ce5080b11288cb2024dba24451d6ea08548db51f851451ef76c426e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\11998

Filesize
9KB

MD5
c0fb3bef5ba5ce30882c9239f9422e13

SHA1
9d1598d0fcc7d036600f463d02d9339bd2d4f2ff

SHA256
c1207c11a7607f1f8252a6333feb44fbd4fc3f29e3e43a82a754749a0814a02b

SHA512
7131e90c703188b66c9c247c07f0aeca719f109c1b7096ef7b7663f0597285e2b652856f5ed02c8cc9c8f1e6ec4038709d3d636691ea8a21c742d110fbf9139b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\15264

Filesize
8KB

MD5
1c8114baae17dfce89615ee6e660653f

SHA1
16356efb5667fd8fc55a012ae808fe02cfeaf70b

SHA256
3e740d314f11b0ee6abae9ad07b1e0408ad68879cffdbe941e1d9ad4f1c4828a

SHA512
5348915528bc1e1a47d981704b9b1f4cbac9e092e6b341df950f6d6b671486bcb2edcf0c1dc72303e7d9a092b54eea046f944410b700b3b4d7df810ca9b03457

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\16161

Filesize
8KB

MD5
10640529bc4345e608569fa69ccd1f1d

SHA1
42146faf42449bf0631b9737652d2d3adfeafb54

SHA256
60a20ab14cc5e56c09691a979c800da7e52e1106bbc96dc62e104eb9154e0bf5

SHA512
0f529bad0cdeb9efcdfeffaca156f183605d0629d8d3e9e06f5c5728611c511f05b67254bd2e70fcc86ad603a53ec38a0f90517f430c785200c71d3abe19e833

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\16633

Filesize
8KB

MD5
6489a4686068f9cf526a71c8b6167b6f

SHA1
6b6fbd3ecb65c37156cfab386bc4d732a5d4ce9d

SHA256
7bbaf7c2e3fa277c95792f76c5d0567bfca4727f83188439a4252936c1218254

SHA512
9d2b4a49b3e94a1efae6c0df01604628502a69ca533f4070b680ff9f92bb3fbfca24a94c60ee6fa1ea6aad786f8d623f25671baeb14c9fc585147c5f1bbd9a3e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\17778

Filesize
8KB

MD5
08395608122af31f8d55c7e97b5e2212

SHA1
a02d788563961065599f3cc6999a859d8a6e476c

SHA256
76e9178c49906d3a0035483a5931be36a848d05dd4ecde7535fa86f24cefb3bf

SHA512
948e1053067c157f688fcd0894ac5c168249db3631a19c333e71b90719af5585705bfb9fdfa9d01aeceeda8cf8fb459b4beaf3f1b279e25bb8882cafc559ba92

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\20471

Filesize
8KB

MD5
bfd96238dfb98321b8d6481ef7dfeaee

SHA1
51a8911b7f5e01a4e06e12bccfaff21e35851d83

SHA256
8216fd0c2dcea6c5d32815ceaa8ff9108b093f54b4c8f20b1cbc1fb66461789a

SHA512
86544778afb9fb9a06feee963f75c946fe6ffb78293bdac71347d17880f870546d9a41ecd37532bc875f6ebdbd6c7e6d96971c889660abb338318b80e31209ac

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\2685

Filesize
8KB

MD5
d0336f66db55d31af65cc32222c47e85

SHA1
cb89895b3f6b6f3c6a440e1cfd3b23d0b309e429

SHA256
9f8359ec59295f43ae11ed96aceaffa93184b5f11cb060b66e325ae1563f41b5

SHA512
9b3077422e2fb3c83a07c405065c70bc61739cef78bfb2f5ae1fe6aa80cbcdccf38b222eb0015a032e4411ab0db9017a1ade314a9fac5f96a5e422e6ba2ed767

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\2886

Filesize
8KB

MD5
d8a1f087c657d5bc7b19e954806c0f07

SHA1
80386ccf6e7dff5bfda4276d121a1524ffdfda2e

SHA256
5d5e91d8e81391db1771e570c691cd2df04b208dfea787e1037dc08ac9334ae4

SHA512
22b8901e798aca22a018d39c7773390fcdb7e25f75cba8351d17cb35162fdd42050112f4fe62dc66f63d78fc15ecbf0f1f26a1cdbe9563d64f7a571356902828

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\4782

Filesize
64KB

MD5
83eeb060676fc1703188df0e6f8e282e

SHA1
6c2a1552552be75d9b3adcb99b710b1854d1587b

SHA256
bef39825948dc383f71367c3fa4506cf29522801ca7d4912b0e800ceb1ed5d3c

SHA512
24494e394aae1d9e2967ff453746d8ff04796a6971e80c589c7dc9f656011f615ae57e9c5946ff297d07b3491ad134491a21c4fddf43b92892ca5c005acfe3b9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\4805

