963edcc0ef0f02a227e40c4d1f7eb319ae32559baa290b24264aee027053ff62

Resubmissions

21-10-2023 12:44

231021-pyrxkagb77 10

21-10-2023 12:08

231021-pbd27aga69 10

21-10-2023 11:58

231021-n5h3kaga48 10

08-10-2023 18:41

231008-xb6ffafb9s 10

Analysis

max time kernel
274s
max time network
338s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
21-10-2023 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mathway20Database20Leaked20January202020.txt
Size

545.2MB
MD5

21da4ab437bc44fe51239d0d74bd1910
SHA1

72406887174c2631fbdeaa638e58c4725957ce65
SHA256

963edcc0ef0f02a227e40c4d1f7eb319ae32559baa290b24264aee027053ff62
SHA512

61fbd111860700f84cd43fe2a52c21f2ffde763f504bf06c73fcaafe3fa968996c6439e5074bb14a01f75e770d1dde61e24b9939dff278414c913e4c888af327
SSDEEP

786432:n8mrDuYVNa3Z8+Q6c3iBmGzFUQN4fmm1S39Z2dfmMY65rUPxgRH:8ip

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-827376917-4115551959-2205343446-1000_Classes\Local Settings firefox.exe
Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

536 NOTEPAD.EXE
4180 NOTEPAD.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 4872 firefox.exe
Token: SeDebugPrivilege 4872 firefox.exe
Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

firefox.exe

pid process

4872 firefox.exe
4872 firefox.exe
4872 firefox.exe
4872 firefox.exe
4872 firefox.exe
4872 firefox.exe
4872 firefox.exe
4872 firefox.exe
4872 firefox.exe
Suspicious use of SendNotifyMessage 7 IoCs

Processes:

firefox.exe

pid process

4872 firefox.exe
4872 firefox.exe
4872 firefox.exe
4872 firefox.exe
4872 firefox.exe
4872 firefox.exe
4872 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

4872 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-827376917-4115551959-2205343446-1000_Classes\Local Settings	firefox.exe

pid	process
536	NOTEPAD.EXE
4180	NOTEPAD.EXE

description	pid	process
Token: SeDebugPrivilege	4872	firefox.exe
Token: SeDebugPrivilege	4872	firefox.exe

pid	process
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe

pid	process
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe

pid	process
4872	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 3644 wrote to memory of 4872	3644	firefox.exe	firefox.exe
PID 3644 wrote to memory of 4872	3644	firefox.exe	firefox.exe
PID 3644 wrote to memory of 4872	3644	firefox.exe	firefox.exe
PID 3644 wrote to memory of 4872	3644	firefox.exe	firefox.exe
PID 3644 wrote to memory of 4872	3644	firefox.exe	firefox.exe
PID 3644 wrote to memory of 4872	3644	firefox.exe	firefox.exe
PID 3644 wrote to memory of 4872	3644	firefox.exe	firefox.exe
PID 3644 wrote to memory of 4872	3644	firefox.exe	firefox.exe
PID 3644 wrote to memory of 4872	3644	firefox.exe	firefox.exe
PID 3644 wrote to memory of 4872	3644	firefox.exe	firefox.exe
PID 3644 wrote to memory of 4872	3644	firefox.exe	firefox.exe
PID 4872 wrote to memory of 2992	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 2992	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 608	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 2968	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 2968	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 2968	4872	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Mathway20Database20Leaked20January202020.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:536

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\b018989e31824938848d4e2b3152fd62 /t 4168 /p 536
1⤵
PID:4548

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Mathway20Database20Leaked20January202020.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4180

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3644

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4872

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.0.1366189627\1816297049" -parentBuildID 20221007134813 -prefsHandle 1604 -prefMapHandle 1596 -prefsLen 20936 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9635498f-29a9-413b-a44a-6090225110f5} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 1692 1f37f6d9e58 gpu
3⤵
PID:2992

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.1.141513623\1650489317" -parentBuildID 20221007134813 -prefsHandle 2072 -prefMapHandle 2068 -prefsLen 21017 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0047f4d9-10ce-465d-9341-54d26a147087} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 2084 1f37f1e4d58 socket
3⤵
PID:608

