2b574142c27e20f6fd8a1285772104c9e13774631d3173f2eb825dae4a6ffe65

Analysis

max time kernel
235s
max time network
233s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
22-04-2024 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0123b26df3c79bac0a3fda79072e36c159cfd1824ae3fd4b7f9dea9bda9c7909.exe
Size

56KB
MD5

214add3ebdd5b429fda7c00e7f01b864
SHA1

7cead6f1e4c4b0824365268cdd5d168acf56265c
SHA256

0123b26df3c79bac0a3fda79072e36c159cfd1824ae3fd4b7f9dea9bda9c7909
SHA512

6a3541878c3134d7dedbf9dc182cebf12689aa4b4d3f2b4071981175db79114a66336e6f41e73ede21d8c80ec42fec7fd48b17698df0e28feeb81df4d53b6219
SSDEEP

1536:qzwshK8pUMGxo0xwwW9VemFMGfpbbVDoANyCa:wwshK8yMexbW9vJVDoANs

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs

Web Service

T1102

Processes:

flow	ioc
81	raw.githubusercontent.com
93	raw.githubusercontent.com
94	raw.githubusercontent.com
67	camo.githubusercontent.com
77	camo.githubusercontent.com
83	raw.githubusercontent.com
92	raw.githubusercontent.com
102	camo.githubusercontent.com
104	camo.githubusercontent.com
65	camo.githubusercontent.com
79	camo.githubusercontent.com
78	camo.githubusercontent.com
80	camo.githubusercontent.com
63	camo.githubusercontent.com
76	raw.githubusercontent.com
82	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 10 IoCs

Processes:

rundll32.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\IMA_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\IMA_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.IMA	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.IMA\ = "IMA_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\IMA_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\IMA_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\IMA_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\IMA_auto_file\shell	rundll32.exe

NTFS ADS 2 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\Raccoon.Stealer.v2.sha.zip:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\AntiExe.A.zip:Zone.Identifier firefox.exe
Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

2064 NOTEPAD.EXE
2828 NOTEPAD.EXE
Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 1896 firefox.exe
Token: SeDebugPrivilege 1896 firefox.exe
Token: SeDebugPrivilege 1896 firefox.exe
Token: SeDebugPrivilege 1896 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

1896 firefox.exe
1896 firefox.exe
1896 firefox.exe
1896 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1896 firefox.exe
1896 firefox.exe
1896 firefox.exe
Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

firefox.exeAcroRd32.exe

pid process

1896 firefox.exe
1896 firefox.exe
1896 firefox.exe
1896 firefox.exe
1896 firefox.exe
1896 firefox.exe
1896 firefox.exe
1896 firefox.exe
1896 firefox.exe
1516 AcroRd32.exe
1516 AcroRd32.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\Raccoon.Stealer.v2.sha.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\AntiExe.A.zip:Zone.Identifier	firefox.exe

pid	process
2064	NOTEPAD.EXE
2828	NOTEPAD.EXE

description	pid	process
Token: SeDebugPrivilege	1896	firefox.exe
Token: SeDebugPrivilege	1896	firefox.exe
Token: SeDebugPrivilege	1896	firefox.exe
Token: SeDebugPrivilege	1896	firefox.exe

pid	process
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe

pid	process
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe

pid	process
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1896	firefox.exe
1516	AcroRd32.exe
1516	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 1568 wrote to memory of 1896	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 1896	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 1896	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 1896	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 1896	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 1896	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 1896	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 1896	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 1896	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 1896	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 1896	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 1896	1568	firefox.exe	firefox.exe
PID 1896 wrote to memory of 2280	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 2280	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 2280	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 1452	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 672	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 672	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 672	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 672	1896	firefox.exe	firefox.exe
PID 1896 wrote to memory of 672	1896	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0123b26df3c79bac0a3fda79072e36c159cfd1824ae3fd4b7f9dea9bda9c7909.exe
"C:\Users\Admin\AppData\Local\Temp\0123b26df3c79bac0a3fda79072e36c159cfd1824ae3fd4b7f9dea9bda9c7909.exe"
1⤵
PID:1888

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2672

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1568

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1896

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.0.410433366\401266351" -parentBuildID 20221007134813 -prefsHandle 1292 -prefMapHandle 1176 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e722c3c-92f3-4a94-92ce-c46092708380} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 1404 fcd3458 gpu
3⤵
PID:2280

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.1.1545999586\1020657343" -parentBuildID 20221007134813 -prefsHandle 1544 -prefMapHandle 1540 -prefsLen 20830 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4802c100-1560-494e-b1a2-2375bc969caa} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 1556 e630158 socket
3⤵
- Checks processor information in registry
PID:1452

