badrabbit | hxxps://github[.]com/Endermanch/MalwareDatabase

Resubmissions

22/12/2024, 02:43

241222-c7x4qazpgz 6

22/12/2024, 02:33

241222-c171cazmes 10

22/12/2024, 02:19

241222-cryejszjax 8

22/12/2024, 02:11

241222-cmgw1azjar 10

Analysis

max time kernel
506s
max time network
499s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

10^/10

badrabbit mimikatz discovery ransomware upx

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Badrabbit family
badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023e04-1732.dat	mimikatz

Executes dropped EXE 1 IoCs

pid	Process
1548	8909.tmp

Loads dropped DLL 1 IoCs

pid	Process
2628	rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
320	camo.githubusercontent.com
321	camo.githubusercontent.com
231	raw.githubusercontent.com
310	raw.githubusercontent.com
311	raw.githubusercontent.com
312	raw.githubusercontent.com
317	camo.githubusercontent.com
319	camo.githubusercontent.com

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5776-1589-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/5776-1591-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/5356-1656-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\8909.tmp	rundll32.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1312	5776	WerFault.exe	118
5200	5356	WerFault.exe	127
4764	1460	WerFault.exe	130

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	firefox.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Xyeta.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\BadRabbit.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\FakeWindowsUpdate.zip:Zone.Identifier	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5320	schtasks.exe
2476	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
5392	taskmgr.exe
5392	taskmgr.exe
1548	8909.tmp
1548	8909.tmp
1548	8909.tmp
1548	8909.tmp
1548	8909.tmp
1548	8909.tmp
1548	8909.tmp
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5392	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	3356	firefox.exe
Token: SeDebugPrivilege	3356	firefox.exe
Token: SeDebugPrivilege	3356	firefox.exe
Token: SeDebugPrivilege	3356	firefox.exe
Token: SeDebugPrivilege	3356	firefox.exe
Token: SeDebugPrivilege	3356	firefox.exe
Token: SeDebugPrivilege	3356	firefox.exe
Token: SeDebugPrivilege	5392	taskmgr.exe
Token: SeSystemProfilePrivilege	5392	taskmgr.exe
Token: SeCreateGlobalPrivilege	5392	taskmgr.exe
Token: SeDebugPrivilege	3356	firefox.exe
Token: SeDebugPrivilege	3356	firefox.exe
Token: SeShutdownPrivilege	2628	rundll32.exe
Token: SeDebugPrivilege	2628	rundll32.exe
Token: SeTcbPrivilege	2628	rundll32.exe
Token: SeDebugPrivilege	1548	8909.tmp
Token: SeDebugPrivilege	3356	firefox.exe
Token: SeDebugPrivilege	2100	[email protected]
Token: SeDebugPrivilege	2100	[email protected]
Token: SeDebugPrivilege	3356	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe
5392	taskmgr.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe
3356	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 3356	436	firefox.exe	83
PID 436 wrote to memory of 3356	436	firefox.exe	83
PID 436 wrote to memory of 3356	436	firefox.exe	83
PID 436 wrote to memory of 3356	436	firefox.exe	83
PID 436 wrote to memory of 3356	436	firefox.exe	83
PID 436 wrote to memory of 3356	436	firefox.exe	83
PID 436 wrote to memory of 3356	436	firefox.exe	83
PID 436 wrote to memory of 3356	436	firefox.exe	83
PID 436 wrote to memory of 3356	436	firefox.exe	83
PID 436 wrote to memory of 3356	436	firefox.exe	83
PID 436 wrote to memory of 3356	436	firefox.exe	83
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 992	3356	firefox.exe	84
PID 3356 wrote to memory of 1556	3356	firefox.exe	86
PID 3356 wrote to memory of 1556	3356	firefox.exe	86
PID 3356 wrote to memory of 1556	3356	firefox.exe	86
PID 3356 wrote to memory of 1556	3356	firefox.exe	86
PID 3356 wrote to memory of 1556	3356	firefox.exe	86
PID 3356 wrote to memory of 1556	3356	firefox.exe	86
PID 3356 wrote to memory of 1556	3356	firefox.exe	86
PID 3356 wrote to memory of 1556	3356	firefox.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/Endermanch/MalwareDatabase"
1⤵
- Suspicious use of WriteProcessMemory
PID:436
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/Endermanch/MalwareDatabase
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {da8dae41-007c-41b8-84e6-2dd8d35eb933} 3356 "\\.\pipe\gecko-crash-server-pipe.3356" gpu
    3⤵
    PID:992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {776aca93-d2f5-4adc-85b7-b44dbfa242b3} 3356 "\\.\pipe\gecko-crash-server-pipe.3356" socket
    3⤵
    PID:1556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2912 -childID 1 -isForBrowser -prefsHandle 2916 -prefMapHandle 3292 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21876f2b-5490-4465-ad83-034caa00aa90} 3356 "\\.\pipe\gecko-crash-server-pipe.3356" tab
    3⤵
    PID:2804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3872 -childID 2 -isForBrowser -prefsHandle 1224 -prefMapHandle 852 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5a904b5-d009-4a6b-a6cc-8671729a1c33} 3356 "\\.\pipe\gecko-crash-server-pipe.3356" tab
    3⤵
    PID:3536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4816 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4764 -prefMapHandle 4752 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c4fa0f1-3cee-43d4-b324-12d793809a66} 3356 "\\.\pipe\gecko-crash-server-pipe.3356" utility
    3⤵
    - Checks processor information in registry
    PID:4384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5196 -childID 3 -isForBrowser -prefsHandle 5228 -prefMapHandle 5192 -prefsLen 33208 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {479b5129-b6f5-4243-ba91-04c8483f737c} 3356 "\\.\pipe\gecko-crash-server-pipe.3356" tab
    3⤵
    PID:2140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5660 -childID 4 -isForBrowser -prefsHandle 5680 -prefMapHandle 5676 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65377abb-35ea-41c0-b5c1-80ae199d5b7a} 3356 "\\.\pipe\gecko-crash-server-pipe.3356" tab
    3⤵
    PID:1620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5648 -childID 5 -isForBrowser -prefsHandle 5812 -prefMapHandle 5816 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5e63f78-a4f7-4c58-9b1b-9f6d69ec9ad0} 3356 "\\.\pipe\gecko-crash-server-pipe.3356" tab
    3⤵
    PID:556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3036 -childID 6 -isForBrowser -prefsHandle 5452 -prefMapHandle 5348 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd3b7e04-414f-4bee-92c5-50f7d69256a3} 3356 "\\.\pipe\gecko-crash-server-pipe.3356" tab
    3⤵
    PID:1596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6368 -childID 7 -isForBrowser -prefsHandle 6360 -prefMapHandle 6356 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d78d95e-a584-4d0e-b4b0-a1df0c398d46} 3356 "\\.\pipe\gecko-crash-server-pipe.3356" tab
    3⤵
    PID:3660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6672 -childID 8 -isForBrowser -prefsHandle 6664 -prefMapHandle 6660 -prefsLen 27913 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86f560b5-a63c-442e-b54a-16aa9a9e08d8} 3356 "\\.\pipe\gecko-crash-server-pipe.3356" tab
    3⤵
    PID:4228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4748 -childID 9 -isForBrowser -prefsHandle 4736 -prefMapHandle 2632 -prefsLen 28134 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97c56bdf-7a73-454e-9d23-b6ae7fba8ce7} 3356 "\\.\pipe\gecko-crash-server-pipe.3356" tab
    3⤵
    PID:6128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4032 -childID 10 -isForBrowser -prefsHandle 4648 -prefMapHandle 5012 -prefsLen 28134 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4769a46-e79a-44bc-aeff-c6a712b189cd} 3356 "\\.\pipe\gecko-crash-server-pipe.3356" tab
    3⤵
    PID:5384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7036 -childID 11 -isForBrowser -prefsHandle 7272 -prefMapHandle 7028 -prefsLen 28134 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {534f0c77-3947-4c51-ac4e-634453313758} 3356 "\\.\pipe\gecko-crash-server-pipe.3356" tab
    3⤵
    PID:4368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7500 -childID 12 -isForBrowser -prefsHandle 6460 -prefMapHandle 6472 -prefsLen 28174 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {983cf5a8-a7ab-48fb-b2c2-8049521c331f} 3356 "\\.\pipe\gecko-crash-server-pipe.3356" tab
    3⤵
    PID:5344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2636 -childID 13 -isForBrowser -prefsHandle 6908 -prefMapHandle 7864 -prefsLen 28174 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {385a1c6b-c077-4e53-ac19-95b0d4bcf06b} 3356 "\\.\pipe\gecko-crash-server-pipe.3356" tab
    3⤵
    PID:2960