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.2.391408855\972912064" -childID 1 -isForBrowser -prefsHandle 3048 -prefMapHandle 3044 -prefsLen 21055 -prefMapSize 232675 -jsInitHandle 952 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbb27489-2d36-4adc-ac0b-fae6a2defa44} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 3060 1f3037f3558 tab
3⤵
PID:2968

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.3.976661321\1022785728" -childID 2 -isForBrowser -prefsHandle 3544 -prefMapHandle 3540 -prefsLen 26480 -prefMapSize 232675 -jsInitHandle 952 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d71f90d3-9589-45b4-9247-aa9ebcda7d0a} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 3556 1f303be2258 tab
3⤵
PID:2876

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.4.1861030758\1630934700" -childID 3 -isForBrowser -prefsHandle 3788 -prefMapHandle 3784 -prefsLen 26480 -prefMapSize 232675 -jsInitHandle 952 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f138360b-dc4c-48fc-b419-34a8ef062d6f} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 3776 1f3049a2158 tab
3⤵
PID:4400

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.7.225156909\875746078" -childID 6 -isForBrowser -prefsHandle 5112 -prefMapHandle 5108 -prefsLen 26620 -prefMapSize 232675 -jsInitHandle 952 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8438162e-0142-4a94-acbc-09b3bbe2ce4b} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 5028 1f3058e9a58 tab
3⤵
PID:4680

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.6.951196060\302252247" -childID 5 -isForBrowser -prefsHandle 4692 -prefMapHandle 4844 -prefsLen 26620 -prefMapSize 232675 -jsInitHandle 952 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d53a3b6-4628-4301-bb6c-5106758bfa65} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 4832 1f3058e9158 tab
3⤵
PID:4280

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.5.154734462\495485952" -childID 4 -isForBrowser -prefsHandle 4716 -prefMapHandle 4728 -prefsLen 26620 -prefMapSize 232675 -jsInitHandle 952 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f640a1d-5aff-4628-ac71-ab3c2fa558d1} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 4680 1f30491c258 tab
3⤵
PID:4236

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.8.1511080141\1204993900" -childID 7 -isForBrowser -prefsHandle 4404 -prefMapHandle 3296 -prefsLen 26620 -prefMapSize 232675 -jsInitHandle 952 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae93f7d8-1a1c-4433-a530-cacf2455917a} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 5484 1f3027dd558 tab
3⤵
PID:3296

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.9.1014176977\628131686" -childID 8 -isForBrowser -prefsHandle 5812 -prefMapHandle 5808 -prefsLen 26795 -prefMapSize 232675 -jsInitHandle 952 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9412f7bd-6a76-40ba-9e86-3a4afde320c8} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 5820 1f307ef2e58 tab
3⤵
PID:4600

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.10.266249141\134515516" -childID 9 -isForBrowser -prefsHandle 5952 -prefMapHandle 5956 -prefsLen 26795 -prefMapSize 232675 -jsInitHandle 952 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3536a50-d36d-41e6-a3ef-3ac29d6400ac} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 5588 1f308289258 tab
3⤵
PID:992

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.11.1160444973\1660696830" -childID 10 -isForBrowser -prefsHandle 5036 -prefMapHandle 5620 -prefsLen 27196 -prefMapSize 232675 -jsInitHandle 952 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dad31b04-5398-42f6-842a-45fc6fe0e9ed} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 5248 1f307abf858 tab
3⤵
PID:4664

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\1300318f1e46434cafd60d8991be378b /t 3096 /p 4180
1⤵
PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i3thknts.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
65768e4c70ff42257d3b6a5ecbcc7132

SHA1
547057167d1504e483d9e3e70e181e167193edf6

SHA256
5bc46c145e244a180633b6b42d83e7041c5ddb9e1a822ebd4417ae6362cfd4a1

SHA512
06df78149f756ac5ddd1a8375466fd12936424108e195ff7cba29112ef45b25b4ac245bfd09dcbbdd43ec39810722d94feb2fd818f3e6d96bb95b44c1b869214

