hxxps://drive[.]google[.]com/file/d/19DejWH4JWANhvtfK-xrmB1SO8cn2KZnx/view

Analysis

max time kernel
116s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-08-2024 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/19DejWH4JWANhvtfK-xrmB1SO8cn2KZnx/view

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
7	drive.google.com
8	drive.google.com
9	drive.google.com
10	drive.google.com

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Wexside3.0.zip:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5084	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	892	firefox.exe
Token: SeDebugPrivilege	892	firefox.exe
Token: SeDebugPrivilege	892	firefox.exe
Token: SeIncreaseQuotaPrivilege	1000	WMIC.exe
Token: SeSecurityPrivilege	1000	WMIC.exe
Token: SeTakeOwnershipPrivilege	1000	WMIC.exe
Token: SeLoadDriverPrivilege	1000	WMIC.exe
Token: SeSystemProfilePrivilege	1000	WMIC.exe
Token: SeSystemtimePrivilege	1000	WMIC.exe
Token: SeProfSingleProcessPrivilege	1000	WMIC.exe
Token: SeIncBasePriorityPrivilege	1000	WMIC.exe
Token: SeCreatePagefilePrivilege	1000	WMIC.exe
Token: SeBackupPrivilege	1000	WMIC.exe
Token: SeRestorePrivilege	1000	WMIC.exe
Token: SeShutdownPrivilege	1000	WMIC.exe
Token: SeDebugPrivilege	1000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1000	WMIC.exe
Token: SeRemoteShutdownPrivilege	1000	WMIC.exe
Token: SeUndockPrivilege	1000	WMIC.exe
Token: SeManageVolumePrivilege	1000	WMIC.exe
Token: 33	1000	WMIC.exe
Token: 34	1000	WMIC.exe
Token: 35	1000	WMIC.exe
Token: 36	1000	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1000	WMIC.exe
Token: SeSecurityPrivilege	1000	WMIC.exe
Token: SeTakeOwnershipPrivilege	1000	WMIC.exe
Token: SeLoadDriverPrivilege	1000	WMIC.exe
Token: SeSystemProfilePrivilege	1000	WMIC.exe
Token: SeSystemtimePrivilege	1000	WMIC.exe
Token: SeProfSingleProcessPrivilege	1000	WMIC.exe
Token: SeIncBasePriorityPrivilege	1000	WMIC.exe
Token: SeCreatePagefilePrivilege	1000	WMIC.exe
Token: SeBackupPrivilege	1000	WMIC.exe
Token: SeRestorePrivilege	1000	WMIC.exe
Token: SeShutdownPrivilege	1000	WMIC.exe
Token: SeDebugPrivilege	1000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1000	WMIC.exe
Token: SeRemoteShutdownPrivilege	1000	WMIC.exe
Token: SeUndockPrivilege	1000	WMIC.exe
Token: SeManageVolumePrivilege	1000	WMIC.exe
Token: 33	1000	WMIC.exe
Token: 34	1000	WMIC.exe
Token: 35	1000	WMIC.exe
Token: 36	1000	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3124	WMIC.exe
Token: SeSecurityPrivilege	3124	WMIC.exe
Token: SeTakeOwnershipPrivilege	3124	WMIC.exe
Token: SeLoadDriverPrivilege	3124	WMIC.exe
Token: SeSystemProfilePrivilege	3124	WMIC.exe
Token: SeSystemtimePrivilege	3124	WMIC.exe
Token: SeProfSingleProcessPrivilege	3124	WMIC.exe
Token: SeIncBasePriorityPrivilege	3124	WMIC.exe
Token: SeCreatePagefilePrivilege	3124	WMIC.exe
Token: SeBackupPrivilege	3124	WMIC.exe
Token: SeRestorePrivilege	3124	WMIC.exe
Token: SeShutdownPrivilege	3124	WMIC.exe
Token: SeDebugPrivilege	3124	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3124	WMIC.exe
Token: SeRemoteShutdownPrivilege	3124	WMIC.exe
Token: SeUndockPrivilege	3124	WMIC.exe
Token: SeManageVolumePrivilege	3124	WMIC.exe
Token: 33	3124	WMIC.exe
Token: 34	3124	WMIC.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
892	firefox.exe
892	firefox.exe
892	firefox.exe
892	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 892	3676	firefox.exe	83
PID 3676 wrote to memory of 892	3676	firefox.exe	83
PID 3676 wrote to memory of 892	3676	firefox.exe	83
PID 3676 wrote to memory of 892	3676	firefox.exe	83
PID 3676 wrote to memory of 892	3676	firefox.exe	83
PID 3676 wrote to memory of 892	3676	firefox.exe	83
PID 3676 wrote to memory of 892	3676	firefox.exe	83
PID 3676 wrote to memory of 892	3676	firefox.exe	83
PID 3676 wrote to memory of 892	3676	firefox.exe	83
PID 3676 wrote to memory of 892	3676	firefox.exe	83
PID 3676 wrote to memory of 892	3676	firefox.exe	83
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 4812	892	firefox.exe	85
PID 892 wrote to memory of 2332	892	firefox.exe	86
PID 892 wrote to memory of 2332	892	firefox.exe	86
PID 892 wrote to memory of 2332	892	firefox.exe	86
PID 892 wrote to memory of 2332	892	firefox.exe	86
PID 892 wrote to memory of 2332	892	firefox.exe	86
PID 892 wrote to memory of 2332	892	firefox.exe	86
PID 892 wrote to memory of 2332	892	firefox.exe	86
PID 892 wrote to memory of 2332	892	firefox.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://drive.google.com/file/d/19DejWH4JWANhvtfK-xrmB1SO8cn2KZnx/view"
1⤵
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://drive.google.com/file/d/19DejWH4JWANhvtfK-xrmB1SO8cn2KZnx/view
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1932 -prefMapHandle 1940 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7deec6ef-d234-4cfe-bffb-bd5a4a4a7b48} 892 "\\.\pipe\gecko-crash-server-pipe.892" gpu
    3⤵
    PID:4812
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2416 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8d91309-36d9-4133-99fe-de441ccccc3c} 892 "\\.\pipe\gecko-crash-server-pipe.892" socket
    3⤵
    - Checks processor information in registry
    PID:2332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2988 -childID 1 -isForBrowser -prefsHandle 2948 -prefMapHandle 2956 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82999e66-ed34-48cf-aa7d-47161075a196} 892 "\\.\pipe\gecko-crash-server-pipe.892" tab
    3⤵
    PID:1624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3928 -childID 2 -isForBrowser -prefsHandle 3920 -prefMapHandle 3916 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80592e1c-40db-438d-830d-55008387362d} 892 "\\.\pipe\gecko-crash-server-pipe.892" tab
    3⤵
    PID:2812
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4812 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4804 -prefMapHandle 4800 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f44becb2-fdd5-4fae-b6d0-4e61236fe1b2} 892 "\\.\pipe\gecko-crash-server-pipe.892" utility
    3⤵
    - Checks processor information in registry
    PID:3860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5356 -childID 3 -isForBrowser -prefsHandle 5376 -prefMapHandle 5328 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98a8264f-dffe-4d01-b6f7-d7a2d7b2a379} 892 "\\.\pipe\gecko-crash-server-pipe.892" tab
    3⤵
    PID:3460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 4 -isForBrowser -prefsHandle 5520 -prefMapHandle 5524 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02181d43-f796-417f-8794-6d22bf963099} 892 "\\.\pipe\gecko-crash-server-pipe.892" tab
    3⤵
    PID:3336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5800 -childID 5 -isForBrowser -prefsHandle 5720 -prefMapHandle 5792 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03e25578-71b3-4569-8d71-77229ce1dc85} 892 "\\.\pipe\gecko-crash-server-pipe.892" tab
    3⤵
    PID:1440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5736 -childID 6 -isForBrowser -prefsHandle 6136 -prefMapHandle 6132 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f359540-3bab-4174-8fa5-deb8c503fa9b} 892 "\\.\pipe\gecko-crash-server-pipe.892" tab
    3⤵
    PID:4532