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5700

C:\Users\Admin\AppData\Local\Temp\Temp1_Xyeta.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_Xyeta.zip\[email protected]"
1⤵
- System Location Discovery: System Language Discovery
PID:5776
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5776 -s 448
  2⤵
  - Program crash
  PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5776 -ip 5776
1⤵
PID:6056

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5392

C:\Users\Admin\AppData\Local\Temp\Temp1_Xyeta.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_Xyeta.zip\[email protected]"
1⤵
PID:5356
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5356 -s 416
  2⤵
  - Program crash
  PID:5200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5356 -ip 5356
1⤵
PID:3520

C:\Users\Admin\AppData\Local\Temp\Temp1_Xyeta.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_Xyeta.zip\[email protected]"
1⤵
PID:1460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 416
  2⤵
  - Program crash
  PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1460 -ip 1460
1⤵
PID:5608

C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3604
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2816
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:4580
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3841894879 && exit"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3008
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3841894879 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:5320
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:58:00
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4644
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:58:00
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2476
- - C:\Windows\8909.tmp
    "C:\Windows\8909.tmp" \\.\pipe\{AE6894F0-1AA7-44BA-82F0-EEC9C352E87F}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1548

C:\Users\Admin\AppData\Local\Temp\Temp1_FakeWindowsUpdate.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_FakeWindowsUpdate.zip\[email protected]"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\activity-stream.discovery_stream.json

Filesize
53KB

MD5
a1a21071fcd6e4d440991a16a1ff0eca

SHA1
6b05b38aa04e0b9fffe0243bd6fa5ab63b5fcb8e

SHA256
37436c02342957f54242d12b975fb67f3c0af22b061dfec1228763cd03ef1051

SHA512
e50d6484f7115ca243877a2665ad201e4c38e37806f7bb7a8c50ec9476ddc0a499c48ee8a6b3d50653ae9daaba05d216822b5371359885ed9c65010979f63d60

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\0496E33B07BB9340090B6FF9A653DA5443DBD403

Filesize
224KB

MD5
ac41a7246dcebe48363e36390497aef3

SHA1
f6f498a713f72cd3c9ecfd3a8fbe4280f489f4a0

SHA256
5cab269497986f3f665375762369c48e78c20eebe62f8c6add5e5a1393a64fa7

SHA512
c2767459b3abf7fb8c19af787a31e426357a3a7b931cb90b08851b7b4c9c855acf1393874a0c802e8b4383a02fce4f620cf6161954b0e7e8150d6f2bc18406d8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\18BD674A4C9A3C8C7F262ECE475621B894B172DE

Filesize
25KB

MD5
d932f0490d2e73bd702591ce6f316f25

SHA1
752da5463e9c79f5d73dee3f98cac4bf84a16611

SHA256
55286db8f2afb9d64d141bbe5b37d3ff24840d07c59211182b51fa38233d537f

SHA512
951dbca129f56d764ce5228fe24bf6109208531279a0b20148bb6a2919b52809c90a2c779d1ac41fbc95975f27dda89b682d4e4064656780c2fcaee8b57ea164

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\2681DF1C05D8B1BC372A0505C935A59887AC240D

Filesize
16KB

MD5
c40c80f3320bb8662adabc712e80ac74

SHA1
c49665898c80446f16900d860727ead47ccc1c89

SHA256
3658c566d65373af3cc1c915744107d66251d8f54a84f37be0e742f1601be7ff

SHA512
5c4c605d235ece34ce2ee61fe86916816c22457b97b44d399382dc0970b859a02aef44d8e48eefdd60992bb26c30a8e356a75c67defdecc9fa0f6c88217f9fd4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\270956E1F5257251B3210F0F1BEAA4744C1FC8D2

Filesize
34KB

MD5
bab43f347d52babedd8cc9bd87dae9aa

SHA1
505afbdb152f1099b913c0bfd774c72705e34722

SHA256
3f957ccb7cbde4deb239ac744ed687fc426313d0166743488160cf90aa848d1f

SHA512
e43b3f2e11db9868c5cfd8442c7bb14b9d222f1f6cabf84f6422617c0684d9410d1374c9b101586e6bdbb317d76bb20308214f3f722f9574dbf56abfbd1705ef