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i3thknts.default-release\cache2\doomed\10483

Filesize
9KB

MD5
4f3dfc963b3a70a591eef882c11c72bd

SHA1
5f822e42cd143ab948687fff1feeb28a2f637905

SHA256
1b60bbc16e00037e9ee2e3bee7267a0bd221c6ddda3226ce78918132c5eb339c

SHA512
5958d8ded2b03fdca304bc5fe3bbbca111653c52c9a8fff23246826c157bd214e518f4a18a26caaf0514d10be227d9e8499aa002f570edd65361b0b00d9584fc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i3thknts.default-release\cache2\doomed\10932

Filesize
9KB

MD5
fc187e7f1413bfe5c92eaa5838c4a8ed

SHA1
94cb0b5bd52e02f57c5eefa426e68a2ba9b66458

SHA256
e639831c6b88237ae0a32b2e00708fd3e364350a3647338a3ece23b934ea3049

SHA512
27181e7541f22d681e4447b8088ac5bf06f24b0f62c30d90ed03b144f4d30c360a2cf0493bb8b2bd6e7ec4ed4d5f881f82969724d595a336a26b3040836f5008

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i3thknts.default-release\cache2\doomed\15892

Filesize
9KB

MD5
54b4d01420ed5e24882a03cec950a8bc

SHA1
1f5699c4e51b2c0e69f3b85e5fcb9f41b85b7948

SHA256
33dd22d32fd2c9ac35871ce61899acc2d8a77f57e2e0c60bbd1644176108322d

SHA512
707dd3bfe7acf6a3aad712c57f2d801f5bb565df878783edb56979f3369166ec22bcde916daf29464579aa95794a56e3f548f6982b9c3acae36cc203fd5a0424

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i3thknts.default-release\cache2\doomed\16920

Filesize
9KB

MD5
6c38fd6cabfc468c9b102eeba210b47e

SHA1
70116cb5b573e64178e7cf27dcec1ea30e738ddd

SHA256
c6676ec06f8ee3dbe665c3df178fff8ada1ad6df75773434e3771ae596a4da0f

SHA512
ae9fcd2d154c73bb652cb7e917ecadce1110a790fe144bac0cd890ba763c02070b878d76385cfb43be3ced2b5e92bc4655ffd093f9f062e79c5adca8d78c2164

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i3thknts.default-release\cache2\doomed\18024

Filesize
9KB

MD5
0dc76a3d087572a369379a34d0e518e7

SHA1
8be96ae13ec3acaec6c1cf15f73112604eb8a89e

SHA256
df684f0ef7e7f478c0ede89339cb5867631a86276fa3e5d3ca5b365844a2c96c

SHA512
35fb63599a0d5f087f4b17dbfce3dd27439d2593594e3e456b98b6b8e6a28be3b22b652f6500624595a7eb92a3bbb655960a05f65ca296acd8702ca614c9ba30

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i3thknts.default-release\cache2\doomed\2033

Filesize
9KB

MD5
be0db232cf297b931d661215e16cbd46

SHA1
ac7ec425b0a38321057d5aa744851cd63d7bd983

SHA256
2fa41652bb84fbe7720705dc3a0e5ef53253c20804d8682a73e6f85e917aadb7

SHA512
9f2a5d6ce48f66fc0a428511f7a44bb94fc73064d52fc2e3c311b52a433e4e915d57fa5abca0d42155df9054061e045874425ee40c6453dad3fa241e0ed64c6d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i3thknts.default-release\cache2\doomed\24331

Filesize
9KB

MD5
bdfbc2a9e5063fc1119b9581bd7693c8

SHA1
67595866e3efa286d11c9d80ce0ec48c8308efc7

SHA256
b3edff13371c0a2dcf7749a33584b0f1e5aae1e9a6b2d8caa48d73a6834ce82b

SHA512
f5a035409b018b24428a8422a5b176b5deb777e268a125b2277591dcbad304124b50d0db9a3b5cbfbd1acaa12c41b58a44c50098def559af6f149967805a70ba

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i3thknts.default-release\cache2\doomed\24757

