ostap | hxxps://samples[.]vx-underground[.]org/Samples/Bazaar%20Collection/Downloadable%20Releases/Bazaar[.]2020[.]08[.]7z

Analysis

max time kernel
1114s
max time network
1163s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://samples.vx-underground.org/Samples/Bazaar%20Collection/Downloadable%20Releases/Bazaar.2020.08.7z

Score

10^/10

ostap downloader

Malware Config

Signatures

Ostap JavaScript downloader 1 IoCs

Ostap is a JavaScript downloader that's been active since 2016. It's used to deliver several families, inluding TrickBot

resource	yara_rule
behavioral1/files/0x000a00000001da30-3307.dat	family_ostap

ostap
Ostap is a JS downloader, used to deliver other families.
downloader ostap

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Bazaar.2020.08.7z:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
5004	NOTEPAD.EXE
4712	Notepad.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2676	7zFM.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1436	firefox.exe
Token: SeDebugPrivilege	1436	firefox.exe
Token: SeDebugPrivilege	1436	firefox.exe
Token: SeDebugPrivilege	1436	firefox.exe
Token: SeDebugPrivilege	1436	firefox.exe
Token: SeDebugPrivilege	1436	firefox.exe
Token: SeDebugPrivilege	1436	firefox.exe
Token: SeRestorePrivilege	2676	7zFM.exe
Token: 35	2676	7zFM.exe
Token: SeDebugPrivilege	1436	firefox.exe
Token: SeSecurityPrivilege	2676	7zFM.exe
Token: SeSecurityPrivilege	2676	7zFM.exe
Token: SeSecurityPrivilege	2676	7zFM.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
2676	7zFM.exe
2676	7zFM.exe
2676	7zFM.exe
2676	7zFM.exe
2676	7zFM.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 1436	4420	firefox.exe	83
PID 4420 wrote to memory of 1436	4420	firefox.exe	83
PID 4420 wrote to memory of 1436	4420	firefox.exe	83
PID 4420 wrote to memory of 1436	4420	firefox.exe	83
PID 4420 wrote to memory of 1436	4420	firefox.exe	83
PID 4420 wrote to memory of 1436	4420	firefox.exe	83
PID 4420 wrote to memory of 1436	4420	firefox.exe	83
PID 4420 wrote to memory of 1436	4420	firefox.exe	83
PID 4420 wrote to memory of 1436	4420	firefox.exe	83
PID 4420 wrote to memory of 1436	4420	firefox.exe	83
PID 4420 wrote to memory of 1436	4420	firefox.exe	83
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 2660	1436	firefox.exe	84
PID 1436 wrote to memory of 1812	1436	firefox.exe	85
PID 1436 wrote to memory of 1812	1436	firefox.exe	85
PID 1436 wrote to memory of 1812	1436	firefox.exe	85
PID 1436 wrote to memory of 1812	1436	firefox.exe	85
PID 1436 wrote to memory of 1812	1436	firefox.exe	85
PID 1436 wrote to memory of 1812	1436	firefox.exe	85
PID 1436 wrote to memory of 1812	1436	firefox.exe	85
PID 1436 wrote to memory of 1812	1436	firefox.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://samples.vx-underground.org/Samples/Bazaar%20Collection/Downloadable%20Releases/Bazaar.2020.08.7z"
1⤵
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://samples.vx-underground.org/Samples/Bazaar%20Collection/Downloadable%20Releases/Bazaar.2020.08.7z
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1808 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d838270-57e4-4905-b5d0-d678ff11b694} 1436 "\\.\pipe\gecko-crash-server-pipe.1436" gpu
    3⤵
    PID:2660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2384 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36a4d765-cd84-4df2-8550-78488cf2e0aa} 1436 "\\.\pipe\gecko-crash-server-pipe.1436" socket
    3⤵
    - Checks processor information in registry
    PID:1812
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3216 -childID 1 -isForBrowser -prefsHandle 3160 -prefMapHandle 3156 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f488d76d-41af-4559-8ee9-077406ed8faa} 1436 "\\.\pipe\gecko-crash-server-pipe.1436" tab
    3⤵
    PID:2080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3120 -childID 2 -isForBrowser -prefsHandle 4044 -prefMapHandle 4040 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b334c246-155b-4c08-b11d-5c7a013ac12f} 1436 "\\.\pipe\gecko-crash-server-pipe.1436" tab
    3⤵
    PID:988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4628 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4436 -prefMapHandle 4384 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b32ace7-f21a-4265-8879-ad66330da333} 1436 "\\.\pipe\gecko-crash-server-pipe.1436" utility
    3⤵
    - Checks processor information in registry
    PID:4260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5460 -childID 3 -isForBrowser -prefsHandle 5456 -prefMapHandle 5448 -prefsLen 27038 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8265a7c3-df2d-4c76-a76d-a671fc3b3964} 1436 "\\.\pipe\gecko-crash-server-pipe.1436" tab
    3⤵
    PID:4632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5584 -childID 4 -isForBrowser -prefsHandle 5496 -prefMapHandle 5628 -prefsLen 27038 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cabd5b9-9e3d-4a97-b840-86d3946d20f7} 1436 "\\.\pipe\gecko-crash-server-pipe.1436" tab
    3⤵
    PID:4680
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5800 -childID 5 -isForBrowser -prefsHandle 5808 -prefMapHandle 5812 -prefsLen 27038 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26f23f4e-9380-4c35-9bd4-556a0a1baacf} 1436 "\\.\pipe\gecko-crash-server-pipe.1436" tab
    3⤵
    PID:3916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2536

