3dc9d0171b42daf90e93b60a7f5499e8d0ef8d9de3d398db3ea009ef0ea394bb

Analysis

max time kernel
68s
max time network
75s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2024 00:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stub.pyc
Size

876KB
MD5

e3b59149a029557d774fc09874c366f3
SHA1

b9ae5008711b77f720685364879efb7b3e03f263
SHA256

f265a5dbdae6716add53c2e3b71033753c837fd676704ad030ff20a5ba6d975d
SHA512

f3e301660538552ca023a90494d900f62712d7f211fc529ab651af1204fd8c3174bbeeac5dc57b63e7705dff154d9d95ec4632f036a30a08eeb736f5e547eb48
SSDEEP

24576:8X7m2uZNPAUjuawX4FZiYsiTupR2DjTJx86:kdXMPqa86

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\pyc_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\pyc_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\pyc_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\pyc_auto_file\shell\edit\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\pyc_auto_file\shell\edit	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\pyc_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\pyc_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\.pyc	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\.pyc\ = "pyc_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\䣲檌꡴阛	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\釲խ쬀耀ā\ = "pyc_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\䣲檌꡴阛󴀁\ = "pyc_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\釲խ쬀耀ā	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\pyc_auto_file\shell\open\command	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5560	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3708	OpenWith.exe
5184	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4000	firefox.exe
Token: SeDebugPrivilege	4000	firefox.exe
Token: SeDebugPrivilege	4000	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe

Suspicious use of SetWindowsHookEx 56 IoCs

pid	Process
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
3708	OpenWith.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
4000	firefox.exe
5184	OpenWith.exe
5184	OpenWith.exe
5184	OpenWith.exe
5184	OpenWith.exe
5184	OpenWith.exe
5184	OpenWith.exe
5184	OpenWith.exe
5184	OpenWith.exe
5184	OpenWith.exe
5184	OpenWith.exe
5184	OpenWith.exe
5184	OpenWith.exe
5184	OpenWith.exe
5184	OpenWith.exe
5184	OpenWith.exe
5184	OpenWith.exe
5184	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 3176	3708	OpenWith.exe	100
PID 3708 wrote to memory of 3176	3708	OpenWith.exe	100
PID 3176 wrote to memory of 4000	3176	firefox.exe	102
PID 3176 wrote to memory of 4000	3176	firefox.exe	102
PID 3176 wrote to memory of 4000	3176	firefox.exe	102
PID 3176 wrote to memory of 4000	3176	firefox.exe	102
PID 3176 wrote to memory of 4000	3176	firefox.exe	102
PID 3176 wrote to memory of 4000	3176	firefox.exe	102
PID 3176 wrote to memory of 4000	3176	firefox.exe	102
PID 3176 wrote to memory of 4000	3176	firefox.exe	102
PID 3176 wrote to memory of 4000	3176	firefox.exe	102
PID 3176 wrote to memory of 4000	3176	firefox.exe	102
PID 3176 wrote to memory of 4000	3176	firefox.exe	102
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 2288	4000	firefox.exe	103
PID 4000 wrote to memory of 4796	4000	firefox.exe	104
PID 4000 wrote to memory of 4796	4000	firefox.exe	104
PID 4000 wrote to memory of 4796	4000	firefox.exe	104
PID 4000 wrote to memory of 4796	4000	firefox.exe	104
PID 4000 wrote to memory of 4796	4000	firefox.exe	104
PID 4000 wrote to memory of 4796	4000	firefox.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Stub.pyc
1⤵
- Modifies registry class
PID:3144