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\28C80F7CCCBCA07AD3B3CA41AFF9F6BCFFCB2CF8

Filesize
30KB

MD5
1853657b9a92957c6da3b2f25c3352e9

SHA1
da13561cd1653164c88613b683800c6474acebc8

SHA256
b0e30870095ed25483e7564c8cdf6197450553d7270035b5fdddc206b6145313

SHA512
fef0f276c73e336c38200c07fff379be6bcf6dfc8ef838fdeaea915837a80db24e38d7daa641136d3409c4995bdcfe191a3ade139be484a1329119769cd5d5e2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\40A8F58CFC1A23A6BAE836E45F467F9B93975806

Filesize
15KB

MD5
18cee5cba1318c606d969b81f2d4ce22

SHA1
a58f4ee1a11a944140737754c0629f20b59d12f7

SHA256
e6b4e0e27e70ca60a1757af95dc7a8a04ff420e4738e8b68e29c6a36d795a978

SHA512
74f1916cb1af015cddab8545c870e74a6860b8897c6cab401cb364a233b85db1577979188367ca70c46fb496bb08370dccf354caa73d7bbcba79328a17aad2cb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\48A773B8B92BFF039D7CB5A9DA03A6DC953D7D7B

Filesize
18KB

MD5
f63e7283c901d4619e2b52bfebedfbae

SHA1
4c5c38a31a2a2254cf5ad4a4ac0bddbb6da6cb89

SHA256
6603cb4ea07076c2f0baa4b7cc4df839b0fc377a27d3947b226ca4c5b81d702d

SHA512
cf38074e570b3e085a5cea66aa8add008e35ef21cb7c448b359b5eb4e650c83cdc46ea2d455ae8fb8857616e08230e9ec8267ed7973e7050e7be881ae4b6e1e3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\510407AB3C8BC4F8A99A166397489557725BB000

Filesize
181KB

MD5
a1c1d191e7f1374d56907e624f4bd6f0

SHA1
d1eca440ed111c52dce66667a1635633ac72e9ef

SHA256
3b4dd16b942a3cbf56181dcb3e2833583a9672602a439490871dac187aa8c57e

SHA512
45d0a5c5492b1276b67a216a7483cc04e95636c6f2b97213b8a80fdc98e6a01ffbc972924756c81607f9a617d3a942de2bb35b252c887ce03d6abdd149c183d5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\530089FE4FAA547B281FF0C851AF7213122D2AAD

Filesize
37KB

MD5
7f364f395a01fc7e30d04b8e37094b13

SHA1
dcadd7df8542ef0af8acbf852921ecd242c8267b

SHA256
f31162f40e6238c743ae4d1bbd867df904ce0d8da1aa4d7c96d8ee9c46145530

SHA512
73ab8eb1ee7e723ada660889fac3bf4342e7c52f236d7a69ce65dcc7d977b3028f9f0217559c67f8d8bd0081d2aea5e46c97fc8e6842a085e257cb756d0a9a09

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\586D25A03895848B0609C1B0C9097200E0CF65C6

Filesize
55KB

MD5
6b6402b544805a29cef61810e9515194

SHA1
9aa1ffb19da692c0c6091a9d07013d0e4e9fa44a

SHA256
486bebee387c3cf58fc3c927c75debae034fa2f778820f95a8d7bc8f3444aaf7

SHA512
f854aa6be077c41d89173a6e259fbb74c7082b502c1da2afe1e2fbbca166ba18b53952f3aea9fcbb8e2e477073336355ec7499d49e7141804e582298d324ac8f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\5B5F81C77EA4A0D4425E62E3D6F82E571526EBF3

Filesize
14KB

MD5
6ad94ab20e6dd7b06950702855fae202

SHA1
f119aeeb7e7148a22d6589a27c0d1e08b73667da

SHA256
fed6f3ccae258ba37fb1954107a0e3b6390b19fd73f2d41f6c778ec433387bec

SHA512
fb9af9a3826f3ab79d0c933959f89bfc089b32aaf1cbae2fa7a2acbcb9b3399a2e7e378a3cd1c6dcd96e6c392bbbe32aaba82e4b05d644bd619121a44e67f07a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\5F93482F2BB5CF21CCCB04FC19CC2408523275C8

Filesize
432KB

MD5
01f05ce0a4fb7c12e21c228e1bb83146

SHA1
71135c2ffbc0c1981bed945e0c357e7a62e3bbde

SHA256
8000e3bd9b2d73342bab0b52a9c92afbf8736f57b5b416872361fa0d87d59e62

SHA512
624a18bf45e2ea649ab4940a6935bcbd61a2134fcecec1f0c1fd9baf58b992afe9155b646edf7cc3af49bda3b0e10ac594b2bc70021e44da05005b68d879702b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\84C1243484572ACDD0BFF937CF7585B66B1350A9

Filesize
53KB

MD5
ac3b320e09600a194e863202455cef4f

SHA1
ba26f82ecc284bc1f1dd67a262463b37436c1e8d

SHA256
9d297e5f71371b3a9c2deaf32f65136398b62cbf373ed049249ab0b1c342bbc4

SHA512
bc2f1a68184c5a8db468ddb932e8ca898e4ebaf3611200eb4481a7f04800fc6b3d9a64287a19ec043bdf9d4df5f1f836fb7afd1c1c447abe6f4f7207e0d08a33

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\85E9950EC94910F99A919A397C7419B57853D6CE

Filesize
34KB

MD5
788019e30aeb3469b35a8d6339fb20c8

SHA1
00c1f13c224a65a71447a23ceab2c7a66f826516

SHA256
f572e406b84f15b270d6842a5edb075b0ea7d16d56f683844a5df4fe92be5518

SHA512
029aeb01b2b2177440b86475f570c2dacab01cb5bb51bc98d33070e2a60bab68e2a790ee7418a9c0daaa5baa3d52e70a108190f849f7ea63bdb98734146af0ef

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\9B5DC42D011707A272F4010AE622B8F276F1ED8E

Filesize
45KB

MD5
aad67248fa8990078032a0eb686568ab

SHA1
ecf991263d395a018b28f3b8bdf7841da769d25b

SHA256
8d2d0b4ad699364cdf985af7c8818904ac1ff009e38092710787af2bdc2c871a

SHA512
3f00e20ea1610c8224397d6f8518b5f12a9b80e76c6217544d65443384cdb59cec35e8c276568fd7a51eb782b78e8fe8b9be453d8262fa19bdf9be27133dec84