Filesize
8KB

MD5
c94ab6be7c05be20e2e000a06d6b2036

SHA1
5489493cd5649b9a9604d19a649e2890561db3ae

SHA256
6e16b7e148c4f693c3a91cdcc6d2f01babc156dd59e230341a7dc87518c61c77

SHA512
5bd56c327b33c56f35499784ef93eb7c6ed060e736d30d9e687b35a2bd12440b33a42303dbfdf36c49ac2fc7c53a4804713708195273d5abe17f43ea2967098a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\5904

Filesize
32KB

MD5
0da2b5df1e8153cd16117f549c693900

SHA1
9f8bc9ad42c6f8e9eede3484d079d3391a4ef40f

SHA256
65057f1e45285deab9ffcf16cca266fcd653b6a6ba838f28893b703a470a5c39

SHA512
99f7be3fd21657af717efb2b951826aa21f50d706a34776185edee497068d637930e5b8989c70744aeba812a3cc2e0793973cbdf3c96843b250f322e9991ca74

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\6028

Filesize
8KB

MD5
1f1d3b059068447056c8f36c4f605c7b

SHA1
2b9b9c5b3fc654c1f7f4a493f41435ad8b55adb3

SHA256
04d669f3552ef7302f08f600daa2c790e1952bf5ebc57c63dec13e9c1925ea0b

SHA512
aff466442a3329a4420220fe2e223e96a3ba2c71a09c79f8ac6832f5c711436cb71e4fbc04a241c793ef8c1a25f3dcdb9446b2628c412168d978ab592b981895

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\8396

Filesize
8KB

MD5
124489ed5f8fd82b8495e58e666a468e

SHA1
ad16118bb420a4c468fe38b8f514471e899c7e68

SHA256
c87f7e9de34e62ee28fc58ca2e09669b3b7e26a6de1e5f2344fbe3dbd72b6a20

SHA512
62047fa46ecf20a70f6bc4338b4604b2d0756dcaf5e1084d0f95167131bd290f0cdb539c906cfadf41073f4e78bb17e957ff2674d8962d27683fa0cad85929d0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\9293

Filesize
8KB

MD5
f19ea5420f72fe004403b99ca0990658

SHA1
52f15802040e2efc2fe4788eb2ae48b13b2230a7

SHA256
77bdf368f4c8433738c10b1bf4dcabb429db46ae3178015fae7168c732297e6f

SHA512
53e72756ff56df4c51e385058fa8a654367ec7a4b5c0017fd98a0d3b7fa2817335641d6b06deaa46cb745a322148abe6af894fbdef57064bf5b1e4927f4e6828

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\9901

Filesize
9KB

MD5
d9a63df88d6f4e7793f2913d4313990b

SHA1
95c486bc958fa0b0f64065565b5c96a32fc4f1de

SHA256
566dc0b01fdb1f3814bc894c6601b2ed63a85ae9a5c7b5abec059e13afaf92c2

SHA512
facaaeb700bdda2a4d2760164552458a0722c30e0921fc185c556823769474acccd974c8322e8a6c66e9aea3218357561c944642eaf79bb17f3fd491b737ded6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\entries\917E41E135032D6BD66E5D6F84F0988D37234A33

Filesize
14KB

MD5
b2ca14c7ddc787b03eb4b3b76d5a6457

SHA1
22122f96da5f14c61122467bfcb5217b0e3cccb2

SHA256
b268f74f1aa24d25a5ced2eb95b2e403a1e41318c8ae9d46f97b1e2ac1de7cb9

SHA512
ee8c320c45d9862fdb615daf78ab7e706cec785edfe21afd915e974758217eb0c6de4a59d1df9e5e1b26df302a5f10e3193285d069c0b16be2322b907bdd7699

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
6KB

MD5
c535cbd92d2a37f184c0e26544bd7093

SHA1
e82a8620049954b54f70c05ca802e75774d2a1ce

SHA256
4e7ade99124640429529b8bc5a3d59a7375ee0b35956890af3b2ddce98a682e6

SHA512
0956242f089a33a0a69052c9920b17411ce43f9bd5620a68a20fa31a32af7f7b1e854f24f6c20e53f426a2586b4ef249e7548f33f24092d74edde0547d96b9d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
6KB

MD5
5c96e303a62f9e3b26ae2b944a546098

SHA1
606834514a9a5fcf49b63cee5be6a1ed3a67f09d

SHA256
3677e877defb707e90b998402e0310efac749122da1eb687eafd6c8e41fc97ea

SHA512
43241434ec1c6eab9cf512b1966d7262eec711a73db8d15117fb2f283bc8834bacf8f4ef8fe59e41b6022407a5510ef8d4e2b1028ef9d64e14bd2fa2859f3c1c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
7KB