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Wexside3.0\start.bat" "
1⤵
PID:1196
- C:\Windows\system32\chcp.com
  chcp.com 437
  2⤵
  PID:4532
- C:\Windows\system32\findstr.exe
  fiNdstr /L /I set "C:\Users\Admin\Desktop\Wexside3.0\start.bat"
  2⤵
  PID:4896
- C:\Windows\system32\findstr.exe
  fiNdstr /L /I goto "C:\Users\Admin\Desktop\Wexside3.0\start.bat"
  2⤵
  PID:1872
- C:\Windows\system32\findstr.exe
  fiNdstr /L /I echo "C:\Users\Admin\Desktop\Wexside3.0\start.bat"
  2⤵
  PID:3500
- C:\Windows\system32\findstr.exe
  fiNdstr /L /I pause "C:\Users\Admin\Desktop\Wexside3.0\start.bat"
  2⤵
  PID:1376
- C:\Windows\system32\find.exe
  find
  2⤵
  PID:1692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type tmp
  2⤵
  PID:2356
- C:\Windows\system32\find.exe
  find
  2⤵
  PID:2484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type tmp
  2⤵
  PID:4000
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get Name
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1000
- C:\Windows\system32\findstr.exe
  findstr /C:"Intel Core Processor (Broadwell)"
  2⤵
  PID:848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Wexside3.0\start.bat" "
1⤵
PID:4484
- C:\Windows\system32\chcp.com
  chcp.com 437
  2⤵
  PID:2316
- C:\Windows\system32\findstr.exe
  fiNdstr /L /I set "C:\Users\Admin\Desktop\Wexside3.0\start.bat"
  2⤵
  PID:1472
- C:\Windows\system32\findstr.exe
  fiNdstr /L /I goto "C:\Users\Admin\Desktop\Wexside3.0\start.bat"
  2⤵
  PID:1596
- C:\Windows\system32\findstr.exe
  fiNdstr /L /I echo "C:\Users\Admin\Desktop\Wexside3.0\start.bat"
  2⤵
  PID:2264
- C:\Windows\system32\findstr.exe
  fiNdstr /L /I pause "C:\Users\Admin\Desktop\Wexside3.0\start.bat"
  2⤵
  PID:1324
- C:\Windows\system32\find.exe
  find
  2⤵
  PID:2488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type tmp
  2⤵
  PID:2740
- C:\Windows\system32\find.exe
  find
  2⤵
  PID:3396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type tmp
  2⤵
  PID:2712
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get Name
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3124
- C:\Windows\system32\findstr.exe
  findstr /C:"Intel Core Processor (Broadwell)"
  2⤵
  PID:3420