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\B8819EEE043F8A02BE187BA733351E7EF002832C

Filesize
67KB

MD5
38865236a05ce6d582f6da773cb2c32f

SHA1
baf6c433c77d4dba2d12d5f9323949df9de758d5

SHA256
bec09323401f1e362e1c646f84a2b3de404ace95d6fb9bd913c4069118b36e39

SHA512
d6bf5a4bcbbf0eecc2a2f8f73f9066a7c1d327a29280365459a7ddcb169779e6e0d8bd9b88f4984c02a75b118b0677a50531416034d03790c2102776d44a1527

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\BB355F3AEBD6411B6F9B9A84FC9C0310AF448D87

Filesize
27KB

MD5
8d7e873c92679f40c77b7ea384f5ed00

SHA1
115cfff03850d2b6d05f9d2e7f20b553adb3c5d5

SHA256
1e52ef457b2f2de778c5c296d7204beca920fb76b3b2ad3b8817f3d8b3990230

SHA512
cfe12517918853e6192d367890b638a3abc1b09f3d88a4cee464508ae528d92977c7d2ef42ccd4004ea878bb040ee357472c26746d351b43107e63574f6f483a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\BFA4CB471B411750D6FBE48A5BFCAE6D137A68C8

Filesize
154KB

MD5
36ef4dbb7f78274304e3f1af4036fa1b

SHA1
27ba8037cfab509a398d6c0ff0a66f08dc7ecb69

SHA256
5ca5db082dbfae6ec955bd13283095dd076e8a3a5dc1b6752d3344959ff7a6f8

SHA512
4d0b39296cc84cd3e80e7b53ef23c60f5ff73a9358c9fa7b658d5e33c82f26484b1bfe14ba90886b1a13073de29f9c72786bae3b79c40b788b9ea9d1b7f91ea0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\E03191FDF4572BB7BE59D089B62E32A193A010C9

Filesize
37KB

MD5
74e762ed896c052a69bacc70302867e0

SHA1
d08ecdeef897af7c709252957e42e805d35895aa

SHA256
0f677b9e9d3ff245ebbd9aa3a6dab80a402b76543ec6917c08839ab3925763ba

SHA512
b732066e1533695bc25024b5ca64ad7ed5fba2bc13c44d9b97bd3298ded5c59c5325eef75fcb0ff097e999e51a9c2df69123fdd82241970dda563ef38e7ebdea

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\F6AC07F99F5B73E7F7D8055F3F940277F10064BC

Filesize
19KB

MD5
d21b30a0d4032e90f61b65ef74890d94

SHA1
94309e080f5a90a005927d174235f7849165a60f

SHA256
34ea304236801aadcce48275e55e7fd341c2e825210dbc6c98e8934e587805f9

SHA512
f9236ce7497b7ce1dc104214e857397d11ddc4f870eccf81a401caf3f26de697e5377cc2d941da64d28e70ffc8c550e507434e138f3d903ee5baef7a6dfad8a4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\jumpListCache\0XOzSgHbvoFe6XXOpKZCaaFiyoGWJQuRW3BZWwHdiyk=.ico

Filesize
25KB

MD5
6b120367fa9e50d6f91f30601ee58bb3

SHA1
9a32726e2496f78ef54f91954836b31b9a0faa50

SHA256
92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0

SHA512
c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
4f758ffa04f0c8a433b8194e8148d108

SHA1
da4133b11982984aafe512f07681cd341de1aedf

SHA256
b5f4b4451b979c494519c102aad583b418f0f06ea907978df4024ad137924347

SHA512
83718ea02d4549174893a33582ee9096a9fb46ec59f658c814f0755d4ca037ce3f6dd89b5d69b3d079458b15512378200282ad95f6a479805a051f58b72e6203

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
0c1ce1369866ad1b52dff0e41eaa96e9

SHA1
1e94962e50d67bcf200d186ee7e14709503ca5d3

SHA256
d0373d077fd5840a8317b72dbe3a8154149384ee4f29e36c598cc17ad60c677f

SHA512
1add63aa358cf612bdd4ed99af951ef777cc7084bf76d973b60f9951cde68a5c1c189fa04dfccb05b920b8f5d8e4c20369055a4dbd19b081e9b02528b74b36f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7W36RCRU88MASLS3DHNH.temp

Filesize
18KB

MD5
38d5655d29cf6d2ec0642c68cb0effac

SHA1
ac55844e149328f10c97a266a2e6cacc0154b73f

SHA256
a6a014fb41d2f78ec8e616d7b90d5f34c27bdbeb755245d4f19faa3023301255

SHA512
df5560546682e7a750a66902cfdcfc470d6853f88e0f8e1a7a2767ec5e8ad6cc42a9c63b55f8d6b1db6566003a11217c88beaebe9b4a188a71c3a08eb0eb029d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin

Filesize
18KB

MD5
8b8c4c19fe407850f3c0e219d240b344

SHA1
759c3d67427634d727b397f2d14f03e5d6571b85

SHA256
c7c62f7c328bafebb15855e706dc41eec3d34d9a14ed4e968d4657c2e77df172

SHA512
33591dbefb2ca30c18b2cb5da8e90e64e65abedd468e389af8b0803b455f49fd6db4b5445b4c562491983e67cf33088eff02a50be983337abf28ac949cd538a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin

Filesize
6KB

MD5
93444ce7bf9dc33f2e62bbc1af9da9a5

SHA1
60d714a2b968a8ede686375a021f2c8186594bb1

SHA256
cfec944c90086f8de80198109d955ed230408e423f1bfd5b2e28915c709b75fa

SHA512
0d27f10e94da0243141afe368d004b90840ba26670a52705fed4aa0d71cfc86d2f2b9a26e13f875b6517434935cb892406ab80c42fd49ab4297e296e9c14c884

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin

Filesize
11KB

MD5
bbb18599c2eaaace0c6707ddeb56c8cb

SHA1
3ca6622de9b2937c29d9bdc5fe7d50273875c8d6

SHA256
1146310fffc0bf68df77b5640db89db213894cf1ef65d9e5783ac72b62e306d6

SHA512
87f53dc9ac7b5a22f9db91507b9364e0e71293b88a0f244f0aa7188952d560f922c87abbeab26e3bb50a98a9e8832905e6cb8add309870111ac846907ad0a97b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin

