rhadamanthys | hxxps://sourceforge[.]net/projects/black-myth-wukong-download/

Analysis

max time kernel
154s
max time network
168s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
22-08-2024 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://sourceforge.net/projects/black-myth-wukong-download/

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

https://144.76.133.166:8034/5502b8a765a7d7349/8duqxdnh.falc4

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

aspnet_regiis.exe

description	pid	Process	procid_target
PID 5780 created 2372	5780	aspnet_regiis.exe	41

Executes dropped EXE 2 IoCs

Processes:

MultiSetup.exeMultiSetup.exe

pid	Process
5644	MultiSetup.exe
6040	MultiSetup.exe

Loads dropped DLL 1 IoCs

Processes:

MultiSetup.exe

pid	Process
5644	MultiSetup.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

MultiSetup.exe

description	pid	Process	procid_target
PID 5644 set thread context of 5780	5644	MultiSetup.exe	93

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
5924	5780	WerFault.exe	93
5944	5780	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MultiSetup.exeaspnet_regiis.exeopenwith.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MultiSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies registry class 2 IoCs

Processes:

firefox.exeOpenWith.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

Processes:

firefox.exe

description	ioc	Process
File created	C:\Users\Admin\Downloads\Setup.zip:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
3196	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

aspnet_regiis.exeopenwith.exe

pid	Process
5780	aspnet_regiis.exe
5780	aspnet_regiis.exe
5844	openwith.exe
5844	openwith.exe
5844	openwith.exe
5844	openwith.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

firefox.exe7zG.exesvchost.exe

description	pid	Process
Token: SeDebugPrivilege	2256	firefox.exe
Token: SeDebugPrivilege	2256	firefox.exe
Token: SeDebugPrivilege	2256	firefox.exe
Token: SeRestorePrivilege	5596	7zG.exe
Token: 35	5596	7zG.exe
Token: SeSecurityPrivilege	5596	7zG.exe
Token: SeSecurityPrivilege	5596	7zG.exe
Token: SeDebugPrivilege	2256	firefox.exe
Token: SeDebugPrivilege	2256	firefox.exe
Token: SeDebugPrivilege	2256	firefox.exe
Token: SeBackupPrivilege	5824	svchost.exe
Token: SeRestorePrivilege	5824	svchost.exe
Token: SeSecurityPrivilege	5824	svchost.exe
Token: SeTakeOwnershipPrivilege	5824	svchost.exe
Token: 35	5824	svchost.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

firefox.exe7zG.exe

pid	Process
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
5596	7zG.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid	Process
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe

Suspicious use of SetWindowsHookEx 22 IoCs

Processes:

firefox.exeOpenWith.exe

pid	Process
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2572	OpenWith.exe
2572	OpenWith.exe
2572	OpenWith.exe
2572	OpenWith.exe
2572	OpenWith.exe
2572	OpenWith.exe
2572	OpenWith.exe
2572	OpenWith.exe
2572	OpenWith.exe
2572	OpenWith.exe
2572	OpenWith.exe
2572	OpenWith.exe
2572	OpenWith.exe
2572	OpenWith.exe
2572	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	Process	procid_target
PID 4388 wrote to memory of 2256	4388	firefox.exe	74
PID 4388 wrote to memory of 2256	4388	firefox.exe	74
PID 4388 wrote to memory of 2256	4388	firefox.exe	74
PID 4388 wrote to memory of 2256	4388	firefox.exe	74
PID 4388 wrote to memory of 2256	4388	firefox.exe	74
PID 4388 wrote to memory of 2256	4388	firefox.exe	74
PID 4388 wrote to memory of 2256	4388	firefox.exe	74
PID 4388 wrote to memory of 2256	4388	firefox.exe	74
PID 4388 wrote to memory of 2256	4388	firefox.exe	74
PID 4388 wrote to memory of 2256	4388	firefox.exe	74
PID 4388 wrote to memory of 2256	4388	firefox.exe	74
PID 2256 wrote to memory of 3676	2256	firefox.exe	75
PID 2256 wrote to memory of 3676	2256	firefox.exe	75
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 2448	2256	firefox.exe	76
PID 2256 wrote to memory of 4064	2256	firefox.exe	77
PID 2256 wrote to memory of 4064	2256	firefox.exe	77
PID 2256 wrote to memory of 4064	2256	firefox.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2372
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5844

