hxxps://cdn[.]discordapp[.]com/attachments/1117770891317743647/1175997204708720750/Nahida[.]zip

Resubmissions

20/11/2023, 10:49

231120-mw4ggafe23 1

20/11/2023, 10:28

231120-mhxf1afc68 7

Analysis

max time kernel
1049s
max time network
936s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2023, 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1117770891317743647/1175997204708720750/Nahida.zip

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3956	7z2301.exe
3952	JPEGView.exe
5332	JPEGView.exe

Loads dropped DLL 2 IoCs

pid	Process
3952	JPEGView.exe
5332	JPEGView.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\7-Zip\Lang\sq.txt	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\Lang\be.txt	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\Lang\fy.txt	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\he.txt	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\Lang\lt.txt	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\Lang\gl.txt	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\kab.txt	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\Lang\kaa.txt	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\Lang\sr-spl.txt	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\Lang\tr.txt	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\License.txt	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\History.txt	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\af.txt	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\co.txt	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\Lang\eu.txt	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\Lang\uk.txt	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\7z.sfx	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ca.txt	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\Lang\eo.txt	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\gl.txt	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\io.txt	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\Lang\pl.txt	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\sw.txt	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\cs.txt	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\mn.txt	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\Lang\mn.txt	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\Lang\si.txt	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\7-zip.chm	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\Lang\fr.txt	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\sk.txt	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\7z.dll	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ug.txt	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\7zFM.exe	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ar.txt	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\mng.txt	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ms.txt	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\Lang\bn.txt	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\cy.txt	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\7z.dll	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\History.txt	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\sv.txt	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\fa.txt	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\Lang\fi.txt	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ug.txt	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Uninstall.exe	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\nn.txt	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\Lang\zh-cn.txt	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\Uninstall.exe	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ga.txt	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ko.txt	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\Lang\va.txt	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\tt.txt	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\7zFM.exe	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\Lang\es.txt	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\et.txt	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\mng2.txt	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\Lang\pa-in.txt	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\Lang\hy.txt	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\lij.txt	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\7z.sfx	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\7zCon.sfx	7z2301.exe
File created	C:\Program Files (x86)\7-Zip\Lang\af.txt	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\br.txt	7z2301.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\fy.txt	7z2301.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0"	JPEGView.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	JPEGView.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	JPEGView.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000	JPEGView.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	JPEGView.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\SniffedFolderType = "Generic"	JPEGView.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\SniffedFolderType = "Pictures"	JPEGView.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlgLegacy	JPEGView.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0"	JPEGView.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	JPEGView.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	JPEGView.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1 = 66003100000000006e574e9c10002d4e414849447e3100004e0009000400efbe6e574e9c7457b8542e00000031070000000004000000000000000000000000000000184c04006f8f0c8454515451719120002d0020004e0061006800690064006100000018000000	JPEGView.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0"	JPEGView.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	JPEGView.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3"	JPEGView.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\SniffedFolderType = "Pictures"	JPEGView.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic"	JPEGView.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}	JPEGView.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 0100000000000000ffffffff	JPEGView.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12	JPEGView.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616257"	JPEGView.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1"	JPEGView.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Pictures"	JPEGView.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "9"	JPEGView.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files (x86)\\7-Zip\\7-zip.dll"	7z2301.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2301.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	JPEGView.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	JPEGView.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	JPEGView.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	JPEGView.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	JPEGView.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	JPEGView.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	JPEGView.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1\0 = 66003100000000006e57639c10002d4e414849447e3100004e0009000400efbe6e57639c745745552e0000003d07000000000400000000000000000000000000000018f80b016f8f0c8454515451719120002d0020004e0061006800690064006100000018000000	JPEGView.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings	mspaint.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2301.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 6e003100000000007457355510004a50454756497e312e343600540009000400efbe74573555745735552e000000e62d0200000008000000000000000000000000000000d6da44004a005000450047005600690065007700330032005f0031002e0033002e003400360000001a000000	JPEGView.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10	JPEGView.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	JPEGView.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2301.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	JPEGView.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1"	JPEGView.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000	JPEGView.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1\NodeSlot = "11"	JPEGView.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1\0	JPEGView.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	JPEGView.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	JPEGView.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	JPEGView.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\SniffedFolderType = "Downloads"	JPEGView.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000	JPEGView.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}	JPEGView.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell	JPEGView.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\SniffedFolderType = "Generic"	JPEGView.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2301.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\NodeSlot = "8"	JPEGView.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	JPEGView.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings	JPEGView.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	JPEGView.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	JPEGView.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	JPEGView.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1"	JPEGView.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	JPEGView.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	JPEGView.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1\0\NodeSlot = "12"	JPEGView.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\JPEGView32_1.3.46.7z:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Nahida.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\7z2301.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4960	mspaint.exe
4960	mspaint.exe
2104	mspaint.exe
2104	mspaint.exe
3984	powershell.exe
3984	powershell.exe
3984	powershell.exe
6092	mspaint.exe
6092	mspaint.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
3564	OpenWith.exe
5196	7zG.exe
3952	JPEGView.exe
4796	OpenWith.exe
5332	JPEGView.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	3600	firefox.exe
Token: SeDebugPrivilege	3600	firefox.exe
Token: SeDebugPrivilege	3600	firefox.exe
Token: SeDebugPrivilege	3600	firefox.exe
Token: SeDebugPrivilege	3600	firefox.exe
Token: SeDebugPrivilege	3600	firefox.exe
Token: SeDebugPrivilege	3600	firefox.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	3600	firefox.exe
Token: SeDebugPrivilege	3956	7z2301.exe
Token: SeDebugPrivilege	3956	7z2301.exe
Token: SeDebugPrivilege	3956	7z2301.exe
Token: SeDebugPrivilege	3956	7z2301.exe
Token: SeDebugPrivilege	3956	7z2301.exe
Token: SeRestorePrivilege	5512	7zG.exe
Token: 35	5512	7zG.exe
Token: SeSecurityPrivilege	5512	7zG.exe
Token: SeSecurityPrivilege	5512	7zG.exe
Token: SeRestorePrivilege	5196	7zG.exe
Token: 35	5196	7zG.exe
Token: SeSecurityPrivilege	5196	7zG.exe
Token: SeDebugPrivilege	3600	firefox.exe
Token: SeDebugPrivilege	3600	firefox.exe
Token: SeDebugPrivilege	3600	firefox.exe
Token: SeDebugPrivilege	3600	firefox.exe
Token: SeRestorePrivilege	4900	7zG.exe
Token: 35	4900	7zG.exe
Token: SeSecurityPrivilege	4900	7zG.exe
Token: SeSecurityPrivilege	4900	7zG.exe
Token: SeDebugPrivilege	3600	firefox.exe
Token: SeDebugPrivilege	3600	firefox.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
3600	firefox.exe
3600	firefox.exe
3600	firefox.exe
3600	firefox.exe
3600	firefox.exe
3600	firefox.exe
3600	firefox.exe
3600	firefox.exe
5512	7zG.exe
5196	7zG.exe
3600	firefox.exe
3600	firefox.exe
4900	7zG.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
3600	firefox.exe
3600	firefox.exe
3600	firefox.exe
3600	firefox.exe
3600	firefox.exe
3600	firefox.exe
3600	firefox.exe
3600	firefox.exe
3600	firefox.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
3600	firefox.exe
3600	firefox.exe
3600	firefox.exe
3600	firefox.exe
4960	mspaint.exe
3564	OpenWith.exe
2104	mspaint.exe
3444	OpenWith.exe
3600	firefox.exe
3600	firefox.exe
3600	firefox.exe
3956	7z2301.exe
3600	firefox.exe
3600	firefox.exe
3600	firefox.exe
3600	firefox.exe
3600	firefox.exe
3600	firefox.exe
3952	JPEGView.exe
6092	mspaint.exe
4796	OpenWith.exe
5332	JPEGView.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 3600	1992	firefox.exe	46
PID 1992 wrote to memory of 3600	1992	firefox.exe	46
PID 1992 wrote to memory of 3600	1992	firefox.exe	46
PID 1992 wrote to memory of 3600	1992	firefox.exe	46
PID 1992 wrote to memory of 3600	1992	firefox.exe	46
PID 1992 wrote to memory of 3600	1992	firefox.exe	46
PID 1992 wrote to memory of 3600	1992	firefox.exe	46
PID 1992 wrote to memory of 3600	1992	firefox.exe	46
PID 1992 wrote to memory of 3600	1992	firefox.exe	46
PID 1992 wrote to memory of 3600	1992	firefox.exe	46
PID 1992 wrote to memory of 3600	1992	firefox.exe	46
PID 3600 wrote to memory of 1332	3600	firefox.exe	84
PID 3600 wrote to memory of 1332	3600	firefox.exe	84
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 2384	3600	firefox.exe	85
PID 3600 wrote to memory of 5104	3600	firefox.exe	86
PID 3600 wrote to memory of 5104	3600	firefox.exe	86
PID 3600 wrote to memory of 5104	3600	firefox.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://cdn.discordapp.com/attachments/1117770891317743647/1175997204708720750/Nahida.zip"
1⤵
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://cdn.discordapp.com/attachments/1117770891317743647/1175997204708720750/Nahida.zip
  2⤵
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3600.0.32238057\1986046756" -parentBuildID 20221007134813 -prefsHandle 1868 -prefMapHandle 1876 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8940b963-238c-4627-bc3d-5720aaef4614} 3600 "\\.\pipe\gecko-crash-server-pipe.3600" 1968 147732d4c58 gpu
    3⤵
    PID:1332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3600.1.29998215\765942620" -parentBuildID 20221007134813 -prefsHandle 2384 -prefMapHandle 2372 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2714ec07-27e7-4ee4-b2eb-3bb83adec4a6} 3600 "\\.\pipe\gecko-crash-server-pipe.3600" 2396 14773205c58 socket
    3⤵
    PID:2384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3600.2.1377193878\957549915" -childID 1 -isForBrowser -prefsHandle 3196 -prefMapHandle 3064 -prefsLen 21857 -prefMapSize 232675 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {324850ec-f41c-4c0b-8549-20eb2f392480} 3600 "\\.\pipe\gecko-crash-server-pipe.3600" 3336 14773259258 tab
    3⤵
    PID:5104
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3600.3.496452407\616250322" -childID 2 -isForBrowser -prefsHandle 3660 -prefMapHandle 3656 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e77b2ecb-777f-4e3a-9a2e-97d5daf43c56} 3600 "\\.\pipe\gecko-crash-server-pipe.3600" 3668 147780e8f58 tab
    3⤵
    PID:4628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3600.4.1590957564\167663398" -childID 3 -isForBrowser -prefsHandle 5196 -prefMapHandle 5204 -prefsLen 26536 -prefMapSize 232675 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00fbdd53-688e-4ef2-bf39-d2b7c1c92861} 3600 "\\.\pipe\gecko-crash-server-pipe.3600" 5252 14779cb6858 tab
    3⤵
    PID:4840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3600.6.2057167422\997893398" -childID 5 -isForBrowser -prefsHandle 5600 -prefMapHandle 5604 -prefsLen 26711 -prefMapSize 232675 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85efa8f1-79e7-43ad-b8c9-123bd85856c6} 3600 "\\.\pipe\gecko-crash-server-pipe.3600" 5592 14779dfe558 tab
    3⤵
    PID:1064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3600.5.1858407807\2095594377" -childID 4 -isForBrowser -prefsHandle 5492 -prefMapHandle 5496 -prefsLen 26711 -prefMapSize 232675 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57fcecf6-cb80-431d-9339-3db34c859a1f} 3600 "\\.\pipe\gecko-crash-server-pipe.3600" 5480 14779dfe258 tab
    3⤵
    PID:3436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3600.7.1494787818\2127805200" -childID 6 -isForBrowser -prefsHandle 3480 -prefMapHandle 3340 -prefsLen 30249 -prefMapSize 232675 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91641ad4-dac4-438d-853f-c63a97f93d40} 3600 "\\.\pipe\gecko-crash-server-pipe.3600" 6064 147796c6158 tab
    3⤵
    PID:4480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3600.8.1774973807\3820261" -childID 7 -isForBrowser -prefsHandle 6276 -prefMapHandle 3268 -prefsLen 30258 -prefMapSize 232675 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84244544-e5e0-45ad-9622-66cb472e9855} 3600 "\\.\pipe\gecko-crash-server-pipe.3600" 6280 1477d631258 tab
    3⤵
    PID:2000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3600.9.499314665\55355445" -childID 8 -isForBrowser -prefsHandle 5636 -prefMapHandle 3792 -prefsLen 30258 -prefMapSize 232675 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59cf6477-a092-4e8d-91ea-7e6e8f8882ba} 3600 "\\.\pipe\gecko-crash-server-pipe.3600" 4584 1475f465e58 tab
    3⤵
    PID:3952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3600.10.361461159\1935827257" -childID 9 -isForBrowser -prefsHandle 4600 -prefMapHandle 4764 -prefsLen 30258 -prefMapSize 232675 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c82a23f6-d477-481a-bea4-7222c8b25af8} 3600 "\\.\pipe\gecko-crash-server-pipe.3600" 5996 1477c18df58 tab
    3⤵
    PID:1052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3600.11.189134861\842717774" -childID 10 -isForBrowser -prefsHandle 6716 -prefMapHandle 6712 -prefsLen 30258 -prefMapSize 232675 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8df3d4c6-e009-46fa-beb5-a5490a643488} 3600 "\\.\pipe\gecko-crash-server-pipe.3600" 6724 1477fb60458 tab
    3⤵
    PID:1912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3600.12.603068559\1545398648" -childID 11 -isForBrowser -prefsHandle 6868 -prefMapHandle 6872 -prefsLen 30258 -prefMapSize 232675 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee16e819-93d3-49ba-9568-22e445bcbb57} 3600 "\\.\pipe\gecko-crash-server-pipe.3600" 6860 1477fb60d58 tab
    3⤵
    PID:3556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3600.13.1713084575\791403224" -childID 12 -isForBrowser -prefsHandle 5672 -prefMapHandle 5664 -prefsLen 30345 -prefMapSize 232675 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c1c0084-ac9b-4811-8cd7-a4ee1fa9955f} 3600 "\\.\pipe\gecko-crash-server-pipe.3600" 7032 1477fe16958 tab
    3⤵
    PID:3588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3600.14.200439596\1824496229" -childID 13 -isForBrowser -prefsHandle 6492 -prefMapHandle 5280 -prefsLen 30345 -prefMapSize 232675 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93b54499-c900-470d-9545-95eac602d090} 3600 "\\.\pipe\gecko-crash-server-pipe.3600" 1664 1477c12bb58 tab
    3⤵
    PID:3336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3600.15.1603511124\293697755" -childID 14 -isForBrowser -prefsHandle 7396 -prefMapHandle 7400 -prefsLen 30345 -prefMapSize 232675 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77130cdc-6058-4a74-93ee-4ac53fc12c2d} 3600 "\\.\pipe\gecko-crash-server-pipe.3600" 6396 1477c18e258 tab
    3⤵
    PID:3892
- - C:\Users\Admin\Downloads\7z2301.exe
    "C:\Users\Admin\Downloads\7z2301.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3600.16.1169191706\382215293" -childID 15 -isForBrowser -prefsHandle 6980 -prefMapHandle 7280 -prefsLen 30345 -prefMapSize 232675 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {548816f5-be7f-4af0-b584-6bb4885afaec} 3600 "\\.\pipe\gecko-crash-server-pipe.3600" 7588 14780517258 tab
    3⤵
    PID:5668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3600.17.2145378941\464462482" -childID 16 -isForBrowser -prefsHandle 4800 -prefMapHandle 3124 -prefsLen 30354 -prefMapSize 232675 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81eae47c-ebf7-4932-b74b-47b476066494} 3600 "\\.\pipe\gecko-crash-server-pipe.3600" 4484 1477b0f0158 tab
    3⤵
    PID:452
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3600.18.1299849095\659802274" -childID 17 -isForBrowser -prefsHandle 7320 -prefMapHandle 7252 -prefsLen 30363 -prefMapSize 232675 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd54b10e-45df-4245-a712-a86148ad7854} 3600 "\\.\pipe\gecko-crash-server-pipe.3600" 6808 1477a65f558 tab
    3⤵
    PID:5336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3600.19.341766390\1150745728" -childID 18 -isForBrowser -prefsHandle 7660 -prefMapHandle 7068 -prefsLen 30363 -prefMapSize 232675 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {783371fb-eaca-4a5f-812b-66c30e2b046b} 3600 "\\.\pipe\gecko-crash-server-pipe.3600" 7680 1478073e958 tab
    3⤵
    PID:4472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3600.20.434008697\41685951" -childID 19 -isForBrowser -prefsHandle 7264 -prefMapHandle 7196 -prefsLen 30363 -prefMapSize 232675 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf5f5dda-e98f-480b-99e6-7f75acc364f7} 3600 "\\.\pipe\gecko-crash-server-pipe.3600" 7152 14780716e58 tab
    3⤵
    PID:3280