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Bazaar.2020.08.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2676

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\dex.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5004

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\waiting.jse
1⤵
- Opens file in notepad (likely ransom note)
PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\activity-stream.discovery_stream.json

Filesize
45KB

MD5
b0b49a1ca6b399fc2b546b4aa39fd537

SHA1
1ff58b9bd1fbe71d641aa50f0d55a8649c8b7e76

SHA256
57c234117d388428093d7999cc316ffea0eadb6e7e087d60f7beeec3a0d32d43

SHA512
ee3695145be9405c1e85e226a1c3fe5328312f12cfd42a3bbdfc7b81a2a6aca88e85cdcd0b7429f349c0468f3caf6f97928a02a5ae796885202bde3c276c90c3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

Filesize
13KB

MD5
8a384f4981d8ead58f4438e39e019a6a

SHA1
9e482a12a06dddeae323b381d443d45d02bb3704

SHA256
e6b407f8fad5be94f8feb5885cfa4967204d33d54b27b8255048150e0613b7fb

SHA512
55f127d1514e19e889bd41b7f6dc722d4dd1e4fccca123f313d541eb63024f398a77cc21c64ff62be3c0e3e5665545839c88aebe7744c141ba49c8c3b10e534b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\95FCC3KAHUSU6SMG0MWS.temp

Filesize
7KB

MD5
80b2a4ec299e249c3d0f13de2333060a

SHA1
360868dc5b40ac4fb2ddd74600f4a0609b4843b4

SHA256
ae292ec45b0321a01411d76e3049ccccbd711734ed09734f398bd9df91d93311

SHA512
41e2e5b1f5fe596c2654da8154dc60b219ed1142085466cba7a2551048c1d04e8f3f3675242db170a95e3839f23a930a184f3031361d9374d79aa36cf3885092

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin

Filesize
6KB

MD5
fb4f01ed46983c0e22a063acbcb8eecb

SHA1
4726aa28d1d6d383b0b8591a219e2e0b65c78d3a

SHA256
a92439caafc8148c9ebabe9579b492a27b345bb08c4f3a478e98455d01f581a1

SHA512
f0bd33bc00e000ac4fdcc29acc34378d64b174f37023d2ba218df71589bfe4341ef13439df172b9ba544e91594a6f6388e3422a9ef2a1b89b7cd96204c68178c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin

Filesize
8KB

MD5
c2826360585378c71d8df944cc8de160

SHA1
b87b647b39225abae4d2b06072ba5d024938d39a

SHA256
d35571813c2ae8b72e45173ea8d2e07889393d5358045b3e1fbc25e3b541f377

SHA512
402682a74bc6f96e036bfb30190cf470823a78612260bf4872c83355a617852efe51d8eb26215565588e9db1d82faeb6aaf9a70dd71f097192c70906a15f19e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
a9abd1302033baaad20449b1a4bc0d4d

SHA1
fbc54e4a962bd202400ea4d929ef8349ffc2db33

SHA256
6ac7ea0ea9eb3421f918209c63a7782639eb1124db72d4f7340a5bb9de6346f4

SHA512
d30c94db3fe619c65771e48346758f32956cbf88e83904632308d8deb79912018619462b17afb7447c2b443d29b2ebfa52166f404c7fff2cd356f163294f50f5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