Filesize
12KB

MD5
ae6803a212605e94c4aa9f185c271f1c

SHA1
32c56dcd7e6ee78ab5bdaff2f5f42e19216eecc7

SHA256
51c47af832efa947d9b31c09e080eca2e130c2e57297b45b53ad321f6ec10858

SHA512
c9526500be104f9a0d886eef21f8995a386c905c5ffb529887ae40b3d3d10fc675efc54c846f31b0d7f08caea26d42e6c79f1776153da409eacdb5e6832e0472

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i3thknts.default-release\cache2\doomed\25689

Filesize
9KB

MD5
a35be74082071e199e2f2e72fbe30bd1

SHA1
c9c2db15f1174327ab4321fc59b89b791766a55c

SHA256
c4d45f020f07621d4e201574fe96b2b2644762f76f719eb4c3d2993cafafa5b1

SHA512
aaf3b557e1820e3331163756a40b703094a53f9072e8cb2434b8dab4d8c906eb4a23b026bf6e98f1d9ec07ec4d7b12c353870ebce6a7e13ed00c031bda5a54d9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i3thknts.default-release\cache2\doomed\27260

Filesize
9KB

MD5
46286fb55e78612caf57be4bf6a83ae6

SHA1
d11985e63ff0b95ca4debf8359aa1a43c856fd89

SHA256
408e3d257b1a9df61af3926e78a2b427371e7ee3dbd5e48bb3cd677f3d0f27d5

SHA512
58e38f82814e677a8555ad0e17757e316c779426e84e729751f05e1299ecf4fa4ee7647883e8189da1712e9b68c88a6709c077137e9c6ca0a07a3b14e6d9557e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i3thknts.default-release\cache2\doomed\28029

Filesize
12KB

MD5
054914d7ed17ed3e50a77351be514ec4

SHA1
a2016454f776cdcf5d15da573c0ecbfd5d669720

SHA256
bc21a41bed8607534720154ca63893392f1320c06c4fbca7b570d7d69f6e77b3

SHA512
d79bb5da611d7474d852333e48f69cdc3546f9e067769ac0f3d688baea5ff691a0730003fffc2d1a423a64626c5d20bfb8168299a514493565dc8e5a03dcea34

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i3thknts.default-release\cache2\doomed\28046

Filesize
9KB

MD5
168cfc6addaf585fff7c5275705b1347

SHA1
4918e2e6ca0ad1ee9c6d1f46cad31b80bcbf13c9

SHA256
12ed5210cdb4538fb4ac4183266512a6fa30534b12112f0e7b9879bbfa33e43a

SHA512
b0fce41afb2732734e5e7536cbc0d106b5ae76661241cb63f3cf93ea3dc2b3bb83c3447925c596e04117e20a62848a45ce00af213e4f9a76c07d5aad82667979

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i3thknts.default-release\cache2\doomed\32584

Filesize
42KB

MD5
31431c0f1318bbbe05db1c76b4be82d2

SHA1
536302918b04f8eee175dc6b838fcef586bcd0e9

SHA256
d90ce3d5b8a08b7db94b74e9193bc2c360b1cb091a483194fa97a37d07d5287b

SHA512
7792e8299f1df5acf28ee89011f3bfee24acb78dec2569369c1b2b50f051d30e282acd093aa2464f84e0665512e385da48faa03f301e1aeb449e000f4e9fc56e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i3thknts.default-release\cache2\doomed\799

Filesize
9KB

MD5
a0d647727ba8ad6f67545c720ae84bb5

SHA1
154dc4c737acda4cb1495ecb0a59d9ede50cbb58

SHA256
fad596c90991e47d3bbc4f385861164b55bc0c514bbd2b9a6d50b0f23f1b10ec

SHA512
e3158db3607795aceb70f5876b4274124c30f5de5e1fbd3bf1cf33e33e6e721be9ab1942e851208c8a232ea00f1aa831fe4b5b70457d1e46fe90fd1b56d2d15d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i3thknts.default-release\cache2\doomed\8452