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3076

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Nahida.zip\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_32.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:2228

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3564

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Nahida.zip\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_32.jpg" /ForceBootstrapPaint3D
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2104

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:2304

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:3644

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap21860:74:7zEvent10748
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5512

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" h -scrc* -i#7zMap18891:74:7zEvent15332
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5196

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\JPEGView32_1.3.46\" -spe -an -ai#7zMap15536:94:7zEvent24432
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4900

C:\Users\Admin\Downloads\JPEGView32_1.3.46\JPEGView.exe
"C:\Users\Admin\Downloads\JPEGView32_1.3.46\JPEGView.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3952

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5356

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_63.jpg" /ForceBootstrapPaint3D
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:6092

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4796

C:\Users\Admin\Downloads\JPEGView32_1.3.46\JPEGView.exe
"C:\Users\Admin\Downloads\JPEGView32_1.3.46\JPEGView.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5332

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3tq1igo7.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
d7294956ac7db259008d0fb99352fbea

SHA1
672297a89c76d453ee4e982fc0abc98ba8f5b70c

SHA256
2c5b41567f26955a5cd2417ddd4ed21d1c92b1937a3c06332a422403a2fc9a9f

SHA512
f8ac41808d7a78c4b50a7aae0fac3baefe484467b7cd22a2d06c173259faf1fe0f4f7f1db201c878620a36af7a224ddfd07a964df3eed18b5038cb40cc5bcbd6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3tq1igo7.default-release\cache2\doomed\17135

Filesize
15KB

MD5
716a7db534f29e2dd15ed9d4d15f0c65

SHA1
d8d28af851b381c29d46900d5651b98348089a11

SHA256
1451ad71bce5709bac2b259e6a3bcfad79778676c798d8783c9bf0337537b957

SHA512
839acb3150a87d86bba71dc95af3180f44117f4b4988aa36e828f79f2e9d1277f82b6c9da3c886713ddc51fb62e09d8fbf415cd055644b4a6fbce4117f022940

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3tq1igo7.default-release\cache2\doomed\4396