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://sourceforge.net/projects/black-myth-wukong-download/"
1⤵
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://sourceforge.net/projects/black-myth-wukong-download/
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2256.0.296449121\1283654896" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1668 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {69a8d481-846a-4f94-891e-f598b9dda882} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" 1780 1fef73f3e58 gpu
    3⤵
    PID:3676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2256.1.1544951602\2077613111" -parentBuildID 20221007134813 -prefsHandle 2128 -prefMapHandle 2124 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d375a2e4-6bd4-4cb4-ba50-5bb8a1fb4445} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" 2156 1feec372558 socket
    3⤵
    PID:2448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2256.2.1415566773\1868035241" -childID 1 -isForBrowser -prefsHandle 2940 -prefMapHandle 2944 -prefsLen 21711 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2494b212-d0c7-4aab-add0-bc9697e5ad87} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" 2956 1fefb3cb458 tab
    3⤵
    PID:4064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2256.3.231029960\1629641690" -childID 2 -isForBrowser -prefsHandle 3568 -prefMapHandle 3560 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6437d4f-6ead-40e1-a646-843645893c47} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" 3588 1fefca3a358 tab
    3⤵
    PID:2816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2256.4.183566066\322101330" -childID 3 -isForBrowser -prefsHandle 4792 -prefMapHandle 4788 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4c37f35-f521-44aa-9016-6e5c1115620a} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" 4804 1fefe019258 tab
    3⤵
    PID:4828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2256.5.490160625\1415861841" -childID 4 -isForBrowser -prefsHandle 4940 -prefMapHandle 4944 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ead2e257-297f-40b3-b637-0ae5f5e5f0a5} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" 4932 1fefe044158 tab
    3⤵
    PID:2820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2256.6.22161123\482577425" -childID 5 -isForBrowser -prefsHandle 5136 -prefMapHandle 5140 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad59aeff-725e-4c01-98be-b029d863dd2f} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" 5124 1fefe046858 tab
    3⤵
    PID:4228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2256.7.1901453126\153373878" -childID 6 -isForBrowser -prefsHandle 5472 -prefMapHandle 5544 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {427acbb5-2ca3-4321-a51a-3d5dcd3f901e} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" 5592 1feff338858 tab
    3⤵
    PID:5016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2256.8.416829639\1589484776" -childID 7 -isForBrowser -prefsHandle 5324 -prefMapHandle 5476 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ceb09ce6-b916-4df8-9a12-1eccd8e2506f} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" 5336 1fefe044a58 tab
    3⤵
    PID:4992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2256.9.134168860\1632945889" -childID 8 -isForBrowser -prefsHandle 5284 -prefMapHandle 5300 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9fb8818-e0f2-4e83-b4e4-32e76c7eba66} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" 5352 1fefec2c258 tab
    3⤵
    PID:2352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2256.10.125504273\6919615" -childID 9 -isForBrowser -prefsHandle 5388 -prefMapHandle 2604 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a3ff6c6-1c9a-4e98-bddd-9020c7971aec} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" 5208 1feff335b58 tab
    3⤵
    PID:4056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2256.11.2058264584\1821909249" -childID 10 -isForBrowser -prefsHandle 9556 -prefMapHandle 9548 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {27ee2280-c378-4dc6-8fd6-463821814b69} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" 9600 1fefc6b5258 tab
    3⤵
    PID:3516

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5312

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Setup\Portable_x32_x64\" -spe -an -ai#7zMap2999:106:7zEvent31000
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5596

C:\Users\Admin\Downloads\Setup\Portable_x32_x64\MultiSetup.exe
"C:\Users\Admin\Downloads\Setup\Portable_x32_x64\MultiSetup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5780 -s 496
    3⤵
    - Program crash
    PID:5924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5780 -s 480
    3⤵
    - Program crash
    PID:5944

C:\Users\Admin\Downloads\Setup\Portable_x32_x64\MultiSetup.exe
"C:\Users\Admin\Downloads\Setup\Portable_x32_x64\MultiSetup.exe"
1⤵
- Executes dropped EXE
PID:6040

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2572
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Setup\Portable_x32_x64\msvcp140.dll
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\1D4073D0223D64834136107AE7A40623D1A7D791

Filesize
40KB

MD5
af2209467ecc8a79ecce9c8cf0b001e4

SHA1
0d77618b6e2551b900f6d5a04c1f8c5fd0bd3912

SHA256
10dd250036897496d7eed21ebc3ab538cd9f5c81ca0beb4dbe9b408d96d6a946

SHA512
de338887895d6d619eafc4275d2dd96f434e8b678c68eb0f39dca7e1310dd58015e9cd8fd0d8f5a53d1d528ef0e01e9c16662e0984655f5970816563dd9db06f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\AD525AE91F8D63419653596829AB9B1342CB5750

Filesize
72KB

MD5
e53b215a8450adfabdc5f4bc3dff287b

SHA1
dfc14434ed440db967eaa971beae754b0c68839e

SHA256
6278e6376c0c2d836d2359a814df2fc7a498e6d9653da4059ec998c0e1468376

SHA512
a7d25eaf7b3e705bd063dfcfe6c951c5f20f07a350b735673b20d9de4141c16af159f27b578f777e8778c3e74cd8bb7c08cdd9c553d5a7a5ae50c09006521b00