Filesize
9KB

MD5
065e824fc5f6aa58823475f25d2dab43

SHA1
239573a0ffe6c93b581a35254435b43f41ada106

SHA256
73050f982fc8a40aa7a62a724c820dacabb298f760100addb8dfb0fe86d52852

SHA512
47d17f2cd1ab8e8655a849d6ceb66e839514c6018ee6f76a7f17f149b8ef85ca3bc9f1c9d6ee0b6076b32b1bc0ae2d130d1d2fe67afcb99cbed892cea1f50f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i3thknts.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i3thknts.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i3thknts.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i3thknts.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i3thknts.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i3thknts.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i3thknts.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i3thknts.default-release\prefs-1.js

Filesize
6KB

MD5
ae536276511c9b0c6e6ed4cab584545c

SHA1
ee1472449a1c4aae2b52767cdf21e3375fe3aa35

SHA256
bfa85da35562521c3774b657a0f577e65807be9504c2f505d8b92c50bd205d42

SHA512
91aa72156073675431d4afe19de200e558902683c4090e160f240b87fb5f471b094270e9dc1e47a536a55fc73ddc39c1360af44274ec205f64b288e9fab35df0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i3thknts.default-release\prefs-1.js

Filesize
7KB

MD5
35b7cadc31250364da39d69a7e911635

SHA1
23494fe9a895eb16553675530260c624c0523baf

SHA256
f6e6117e10040d7c4dcb51a806cd8f0c1abb78447d645afb614077f18ceb3e69

SHA512
db8f6528dbf8c95b0f3f5e77c3b862ff099062800e51c2b9f795d5138f83e1cae5c237694af56da9f929309f11ad399715f1541a289711b3512b32447010bf6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i3thknts.default-release\prefs-1.js

Filesize
7KB

MD5
367ea462bdc2cba0a0d94f551201a963

SHA1
1a322f62d5d79334e336c4f6c8bd5f16a0c9c878

SHA256
fd220794f8e6d9155c54a1eaf5e0fd052490350d395130d5f2188ba8dce5d80d

SHA512
edc4d4a6f3eb170014e873f46ac38854b54bdabf7f8953a164df6741148222de07065403bae8c13de724bfa485d4011e6f5b3b3a5cefed81bb4ac9ba569c5ee6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i3thknts.default-release\prefs.js

Filesize
6KB

MD5
9d8d7b632dba6a6c1ae035c55fa74a51

SHA1
63a574dbdedb4d663934b23d7288a8c7a4c41d84

SHA256
dbb2874682ea4e22680cddc75e75577c4f75411be8ea60a3c2205a1c4a502fb1

SHA512
3b56d79ac05d98b0d0982bd248863d580048218316df02848a844b786fbef0c5a45ad46adf59143ab8ffec7d0ffbb83573715406d785bb0bcec6af714bb037fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i3thknts.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
fdd3c50d943de7b43bc67f930bcaf004

SHA1
0aa717e4f2d8a89f7225dc8f99d0b6920913a971

SHA256
8914a7cd1797b68a7e4ddeb53f097f23f5a0cc4d8e95d9b09a61a0b65d96e759

SHA512
831b4571de859789d1a352528f0e342b3194cf4886627ec5756a085ef1c8712f5065a3956e5a0ca2005be9a117b92c1df8e746bdc9c465fc57e6c78c1a8e0be0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i3thknts.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
fab02a5d5e4b7901b096cc14374eebb6

SHA1
0483f20b8c59df4f03d3d6999ec239b8fe014dfd

SHA256
51cfeef36561f913409fb1729eac51dbd22066304f9c6a1e7e800cd762df3831

SHA512
03f3b06a1bfcf6a41a3e320f1795fef2126afa459a7cf0490867dda9a5da0be288e9e3e23930fffb3db00d31cba8c66542fb3d506d0fa4bcce04aeadf8c12443

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i3thknts.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
0293ee6a2e22a59ea7f3313ded0a8923

SHA1
f2226d8f72eeef1e3683479ccfd19a8d89f8324e

SHA256
901d5f0340a6ca860aa42d16a6da8ee512adb13d448aa2ceae5246239d9cdbd2

SHA512
ba05e5aa7b0267eb2b0d7e0ca752b71de925f9e18951dedc7fcdf17ca81e181d738bf0861875b2f3864ac24098cd909e2346a757f4afbe510888bb90dcdc380f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i3thknts.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
f0f2d9dc2f44b19f47a846044c2f8edd