Filesize
8KB

MD5
b3d308938b11e7bc88bceedf18de5c85

SHA1
fd22f65dd21842abf012f6154a9a5e85ef7cab13

SHA256
a351e799d62f8e5d8a0bc80922c5ee301340ad00e69984e43b96ef90bbba579a

SHA512
d96bcd6b234b45d1e8f966441c601a93cdfc44aceef99898276e0a627c2d61b195fb1671d0660a8048354c0f45cd11a8331ef4f1f2353c3d5629af8be6816db3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3tq1igo7.default-release\cache2\entries\1C86A9243B1D094A00AFDA5F4FA1516907E19DEC

Filesize
81KB

MD5
4144993efe92f8263061444aedfecbf3

SHA1
ee503f2deb916824ac0afde5c3b643526c47479e

SHA256
b66da7bcf2d6725e1f31602e4c3c621081cda8590c4967d37f76bd087176760c

SHA512
c1c7a4a11cf3e4d68c2cd10a8997da9a401973880f53b414a43fea561cc3ea9aaef2d356f2a08bdf5902a1feca218224f4a428d53f9fdcda1ff788c67019d948

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3tq1igo7.default-release\cache2\entries\577A586685F8D27BD5B926CE96132B84424D8EA4

Filesize
13KB

MD5
db0e4c2b5362ca32683d7520c9698a37

SHA1
10b8d9fe8fdf270d49d8a06a983ebd20ee00d744

SHA256
2e31dc350ca85bf5963914e0622e83c80ae5a93b93e7c52fbe0b60209597d437

SHA512
51dbab2e9a09e9fbfbfaa3166e1ba5afbc7a37d3a0a9c7d823a9511d5369d0a84d2fd657768f8ea396bb6d6536a0d16cca91b9d1ba89cca77df70dbe1da191f2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3tq1igo7.default-release\cache2\entries\883F2AEB905FB3A5B56F82853542310BFBC14EA4

Filesize
1.0MB

MD5
310b10cef4d2ab72e38ab0446a48bd9c

SHA1
276a6f79c6f884f9337d022567cedd7e644c9844

SHA256
0f8f9c3ed98e713a5a94e4d28718402510727b1c0fe3e7d02ae2bf46f5cb6c03

SHA512
5ff04339ef9639f0e63e9bf409dc240c91d4817d2f44206317162a3600f72fefb62e8de852b05b323794f7dff7596d5a2247393dd553129fa7dc611f605f0edd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3tq1igo7.default-release\cache2\entries\C98AB67DEAE8D43D9EC6D74718442B22C2154B7B

Filesize
4.6MB

MD5
c2c8ab8286edbe93ffe378ed45a367e6

SHA1
38df43790f2301287ed97e6574ce9f10a9b30f19

SHA256
3e7466f38dd8882c188f374c1da38d8960119b97b86467583aaf80960d5adaca

SHA512
486c89815ab60205e7a8bbc10695f2b56e24070e1554d4721fae580f634183105848a795e6abf694cecfac84197e1aa3a89721762bdc8b8df2916f4063df9c79

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3tq1igo7.default-release\cache2\entries\D69D3BCD1FCCF807788A4CCEE993E6603CC1D419

Filesize
561KB

MD5
e8d205357cafb8a45a3b986428d26131

SHA1
0e149084bf968d5dfb4e869d9f47d13c5bcb303d

SHA256
b75c04b2ff14c81d7c4dc52cbae9b751db21283e96466930da7ffa9f0c6047b1

SHA512
572564d332c5d826da8a82d509ad064b8affd1c1029f97b1808b0c971ff5f2139eb6d8363c568799aff025064543612ca2b5073ce4d55ded4f6eb76cf2025f35

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3tq1igo7.default-release\jumpListCache\aE+6Trca8RiJVQsYqsqLZg==.ico

Filesize
691B

MD5
42ed60b3ba4df36716ca7633794b1735

SHA1
c33aa40eed3608369e964e22c935d640e38aa768

SHA256
6574e6e55f56eca704a090bf08d0d4175a93a5353ea08f8722f7c985a39a52c8

SHA512
4247460a97a43ce20d536fdd11d534b450b075c3c28cd69fc00c48bdf7de1507edb99bef811d4c61bed10f64e4c788ee4bdc58c7c72d3bd160b9b4bd696e3013

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5mesksk1.puk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
12KB

MD5
8b0257dc99f8a2ca3106ff69b71287e9

SHA1
b29c9fd8f5f36ff8e22d535d2a576fbbfe62027f

SHA256
e2ddd469da965769363470069c7731fc6c175ad31bf010be2402764553db79bb

SHA512
7ed3dffd189f3e7b7d45f10306de2f2781bce2dbe0534ded62f824185be33b26033b7445c8e7bb1f2776b986cc9b0f766cff5613779f1ab73bcabee86b5158e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
6ca92729b86e2e7ec0f2d76feb7eb612

SHA1
6a17c1151b47ba5b4b9462d5efc33bd338571e85

SHA256
8f791139566575384a7e00468bc3533044603ba30d890d1d00f16f78a73a7425

SHA512
f9a25d6f09f77e82810010407eb1dd5328b643e529eeda7c281604f19622f5973def951f5d037efdca04ed47d6ee9adea53394cec16b1c85f534cefdacaee1f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
5KB

MD5
28261fba3bdbbb4c171d203b102f251a

SHA1
876dfab5952dc92730027e6a8510680b9694cbf2

SHA256
94ef06354a483474f267f9c52d1b78bb1a065623fda325b3a5dd29e8e081d7e1

SHA512
bc996ec1122a00a2fb9ffabf36ab22ac81425a47ccc964092b572e216182ebe1c2e6ebfc0c3bdb308b29c014d77997e931828c7575c5ff7c36a1ec525877d42f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
7KB

MD5
bc228a893782282499048ad3d4165c65

SHA1
89612ec65c536de3f4e92b29a8e512d188c1792d

SHA256
f05f4bdc6940131b3ef38df0eec22cd729ce82dee6720ad49b06dec86f78048d

SHA512
af68b759578c62b6133f1853be929d11b0d9ee764d084aee55672d5d457db1deb3fe90093c63e4d9a3be8cc453b8750d7760aa694872a2af3c5096bc0576346f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
12cfcee8246b9b2a8fdb0fc587a6ff27

SHA1
f30cd7bbacdda830d6104f1152356c96b9626f4c

SHA256
2ebf809341de5de5b6e27cfbd6a07998b6fb41598543fee93d13df6f15596eed

SHA512
1ea678a16315e50f0f93eae6a06edf294b23866e5e183c7fa79fac76c9fc0515d4ac9b53eb3e33f09f762a48d506950d2826608a7ec5ff8495e5cea95b66bdca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\datareporting\glean\db\data.safe.bin

Filesize
182B

MD5
7fba44cb533472c1e260d1f28892d86b

SHA1
727dce051fc511e000053952d568f77b538107bb

SHA256
14fb5cda1708000576f35c39c15f80a0c653afaf42ed137a3d31678f94b6e8bf

SHA512
1330b0f39614a3af2a6f5e1ea558b3f5451a7af20b6f7a704784b139a0ec17a20c8d7b903424cb8020a003319a3d75794e9fe8bc0aeb39e81721b9b2fdb9e031

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\datareporting\glean\db\data.safe.bin

Filesize
182B

MD5
b1c8aa9861b461806c9e738511edd6ae

SHA1
fe13c1bbc7e323845cbe6a1bb89259cbd05595f8

SHA256
7cea48e7add3340b36f47ba4ea2ded8d6cb0423ffc2a64b44d7e86e0507d6b70

SHA512
841a0f8c98dd04dc9a4be2f05c34ecd511388c76d08ca0f415bfb6056166d9a521b8bc2c46b74697f3ecdac5141d1fe6af76dd0689350caca14e9f849ee75a8b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\prefs-1.js

Filesize
8KB

MD5
1e7c2c31b80bf92e9755f995cfdd878a

SHA1
ceee25689b5afa104d54d89f676725650c9f94c1

SHA256
a034c9164e2388ef61c978801e56f2c2bc468c22927bb8b27a5cdfa23ea69355

SHA512
8274ff55ed866fc724ed9ce79b4ca71c8cc132f8f94aa6800844d9fd87bb913c3fd1309c9d377a98a27b831f490060f0e889848131fa4d96d9819e71f9175593

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\prefs-1.js

Filesize
10KB

MD5
6f9e092b8d24d82eb6f279e2a670180e

SHA1
7a422f651a491fcbad2ae8e7377b62cd4cdf4747

SHA256
5f62dce96cb02f7729ff581badd7c88e1cd16692362edc55d04fb0b7fb87e682

SHA512
5858825a4f15c871df23eb4b5bbfd6940b42a56ec944acc78f6a0c476323009262ef8cc0b140ae1f204764f87eea8fd4e8d6cd5f627f0e4680be15c5eaef982d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\prefs-1.js

Filesize
7KB

MD5
688c5a5acdf70c4a303a552f06f05fc7

SHA1
1bd1bfeb8ca4efa212927b4ec12163530c0e9d19

SHA256
2967efbbfb6b58eeb5c89e82daa2a5445e8f0bf6eed2b90794d2ea0d599c2e8a

SHA512
b792d7090157bc63645a7157eebde1da72ade2bb6a380c47daa2781131ed07fb49e2174ea54fc4f3247f619c0f182a7d5f410be37de1bd40e398663d561d6a27

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\prefs-1.js

Filesize
10KB

MD5
c11eaed49865851eb3ae94e4f106a20c

SHA1
f9b2d4e045b103a140a0ab0f1f722fc59dcda2d2

SHA256
5e8b09c2c034002098099f20e409d50f73cffe0f6efd164c5fe756465c7df4b4

SHA512
64fe6f3ad87e59de5e8e5d89c19daa47b0b69731ab9c5ac37639afacbdec239b744b43a37330780f6ca46a780fd7db21d0fac263057d0c9ce0c539602bb91f50