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.2.1376284676\1113999325" -childID 1 -isForBrowser -prefsHandle 2028 -prefMapHandle 2024 -prefsLen 20933 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cfe2489-378e-40bb-807d-4c3fe1766513} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 2040 17183258 tab
3⤵
PID:672

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.3.809851999\109766144" -childID 2 -isForBrowser -prefsHandle 2484 -prefMapHandle 2480 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eef928f1-493c-45c4-8fdd-41e927211c17} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 2496 e62b58 tab
3⤵
PID:1040

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.4.835365866\1876534657" -childID 3 -isForBrowser -prefsHandle 2556 -prefMapHandle 2544 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {953984d3-00c3-4629-b386-fc1ed0905dab} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 3064 1cac6458 tab
3⤵
PID:1100

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.5.999235069\127725067" -childID 4 -isForBrowser -prefsHandle 3772 -prefMapHandle 3768 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {76f55ce2-e9a3-4377-ba87-f2c9c3dda098} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 3784 e61658 tab
3⤵
PID:2772

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.6.64579045\1473133508" -childID 5 -isForBrowser -prefsHandle 3972 -prefMapHandle 3976 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f5bb0a5-7875-4907-96cc-449789e8dff0} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 3960 1e8ade58 tab
3⤵
PID:996

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.7.1407257796\1050975809" -childID 6 -isForBrowser -prefsHandle 4020 -prefMapHandle 4024 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e612b4d1-5705-4abf-a56c-938d5640a97a} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 4008 1e8ae458 tab
3⤵
PID:2940

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.8.755594030\1528011911" -childID 7 -isForBrowser -prefsHandle 4428 -prefMapHandle 4424 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c907faf9-fb61-45a8-be10-20317340c345} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 4436 1e1e7e58 tab
3⤵
PID:2864

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.9.383339822\1209836963" -childID 8 -isForBrowser -prefsHandle 4384 -prefMapHandle 4400 -prefsLen 26426 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b022536-3c74-4dc3-861a-3ed2c861df8b} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 4364 e5f258 tab
3⤵
PID:2652

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_AntiExe.A.zip\Anti_Exe_BOOT.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2064

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Temp1_AntiExe.A.zip\Anti_EXE_BOOT.IMA
1⤵
- Modifies registry class
PID:1112

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_AntiExe.A.zip\Anti_EXE_BOOT.IMA"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1516

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_AntiExe.A.zip\Anti_Exe_BOOT.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2828

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\cache2\doomed\23259
Filesize
13KB

MD5
a062c25b6b4fbb592fc4b66226ed95d5

SHA1
f59ddcfe6056ca7d482af6f9273ed23c8fce2ad9

SHA256
7913b37c89568f5952bd0dc49257f465c8def02d30919518249b65c8106eb4de

SHA512
6a4c2fdab9b1d40ec71453e4b4223a5b8f583be17da5118475edaffd35ac11e67161e778d4d2d6334ce3344dec661306e35e593a3301d72735bec06a859c46e7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\cache2\doomed\27902
Filesize
16KB

MD5
154fc854356658c9c2d026e7f89d5a9c

SHA1
a4cd2de8d6bb1b62d6df283b274ecb843514b265

SHA256
57ad23a4ea89cc8902d0d294e2e65f79f45758d9279c0ca2ef80ed0d264512f1

SHA512
e36aa5168f61d11ffb7d9a311e330b00dc1ab9374844fcdc930be41f32f0d38e9ee1275d43420b6385e9d17eb0c3fca557efed3a9e85a56bb7799be03c2969a6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\cache2\doomed\28126
Filesize
13KB

MD5
617824f788c43031cd4568cbe54e5a39

SHA1
853ed48e423375b72af95c2a1858a7e7bdfa9cf7

SHA256
c8aeeaf0258d3e86cfdc2ed57ab8cedba46ba2616e41c521d7f5059a31feb923

SHA512
b20c723cc8c6fea528fd42c92d975c5810d0e9b97e76ddf59e734cab53b683c904ccd8ccce6d72daa40aad5a8fa3d81b1001d9750fe5628bf8293050d66c6152

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\cache2\doomed\32166
Filesize
16KB

MD5
16b84e3eaf52aadc657d882f39d49cba

SHA1
28a2f6562958b1c079171cc1cc3165dd3ee77504

SHA256
503b027c1022e1502e64d7bc277dfb61d19084c4e21500ea2c93f9cbc303fa2b

SHA512
887824e1a01f6eb1d7062b74b02b68d0de6131c2fe855c7357924160396cabdfd63b55e93484e296f5e78ecbe6f36fb477c090859b3e1be27bdbeb53d356ad52