SHA1
d70cbc4a0440b15415d9868e6f637f98e95f2752

SHA256
997d9d4ca40164c0382cb7b814d98fe6124902ebbdda9ad23586e54258893ced

SHA512
39e5fac0be4c6aed7d4e1ee40fe9937d0a99bbbf8a8763801abe0f210483f89cba98100ae8b2cb7c5cae138ff5b8fad1418709b2e86886680808ee09c15dae20

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i3thknts.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
eda262256fb3a1c48cf0bebce0fd3181

SHA1
bee442649721c259b4e001fe7b7fcd8ad90c0c7a

SHA256
c3bbd15438feae471d368d5c6632d3f2b83307b0caf29220288e4ba665c40a52

SHA512
c659a4e82e611aea72386028dd2980ea7537ecdb4dcca11fd9e39bccb89dca8c33fefd24e5ad5ff3c20dac5b021f135fdc2dcf0b4abc1b56bb110cc35fae028e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i3thknts.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
bf2368d358c5aa49ff925e9e6e867365

SHA1
45ae5c45fc483c345dccc89b08e1ed577f77cf9c

SHA256
ad7c39df043b5de4c17817e3b2ac3366737acdb7439f5a8ef7ce86bef6426a97

SHA512
19a88183d7824017acdefcd07b74e9166eb750b61975859e08427fcfcdeb9d36b4b38908ba625e9797208846617c094bc89bd9dfbb43d669b6ee919af1918d58

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i3thknts.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
cc1ba13192d2287980f28572f06a14bf

SHA1
12b1b52b8e1281f53ee8febdd75076dab34a60a3

SHA256
cb585ae6eb8d062b1754777f1f66b1ac326fd311bf9ed5cd863f27f573698597

SHA512
73b2b5aa80ad9c37cc9e4e94d53fbc8ac90d4685a5bd6fc17bcf2520e472dfc035867acee58737418aa5c64d08a525a58373fc5a4bfef242bb1f2e741db600af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i3thknts.default-release\storage\default\https+++www.virustotal.com\cache\morgue\189\{246c6b9e-4f83-4c90-b551-24ec812d8cbd}.final

Filesize
44KB

MD5
3d6b0eefbb38b66bc543c5973f0409e6

SHA1
9aa04c3b6bd489bada5b712f6a935688ee0cdca0

SHA256
f212658423c303a6c09a85526792434bb392d6cbd603a3bc31491901a98749ff

SHA512
bec4935fafee195843d1191ff3fb5b4a759a51a01c6a83281aeb98237d1c2c03f316d1a72094510da2624305379676b18ea9ff3a041d7b0bbe3a673f0065223c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i3thknts.default-release\storage\default\https+++www.virustotal.com\cache\morgue\193\{23cb5953-f970-4167-8a9a-94dc8c1f4cc1}.final

Filesize
46KB

MD5
2f36907b827d09db258adbfa8a155182

SHA1
643123a19d0ed7528d17e7232284ac0592b2e98a

SHA256
84de421e345150f94adc9e621bd9f08107c9b9b89fa4fa6315df1854bcdaf938

SHA512
c97d033688a04adc64de3a294f0b534cbb9634e4392988f518ef4370e7cb86014e5a2e2930ca6e32393f53930ef556170c35d18843f0de989e6decc56d984999

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i3thknts.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
ec18bcc41a4355dd9dc1407ba0d2241b

SHA1
73314d7b9675819ac95927ebd13c1b3a88f3e41c

SHA256
c9950e2f7ec3baf4d2ba39a169455ef678085550b4fc56785e8c0fa14d7aeede

SHA512
2ddc29ceaf9117ff205b1bc2c0aa1232cc01aa08944fc11d91949a9a4c294cee59efa355a434bfbbd14f1feed333f87246dfd2fbf1da556bcc768d03313e4afe

Download Submit