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\prefs.js

Filesize
10KB

MD5
39e09ae15044fa4b02e03ebe953386b2

SHA1
74d793b4f080770e18e1d7fed63b230ab36a41ee

SHA256
168e135429a4d01ab18d91d4625a1448c26a8fa385719f88862ea9bdc1d6d64b

SHA512
1ac2edea4721f5165dec9e7da9f7656cbe320f103084c6ecadd179989e548af0fd43b67780c2684c07f6a329407077b0b83e82ab3e4332d764ca9139c77c0aad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\prefs.js

Filesize
7KB

MD5
fc7d14584209da99140a78d3e3c2c46c

SHA1
4991a306cfd8a373dfac1f629d57917bc30ac2f8

SHA256
08d42e967681cae818d4a4a9b82fcc92496eefdca1fa312158583fd09973175f

SHA512
5b4ce45f8593a67f38bd36d74218a40522ea459bb1ecb577a78d20e51feed0cc02ce2915beaed286775ac54b5bf74d24651b7ddb8eada0c8132192e6ae32b76b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\prefs.js

Filesize
6KB

MD5
a7d1c45ebf06625f54fe31c3f66bfb7b

SHA1
0c6a85d5e60c7672e44c00366a849393b1adb343

SHA256
e72820a6acd8346302ca37d7b8336d773faed3c3def19b9202c20266cdbdc59d

SHA512
6ad09fca4aef40dbc4bf7dd44023903df4e955bf7bb34384165e35ab5801d13414d365f8774969115518675e81bd33bbb291d8d7fba14f4881c8429ff10d9e55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\prefs.js

Filesize
6KB

MD5
87502c6bd498ebdfa6ac6a8d2492c85d

SHA1
75dcfbaa081cdd2f30664e4d0fd391d570d0d9fc

SHA256
b7bc76bd82547a6f47182ddfe8c56db5223f8af4d64b1efb4aabd1f5ba62fb53

SHA512
299e294e43db07d2dd70bcab8fc6ebd36f274dbf291a44e0077a217d813f1b36f8644e8ae55c0f8221fe177a1805944b1838a44c94413009536c7429bbcbac8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
b8b105103dd4c19a477b2f92e2488693

SHA1
8b838aa09ac0c9d7dca6767d44b62ad4862942a0

SHA256
e563407c2257dee4d8a96ea9f2adfc72d7c546a6814d55003940258737f141a3

SHA512
db8b23e49ce43df8ee32306c33254852fb3d8244e6b7fcaf499fa99b1e803c81718b8798932b97a9ad1595d2bf3178fb7c3994723668b1b0bead2308b8e3da0b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
4d054b6befdc0d0e1c408926798ba171

SHA1
4d02cbd061341258fdb575aa8a715f8f9c17e599

SHA256
24942fe01e371efc1b9fe3ba9e2612f45d723e8caffd9b5c1f9474d3dd211689

SHA512
47943213c7dcd2fb94a32b81d90b186325c34a5745b24d3b39fea9b2ef053e8c1c2cddc0f58683ab6ce51de598f47f43f5fe872cd92e7b45faac7fd8ed8eda55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
8335a84409cf5805e19e81fac8c7ecae

SHA1
e2a743b996b3031c95e7d57692fbcb4a849f6199

SHA256
1689d4c1e2cb1ce37e6ed1ec626bd0998ac67b773d83c24461caf1ec1eaf7705

SHA512
b810b2bd12a8aeea1241da7695f7d8212f0f8670a918d91ecfaa7e2e27b71b39f037aceeb7d6814b4e927e8c2f7e704f09ba4d1dfc397a04496cbd82ebc89dbe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
77737782489004d5179412df83d79a89

SHA1
12f7367f1c8f0aa21ff0e6c8706d597ac80f50ea

SHA256
367bfaf63f390f0e668cef9077f80b96ada0e41287ac059cce061cce2d1418e8

SHA512
7d2881820696c1beed2c600d803ade26e11e73e69887b74735ea029d135e5088e986d0ae8e1b78d32ae6e758983b9bd1cd8b5c52f3c432a8bda902145d2b9ddc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
a8c75d21bf001b4b3570af11dd2207fe

SHA1
033a1df2beb2f331c33c18d1fe18f6472276882f

SHA256
3006e70705174e4784a5dd10f0912c12270672d0b6238c5b74a66d0a396bb1fe

SHA512
a429b30d4aa8d389e65703753f9e7a1400e8763dcf8df78a929a81e7fb6d04cb0773b3c2916f458f2f7b486a521784ed034ec9c9c3958a66f44b712cadfd47fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
e7de7bb90b8777e4f0839a7ba60fad47

SHA1
1aadcce4c4e88b7b2e769fea9bc26d722c9da0c3

SHA256
e8b25144b7fb97950d9ca1141925e6607095c18b4345bb4b8daeef7c98fa3d3a

SHA512
04b268a30cd76d7be51b6c1d2eb092fdec307ac679bab56488669e5c51e2c9caee2eeff1ad7d13e9f7d3ab4486887609b2f93ab873c6843fe5aafb948d4840a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
13KB

MD5
62e0905e11e92ed14533312f407740cf

SHA1
5b1838291eab8742bfd7b9bdd8a6a02b06526c76

SHA256
6b3d3339889f3dd38277af134613b556e9f1d566d9f274ade79aede14429bdf7

SHA512
14ff7b7aad56950703c314d59100c20a4d619419cac37efdd94a887d946798fa8f8434763d6c0013a295f8335696d08ae64b0212a31dd56d0b6b9b6fa7563a57

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
7665f5a1751cc69a7713fcac1ff26dc8

SHA1
fe4580b73984eae80f3c4e12158f74edcc72d7a8

SHA256
473d4a75f0b1527ad8caa861b400eec825cb567c54c9578ec47290f85b2718d3

SHA512
b0f60f91bb2bc942ecc5335d563d1974e4f0924e10ba70141bea00d2dd8eea512289ceafa332d4bb809c227b7825cbf9375b4898b597b1c33522a4b68ee22671

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
079dc1e72ab2927e781e3a70bff677a4

SHA1
89ad6e42cf608dfc5d8a9ac00fe0b827b042f22b

SHA256
2e6e86df373677838a2c69971fb72e2b40bbeef10707751836b2715d9cef2e27

SHA512
ea9eb6143ab3837c8e10959b959434929b341e8729ac312cf5414a3ee4c7e18357ed4dcfecc4c2ca06555cef3947135031607ac7dd85f8eaf9652db07e933e85

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
17KB

MD5
2157d6a0b0e8d4b833415e59a1709e95

SHA1
57fc968b8dbf05a48c9a724071d9e182bed13176

SHA256
1e4654b5f7a5e054943aec9335bf8be85e84ef2736ecbea3f877070075f9205d

SHA512
2ded8f8f883cb0d6f8b6ecefd37c33fed89a4462905ea3cf96f5df07d952071050b08bb0f892d972fa5ee8543d9b80d411288cbb8a1a60644b103dd2fb772f00

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
3c5ce69c18e35a4bdea9924aa03b4597

SHA1
ca1d421c99f03c019a4b35b15630c780aff763cd

SHA256
5864b85ef1117866d25ddc916ad320a0c5305671a99c68d670818d9928587cab

SHA512
253ecb62c2dd417a8a356f83a19017303ab231b1cc213db11f0331f98543fe184acc567709177f424d2083f4edd12e3cd8b96e34f6f068d03bad36a9da5dccfe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
18KB

MD5
360b64ec508175756d975650cbeee71c

SHA1
8c0ce89fd213b0dc166a64ed539bb1ee2ceb68e4

SHA256
8aae6a355fdab1d4210ca2043881da7feb5071d3047a21a93cfadc9510b5df2d

SHA512
c589947fb9fcfb2a9ef98500d6d5a3796d64d81b3e0dc3efce2c6f533ca17e5dcc4f964e530b16adb3e15e7355830e67a6b3bdfa2906a60f8549da1688714b5d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
18KB

MD5
05e912e54eb0973cfedff29286453cd6

SHA1
1cac9bc1822566a9ad80540cf1ba63f880eb2737

SHA256
ec7e594edca805b05523bdb2deaacb7580aae24424d81e40434a6d334e02d027

SHA512
a1d9166714c9887dbfc8960b7f281967f1db701cc205768abff749ba830c5a947339c42651b96bfdccd2e389c67b74e1ffee9dbf263fdee93a8ab78cf0c32de4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
4e076f1030f14b1652adbb1be5f33219

SHA1
2043b12a7033a3de0999d6acc7a025113296f184

SHA256
c45c12a7d76e43cf24714b22ee917ea539a5f2db02ec033598811a7cd768dc5a

SHA512
293fa57d52f13f2685fc4d7e406fc3efeed226583a252d398aad5a745bac694da871080988ffea2fc0947ead7448e19ecf8bfb677700aaf005cd6d4c93345bc4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
18KB

MD5
86eaf7d6c622afd6d61379b986c09718

SHA1
4219ac0e036930fc9e07cef3109ed1c3eb6bf180

SHA256
238d19ba75e7811733ec4bdb97c832f16bf624027c058e084d7c3ae706517555

SHA512
740f0a12a9653d746cf627a1b3247eaefb502305570275512daf6b88f0fbd8818eaec91e51a66d1223c0a1fcd5dad9f3a1f7c9fcc3d36d98eb9dad1c9c8232d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
bcc96a37400e253511ce21980a2368c5

SHA1
bb0943f81efd20bbea92a25668addeb8f1289595

SHA256
4081899f86b12e6e7783c9aed3f7143dc7b5ae72d1b2bb5e8f626180fcc5218a

SHA512
407952995946a3e664d8b15e23d774038b0b56ab769e8a2a1660509eb595e976ee25ee4fca7ad13b80598fd70859e0cc22b09b8198e658dfc0d5af11600de9c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
80390e0a101d505d6ece2dccdc9a5dfd