Filesize
12KB

MD5
46faa1d5d2004c80852fb8800ecd7703

SHA1
637b2104c802aac4b218eb63713f36d3b816e012

SHA256
b7b77087df969fe3976f3991d4d5e8b05cd08e5dd86214f8bbde45c5ada7e362

SHA512
26ffb6109a5b4a7a082792c708ea0ed2d7a65898e758130368e5da963d477c0af216624fd6753c58c4158827ebe31edd5795600ae0e0e81a6c389f92d9442479

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

Filesize
79KB

MD5
91c94db4ffd6d8804b6c8bf88f175d04

SHA1
f7c8491a2b940451d9d5844a7b8a15c7509ba555

SHA256
7f16ca0896204024bc7209f39d3bd79b2fe57a8703f91c2015fa600cbe88c45c

SHA512
7e95e3b5311141341c983e9a7c56893462da61a49d1709d042627b066a4af626eb47e624723e73f0e033e3af03ab79c2fed418ea4ff9ec3a6e8257a48c4f3e07

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
2c19f837642c31a3cdaa34a884eb5b1c

SHA1
829ab4a29952ef6cfe04d92db80a67dc0dba41bb

SHA256
84a661f950288fbbfba242724bfc7248db564edfb8df039dfdcb6bb392ad339b

SHA512
c7d0449950020a0527dd4a6a64438c927301d57d54fa36122db878833eb35c583e923d0981a876d56ff8a77094fe12531cb54a6ca2cd7694c0661d8dc459b4d7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
4967db8dad8025420ef378fb25839792

SHA1
bd3a319ee7e719ee5312cced6e69e269d2714393

SHA256
af569291fafe966c82924c9faf0858fd54cb1d665b987ffa30d1062d455e1435

SHA512
baa1e5a6232c2054d349e54a884eed7c9514e10e792593375704afcf2b7ea05ebd91318f572cd2c851e5d5a293972db9965a753131405a7c357899d1cc6c96d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

Filesize
79KB

MD5
d028c01ac4d22d9484b6311c411fd784

SHA1
763db39addaedb76e3f38268db97d032e96f5693

SHA256
c426900bba976be9e6d18aa0c5e0b5ba5b326110c33b9fb99ba200ceabb83c0c

SHA512
f23df741b281c7dd722346accfcbebec3781925745195416a18bc5d8a22ceabc7d2accb9f7af3eed88ba6f0dbf3e630d667d1521df704f9924aa93f523216f88

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\events\pageload

Filesize
4KB

MD5
8aeeca73fd7d6172f3cf1b36375a5373

SHA1
5ed96de75f1b5bbb8a9f318db2b162cb99d2f122

SHA256
3811b3e9683888212f27b0f3cf3cdfc86dd3fb737ca3ef00aaa3822870e12146

SHA512
4194c80bcecf867f599cf8664018c3d3b0bbe855f060108186d3c34b87f83bf173dd5012fd8cc77a05abde5e0dfce0d09c3f4e16c2cce742a6c34244b94b2e0f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\1d364c6b-c9fd-4126-96d5-74c609f892d5

Filesize
659B

MD5
67daced45818d3ec432c8c9936a6cfc0

SHA1
a6e57f8c27020919403360a73f2efe78b8233a2e

SHA256
65c58487a032e490b87a7b8606cf96b6b1d97dd79bea1875d0b7ae835e408661

SHA512
daed66ede2b68a85c47e43d37a3e2a0c1f09e1ab1e05dadb2dc045c5c5b160420b087956ba4ff77b7973f5b930828b62923c0175dbe7e60f81a6239d7ab80ef8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\908281f3-74b6-431c-998e-da3059b93a0d

Filesize
847B

MD5
08dd340011fb68292c39e335d605abcd

SHA1
2e626bcec70bc0510a924bac7d0f9c3438ba928d

SHA256
8c54380d28b00d4f540b802edc04f9ab66af29602f986c16ddf74282eefd9bc8

SHA512
5753f1f33e0ac5cd56bf55866c61282407fdc76aee86ce99c7c60dc7c6bc2685477b87a339bb99339287a0b0d41e2f6213ae65a4a509f2d5e6581260ed570617

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\e0ad2e21-b3f6-4d30-8490-810c9b923c0e

Filesize
3KB

MD5
7f7389da7fdb09d10aaade1f11ea9538

SHA1
cd3f7b8b1957b9eb9ef8fa7bbec2d7eae41595a3

SHA256
4c3c4938290673a5cc96fac59bfe7775d9608eb47f02791f06473c8852ba91a7

SHA512
584173134a8982d98c93d633accf0744a1ea6bf6620797dd285766b8dbda29b6ed9fb4ee8fee452fddc2974a63c11347dd3bdca25e0b8a2af4ebeea84811f4e4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\eaca457f-b71b-4956-841f-61a9479332af

Filesize
982B

MD5
b9f15529db5e3388a9aa407dd8cd2152

SHA1
34b2cb7f9899edae1b62de79a96ae7d441cc8638

SHA256
0f19a99467faad9bac3f5e16cdac8f5953aef264c6d35ca585591f9e0b4fdbe5

SHA512
c57469451bd703e3b83411d74fafbefe7f80fda87047d935e550bb9576598d217155e296085d0cf873b91e17a8c846b8014868eac209a2950ca08c42ffa66b62

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs-1.js

Filesize
12KB

MD5
71519c073771fb5a9df73f53cb98a027

SHA1
b1c61b14a65434be3fdcae8bb528264038db2646

SHA256
b1dbe44703240463c858eaabddf8e9464f78cb34fb1c18de77192e9a2b48baff

SHA512
98a31c198e952932462e15578e91277ccdf025e7a0dc3b9e1151d79f72f16377029446d91d2c3b8390e39fb0ed3a2b153661261d72c81f945d34c2e4b99e2339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs-1.js

Filesize
10KB

MD5
3a3274f6701bb9f65a28d57939c7c9f2

SHA1
86704c096223cc2c64dda7f367f65baab04b372a

SHA256
68ee430e6014e76ba5a26bca5d547b1b1ac2767f28854ca6b89698b1250a3927

SHA512
6c601aede05851758041790d0d74178f535047cb444f00fd3882cee356cfa22e4106a8aee5c2b834fc2602eb31978d471d05bb4369d3aa15367ebb8f50ec9cc6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs.js