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\D3993138B3FFB511CBAB0D15DA8A7CE67F582939

Filesize
120KB

MD5
a5fb4084d8377adec0f8937fad1e6107

SHA1
53be36fff4aa144902f943e485ec8e1d01995390

SHA256
b9872cb65ccde34f0279b4e3574bc185c3e7375416c5b5d502c4ab7cdb41aadc

SHA512
7a348adfc7111a2efb8e4d5346525e6999a5ad3faab73b94ca58ce11019672da55ba823ffe4751491f425ccbcd86d43ea4d32992550ee62999c45ad1f88c0b34

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
fa2cee00aef0aa63df6c521ee0f79311

SHA1
11dab05c7e06940f5d412565bbe2cbfc97ace639

SHA256
4f088b544c58aad2f8857dd228d337d2b40914e2fd11d67b7b8703bc99755604

SHA512
0a518c87120181f0d5227301d3e3fc1469383c853efbad6f1267c099efa61fd8de07bb644c30fae87ab64226796d2ec271d648e5ccef9915f6439d46a844f4c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\1a2d8ca9-d805-4044-9ee7-4a9afaff5a51

Filesize
10KB

MD5
0c5a173053f13f30b04e3e592473b2f2

SHA1
308664c7ad061dbee82e48ce2b0145722a4ead42

SHA256
c10b284a2ce719b34a3e63b67fa872a866da6f88508e98d41cb7dc157035c180

SHA512
48291b2ef1990bbcee5119bed9b80a077e2f2c0b43c4fde634406da277b27d897c146127d92c0572181262192847ac18a1ff5d343207b890b57d35fe4bebd5b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\bd948d1c-435a-4aac-bd5e-6a47b6ee3c23

Filesize
746B

MD5
f04c16e765f8c335b814c72c44533b55

SHA1
14cd8d31015dd24d2b721f32368e53933d56c38f

SHA256
034c54c87616db5ad1d121168dae4b85dc4d886261600a16ee7541952e5bf77e

SHA512
738c63be58500ae050ada113711536547a157b505f11293b99159a45605a640554f7b7298782b67fb336f3a9a369eb8ec48bd004189459d30629b20f3083d1a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
6KB

MD5
466fa749f9ba9eb326841789d3dd3787

SHA1
5c7f73dd7701140b89667122b2533cc62eb480c7

SHA256
ee37883b3e4d6110081527d6e553cb336375254bf5b76be9b88d373e8cd73992

SHA512
13673f658490c24b935b970aa898d5c4d68c14288015d2a39f5bf81c662b198ba79baaf8a790e9129b3c6d3bcce4cd9bb47a54f7b9d85cd38d7bdfa5206b6c43

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
6KB

MD5
671c3162dc3371eb6062b78b73595d0b

SHA1
5e1f9bd23cd807342093b8e9ea0d5839b1a26cfa

SHA256
6d9fd59e2a029a6838cc20468e92426f6d395e25cc49cf6eaa0a9e9b92f9d8b1

SHA512
dd0e3b856876fce1e388fbd77a40ddb5c1431a6082ad7bfacbcd1190a7491724e4aadfd391d48e6b783d9cca4fe95308badd80f910db153926e3dd053fae8f87

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
1834a1cc116802d13b63cc47d15e9d05

SHA1
0d6f0cce4f5889daf40163b67d8c4ce25ff62bba

SHA256
d83ecb6be927d0a6251e1ea9a0b42b465673b18ae198ae47daf1f70f1ec2e552

SHA512
a49cc29c8bd8ec7f284f7b8210164e15e42579cd5b26335ebd2f300267f8fa57f5233661bccb598b277064c9fd32881926d151248ab71bf3328c684f7159b9cb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
4ccedf3be785314ed7c104fcd7cd7621

SHA1
e8aff7fa2346a1b4618b02e5490fef14d1f30d06

SHA256
d2c71100cbc4bed037f8e3ba8eab788a548c97ed5f9ac20586a4d06ede810d09

SHA512
7a6f2a9b3228b57397ce45fb6917052e1a2992bc8e02d2270997218bc39f847d0533fe471cf5734606754c9ebd58625484b296d607456ba95898ec9f20ce5f93

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
31b70e4426a57d2f3b3ea37f0603a222

SHA1
9b2c9dc5ae33e95d4bfbb10d2c6f19a19d9fce0f

SHA256
828f9a393fe5e049fb3a8eee196bb2c416295b10108d0a46048919d1652d5f15

SHA512
46377e5ea47ef30ae6e0113a7ff565fc5a2a3e5cc1b853500adac08e8d81bffdf7086c76a99129cc364e55e2c36aa39808883427e2b04acfcbd6fd34c7fff0c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
f72c2c8a738f1bdd4a5e24326ff248df