SHA1
bc72cf85362437778e1c5b7c93afa42e5b8bed0c

SHA256
4601289640939d4fb2123e67bd77f694aeadaf49e5ece6ecbc1cf23e51b7d5a7

SHA512
7a71cdbeba8975ba23c22ac05b143aa3b546521b5fdda10ad1773be36cd549d100f0df23c9213cf64d9dc6d6af2c0c7e939fcb944325ee1b15399969ae861db5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
f787ee016c9c9076839ac965e667a253

SHA1
9b07eae31bb161070a1c58faa79743fe0edd9a40

SHA256
ccd82a5da832b57140b92ccbbc4599a98790b59cc477a811d3a9bb572863a5cb

SHA512
875d84c2afb671a85e162aeba62d2904ccb14f50dd28d3e0ab2c682b700b90ef9927df855b80ee720a5fbbd26cfaaef73cad620414e36bcd399e2cd1a1753ba2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
5baec9d803dac5d8400eb3f0cd1bb3ac

SHA1
3dfe6bb4046d1f5f9d278afd655d9f4899762068

SHA256
ec1911e11e6cb1dd6f4398ce8747e89904e7a641dc2a04bed36d0376db74d81c

SHA512
41cf21f92d894614a5c85ad3c9e53415db9a1e1efd8ab513f88c384eacbaf4c8bec122428f6eeb851b1f877264b30ea0d8901321c58a2899a3aed5afce95a5de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
d5c112964ce0b5fc14832f509af5a378

SHA1
ecbb577914ad1f5f6cb042a0a5e4f33ac63da44a

SHA256
c63894438fbf72362ac30196d0c2587d95de324c0ead503655493bf2f412f8a1

SHA512
37f460d8006b50e9777d12e8f77b5b265f4c5ac169589aaf8cd5fddfd73746a351ee4f04c405524b964a693449f768395629d140b224009bd5ce1c9322f69ea4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
a052d5f895cc99b40b6d46e1e47a1728

SHA1
7135290928f6031bce133cd818c8329f26b1c129

SHA256
70e06ab013362fc7c0b23a07284c05bab6275c1740c5b7b80aff7ee69d163428

SHA512
a2eea057e612ec43649facc4bf3ba21daa92243c3195c29729d567dee5486e436bfb3d0ba47e19c1a263ec0360c1a650a833155f0edfa72f556c7f16a5654080

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
e73caa30d4104b83f96491767c889c49

SHA1
3f7ba55f0e52117af4fd7f0858c3cf471eda99f8

SHA256
78fb071b28e15998bbc12b91e39b0a3bd96e16b66fa40b1953840f29f7466ab4

SHA512
590444170e176dd91f0611df2724fbc081db090701490803e721d1701171a83fd2f98fdee2765aac3d40be3883243f6745d9e3bf462dfb08baa4708b2e465d0a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
a54fcb660ad3ff4686074f9011e75ce2

SHA1
6e622bc53b61360efcf4b0005ee4666a6f816ae1

SHA256
5ea356b4fa0455432b8fe415cf0e505a8715213515952d3bee9ddcfe7ad4e19f

SHA512
d1d7ead11d4f4472dc1e3ad5d774e31d62e047fe81b100e830625ce15f22313cdeff66658effea4f14382e7617b1e360db235e42e0ae3dd1eea4c9793dc56196

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
10KB

MD5
84dc898551d269ccc6d493432783606c

SHA1
1e68e13c9f26f4b99ddf16991d9d3d39b4df2eb7

SHA256
2b5cf82cebc0a665bdd257448e3b39651cdbd4e5cb1262ec6f2d4242b2d514cb

SHA512
bdc1dbf366fb66dbf1634266620ddf24484674da22c3b698c283ce6a714b7566f26ba96a1bafcd48a1be0b25f96456a32f374f02fe20ac2c4dfdeed576040d4e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
14KB

MD5
9dffa516bda86b7f1e6040bff8c8a555

SHA1
2f626d29864fad48568bc6d95eb41db962571db1

SHA256
2d6e2a99ac0e6075dd708a0c445ffdcf6d357386f1b79b53a04e09096990a9b6

SHA512
232988dfcfc825039265f6856bcb8e136d121d92bcc1c6a1a48e95a5783fae8b39086f2e0747902c099871ddb48642c9dd77705bc974c6ecd39b1a5306da0104

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
17KB

MD5
18643aa632739738e833735830533fc0

SHA1
62ff7eb9cfdb2de75db63b6ff1172fd5ec46b046

SHA256
826b902bbba6c504451618687055d0951906358f815f4feb9dfa766c482aa65b

SHA512
3c5825c72e4f99665962156e0743c26801ca4036f1635f5ac201eab0bd7e10f8cfa3fd24800a87e4671c837cff28f1b7e94bcae1a5470bd8cdacae6a0043cda6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
18KB

MD5
b51cb5257b1f566a8d25d49b530c3adc

SHA1
7a309d65e052094a9f57dfa6e165a8072a345e95

SHA256
3bcc30aa8f5ea172188805f24bf3c5cca45b34e6d02ba291a5d03c21d7c949cc

SHA512
3f5762deae7884e2529a8cb3faa5e2a4ddc68ac6981bf00ffd318cfd1ad7a6d126153b0566c2d7545cbeaa2c478488ca6866bdf62a5e59b130198f1fe33b9ac1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
18KB

MD5
24072954f87bce36f2a42efd5a8736ae

SHA1
bccd7c6ba33ed877f79a4b1845ee484d39a5877f

SHA256
19e51b9decc477e0863b0f160392992514e9ebb96b981f7b932a358f6cf29b89

SHA512
55a2fac68f040148990f64cbc0d99057603c082f6ba9ac1d336cf231e6d9024af066a415e9c1507e3208cd691fbacb43163fbc913c3b6450e495461571bf0035

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\storage\default\https+++www.virustotal.com\cache\morgue\54\{26cd767d-93ad-437c-9483-5159e3c04e36}.final

Filesize
44KB

MD5
485a98a61ffbe32e37140e58ac18c32a

SHA1
8ebc5f4f2ec65dbc6c591d5ba36e0989412ad8c1

SHA256
8801877a5893d0ead967034355134deeaa61a6a79117dd0518dabcbf09fd6683

SHA512
eff3ba8af2a049146d3394e3cde56b50c71bde1c89b900f477db0fbce5bb37723e5ef2c7fc762cad68d7be18255bb2d6040f96b0c4cad5319ad478207db65042

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
176KB

MD5
ec368fcc528eafb8e2af023c57c4a326

SHA1
53e8e48a6c2bd4d534106c032e6ca6aad37f3a5f

SHA256
ce7097683cf04296938c4818347dffde6aca3b0c14954faee6fd49b58fc9735e

SHA512
d6c58683057b63c436711ef703c9a67b9871bef2237cf5840e5bffac031f29c14de4c0fdd48b259b5f6cec2a18c0ac45f07847c2946f9b421e594771a15d533e

Download Submit
C:\Users\Admin\Downloads\7z2301.Q58w3BA1.exe.part

Filesize
63KB

MD5
2d202254e0dd1d0901d0cbc05fafc097

SHA1
b8d8d09b3e46d7b70ea4f5eff3ee649b7520c226

SHA256
c61a265ec931564a3665159d05e932bbeac5100685cdf760db44f39bb39819e9

SHA512
824ff1081357fdc85b3b46d21520449ada5837b28c4ca948b7de832105aaaf139b7f82f282e1f2eeadb4ff9d8b8865b061d359528b9b49d58a1e71c2d88f1473

Download Submit
C:\Users\Admin\Downloads\7z2301.exe

Filesize
1.2MB

MD5
1cfb215a6fb373ac33a38b1db320c178

SHA1
d5d00e6ea8b8e68ce7a704fd478dc950e543c25c

SHA256
9b6682255bed2e415bfa2ef75e7e0888158d1aaf79370defaa2e2a5f2b003a59

SHA512
462876f1f3ee932d3f0363fd65a4043ded53c82a148bbe7b8e939384f752f35d0761eebd71f407cadd0b66ce96f30dadb071e3bd2d12a257a8e0dad04a63532a

Download Submit
C:\Users\Admin\Downloads\7z2301.exe

Filesize
1.2MB

MD5
1cfb215a6fb373ac33a38b1db320c178

SHA1
d5d00e6ea8b8e68ce7a704fd478dc950e543c25c

SHA256
9b6682255bed2e415bfa2ef75e7e0888158d1aaf79370defaa2e2a5f2b003a59

SHA512
462876f1f3ee932d3f0363fd65a4043ded53c82a148bbe7b8e939384f752f35d0761eebd71f407cadd0b66ce96f30dadb071e3bd2d12a257a8e0dad04a63532a

Download Submit
C:\Users\Admin\Downloads\JPEGView32_1.3.46.7z

Filesize
2.3MB

MD5
7b385967f19470e7395332c7b43397d5

SHA1
c0de1aba2632a072eda9e71e910697f5f9f1ba17

SHA256
f91c1135dea06acbd3f22f13683433fa3da5a772a4cdb26c5dfe67b082447409

SHA512
44876c2eb6f4c96f4381027cac6c65e7ae8513506bcf451dcd17e7068404d76048e34f95d0c3f6ab0e01934a529c677914f1364579ae51744cac97c3e0ad3c56

Download Submit
C:\Users\Admin\Downloads\JPEGView32_1.3.46\JPEGView.exe

Filesize
2.4MB

MD5
cf2b8d9d3fe28106b10926f82e664b45

SHA1
d60d5d15352573b2c6f9f747c36a693e0b59e393

SHA256
0e4ae5a5643671a6822323a42fddfec50059beabd7ab5470997799b64873bb62

SHA512
988fd625c5b12520d026e579031ec075ef1d951e032015b558157c286fd1f8467af869cb45e22ceab34e1268246424cf44aeb2ba72aae33c6ab20ef2fd5714a6