Filesize
10KB

MD5
49d6c9a5703fdd88ffec31827742442e

SHA1
74ee50ab6f2d3b919e2173102185dc618585571d

SHA256
1f49c4a84c15e5480a422198ed88e0b21a8a5d9c44256bfc72e6eeedbd049218

SHA512
8794f264679f50cabb60ed7dc63b59dcef2bb003316e27cff7d66be913a9143400989347e8098d2b77b29c2d6b7e70a3101ea58047728fe45edf24b31f0052d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs.js

Filesize
10KB

MD5
1200ce381eed9cc2d76053eba08c8d05

SHA1
5e9d7bcc19e4d1d8c615f7b02c849fc416c6f195

SHA256
9b547f7ef9d4144dee8a6a15f508c17e27a472ab706f8fe3360c64f95e5e17ab

SHA512
9754aaba0692051ee85c4061fbe7c4d3e2b1d7636efde2dbbfe9d1dbb7e9dd7d31b4f429f16e749d5d5265c5b66f5622417d6a0320bcb8244cde2ec5fa68438e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs.js

Filesize
10KB

MD5
2b93705db201ee912bceb3c710299894

SHA1
4281c62f6d4551ae4bf99c26f1cf102f370cb6d7

SHA256
77c2ebb701318baa2a22e064065d51057902e077e6112351e4564f5bf9e704b6

SHA512
4f7288df50c10dc4bb599d5c56614ee105b18572161cae53b6d22707e2c5a4121a41fbaa1f355227bb33760ce5473fc1acbf27cded72cb42e0933b6bcd343287

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
2541ba09271e77c81ba99782e4ac6fee

SHA1
3fe465eeb9c7d0aab9cb7640031a6f92d9773f61

SHA256
b7e4c0f170fedea528c3161822c953f86a6ed177e01d3c0bb2c5f9d9e873434f

SHA512
0689d3a7d4a4ae27a0aa711307727dca1ddad7bab53f7c1550b6ab6f982359f4273c9d1b14eda6d81a624c0db2d1527ace6b291bfce1967ee78ea71867881b25

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
3deadafe52cf77436ea312d7e3d09087

SHA1
026d7cdcca27d4cea9752cbd897a1d02239fe323

SHA256
d97908b3d8a011d1ffca392744e5fe4b28b70d761e45458b80e9226ff5e2868e

SHA512
dc68a7e82d1fe8bc09fe46fddf3ad38903f0487bd0f4ba102d8fc72f6a68185a865679acec1ae6d14a3af447e894b0a8ebb3afa80bdbfaa60cdc39097b6ad4ac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
1cd0e430d35c5a15a18a2feba2e6ca7c

SHA1
fe9cc59823e36979bbd52af3a2cc91d5be6a4236

SHA256
513d6afe9118bd80cf64ffad693ac4f7c4dbf53fa534ee58c9931da58f4fcce3

SHA512
e3bf4849ee07f1aee6f222757da63410ceedcb7125f97dc1f3d3ee7159aa2cecff8ee983bfebf9fd9aa1ce985fd413622381d8f9aab02f2be103bc8a0201141b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
5d1b2cb518fc0523f78dc0baf7f801a7

SHA1
cabe0f17020c7ff6a077f8c8b0af8bc5234bd0a7

SHA256
d470f2ad38d6a135d10c661e874103cd4134c96a3a50bfd634e3fff1e740723c

SHA512
98720d0c59ea5698d0e8fbc4df40bd1c8157ac6f03557bdd9991671b51a337b2db4d985fc9ed63a9b3f0ec1502ce6dc73b3ed88cb250e8dab2bd9b68f54aecda

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
71027b6443fc225ed9e3899df5d45acc

SHA1
ad8a88d5ed4ec0b44ac6e8fe69d9c8ad980aeb2c

SHA256
f17f30198ac6823a1b71dde7551bf4c63368358c336ae1823974081b851ca632

SHA512
7be007a62cf3dfe960306216d1bc620035a2abcfc81a7dda51ff843786172160836786508deadbc756e8aa0c2a318e827b9e8d799899182fda290db783af5096

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
00cd6743fba844f3195b08e3824756c7

SHA1
aea0bf6dd9092b2c5f314e6ddbdba993fe041a7a

SHA256
a320311573bf33279d556bb4be9960f585c3578fb36a1248db794bd9516ff3d1

SHA512
b8311c10f3ce4a8d804288aeb12f2b157cb6966cf5443e92a5de38abc38468c5a760274b7e5eb5515642588fed759d1548d7194e2198e619ae11a155c9e56175

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
6218fef83307aeca7468ea7a0ddf9a39

SHA1
c943d82c6d26f8ea549d95c9717058dff7699476

SHA256
dcde0c04a0f7fddf5a9c7d6e65bb881b42ee9d2da8261c964d77f0709b69bd50

SHA512
fbbee04e07b3e06737ffe4e1d75c1f3eeabbbcaf3354925ecc1be96af72d5dca60186ef2fbd883ee6e9fbf207cf6557bb2844837825da39dba9deef745449248

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
de99660750be66808f4ead8e012aa209

SHA1
8a6f96c689604cd40dd364a403ee8a7ce67a273a

SHA256
2581e0150009df1c4e0b31c03536a4704d1a6128fc460aabbb9f875a00714d69

SHA512
962be133e820a4b3f052b3aec21ecdbfd6ea6fca6b926c028be8a75e15a2831da44421bf3e78bdaddf0a75995482e330348337f0689d5452bd9dd9ef054417b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
d2904bd79441bf2f4f048de4b0f6c62e

SHA1
271846dd961e7139a822111a906a1c110773a502

SHA256
a8e18ae993fa702d34d8676df23088bc85a2a54503313c3f68150e77435161c4

SHA512
912882e4499cd3dcf7d1b8a0846414722db1142d1862050c60401b80e910aee9638773cff0fe503ce47b6e8d530a728f0d47fd5bc695f04283b1bb16a333eba6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
c472687c1a87dbeff1d9e84196d3734c

SHA1
032ea4ebc2b152ff60c58184778c4303e2146286

SHA256
814b2941d2db430f8b82179cfbb24615984a0f8938fefd14fcfc8ad21fee2021

SHA512
60bb5110c0aebec4b92ce2e4a7b4a393d64679a6809615d81e1607864e514415ab39ad87d47b03ebd104aa062926fe14f9d68a13cb119e6cfc95ae8f69365dcf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
4b4a217f68b3c8fdd1f436dee48b17db