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\cache2\doomed\5401
Filesize
16KB

MD5
069d93ec4f9bce976394607ceb3042f4

SHA1
9a70cacbe24625928a143e70a2a39d48945c5759

SHA256
109c3cda196e73c7a0754be364d28e6e99f241a96e4e06067cda19ca8975cb04

SHA512
e0282312dc16b1f3f15e502d427f9953382412e4f8dd2372648d375233675e1e261d724213f65662596195c8c7e3b44315e0411946dfdb3abe0314e3fdc1c21f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\cache2\doomed\6976
Filesize
17KB

MD5
36108556be9c21b454697cd0ca99a3f3

SHA1
8e55505e4bae65d423205681f69cd51111824bc7

SHA256
91e0f2ffa6d45b61e68af23fbe8e2216ba05b875c18ec3a9bed707945d9dd154

SHA512
dbcb6b6325a3a1d566fb67743b54213225cafe89283a057fd68d14fe97f93c77d1f689a37f6aab8812e141459f2f9f022baca7d0dd8e40c0eb619f3eaf00a855

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
07b4586d783cca3fe556f5d61c10842f

SHA1
e768cebc77aad60b68b5659a6e57b9f7e7e512aa

SHA256
b87c2c6ec1d2e0ad6b644f2f0179bc85e563079568aa5ae8ef6ae154731880fd

SHA512
e1983dc3e5940c9499618f34022cb9b339392f2447c427b371956cc4a165613134749ce741eda218dd60b2a082d4055e905db12a5eb8906ccd5e045cf8422597

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\datareporting\glean\pending_pings\33932cda-f804-420d-b761-0becb955d622
Filesize
10KB

MD5
6feed068b7cd53d017af7671dbc72168

SHA1
c5f05e9fa285a410fb6b8bfa96faabd3d8272998

SHA256
4088f40291aaabdb8287c97cd1b10059b383977de0e0bf2a1c60e121ad4222d2

SHA512
a6d257b38e077ec51f4b8cb44bfcf8fa5b67eb680bb66b4121b6089de448f70de43de6eabd69ff14cad6782cbdf5d92df29687f556648246f1b72b677136e833

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\datareporting\glean\pending_pings\d340903e-9bb5-4b74-8cd5-68f5537348a8
Filesize
745B

MD5
45eaa9929b9b549270417a617cf26d01

SHA1
c5b3f5e0c774cf3b7853b3bf3cdcb1baaf78359a

SHA256
a2c85c9c8d972bf6f26666cbcbb56b95ffe127a83af16b4d889911db6f15e208

SHA512
db7d629c1deb2e525c255104835d997c473c3caa06ca6613c613157383b8c3e4f0c54e9ad2fb7175fc5a0eb07fcaacd5a171dfeda6de18dd5efb3d5a2ee0bf88

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\downloads.json.tmp
Filesize
976B

MD5
c35b7e7bec4044093e4cc0a977b43cbd

SHA1
dbc423168f0226d43bd4467959921ea3d84917d9

SHA256
23f23d68b33fce84968a7b83fcc66a627c39f8613891316ea0487877dbfcef9c

SHA512
f5b5c563442a2bf46054edfa7f3b039a487179a255c92bcd67c8d321e2aa03d2b0e41f00e40c8c28a127217ffd318da46553f83e31abafad71fdd33b596e0a48

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\prefs-1.js
Filesize
6KB

MD5
0a650924b2d844490b3c54f9363501b4

SHA1
d0478b5fd064ba3c41a89b60e7f7fd9d0bd1b992

SHA256
a8526dd5f74b404662b937ba55701830bd44a19b816c0caf337e7ac867970fa1

SHA512
8f5739ab584d5c8b31478699c79fd462c3ccf6c16c4792aad3b091466b5346700dfa8408326b6b8125cf9c1b3c78fcb9d7049cb0cd18edc2f8afdd66b79da3d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\prefs-1.js
Filesize
6KB

MD5
c191fb974f0682b93f9700d507acab10

SHA1
f881613e5ddf88a296a98dbf2dde54c3b2407b89

SHA256
56f391b2de3daaba6ef289d7fb819f35f8411ef95f01b8d82a04a7a2fbf4d969

SHA512
1c680f5169061746e144f97a9b6608f4f937ee815650fd1b7171ea9539dddc250f05fae92ec7bddf2ca3d55932e13ab54cc38a522ec85db903b13cdd8a23d64a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\prefs-1.js
Filesize
6KB