Download Submit
C:\Users\Admin\Downloads\JPEGView32_1.3.46\JPEGView.exe

Filesize
2.4MB

MD5
cf2b8d9d3fe28106b10926f82e664b45

SHA1
d60d5d15352573b2c6f9f747c36a693e0b59e393

SHA256
0e4ae5a5643671a6822323a42fddfec50059beabd7ab5470997799b64873bb62

SHA512
988fd625c5b12520d026e579031ec075ef1d951e032015b558157c286fd1f8467af869cb45e22ceab34e1268246424cf44aeb2ba72aae33c6ab20ef2fd5714a6

Download Submit
C:\Users\Admin\Downloads\JPEGView32_1.3.46\JPEGView.exe

Filesize
2.4MB

MD5
cf2b8d9d3fe28106b10926f82e664b45

SHA1
d60d5d15352573b2c6f9f747c36a693e0b59e393

SHA256
0e4ae5a5643671a6822323a42fddfec50059beabd7ab5470997799b64873bb62

SHA512
988fd625c5b12520d026e579031ec075ef1d951e032015b558157c286fd1f8467af869cb45e22ceab34e1268246424cf44aeb2ba72aae33c6ab20ef2fd5714a6

Download Submit
C:\Users\Admin\Downloads\JPEGView32_1.3.46\JPEGView.ini

Filesize
31KB

MD5
94fa1adf4a96f59262107f83b4bafb56

SHA1
d0adf183bd3ee36c54596a2dd3c6f70227b49617

SHA256
560de76e5d33f67b0fd39582830ad1fde44202716511bdba68f79b0c54bd5ecf

SHA512
732e7e99fdadb6d0d9ca2bf9b91f5ceee669e0efc8b41cebcf2f20463f8af182a1f964a164a134edac353586e5090948ec2799b71c9ea21427b437e0ba6f21fe

Download Submit
C:\Users\Admin\Downloads\JPEGView32_1.3.46\KeyMap.txt.default

Filesize
3KB

MD5
167c3f4f84934e6cf99989d17f6b9cd5

SHA1
578a6e6839dbbac46e48306cc859249c05616bcb

SHA256
e47e521e23b295ac8567aa25f4c665bf0b130f77355fda6e92f2d69167533483

SHA512
9de79b579548326e412b08ea24fbed1cce0c9cf938e47935b24a150156e389e97d2d901c8eeda4a5f3a1d711e33a89d823b1efd5f50d7243ea70c385c03e4892

Download Submit
C:\Users\Admin\Downloads\JPEGView32_1.3.46\NavPanel.png

Filesize
749B

MD5
e0846c4e3bcbe6ed550a7a8c632c20c1

SHA1
5ff1a3f0e6ce35ff793b700aa17b5e2e1d8402dc

SHA256
b63e2fd639e10bfde4c56b15c3d1a8c5e612e88623ad738d50649f5142e744fb

SHA512
f5fc86d61e7ab58e598abe7dc8ed9b4d2e96f53b993cbce5807e882a61030eaebcb6fb7292c2078bb34609d5706ec21a8fdbc72359e21acf2d2b5c94d0ba99de

Download Submit
C:\Users\Admin\Downloads\JPEGView32_1.3.46\WICLoader.dll

Filesize
72KB

MD5
189415b4a8921717119016347e78d7cd

SHA1
9d465bc1016a6abdfe3360900a08e6bb67450d6b

SHA256
be92e21b54144845222f6b03764905736c3caf6c5aa62c3442c2079fb3f7a3d9

SHA512
0e12a71368a506ed63d5f9f39ccf214a853b1645bf25f4413f6764cd77be7a86e28b2e48f6b9f1418fc15206c8c7b0219cbb16e501a0b1f369efa922162802fd

Download Submit
C:\Users\Admin\Downloads\JPEGView32_1.3.46\WICLoader.dll

Filesize
72KB

MD5
189415b4a8921717119016347e78d7cd

SHA1
9d465bc1016a6abdfe3360900a08e6bb67450d6b

SHA256
be92e21b54144845222f6b03764905736c3caf6c5aa62c3442c2079fb3f7a3d9

SHA512
0e12a71368a506ed63d5f9f39ccf214a853b1645bf25f4413f6764cd77be7a86e28b2e48f6b9f1418fc15206c8c7b0219cbb16e501a0b1f369efa922162802fd

Download Submit
C:\Users\Admin\Downloads\JPEGView32_1.3.46\WICLoader.dll

Filesize
72KB

MD5
189415b4a8921717119016347e78d7cd

SHA1
9d465bc1016a6abdfe3360900a08e6bb67450d6b

SHA256
be92e21b54144845222f6b03764905736c3caf6c5aa62c3442c2079fb3f7a3d9

SHA512
0e12a71368a506ed63d5f9f39ccf214a853b1645bf25f4413f6764cd77be7a86e28b2e48f6b9f1418fc15206c8c7b0219cbb16e501a0b1f369efa922162802fd

Download Submit
C:\Users\Admin\Downloads\JPEGView32_1.3.46\symbols.km

Filesize
4KB

MD5
551edc7409537d162d869a5fd14f75d2

SHA1
b60c93ada2628ed6eedffdc4089de1818d387ae9

SHA256
40bedf58a0fc30abc468a869797f7ae7cd900d38b577ddb850044aeb3c495bdc

SHA512
4ef0e7c604ca8b23883bfb58590a3cc6cdd6d629532b2636d3b75134db64a2c8cc953e7272060c90ed54ec59eb48ba888fc6381aa63492f49b8df9e3a46d16f1

Download Submit
C:\Users\Admin\Downloads\JPEGView32_1.YZzqOBT0.3.46.7z.part

Filesize
6KB

MD5
e41988ae7f5dc5c1835412b5e37e8078

SHA1
0fff72e39bc64ae5bfed7b6911ab55097ed22d45

SHA256
65e486e9c2900aca035ceef4510a011d6a7103f1b3afeeda2a12b5c497d563f8

SHA512
82a05118ad449ad66dfd76a54ea695a5ffbad00281f87cf191bf845b03c661055bf38f3deaf1b0641d1911c04d7499ed34420fe0a501cb45831367349f28e397

Download Submit
C:\Users\Admin\Downloads\Nahida.oO-GPdOf.zip.part

Filesize
97.0MB

MD5
64d5b473cbe2d8ded837a2b7ed4264df

SHA1
bb09e69453edcdd5cccd20a8e0d6855d4acbff1e

SHA256
4cf94c9ed815008b823bd48b9690b2d36908715d379208aaf4927b716b52a647

SHA512
d7b26817f685f8b629093d77d3fa4ba820fa37b433393927b3a33cbf1b6bd8ded727a21cd8d418cf96f8afa614256491af4033a1fd8549d6f94acb8d6efb8e1c

Download Submit
C:\Users\Admin\Downloads\Nahida.zip

Filesize
97.0MB

MD5
64d5b473cbe2d8ded837a2b7ed4264df

SHA1
bb09e69453edcdd5cccd20a8e0d6855d4acbff1e

SHA256
4cf94c9ed815008b823bd48b9690b2d36908715d379208aaf4927b716b52a647

SHA512
d7b26817f685f8b629093d77d3fa4ba820fa37b433393927b3a33cbf1b6bd8ded727a21cd8d418cf96f8afa614256491af4033a1fd8549d6f94acb8d6efb8e1c

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_1.jpg

Filesize
2.0MB

MD5
5dfc3166847493ca410544941c539e20

SHA1
6a9a76bc1e61abada179f6b492a9996474b0fcef

SHA256
0b54699e6a9f269ad7b278bd542a80aa09966651b2994dede5081b40aa5f7950

SHA512
666dc9a072496b4e33e29800abba61810922a8e28fec2f33c06fbbae3dca9fbd29a85d00911a590094d3339f938aad48e7d86eb382d4c269479b544c85b64e8a

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_10.jpg

Filesize
1.4MB

MD5
b3931cec7319e38aca961c860f9528aa

SHA1
988de34ae426a299d343cc02a5e7692552caa385

SHA256
dcf4c707f0a2e55f17cef82579e3ceff478235ee4340c73b6b672a7c8e6f52ff

SHA512
06912b0719138d19e5b792aa5a55538bf990ff1a07b4c91e522095f40ffa9a18921e8b9c843ad11163b1141f58d056ee04e2dfe22e4b654a1f612a38b6948d94

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_11.jpg

Filesize
1.6MB

MD5
efb81ae484c27a15df9a0db73a8ddbf6

SHA1
1c43ae88a3370dca3ba2db4e7acebf833d90ac66

SHA256
e4b121a6532c9e005047474a3aeefde6739e00110d95c5026316f6ebe86dfa17

SHA512
9e64d72d9f92ae710b8086d617062157e0ba0701f7768e8696052402eaa18a282fd24ae84609673af66b6bc4046d2ca04b98c3169dac37bc53d9e2b229bae713

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_12.jpg

Filesize
2.1MB

MD5
517bbd57433067119b1731be71763281

SHA1
4f7b8a042bafa30f94ec021ee7b7e888e69d41ce

SHA256
222c08f3348c2e5aae04bbd1ed494edf881a0c0878033ee145382a625257debf

SHA512
2402f46a144a6dee8609bfd90aa816a85f7b852247d4a1ca7a4c6283ca6c4e44c3a294182e7e366f4be32e2ca9e1686ddd32d9e392a97116d7225c31e09506c0