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Wexside3.0\start.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
2730ee608e3f1ea9507c0061fe7f4ebf

SHA1
d02d20daba23acc449b85e8bc04bd0b86679190c

SHA256
24d389c1a0e9b5c634bf3856a96a17541ed3a787ecc56aa8f26a775a219c3c52

SHA512
b13a3d8204a873cc461daeb1f5924b98fc685fbb48a25e27e64f05ce97360e59b7aaf5a4e27a520a2d73aeeccff122adddf155dec1cd2a1b31f178d1ee220c80

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

Filesize
7KB

MD5
b9a4d0e38e689ba58568455c1b9c0de6

SHA1
74a3ee14ba501e20fa193a17705aa86ec0e9372f

SHA256
3382ca6ff33b5aca1bf600e7d5333bbb0e5f7fcb910b833ffa97e95502b32e0a

SHA512
83304e23ae1697e07a7745cd2b1427c27aaaf3ea638660ddd32296f98f092194199aabd0fa6d40440d70f98088e61713dd518a5c9151b3839c5dcb0e4753dfdb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

Filesize
26KB

MD5
d9b8d50d71cf56ebd0907b3b1564e051

SHA1
bd2f162b50f33006b9c158eee26ea02f3878357f

SHA256
bcb501557a6bddd753e9ebd6cc113a8c8704c4e97cbd9dd34fdaeef2f7ab471a

SHA512
9404e636c2a4e413da6115392692f5adb953ace8ad49ee230822fd9a4687afbcccdaa794375dca1376ec51993aff0daabcf7107b8fe2fda4d7c8645ac6b88e47

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
35KB

MD5
9623c3dd2beb971aef9a6dfa8145b068

SHA1
1a0c30872bfda78f5059e9cb7cf4d6df048303f2

SHA256
8c679ab8df7ab8e9856e5c1f26851b707afe32fbfd5d81ab5a0d0d369659f61b

SHA512
0dfc2c0bc23e60f33f145dd572409f9a073089799f3126253be65012843ef5426d09b40cee36d32d3cffc5a0e29e4af00bdb356f1b8967a5d0998de5e3d9ef33

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
36KB

MD5
f61f50c4b2e4d63ee27cc83284911225

SHA1
e95e7c2e53a8d6868e2cba9190f81f9cd91ecdb9

SHA256
30bb160493fd84f08f9c808bc955ea7359aa17075e69bed98f0fe9386ac4c04f

SHA512
9c03aba650e8b1847af9a942715d0f68a9cbe16985fac5538cbd060fb174d35e81a61afc37b8e18048f51a366d79e5a58f5c7f75333a79242667c04951a8381f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
5e7120f73025cb6a5e00b1d560559736