SHA1
dc791ad7b30de5d6a77f5f5f7adc17a515558c9c

SHA256
7b140780f817297bc3df33a406794265d8c3fff86fc6cac186dba79aa9e73990

SHA512
a8165f3661caf1a41b8ae1331f73de5e77d2612cd836094a10edcde9ceb7789f751c1d6c576f5f07cc4bbf012f984b5a685fdb1a978a8688dbfde4fdbdc92b8b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
fa139f6fbafecc8720839320587643e2

SHA1
3452eb9971f6dde6bb90bae4dadb29fbbd49e18d

SHA256
caedb51f6ca4068cb99fbca937cf4ac3ea7979007de72e32ece86a30194cbafb

SHA512
3b0d8ebeba2f61a7f11d6f70a93ed19c74729a03027fe57f1741ea6b4b6fe94a0a4eca0fc241ec225e2c1d1e23f10a72119b09d877e9f8f6a6458587559d9fc8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
dd47cc83d4dff67a0aea2e55afb5d047

SHA1
ddcdb3bbdbca4ce58d0951594d20e99d91d372a6

SHA256
d46f2011a96c5f36262f7da11a7c88f134f5f2de9dc4e69017202b3eacafe3b5

SHA512
48ee35b353979716d5694dfd53027453f55063fc04cd6937bcda4dca977273628233a46e4391bd0e9fae6e9bd76bb1253598c23130d237cf2d6cda7b595c01d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
8b3dae2054d9f256ec1f85fc31b98858

SHA1
74578d5f26db2a94ac00a0e6a0ff77983ab78581

SHA256
c89151041a14916a684e12696df6ffbf9dc54cb6cff65be194ea822c811f6ed9

SHA512
b7a2cf0a1a9a7084c2f45639b18dcb20d8af906ef5d36767e4b27996b0681cb782d16ebde3d88723836899f88d35ae632b502e312e2aa4eeb2a0beb0d0a214fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
376dfa9db03e6d857aff3d33ba9ccf59

SHA1
3f7112106cfca77879f155f7285e317ebcdc1558

SHA256
39e8d980c5674f52ecf5ef693dfb742cbfd1ba24e65efd44e345cfca9e0f682e

SHA512
4f8f92e2ca3407b9d9fb881b327257595330a998b9313f7c65aa74031f27b57555bf7d09490a611d718b6c7988820d756c8674d733105c515b624c8e0aaa4be8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
5b94bf3fdf6ff2355c0bf35782608164

SHA1
33e5eb93aef9deea403f53f3cd2272af49c11159

SHA256
fffad7a2cf869142ef541d94fc7b83cc94813819a6fd0b218e84fbd3bcca8094

SHA512
58867c192195dd9862e4688faf64df60e186f2dd9f1d7b859b5d2a3b6c4734d6405e610bded742ced7421e678ce9839545ed878d39c2acd026da817d927d05c4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
f65ec2a6512f46d1e33713f4899b1d4b

SHA1
912de613c17e1299cd1aa13094b9e320292cc888

SHA256
9fa1c7d71afb73635efec587d33be113a8d6e580e10b663a93d7948e84a2fe27

SHA512
45a12d38f4340036c61c27e547a5fe9dce0e541ee42d134b952389996e3790a4902480ad1f3d260ef17dc7b7dc8746b1284188fd9e50f42d6203fb7e59b91c50

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
2d295bf57f1177de56a5f7b99425ffcc

SHA1
5e4466beab52a8d02df57402b458755f676ad3fb

SHA256
9b225b72049c4c96257212098474fdfb37a7495a37030c46baed66393f3e5171

SHA512
a20c38c1e44488164f40aacb602becf723ca27c7af8cfbdeac0f73a4b7cf8b1ba644d82b72f50ea6be79bd65fcb3701e09cb2f9faa923de81a552455e0172272

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
b74271fc0d42c3adc5c7ee6b2781bb9b

SHA1
dec39b5630e48999945dfd762cf129875584cde4

SHA256
93bd3a102b75689c028e56b8391fee61067a43550188ca03bd4466c7d371eaa9

SHA512
0f91f65b7536d70db7c608d20035e79e096dfa9c194a614bb687f88ba78d434a51592300ffa3ffa00e4011e90e334aa31377163491a14ce1de670731bfbbad73

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
897483168a75f20f2343b76793baa30c

SHA1
ce683a6f2b3016f3f33af58196446545cc87a720

SHA256
3e825401b598136c25add5996299a2680e7f05f650e92a6c13b5d59de5c63619

SHA512
e6ad06edfeb9e8877f60dd8e5747c4f81214618f2d9397644401ef20404755cca7e75ae75f8fb1f7baf42d77cfdf294c08e7bcadf68d19659470f639d08d22da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
00afb2cb3d2f62c34e95c40c6037e006

SHA1
eab91f809a8def04a38a09d0368f1dc1bb562882

SHA256
567b858caab54ed9ecaf7bb6ec2e82150e599835fac4a6506051209460c679ed

SHA512
790bb81e317922b57b19f7ca5f0f56b66cc9068baa3113cc734c9942c4250aa8b4b5f4126fc7e748b622b19d3df7e669fc5d28cd97ca0a319278f24d1fcdd22b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
766b4e6b1dc48d26ecc3dbd84629a9a6

SHA1
465e36259cd2bab883dcaf5128448625ae1813cc

SHA256
0f4ec6956af11aedcf29a28030c3197753cb9b4ee591f1c6b3e2d1c92c13326b

SHA512
ace2b57943fa90e5cff79959729e983c9234972e90ca7ce0248663488d608f4ed4a022cbaa7fc5438fcb10d50600723eb7a45ae43b38bd9d594f8b849162ae71

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
d1bf514b432362ed2ba13ed01aa0492d

SHA1
348f891804c7658c0fc6a23a5a011733de8f2e6f

SHA256
5634632e1b6c2ee8f6820d2eaa27e41172c2064680364867062cdedcf373e000

SHA512
c6ce60459dbb35cf8939218d4a5fe15ce3355568fad8ee042c22010e9f26246c36575254e7cc349c85a556b2a0d0987c9dc407e1fcbea2e0b46a596e0a90fa8e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
11KB