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_13.jpg

Filesize
2.2MB

MD5
e6aa37370d5f002b9a7dff4954070625

SHA1
5513f4c5f95859e5a9eecdff6af6f04918e3b862

SHA256
e9881e637656d4195d4fe2f1cb1a8a3c91a4336cbafd4cef93aa1b73da3e1e50

SHA512
0b09dc0fae8a73e9992d91e1e3a8cbf836bcaca7b912eb8bfdc57e25c5ccbda2a4357d366d6e5728b02b0ff3e915e716e5e935984380b7d3a98e7dda500a51f0

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_14.jpg

Filesize
1.6MB

MD5
7cda1876a7dbbd7c0e1b3215a9a50f4b

SHA1
d1de67fc66ac455f1e648e2adb35b720c15f9f2e

SHA256
afafd1faea81d0b95d530508ed6226fb7864562d0878e57d3c654961c8424924

SHA512
9f748bbf8ca193190c91983c1fce58ae0223f047476d72ddf5d6d15c44a91967200e5d25bf32cf39f4265101428a61000f8daacc549c4baa37cc3e608cfe1fcb

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_15.jpg

Filesize
856KB

MD5
b1b7c0892317d8127bbaa39b9ce06efc

SHA1
77f97cec293a8e4d2c0b01f3f80d846d2a0882e9

SHA256
7b21a790b034720a1122448e2bda4d2b22494d0eb9ad33c9fd389cfb7390ef5e

SHA512
59dab9acb6a363c961f3aa2ce75570a9a3963ecc706ca2c0f1b8c0bda4900483608dcbaf12eddc72a56c2cb9a01d789dee2bf1f99577d8103a20e8213d74765e

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_16.jpg

Filesize
575KB

MD5
e04d42d0fa194c1a1f74146e74c221c8

SHA1
6d62f4bf513af4ecabce5a902c3fb93fc90205c3

SHA256
ea0cc7862f9a647841eee2622debedd4f76074002e5443f5b185d6386e19d7d7

SHA512
25708f1170cc00760b0541e300512cdee29ea4820ff7d7d84e66380fbc4f2caa2d4b5d73f4efc67890392454ab0ee2c9cabcd29692d8ac381c85e6da1622ebe5

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_17.jpg

Filesize
1014KB

MD5
2bfd4fd243405b22d99140ad139efa61

SHA1
228f304e0fa6c8694f19c2b010c5b7e139129957

SHA256
312ee610d4dc2c411ab96766eb6ca0c987b0e13292044386b5363ce8faa3e569

SHA512
b07edd490772f43a8ff2f1048b6af193842bf947cf8a656da9b164ae690bb229bfc99c47815140023811fd8282600d7aa385539222c55abf3a499b1c72e0299c

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_18.jpg

Filesize
1.1MB

MD5
f45293707b2e3a8cbb6d0c4210ef787e

SHA1
abe8a44bd9d6dac61d3ed13970ab4b1654f64839

SHA256
aab0fdc72827cae47226908026cd47cc960baacd834715d13c2e01c99103e596

SHA512
4fc340c031bc8adac3be765919df539da5f8b8196312fac147ea68a49754594753945f438a7b1637db1c76ecb08f2e63467f69984d6bcf8e05d74f8a24d66a91

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_19.jpg

Filesize
750KB

MD5
37a98a82f8214dfe23712bf253cb9ef6

SHA1
d8bf9deff88314de426b5e4ef5c5648b9952c3a0

SHA256
7fb1dd15f412b94736becc3d26c7583ddcc3e9507f7bf24c894d3333a24308fc

SHA512
b28626b11828a2344bea9f89cc61cad85d1e99457c7eb0565690808ea4a422d66bb135f22ceeb4f94f22efc536aa910f73c6ff1926858ef264b60c399ed4115d

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_2.jpg

Filesize
1.8MB

MD5
746cf5276eed61760563f342b767d112

SHA1
f46db0229298f020b626ddca71d600da6e798640

SHA256
42948ba3647f47d385ab3b2cc7da731f885dc4762236fff56e841461159989a9

SHA512
617c01476e592d9392f67e03adb421d6e8164e930f6ad569d10eac1dc03b35921bb3c1e8eb3ca7200eaa64038aba07b06731f2779b932fe059daebace2bb89e2

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_20.jpg

Filesize
965KB

MD5
27fed39ff292e8aedc4132d56983120e

SHA1
df266c0346a04afa78f14290912a99524d088729

SHA256
3527684408d4c563b72826e7924d11217399423b8bb8af43d0bd68b56a0b07f8

SHA512
4be7c5bb2b091523ac228984f675f9612c57b3a80fb157a7b7db506f74a8c4fe414c8ce6d748b20091ee6815ef673dd4f5453e5708202b8d335551d3731ac5d2

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_21.jpg

Filesize
1.5MB

MD5
eac226e0cfe258f4df150fe07ba43e1f

SHA1
dd0653ce1bae38ef3a01b85d54e4a7b9c49a6fa0

SHA256
7e9d804f0052abff618339c5e3def5b9f1ae9688e28a4b45ac52d387cc0422d5

SHA512
81395f2feb94483aac4c6f44050a2a0452daa10b8774b26208c938a6bc3e3f5b0c761f70e5828cbd37c4f30374fc74a08c9c7da9d37f73a9eb3f0ca3c612b8f6

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_22.jpg

Filesize
867KB

MD5
c8363abc8d7104b8266ceac248fc461e

SHA1
adab82ed0f0216e3a5fbbbf10f9afe7be7e18798

SHA256
a50007cb7838ead1a9f356e4e2ba08b8ddc47e3d592830af1e6df37ac3a52dea

SHA512
df34c47068e2ca44bbba68b52827b5e06545800cb3b7059fde0c06b966f511573f7c2f9aad0d0a60669116cfcf1f08f583300328610c6ee6d83c1eb46ca6278f

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_23.jpg

Filesize
941KB

MD5
a268407200d5935c6d3d554b3a2ad8cc

SHA1
62db10365a957cceea00c49627424f81e2d2e9ce

SHA256
928b0d51959615b2886e98ea99baf588e2d9f31069b1bd42ffe6d1b3813fc0bc

SHA512
2b4edf21fe6f0801d92a6b5fe941a74441b28b16c785cb6bbc72aa1ef45c1275a2b334a169ef236ab085d57d0e7564a128b538ccb5f50c2e1ce786ed09441fa0

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_24.jpg

Filesize
2.3MB

MD5
275121496178562f57efae5755a1c941

SHA1
f5a4a9b559e63c79c4fce310bc126d4fa6e4efce

SHA256
d3f1eca503696bccdaf18a70678f25c0d1e0a5194820170c16fd71435c3a9975

SHA512
bd14760bccdd2dbd78510bef285a10db9a98db736451734343b85bb9cf4d4d60dd10aa89e410a1c5014ffa5bd00d716ff6e1a5da0af0a66f59584c3e3fdadd85

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_25.jpg

Filesize
1.4MB

MD5
926e7a58539b16e46d890f657cc484f1

SHA1
5fee3993b36c01fccacb849398aa4a54b09a3188

SHA256
cd2c8599f2361e9a43d200fd919eb167ecc3d218bfeb264434aa951f61d39d88

SHA512
454e4c4917040a8b7b57b30f37bd62710538a27fa252afa2c46bcfb1890f7f8d37d5f5cc97521e58d98f76503931ebceda67c356f64b40e450cf896e1eb7f236

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_26.jpg

Filesize
1.3MB

MD5
642a04bdf71ac8ff5ba6695679b33748

SHA1
bebde9291bb229b7e5cbbce2bda904af42acc0b1

SHA256
a227cb518eec25765338eb41696d194f728236f2bf8223636041454539059960

SHA512
82144c0c8883bb439adf202a43564ee1131f0d1d2a3535779ab37e48adb305a03f9942fb229700d8fb13f3244bad78c1c720a60aadaf4e130c0009dd7cb2c872

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_27.jpg

Filesize
1.2MB

MD5
4011a98baa5c9940cb2727c3017298cf

SHA1
5ee7a4fc406c101f29d980918f5eb9644a4eda5e

SHA256
a885a05974c89cd791506231bfedccb3bcf68fc77a493a290a89f5c75644c38b

SHA512
e1361065d764cc91796d220e184695b947d7e58583b5f03e20a0112ca4eecfb7571a6cf62e8e27790cafe86701c1031ceefe043c19da4011f19dbc9c940f77c7

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_28.jpg

Filesize
1.1MB

MD5
448456092466fce0233d100e449d287d

SHA1
2d6cc7fabec1534d655463986d6831f6abf7db3a

SHA256
5c45a564ec6866d0736089805c957ed6e1758dbf21e1b7d08b9aacee0e64a57e

SHA512
5e7046486d5178d601b73790ddbf5e0ce5d64973370c873447f1641ba3a4c78a86b74a3a3e7130f96cf4f78beff4ae0fe18f8a8eadb9cceefac34b5e5800d445

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_29.jpg

Filesize
1.2MB

MD5
86a1b407cc420c597ab47d3514d32e90

SHA1
a0d51fb7a4628e504647adeefd6109161b16f07d

SHA256
ed6b1c8d68ff6b0eb8b6d7d15e4f8cd919ae577f7de74cc2272418efd1c5f120

SHA512
48a0a912bdc5ac90526ad3634b7983da512d9f99f9d7a71cf9a4addb42462f33bbf7b5522d5ae33b8ddc506fb9ccb72e898e652b232d498573789fd82798b808

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_3.jpg

Filesize
1.3MB

MD5
29eeca3e5848ec9d37727ba2caa15879

SHA1
9ef1582a668742c08d91dc67e470a13bc40e8c0d

SHA256
2528d6f81ac86661a5b2329275babf697ffad8023d0be00b5ba8a00c2288fa76

SHA512
bd89e5d0905e3df9d23c2022ea85af83674c72b7481ac49cbee3bc57046f8441199a160143e7e8176371c40a7f21aa5e20d1e65fa1fc471d1e52bd1fdff55532