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Stub.pyc"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\Stub.pyc
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f2115c9-fc56-4f62-bdfd-53bb9feb5677} 4000 "\\.\pipe\gecko-crash-server-pipe.4000" gpu
      4⤵
      PID:2288
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2400 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68cfc83a-b06c-424e-bf34-792000e4c44c} 4000 "\\.\pipe\gecko-crash-server-pipe.4000" socket
      4⤵
      PID:4796
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3256 -childID 1 -isForBrowser -prefsHandle 3012 -prefMapHandle 3292 -prefsLen 24663 -prefMapSize 244628 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ab6b51e-95b6-419a-ab84-62ea2a2ff9dd} 4000 "\\.\pipe\gecko-crash-server-pipe.4000" tab
      4⤵
      PID:1936
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4184 -childID 2 -isForBrowser -prefsHandle 4176 -prefMapHandle 4132 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4692fd0a-f668-4558-bc28-2745f62f20d5} 4000 "\\.\pipe\gecko-crash-server-pipe.4000" tab
      4⤵
      PID:4500
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5028 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5044 -prefMapHandle 5036 -prefsLen 29119 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b695e605-d69b-4bc7-915f-317dc5d26739} 4000 "\\.\pipe\gecko-crash-server-pipe.4000" utility
      4⤵
      Checks processor information in registry
      PID:5660
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5044 -childID 3 -isForBrowser -prefsHandle 5228 -prefMapHandle 5224 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7856449a-903b-44a4-9e87-04126864ad36} 4000 "\\.\pipe\gecko-crash-server-pipe.4000" tab
      4⤵
      PID:5852
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2768 -childID 4 -isForBrowser -prefsHandle 5424 -prefMapHandle 5428 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6985e9e-7f0f-4ad8-8352-340315d76d3a} 4000 "\\.\pipe\gecko-crash-server-pipe.4000" tab
      4⤵
      PID:5884
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5628 -childID 5 -isForBrowser -prefsHandle 5620 -prefMapHandle 5624 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f34ca3a9-4673-49e8-a9c4-b5e5f34e1d52} 4000 "\\.\pipe\gecko-crash-server-pipe.4000" tab
      4⤵
      PID:5896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4148,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4180 /prefetch:8
1⤵
PID:2864

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5184
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Stub.pyc
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\22386449CA13D8975B935875780066C6EF52CE37

Filesize
13KB

MD5
c52c2aba2951868f0c8f405cc4078a43

SHA1
92087950675c33583bab3527613d42bd091c3e8f

SHA256
321de7a1975482ed009c8195c18926ac96f99ae2116c452ec4df49e0903c6ecc

SHA512
21ddb10405b688f0b849a2ef707c319b82e6faa9196abca10f0eda38c7b0da0d227c46f10f0887227255577e0221482ef47d2190f4c79d176af36274ea8e04d3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
7KB

MD5
c460716b62456449360b23cf5663f275

SHA1
06573a83d88286153066bae7062cc9300e567d92

SHA256
0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

SHA512
476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-2

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin

Filesize
6KB

MD5
da6f4e31b777fd5f1d6665eddbbed130

SHA1
9778b5dfb5df8067b61bb3f13067494a5b7e4127

SHA256
3e25b8b4e3b68f6159137f1a2f034f6fc2b9de546683509240063b55ec1cb6ca

SHA512
92e2326354c8380805949e843db57829871094a56bb22ae447452350b025f75b72be24fe3212939d7945f9a8891307a144e19638150135432bbf5bed1440f95e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin

Filesize
8KB

MD5
3fe41419b937a4e11c447a7b20b8acae

SHA1
2932993216983ff99f941402d9bf85df77aabf0c

SHA256
c2f67c144961297c85bc1cbb1558588a1842e146140abcb6a0a38497fe218a41

SHA512
2e60ab55640aae27f920340d314abd214799b46e0f506c6b603a8b6d25a019854d5d391b03a321c247993e7866c48e72aa2fdde7ac6e226acdf98e4704a9c03b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
d3c8ac11a4ba5aed11e7f442cfbaf07d

SHA1
63918c03dc32b7cfd1b03ceab17484fef1020abf

SHA256
41b261cc886282d20b916afdfaefd317edbaf24704e7540517bde516f256cb13

SHA512
c4e04cf32cd5142c991044780533b971fea6f6d656c518a5fd8aa07f2bd802b7fb232e42e0fc498c901dc3198caf47b1c3aba0a0aa56fc8e7dee658dcf5c093d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
2f6a6e7167225dbe42cbd642cbffa714

SHA1
6c1f2f20bc2fb41eed08c9af95144868d2a13d45

SHA256
d5d82ce5bf2d7b9b33015d606e6e297dfea207a3fe96441c815a53419a9558c0

SHA512
fba1d47bcab692e81379d046500ec3c9eb0f17a2c82327b284e624bbb470c61e9d99291a945075358db963ff29362abd4762d812ce10f66f12ad1647c5a3c981

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
28KB

MD5
574c21b4e7cf1c276639074f91b5137d

SHA1
0eb6970fb37a86115092d8093be7b84bb1b7efba

SHA256
6f37413be7e8b01bc6f03ead04f5772ba7fb6272023d4da303ba02be715908d5

SHA512
ad47e16fbe1fdf0e639633210981a8157509dffa203e65409128b31dbdfaa7ebee6bf7f1bc4082c5f9fa61f73630ccb24ec77ad264954f2b8c51607b9587eab7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\724c99a1-a78c-4ff4-bcc9-6ceb7aeba6af