MD5
a0aa96eb1787a98852d25c9fae6cd450

SHA1
2d51edc2480d9fbcb2ca84f8e9363326599a8da7

SHA256
c78234f91ed962d29dea345a4f3d15d34df9e1e573900be5aaa481f795302040

SHA512
fe259c5eed7d5096b2c87a5471f0ff0215ac8692e726481024deed89ffab4a10b71802efe333461b6587cad376e77c2e7700df0fc9a8352ce365d3e99085a9c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
11KB

MD5
d3b54a5690f27ad69db5aca8e46b983d

SHA1
334385d440d47dc985503f09d383a26c4f88846e

SHA256
339550749b0a17abfdc10d772f57ad57480a50b71940c9a7306b7627a478d7d9

SHA512
a44238f55664037bf12a9e0f2704b724efe59b049947cd51e473bb5ca82023cf725b5e1cdeb2e25ed16200eabeaeaaea1f052f48f5e32cd3f60307c968cc09ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
11KB

MD5
d3a06f619b8794429d26475977e4af5c

SHA1
614a3fde52fd79fad23ff179f67833dbd653fd83

SHA256
3d93182a6cc6d8acea2563f7e757a4e3062ac4bbbab9f7afd23f8e8149c6798d

SHA512
f7adb8a778ff5aa55e01bbeacef4f25d6d683c48999d37f9f9259240e7c0fb0d5c091197ee7e2f933c9d6c587f3441aa7eb19a8f39ebc84472ce9a1f156bb764

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
9d5c8d7255a68ef8690610fb9114aab6

SHA1
2b34b2acb3a6a5679861555ea1bb646cbd74210d

SHA256
03e7e8ed04883ea9ce00f194a9b2ee02ef69195a4e46da9d9a6f95e841938858

SHA512
5f9ee7f7745828d47dd193d21b4add74f8bd34ad97628a67539d626337ce44759c9d41b0ea48cbee0a8e9fa39b761dbdccaab6c27d44bd1768df589f9a12ef8d

Download Submit
C:\Users\Admin\Downloads\IKb3cHrw.zip.part

Filesize
393KB

MD5
61da9939db42e2c3007ece3f163e2d06

SHA1
4bd7e9098de61adecc1bdbd1a01490994d1905fb

SHA256
ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa

SHA512
14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e

Download Submit
C:\Users\Admin\Downloads\Xyeta.zip

Filesize
75KB

MD5
9c248fe8e3709cd35bfd17a02c7375d0

SHA1
a18d45a0b21d96922cbe01570fdeaa86575434be

SHA256
ff2a1ac3cb55e49a1d6af58d5bd2c389389b7c3dd858a47e909f1bba40289bbe

SHA512
65e879989ede16ba3238c1b8c3e0a3212fcff8836e31cc5ad6960b44f0f69b17a61d0500f0f9d295a573c153e872955a1d2fc5f0499b0137714081121c0fa241

Download Submit
C:\Users\Admin\Downloads\YUZToQ_a.zip.part

Filesize
75KB

MD5
213743564d240175e53f5c1feb800820

SHA1
5a64c9771d2e0a8faf569f1d0fb1a43d289e157c

SHA256
65f5d46ed07c5b5d44f1b96088226e1473f4a6341f7510495fe108fef2a74575

SHA512
8e6b1822b93df21dd87bf850cf97e1906a4416a20fc91039dd41fd96d97e3e61cefcd98eeef325adbd722d375c257a68f13c4fbcc511057922a37c688cb39d75

Download Submit
C:\Users\Admin\Downloads\tIsA-Oyc.zip.part

Filesize
604KB

MD5
9e94a2a8c092b611420f8bfdbac7beb8

SHA1
38e21ee8cfa81fd26dabfb0923b108b54db6f409

SHA256
8f8f4fba17fdb1538ddff73763cf6bac274f2dd1fd53c4656d45f496ce690f12

SHA512
dc550716d82bbd3f44ad25f67d8d894d94e5cc1e15c996c9a6e3d9fe5fa9acfe5d2b9134736d72c4e2a72434298e6419987319242776e7bd68e0a87783c0fef4

Download Submit
C:\Windows\8909.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/2100-1916-0x0000000000B20000-0x0000000000BDC000-memory.dmp

Filesize
752KB

Download
memory/2100-1919-0x0000000005680000-0x000000000568A000-memory.dmp

Filesize
40KB

Download
memory/2100-1918-0x00000000055B0000-0x0000000005642000-memory.dmp

Filesize
584KB

Download
memory/2100-1917-0x0000000005A60000-0x0000000006004000-memory.dmp

Filesize
5.6MB

Download
memory/2628-1723-0x0000000002C80000-0x0000000002CE8000-memory.dmp

Filesize
416KB

Download
memory/2628-1715-0x0000000002C80000-0x0000000002CE8000-memory.dmp

Filesize
416KB

Download
memory/2628-1726-0x0000000002C80000-0x0000000002CE8000-memory.dmp

Filesize
416KB

Download
memory/5356-1656-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5392-1645-0x0000024ACD420000-0x0000024ACD421000-memory.dmp

Filesize
4KB

Download
memory/5392-1649-0x0000024ACD420000-0x0000024ACD421000-memory.dmp

Filesize
4KB

Download
memory/5392-1644-0x0000024ACD420000-0x0000024ACD421000-memory.dmp

Filesize
4KB

Download
memory/5392-1638-0x0000024ACD420000-0x0000024ACD421000-memory.dmp

Filesize
4KB

Download
memory/5392-1648-0x0000024ACD420000-0x0000024ACD421000-memory.dmp

Filesize
4KB

Download
memory/5392-1647-0x0000024ACD420000-0x0000024ACD421000-memory.dmp

Filesize
4KB

Download
memory/5392-1646-0x0000024ACD420000-0x0000024ACD421000-memory.dmp

Filesize
4KB

Download
memory/5392-1643-0x0000024ACD420000-0x0000024ACD421000-memory.dmp

Filesize
4KB

Download
memory/5392-1639-0x0000024ACD420000-0x0000024ACD421000-memory.dmp

Filesize
4KB

Download
memory/5392-1637-0x0000024ACD420000-0x0000024ACD421000-memory.dmp

Filesize
4KB

Download
memory/5776-1591-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5776-1590-0x00000000004E0000-0x00000000004E3000-memory.dmp

Filesize
12KB

Download
memory/5776-1589-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download