SHA1
d60277881f6b36509d709948fcf7ed3ec3da74a6

SHA256
06575a0a693c9e0f265fcf03ee5b6ced4dd922ac999f5d767a9a7d92fb199082

SHA512
7fa2cc3e4f6e6f9c77fc12e188a0ef4e5dfd9079e1ddd2d689669513bd2e512136ac4485b34aa0ed8587c8cd519572d31eb2496b4091e229b6c339bf25c27d6a

Download Submit
C:\Users\Admin\AppData\Roaming\appverifUI.dll

Filesize
635KB

MD5
f2f0824b4f3d768d1d8f702001091be6

SHA1
f337d720854586ae060e4774eb54c411720e75a3

SHA256
1302f2917acb4256484988e627703ce7ced5bd12f6c0848c233bb096affe8c52

SHA512
a737dc68f832e692d8e785517b6092a568e4cf1480b2dbf3a54b6247692ac0cc6a25aa84af45f56928e6dee601c01e7412c3c3acc039be6c57883f7040ff23f5

Download Submit
C:\Users\Admin\Downloads\Setup.uGkYXcwN.zip.part

Filesize
15KB

MD5
7cf510fee3205ea0b0290b5e57f67396

SHA1
5cd4e0a26e7b8e7fd795c5a8fbfa8657dde9d743

SHA256
7986c1a0e257345565c7c5756738988880a71ef15a1d5b31a52e806875636fd5

SHA512
cbadb4d8c34e11b2d59836e004f747cf50fbeb82472465334c9dd9ed82941deabb2a2e941692a98355fa83b7ea7530f686754dc1b9d1f1cf377ecd4cb2195f49

Download Submit
C:\Users\Admin\Downloads\Setup\Portable_x32_x64\MultiSetup.exe

Filesize
251KB

MD5
c1a3d106465641a743a729b06acfb7ff

SHA1
398444912a7b122accc1e4cad233034559ef0414

SHA256
a8e11e0354c88de274289db2986965f4b37abd37d46a381a52ece76ad094f4d4

SHA512
88817b0c8b92600a4eed433e34f2595c95889e22fb37988761f3ec254f10faa39ad815f9f1489e560363bf07601e785839d574a15a0f513d7a5e47cb85470087

Download Submit
\Users\Admin\AppData\Roaming\d3d9x.dll

Filesize
635KB

MD5
86d7e42cbc5d43857d2bff3c1d77ca66

SHA1
021fefb9215f05cab1dc6d5191f76092d81b0f5b

SHA256
5302bfb6fba2eeec6184798838dd98b559e607086c07819e7523ded9d7b877fa

SHA512
e33e68d060360e9285d61f4099c5fde9920ea3a9a93123a3861849a267a3ea9954ce215034919a11eb77367eb30bedf67e9097f80f9e61b9d0b04890a646b4b1

Download Submit
memory/5644-896-0x00000000759D0000-0x0000000075A30000-memory.dmp

Filesize
384KB

Download
memory/5644-895-0x00000000776F1000-0x0000000077804000-memory.dmp

Filesize
1.1MB

Download
memory/5644-902-0x00000000759C0000-0x0000000075A90000-memory.dmp

Filesize
832KB

Download
memory/5644-906-0x00000000759C0000-0x0000000075A90000-memory.dmp

Filesize
832KB

Download
memory/5644-901-0x00000000759C0000-0x0000000075A90000-memory.dmp

Filesize
832KB

Download
memory/5780-905-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5780-903-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5780-909-0x0000000005E70000-0x0000000006270000-memory.dmp

Filesize
4.0MB

Download
memory/5780-910-0x0000000005E70000-0x0000000006270000-memory.dmp

Filesize
4.0MB

Download
memory/5780-911-0x00007FFD38830000-0x00007FFD38A0B000-memory.dmp

Filesize
1.9MB

Download
memory/5780-913-0x0000000075B70000-0x0000000075D32000-memory.dmp

Filesize
1.8MB

Download
memory/5780-920-0x00000000759C0000-0x0000000075A90000-memory.dmp

Filesize
832KB

Download
memory/5780-904-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5780-907-0x00000000759C0000-0x0000000075A90000-memory.dmp

Filesize
832KB

Download
memory/5844-914-0x0000000003260000-0x0000000003269000-memory.dmp

Filesize
36KB

Download
memory/5844-916-0x0000000004D50000-0x0000000005150000-memory.dmp

Filesize
4.0MB

Download
memory/5844-919-0x0000000075B70000-0x0000000075D32000-memory.dmp

Filesize
1.8MB

Download
memory/5844-917-0x00007FFD38830000-0x00007FFD38A0B000-memory.dmp

Filesize
1.9MB

Download