SHA1
eb261ec55cd33f3bd42edb5e8a9aaa73d31a76f2

SHA256
dbbad50bec49f8961043c3fdc9f36251ff0b55f3d30199e5f8b9c213ce6c4503

SHA512
165ff498817489447e8618f94a1d37f975a972d56beec14589d90a43ed828ded36effcc39c8eaf31e3f088cf78b2e2b523abde68dec598a4dbdb796b67e288a2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\a71f7b31-c963-4970-95bc-f7586396061b

Filesize
13KB

MD5
a732852e9e096e2c44fe878cecf476ee

SHA1
b1dab3c3637cdae5de6540c7c18bd26b7117c4b0

SHA256
dbd9ed0a6261471725237192de09836190de8facd35b0c82e1763e46da1da5b1

SHA512
78763cbd452d32ceb98f2ef3912d4187e3499d02ff5103f13d0ee51dfa6636e3c84c248febc3731a0f71940e5a31276877cde085fc5fec676afe0d62f2bb094b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\cc7ba920-427f-40a6-b2b2-dbd6cb7a4453

Filesize
671B

MD5
98084917a467f1c14a0b64a6615149a7

SHA1
34fe746ac03f883d8e89fd7667f82eadf577b8b2

SHA256
6f07608c5f3d61aede317bf18a84dc9d0d495a425c6639a30d666369696bb37c

SHA512
8c4a4b753d87a91078dd01cb29cf238eeaf1b7f8767ce0e43a9a6280bcac2661ec6c8db750d0644838ab8ffc0daefb4032deb6b94867058bb21056585974372b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\f09cec5b-9b08-4fc8-af51-ddcaa91d97a1

Filesize
25KB

MD5
79cbcdb67c2cf8477e557d735f35f1af

SHA1
34fddd6fa7b43efb092db958ab4d197ef9cad66a

SHA256
7db779794083f104bb75e51955586fdbce848245fc03267c889c6a47b2281d60

SHA512
265954fff29b160da361a7de314f1981794a26458935caad007d7b5d1a6f52a2820755942d6b70b1682bd3bfb35958febb7bc040e790b41565fec5cb97b42c95

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\f180df68-95e6-4a5c-af18-16ef8d6c806d

Filesize
982B

MD5
cbfd1f891e1e607b9e742b2f9a07e242

SHA1
67a62c049e21e901112d41496fe43dfe3db89171

SHA256
e1b1516baa61c3ff7d39a05546a52cd3a6cd627db1a9681218385b7cff9a24a6

SHA512
164d833b5f62935fe2f99daca30ecfe4024423503b0d69e62434c34a68eba6bcb46dcc8fae903124c55ed40153d644b5bdbd2feb1251645126f8cb70b01cbf46

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs-1.js

Filesize
11KB

MD5
19b2658ceef43f7f1f3ed2a240f10200

SHA1
7828b89cf0b4326efda38284f1813b6c90f20eb2

SHA256
2fd10cb6fc1042bc72da2a3378ddf85b99ca254cd9864d33cd18afa758b6d0da

SHA512
c975111a9b457f55e5a92858ecadb94a36cd397400668a8bc3f50257206209b2425b9c51c51bb9f78e5c5f17759ba3564a5a7bafee7185fc14821bbe8d27182a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs.js

Filesize
11KB

MD5
f79d2b08ab55216e06f22582cbb55627

SHA1
eb8572b1481fe608467b9c1a4d1b3d6a14aea16e

SHA256
665310d034f2180966ebce3471b4e682f16aa9fd6146b70cbdc4fd7fc57cdb7d

SHA512
16c76f00cd06088f19455a29e5598644e88cd7b15d5a941e02f64d31e35c7ad31e99ea4a98510e8631685b582f2eadcb5b97cb6230cddbbcb23d5945fc622aae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
7540677446f32429e2c60b04f8aa78a7

SHA1
2bdf0cd14520c3295712e92504255c42e68d0e57

SHA256
ae75563b7db9ce1d844c5218b011ac81ba3080b0f6886955eb7c9f3b8d4606bb

SHA512
0b58b25b9a676f0af4f595307b7cef02c35ee93ea332c2882439276123e100200cb2800bee419ef7ac13b1de6985eadc8a5bf8c1e152d99300cd11aab04d49eb

Download Submit
C:\Users\Admin\Desktop\Wexside3.0\tmp

Filesize
14B

MD5
ce585c6ba32ac17652d2345118536f9c

SHA1
be0e41b3690c42e4c0cdb53d53fc544fb46b758d

SHA256
589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3

SHA512
d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752

Download Submit