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_30.jpg

Filesize
1.1MB

MD5
72b6cc92cf59aaf6e4a7a4f75d457ad3

SHA1
7861f8a39daf9fc534aa5d06a90dec9df160c560

SHA256
7696841355cd677cca95e03b86307c939725548e9223c346e71a9c8cab1d4239

SHA512
65144bf9676852b1a3e7824fa1e37dac6c8ab85ae8b0db4b31d62275510f7cb8bc5f9f0e3fc2c1e1a4b6e93c52ae9ee0509889bad26d79a40832104c239b09fa

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_31.jpg

Filesize
1.5MB

MD5
11bc87fa122f22023a773e713df5f08f

SHA1
f431693d1c369ba6828c5c42e6a2b84cd8e769eb

SHA256
178ab183790f1f645694c14d706e6e29957d71ddb8dcc79c803a5287680e29f1

SHA512
f808293e7012f73783359edeee6bfa65b0a324c0241d2395031e25fd4964dddc13047e45b50ed9205eeb14b7b3082de7d6beada4e08c9c45b5f2ac86e5db24da

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_32.jpg

Filesize
1.1MB

MD5
fdc2809d9be2e4ac83cbcb739b7e14bf

SHA1
678c894e8a8a56dcc6eeea16323c2e58a80de4a8

SHA256
d83c6329189e5efd95f5508ebdaf8fa1e2b426323ca1868619518c01afc50cb7

SHA512
d42259c6427a1521f8a707ab4bd48304440c68b9f0908d0e089fca4bd3b37f247232182134c5fc4adb1a47d882c901a3fc7cbab8b39fb6f535b3d10678f13a8d

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_33.jpg

Filesize
1.1MB

MD5
65d54f00bf2fb36f30e06ec7f34008ae

SHA1
a45cf5c3c751935aafd41eee63205b844f624d64

SHA256
39006205add779c2d8e02c7171754fc4b132503a28668a05e8d2c7982a31deda

SHA512
21c7a4d9bca7d319b0d0650199c9fa02e50c47b16c177db98789ca93f0ad41092f9d1ce2cfa472508e8408eadb5791ba5ff9facca1717b82e3a15f76f1c42529

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_34.jpg

Filesize
1.1MB

MD5
f110814faee4aaf8c0c3a8e100258878

SHA1
12caee62f41da0b2ca8bedc8db824a858d15892d

SHA256
0b7b6c55f09024839756cf8a1baf78c63aac1a28d48c1354899afc6786329de5

SHA512
c03e9011ed550391641ffea7eb966a4d1925c8a56ff96664cb916d2688785080cf58ad8c1b1011a124e5a5c3a467e71900b84e0d7b1aacfea8ff3512f53b9059

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_35.jpg

Filesize
1.2MB

MD5
04371c609c970a0997d93a51d9cc49f7

SHA1
5fb58415322b824c27c688b2d5cdef3859b1890e

SHA256
da61dbab67a34f0f1030d1c5ca40739bce190a4b6d62adba9b2e3aa0b199a8fd

SHA512
2802c50f6c561475c80a0805808406d911f1bc71f63f8664dcdf2a8019aaf531febe43714ddcd010184365d9c2f02d134bcd7ad7a3676db4cd35f1d2e9d35bab

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_36.jpg

Filesize
1.1MB

MD5
934ebd67badb2aebccb0c2c683b8d3e9

SHA1
e2528c0dfbd11fcd1afdb585fbe2beae8fd6e296

SHA256
7c0e2f0c71f6e458db07095b03078f6d2fc0d074fb8f12102bab1675fd18aaa4

SHA512
f35b1631c6fa9d18993a04106a9612ccc643344a349dce7c4559f2c7553faaf64dadfb43c589936950a54841036f7d2a0fd6dc171e9048ab96e19eab6218f09b

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_37.jpg

Filesize
1.2MB

MD5
22c5108e6add83795a9510a041e0b9e7

SHA1
c4d62aaadca3f29fc6e0d40797714522285a1998

SHA256
01596ec2f6d41d4c59ea790a482eef9fc58f43b34d264fd041a8d3058b63f7ca

SHA512
839ae4669de570c04e94f7f94576214db40ebe9df90b46230eefa34cf3228b012636556df3d2ab75cfea462913579ea1284a69b8564894d5d96f331d90c4534c

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_38.jpg

Filesize
1.0MB

MD5
6bbf27a107e7134c8294f17f927b659a

SHA1
6aa6661864e40317916297e39788e6064fc997b8

SHA256
5c86772bbfe5287fc4554d87d4aeccce7fb0aecd265367ef54196ec656c74c02

SHA512
32d7f0bd26570156691461b8382fb110e2ff00119968abdb359c7eff571e470a4ec9286fb9229eba35d3057ae67ca840e4827bb6cef5d24d73d82568b828dc4b

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_39.jpg

Filesize
1.3MB

MD5
790efd2d011156faa099bfafcfe56fa5

SHA1
90cdebeff985b9a3d7f08e9fd22332449858a496

SHA256
daa8bca7805d297a37b90c060364da74592e7a8775b318e84abdf1a0a385f8cb

SHA512
60338eb595764a86e8b8b5b75107acf95f8a40e4b17373ffcf58d2b7128557f22bbe6f655a715fc7358878001db87e3179641c3e9c1002a7cb9755d54f0b7f89

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_4.jpg

Filesize
1.3MB

MD5
b2bcf29eee5151a3247d24ad07474a18

SHA1
f0705005218cce44a0b09a3fb1cf9abc506b8065

SHA256
d212f0a2beaf4c2bb3d782f7e7212bf3e3fa1bd5ddd5e178ffe60de8bd332e0c

SHA512
74e57690d7c00acbb7e4a8dedf3aba098d8f1784a4c21efdb250c761213e07f5d2f2d2813f0588e5c5eece4906d23f04a8103b80058847a59f9b2b4ab0cd4574

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_63.jpg

Filesize
761KB

MD5
b5078803e938f6de011cf151a6301e36

SHA1
64830313f0ca1567fce319cf6b98f0329f0b1a8b

SHA256
de479af1877f40d3ad63c6b45dd998943897563ed2065053498b798e6b912326

SHA512
dc926134b64a339dc60f8938818bff417f13a5006844df6c28818b73a4dda79b7a0deeddddc50005b480601dcdd40e07bef2a4069c53ce2c5f4c244aa3a9a899

Download Submit
C:\Users\Admin\Downloads\软萌兔兔酱 - Nahida\软萌兔兔酱 - Nahida\0408_9.jpg

Filesize
1.1MB

MD5
02c37998045d1d5f9a932bbcbc62111f

SHA1
f6d4867a72be4791a2fb2c800cedbbfc049a2dae

SHA256
14e1f6cba1a33de60e979605a53b5b1a15fc493eabc63f5e8c177414784430e1

SHA512
babf28b75b658ba971f4ff3c63ac212e4714e21b6f426ef16b0aca54ab6e6d047a763eae6bdd8f814a477e1c195b8442d4a0c1dae25b6c3d6863c60e8202204d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk

Filesize
8KB

MD5
767026e1cd4025e5b0ac3de13552526d

SHA1
11e3c36c9a129802f9478d227871b95a642456da

SHA256
d8d4f45dc51e93c086b1b620e3b90cd51ca5f5c431649bcefc16e72cd469160d

SHA512
ad4276fa678f393c04a96b7aa225b5ffe87005f404e870ef2d81d88e79decaedca9e11eaea85544a3324b11c3c1c412c457e8201bdd9b5487b93b7d9788e0a99

Download Submit
memory/2228-2025-0x00000272D3A70000-0x00000272D3A71000-memory.dmp

Filesize
4KB

Download
memory/2228-2008-0x00000272CB660000-0x00000272CB670000-memory.dmp

Filesize
64KB

Download
memory/2228-3834-0x00000272D3AD0000-0x00000272D3AD1000-memory.dmp

Filesize
4KB

Download
memory/2228-3829-0x00000272D3AE0000-0x00000272D3AE1000-memory.dmp

Filesize
4KB

Download
memory/2228-2012-0x00000272CB6A0000-0x00000272CB6B0000-memory.dmp

Filesize
64KB

Download
memory/2228-2019-0x00000272D3960000-0x00000272D3961000-memory.dmp

Filesize
4KB

Download
memory/2228-2021-0x00000272D39E0000-0x00000272D39E1000-memory.dmp

Filesize
4KB

Download
memory/2228-2023-0x00000272D39E0000-0x00000272D39E1000-memory.dmp

Filesize
4KB

Download
memory/2228-2024-0x00000272D3A70000-0x00000272D3A71000-memory.dmp

Filesize
4KB

Download
memory/2228-2026-0x00000272D3A80000-0x00000272D3A81000-memory.dmp

Filesize
4KB

Download
memory/2228-2027-0x00000272D3A80000-0x00000272D3A81000-memory.dmp

Filesize
4KB

Download
memory/3984-2306-0x000002B60D1A0000-0x000002B60D1C2000-memory.dmp

Filesize
136KB

Download
memory/3984-2307-0x00007FF88B820000-0x00007FF88C2E1000-memory.dmp

Filesize
10.8MB

Download
memory/3984-2308-0x000002B6254A0000-0x000002B6254B0000-memory.dmp

Filesize
64KB

Download
memory/3984-2309-0x000002B6262C0000-0x000002B626304000-memory.dmp

Filesize
272KB

Download
memory/3984-2310-0x000002B626390000-0x000002B626406000-memory.dmp

Filesize
472KB

Download
memory/3984-2313-0x00007FF88B820000-0x00007FF88C2E1000-memory.dmp

Filesize
10.8MB

Download