MD5
73f1fe3528b6c92d825a0bfc2f13944e

SHA1
cb2f6a62166729bd87650d2934c8ea56568779fd

SHA256
47f6d2c78b824e54f4f02b815ea9eedaa28d66891f8b36d226c5264b3050a489

SHA512
3c3772cf580d3cb7f52e159b2cb6261ad215d20a1cf4626f7751f0737d431afd2ba0911ccddc28954ab9664ab5cb3b13be8f5c2e3a5043f4f1f551cf798dc3d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
8KB

MD5
2f092690840d2aabdf28917256d1e997

SHA1
e99a3a22f9c5c7bb6452b13b354c3490ab335282

SHA256
9ef69d9431ba9aff3a87af05391e43dd469644cb303329973cf365eed57a502e

SHA512
8e1897255efc596419885d6c9e8692038cbbf13ed234fbd393f4bdc51c46d115091735c9bfb398315f1e688b60f9fc7231009923df1922e5102d703caabc023c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
10KB

MD5
b4e0191e3df3c10a3ba3258609c3ce0b

SHA1
a4f21fda5660fcf40e7c9b54b60ddcc307bf4e28

SHA256
e481e285445480f97887db60c37f7d533e6f8169bf1249994bd08a631ab93c7a

SHA512
ac233943e4151a6cab52fd88718ef22e49fe75f139e5fded7d30d43e4818864a0ffaa1289456f20e1038d3cc6be118b15f1c5a60279f36f482295f1a0f7bfe2d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
10KB

MD5
4ed9750e3a9aa2f14564caa6d4a9e4af

SHA1
2033afb3896fe285f2599e6b854167882f87f255

SHA256
8ed87a5f66e28bc756ffe1a17dbe4e5f7f80fa85d4405c005763dfb36d3ab788

SHA512
4f232fea58bca8af78caeb48d2ca376b2578726891cdfd47c2b182ad44f13442b519507e37a005d158a140f547720e886c98f6a2959ce0f647875022cfccc3ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs.js

Filesize
6KB

MD5
fcd5f37e5e4066f7cffe8eb106b6ce19

SHA1
b0a1c4d3d5c96271429fb09cb71055d177c13402

SHA256
38dbdb91f24f8e138803d71d0f7e4758fbb78e7f657208325fe30a501e225c67

SHA512
afdf7697bc784c3c85f30a8a1e4caa32459cf7f19c1ffacde04f62f089218ff1899ffe69fc465677d719546c8f91bea0d04807b13d58096f79aeba8eef0a0a15

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
8fccad48279550ffee8af0a8b4de8484

SHA1
686e47039818d808934bd6f44232dc5d22436c48

SHA256
a4909901a91023c79ffbee1f073c36094cd2bad1a25a96e598f227e45beeaf0e

SHA512
7285caff815767ce682325599b559eff3202238e9e61f4e47354a7cf523aad0b644e1a30214725f8df9e3212adaa4f65fd182d25609d7a3b1b4bbb15e1c64163

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
2af0fc74aa33f7773ed889783b4fcecc

SHA1
758d5432dcc12b6f3d600113aa09da6c8a293db7

SHA256
6923fc32851c1e0479fcfe47a73c9f8ea491221e2a212462f7a18778058c1bce

SHA512
688df7eb41faa1d8e1aec66fad66968b4ccdf66524892271f214fe574a8bb44afc8b5a35641a38d74a195a550261daf0dfcf6870dc80b15a024d83c503fb97c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.2MB

MD5
c6928f47ca9f34cbf68be296a0410bba

SHA1
93471b60a611d334e1122aa16f920fdd5edc5d64

SHA256
d5f66f463938d10d1b690d6363e57df6a8d5644ea1e46ccad408d43ebf832aa1

SHA512
9d5c535f88de1be02e1bd9b2be0386bdf16d27991ed330a9484ed05a7e2ee9e32a267d80bbd2eb028c7c038f89343440503733b7c36be906eb465f3bc71c0d96

Download Submit
C:\Users\Admin\Downloads\knight.c

Filesize
34KB

MD5
30aded215fadd9c85bfcb92da55f8fd4

SHA1
0dec38ef672e09b22902271b6f5599277d10f932

SHA256
21ad07db066936bcec2b7118ae378bf626ab22dd9dc92cc85a6f1b74dca8339e

SHA512
00524d77dd051833d93a5b1d655cfcd0d2a173971a48b5b4d1a96ff39f690e1eeba8ad62103e5084af2a96c26b040c9b3ae27cdfdcc2e1deb49af186957719ac

Download Submit