Filesize
659B

MD5
fbde7371e6b18c8da1df2233af6e85fe

SHA1
85c31a5459242ff638895dd33e2a6e23a9c7e676

SHA256
1d7aa03b1c56501099263776135d14797c72ab324925048426daa7d65173aa13

SHA512
fe2bd1e82127de64095f7bf1fa5cde1445857cb8b918441676a15680347b57b540e2b1582b21c535d19f9ec3435c10b2cd7cd2c55590f3bf6f4b6c371d551f54

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\ce075916-9e48-423d-8ed2-8f26eb1211ce

Filesize
982B

MD5
49cf00eb2c83db308c32604d88c2d44b

SHA1
d4253c71b00ee374bbfed9aa2d56ab889b4be0f8

SHA256
211eec5ffc9ac19e110304246f622c301b133e0eebf93a20f2bd76285f114975

SHA512
c8c1aa1a28c7063d0e49d7430912a0a8bf3b1c8ea3f229144b44e125a97e7095749e32123622a0f8c608b6eeaa31d48bf13b32647b0a00348626336bc04add72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll.tmp

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json.tmp

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp

Filesize
1KB

MD5
36e5ee071a6f2f03c5d3889de80b0f0d

SHA1
cf6e8ddb87660ef1ef84ae36f97548a2351ac604

SHA256
6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683

SHA512
99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.tmp

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs-1.js

Filesize
11KB

MD5
5984d89744533f657072cc31b0b9fcad

SHA1
0b6aab5f08b530549a562ccd41cac8de60f1da02

SHA256
c4012a8684cd1f5e0c0146f3cd5e97c47a27fb4ca716c65e064d43118f836c87

SHA512
7eee188b7b9325ef51824517f1736208b7f1fc475e30e479401260fe34bdb75a91ea8f5c13f701f8afac5583ad975987a3cea4c5c83d445b56042b1bdb79d962

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs.js

Filesize
11KB

MD5
353dc12e94117d94929abfc893808f82

SHA1
c1c5004ec31b6bf5080c5c9236f61a3b201e813f

SHA256
5f3974dd4f81f55c02637848ca76783eff7f5fbafda53bc6f28c1853407b3fda

SHA512
2bc8f8a21fe3f8b83d64fff8fc82e2c59977197e6eee55b23e24e7e5e379606c160fcd47ae5ada2c82a89f62fd6d52de7641612888d194d0c257b5cbfae2a6a2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs.js

Filesize
10KB

MD5
b1eb744914a7e3595f8629338ede08c9

SHA1
fa145819c552b9fa65a13aa94173fb233e8402ec

SHA256
8cdea9bfcf98219afd9c773220dbbd5d54971bc8f79bd589782976e753327e7e

SHA512
1cbc6704063764ef95ecc3cb1649b0b99abd3bf0e462d7c03b7fab62713a7cd17ca23e077dd8e3d9659bc7489668b7cbcc46c948778b5f4e4867c9bb51cd9f1c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
2.3MB

MD5
442d341a35eae527228634aba61f6bb6

SHA1
9273691d0e0b48854e5c4b56dd09acbd1026df58

SHA256
d7b2e67956de488284475a6cf78209d08f6866c7ce6e0eaaf99d3c61f044511f

SHA512
885ea837571195853bc021321031e64489c04026cbe45ce9f6d782228cf824340217515ab0e8702013cf2b6b85709d0ba196b4e0e2a17de01750d2d3be925a47

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
3.0MB

MD5
1feb4b34ae75a07d1a034d5d13ef2d81

SHA1
3841935c6041a323f4864e236d963ac1657d6847

SHA256
f506e7587db15f86dd8e769a7e6bb99146f7c98da3589da64807b2c90b5f3052

SHA512
8b3d7162df25f95493bc3a64cb5930ad1da51e967e10056f8735a3846a35bf0f8065b0fc08afd82f8dd1e6c6a8be76caf313c272a483e431012baef39afcca49

Download Submit
C:\Users\Admin\Downloads\WlQrQW0x.pyc.part

Filesize
876KB

MD5
e3b59149a029557d774fc09874c366f3

SHA1
b9ae5008711b77f720685364879efb7b3e03f263

SHA256
f265a5dbdae6716add53c2e3b71033753c837fd676704ad030ff20a5ba6d975d

SHA512
f3e301660538552ca023a90494d900f62712d7f211fc529ab651af1204fd8c3174bbeeac5dc57b63e7705dff154d9d95ec4632f036a30a08eeb736f5e547eb48

Download Submit