Filesize
28KB

MD5
120820b0bdf7baa33e666138637ab1b5

SHA1
5c444a862d6fc5788d8afc6c57a56f02466c74ca

SHA256
0141b70a155fedfccdafa451a06dd3fe9986e60a381fbf6eea970c9d44e897c5

SHA512
e642fe164f5a7bd89958d51ae9a512982fb2935d13fc5e5e14aa6ccf145156fe32d24696ce010360d4cae8a7a59c1981d548d12862c4ef04527cba0bbb33694f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

Filesize
28KB

MD5
11fb2e54943082aee56768c201511d94

SHA1
099150fd53025e5badfee04bcf4c1fc96da8dc53

SHA256
c403af58cc83ca12cfd7e15661eb055b1a6cd303d17fc1245a4484baa2fe74b0

SHA512
3494db5a2cb4b7d74ddfdc6595b70e434cb64f3c852bcdbc5e66b75cd3abb9583d6b3de51b620c92b60ae81d243733ae344a769b879cf25d042784bef4828f3e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
9eb6e09c8a5470c534264355d4591ecd

SHA1
5de462704add66fbc093d81eb41e6ed29593cb65

SHA256
84473318720e859a9565248b45e1e4253b773c0924a2c5e8492398a4f933c664

SHA512
ecd0e168c68c16517d511f23aa83954a5f6d99a8d35a86bd29b9f0b70fedccbefa975535881a706275a59090be2af25be7ad5ca5448a55ebf8d0468a7f67a9d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\0d2f7b4e-0677-4af7-83a2-d337563e02c0

Filesize
28KB

MD5
cb2e02f343527391f01e3c6a09e564ec

SHA1
47147f43c63fb729fbc8ea24c4892c8ef03d27a5

SHA256
00d68a3f56bbe5897bab07224779ae91d377dd1c3840e602d2c6cbd3973d9ae7

SHA512
07d607ca7b7d61ebb4cf3fada617dae9f90309ce37cbb917b2ce72515f3005ac928683d933535bddfa708bad468069b4eaaa086a21b83e6d4bb261c7b55c0bf8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\e33c5365-324f-4216-a9ba-6ceba6d5398a

Filesize
982B

MD5
dcaffadf44252b4737dc46a464209130

SHA1
afb1b93bcd066f7745236293830ead4110a4d276

SHA256
df78ed07121af6200cdb8e1c17673ff29931fedcd7105c1ae8ebb258f81a3836

SHA512
348046806eb1166f39292f4cf604c2710c9d7a6dda9584f4018da3b3c18a733b67637d2d1695c244ae72868776f0507ff53bf1054fef67d7088b0a43d55920ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\f8189041-c85c-4993-9f66-e77883791fb5

Filesize
671B

MD5
e92546c5dee272516ae9cbd8b318deb4

SHA1
c4ba93f9da2f3b09a3a0cc1316a2bc43e2c0cbd9

SHA256
7cb1e0446f292f029c7a18bad0427d7e8b812b8607e8e9f0e600b32054483680

SHA512
8a27e3aa5c8a4a657b4f3734626bea22b880c6ed211cc34dab0ab6b55150c43c0d81be0130dfc9322a96dc63c2ee7c5a546f593a6d1ebe5b7f5a1374ecea2125

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js

Filesize
11KB

MD5
e9834b7692bbea2fe2f4c2d33fd801b3

SHA1
11992621bd3acbec868c2b0ec818331da2404113

SHA256
1ef5ae901e4b2d0efb5ec554e00f9cc43ff47b650a6c02da89a4e966c8c34fda

SHA512
438705d85eb3a6f6845a563ff191b9ac1b9facbcb74dfe9dcb3a5013853d70e54b244cd5bc5ea5bd277514ca725c5a010141343962fb290510b0575fdf76a220

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js

Filesize
15KB

MD5
81039cd8a8e1627169e09325719805b4

SHA1
2f3457db4bca2e11e2910e43b7b65a22a3fcab1d

SHA256
09b876b9f8b138ec625c13965d4a0dbe92ba1c59f033dc878c512d4556225405

SHA512
7c6c4cf07cef4539ffbb0b4e807616c8745cfeaf69ff6e044a33816cc1638d36df06473789e9f889b2fd9fa4c16560d15e88fb110d106514b8e8f4d723bce392

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js

Filesize
12KB

MD5
e97e6729587a015047cb97b388a7e189

SHA1
167613974421eadebd83334f3d62d54eacd3ac80

SHA256
39bfd07c3bb237b8a3a57040bb6e3655bc6f38370ed343f260c998ad3b868c03

SHA512
53780b3c8e5f011acb0216dc51395dc2c380d7676cfc4a516e8849c2eee7993dfa0924a0868c7707a44635fa9c971d82f7d7aca74648456da4eff547fae8fb99

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js

Filesize
15KB

MD5
c8b8d3c2f5a128df14fcd94f98312516

SHA1
52afebc2b3fe10537be00bc28f41f2d1ef4e3d55

SHA256
51b5e7836dec56d8901c5030b3da1efc9904d339a93186a1d332dc92f71334ce

SHA512
876161baabc5b9f296be8599cbfeced8af5f000e52ea4aedd4227c2a8a651d6dd69108bf31f63ae01ad5b4f9dce270acf0f491622640b2f4d25ca4330392c4c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js

Filesize
15KB

MD5
edc983c1206143e33ef71e40d9dc9e01

SHA1
efe6564f712b2aa2e2a8bd5f799b5f93e7068d8c

SHA256
ad7c0de83b79d701ea2dd40ed496804637f25e48a3ca06a414c029bed8a9d389

SHA512
dce96c8b79ad45b0eda2ca85d14eb4f4edf96fc50cc4c32bd0b843ddc03961943aaefb9d04e07ba2b83ee09785b2f01c2ea294998fa0c0c2453708317e72e853

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs.js

Filesize
11KB

MD5
92a069a3b48709f6e1541f098b82fa3a

SHA1
cff03f6c0c78c9f3d065bb6cff825b931b6854a4

SHA256
0fd1999cfcc285d44e052bc46bb5a855003c2978f0851425f6df7abfe5016669

SHA512
9495926fdf9b10f93fa205aa95f42468fab1ba5e98102d5d4ab8cf57b55edb8ccae2fc174e0efa223c972fe13c3b81260f9809908bfe9dcbcbce4e39fdd2bd26

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
376KB

MD5
a189f92d14d5ddb0fd5ca892254188b4

SHA1
4bfaa34f1bf8141b7f135fe837fb38fdd60050f3

SHA256
268e69f8b71019289f38aa11e55094d42d890f84a2ba1c5ae6c17e912a1fa04b

SHA512
a3b1fb9df9d4eb7e612c0c2f523479e0b7eaa3c1eedd82be85172ad59bede077d23cac2c7d90026df0a09d254bb953fa50461c18932200b5df0c7c36629b123b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
784KB

MD5
7b82cc5743ec4952a4b5480f8d03a410

SHA1
3955f00b403bea17d9fcb47eace7d802b578b154

SHA256
a22e5fd28d8664fccb6163783a6cf8aae83c27563610628a7c6779e40fdb1a10

SHA512
325abdd390f94927e9dc3bc765fb12f0cdd31905e4499e8529af7401702a35a70dbd9da4371caa648e26ad0e7bb80247a74236be3f453a4e36a30145ed6240a1

Download Submit
C:\Users\Admin\Desktop\dex.txt

Filesize
171B

MD5
339ce91fcc14d02545d0bfc905793e97

SHA1
4af7080d52aa23b0eb75204715b4bdfdeb551490

SHA256
f6bde58aca61f8d9b5790d58737713be415bb3ae0b6766265f252eee2122b1a1

SHA512
3fc93c8457b8630d39bbaf111869276e9b5115e7f8d8f1ab95ebc6fd4ad294d7914db58a9440d623ab7a53c935a23e90a3f22215007bf5dd89144924e28d49ca

Download Submit
C:\Users\Admin\Desktop\waiting.jse

Filesize
694KB

MD5
40e8c77f38d2be287e12ade334a2b831

SHA1
f534c5072f63acd888e1dc0e287f973387cdd320

SHA256
ee1484721f7727d6f402cffa4e7dd5bed09ee7b2a17b769b4f551c47857c9f50

SHA512
4b921c215f304e65b591ee0673a42726c9ba04d881c62ee8f4f8746289f0dfd2ca171e04be0523c3715a72f6f1232b7a022b3ed264b867c708003640d2225fc7

Download Submit