MD5
3d74169eef07dcddf0682f3f2c8052ba

SHA1
310f4d9a8e0b62fc4f4d7e5f7f586a2287b88eb7

SHA256
7d4f0666a2f03943209cc9454aaa6c10d208a3675971f4fdf948301fcdb82d84

SHA512
84f1bfbd0c19d16b06b1f4fa01dc55914813f200787a4c5bf88778dc187ec6e47a5dcd8337c0724ba1b6da94e53caed9047751fa6ba5e6607ebc6cc2ce2c9e6d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
4a9f3ee73695c66d1d990c64eced2687

SHA1
84c66ebac8268e87a2b4f57e06545e1f93d223a1

SHA256
cc802b73271b89c1a5dd82af86e44ecf939fc86e95a2a3ad54dd4e11b415644f

SHA512
ca1d0eaae11fd53b22685592a7c41f1004a13cbdeec614aec15ebedd1efda0f13f98b297e6a1c80b86536d5d32ddd0d5637d6ce485e1c79d6d9bc0e64fb4e39b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
5ce4761643f2c1632d3846262ad5dc8a

SHA1
d344124c9e30126815d3ca15c0f951a223c6a27d

SHA256
5a75d70313b73f19dba5532215a36726dfaa51daa219c5d7cefbe28a13f87e70

SHA512
9227f426fc1e099cd83e1ed6f8f008ad653c2829c7299a5aaf48e25cc5293f5f8f0c4cf517b4d276a25d9b7f645c5155e725150de1648d1b91c8b6c4d7ed0796

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
8fb83377c77d151fce5fabbc3d1696b9

SHA1
90f53515c77cb0ad91375b55cceed998d8506faf

SHA256
268a86e40913f9af1946a3cc3cc8db72bf9710e7cd4c16dd162c9b86edbf3824

SHA512
5e1960e602404a11643c062027ee58feefcd2c7d1ef3b8b1a0b911e4a47f23990ede9aecb605add857cbec7dbbdd29b008f1a614a4e98d75ec0d2505984b012c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
26306d9ba0598d1826947a8772331a21

SHA1
d83f4eb8e63a739abb8314032e6946f1c0281b52

SHA256
31d94563931b0bd212f9e2c1dd641ff1b7b677bc7503b5300e876150c47dd6e8

SHA512
40e3aa150b01f9a00140546e75a82eee80d52fd18912b9ac9cca8052a0d7fdb8a3f49a0593cb2b22e768bc55241c6638ac02578a4f59b5019a607ad967c886cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
6c4e6e3d550831396028d9b1a308ae54

SHA1
75027b09b09ee92fc84426e57c92ab265d6e4062

SHA256
9a5f53ccf75eaa29112ed103c1d643f65b45f13214bfae3ce5294c306c5f3698

SHA512
48c45e0558ef39f45df9b4c0779fff0eaba8c71ca5b94b12770142424a5ab9149d8abd2b2bc114854f0592446e350d5764136e72e284820c1f1939cfce820ae7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
4e10b5499772a2419d42d3aa3a2ebfa1

SHA1
380089ff3caf9b1c06c0491bc3f9be74be6b56be

SHA256
e9470112de759a74226b2826942f84d48bea9ffdd81332069a94c952b99f9bb7

SHA512
232c4b5c14fcd9f482f342f518439b483ba30a9c6728709d070c4a394b6e0d8b4ddeabc689e78857cfb9ec6e8d02409b28a6105ae1375b7fe7db6e9150b1df3b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
944fcf04f8b3cd13294e98951441a1d7

SHA1
a94074ba1ed6edfe61d8eb6e626d43b582f8ddd8

SHA256
ae0610e03940c793c429333e477cd24ddb8fa5420264136202f55cb6430bd28a

SHA512
62c17bb84660262b70e46f5969afb7b410cec58abd451ac0d0500718eecae056cdce52386267230ce206e27c558bbb4b74ba6361ced04c7ebc92e6687e6625ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
f55acbfaf7201bb83a67f8134b5b05ac

SHA1
c4b618db77f60e22b68fea36839b0962aa11e00d

SHA256
ca65b317cb1823af52e8e8a2a818783d8baf273d0ab98749917be0153bb1803a

SHA512
0ad0d7fc59527f67075c156941195249fba4a8f15648762b61f2f0c523aa9e0c124c2147e4293e7279455858e591fa91c1859a456361c1ac99d2d4ce9f2e5c09

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
01b885a1f861ac2a93665b7188073b67

SHA1
3f192ba9a2048c7d31d6a0905c94d541e0833a5e

SHA256
97e0dda61ebecbc41e42fa6f30cf63fc93e8dff41359d5f4ad478b6dc804db90

SHA512
d029e6065aeee05033441be182d2caefa9f0a8e8ca2b7d2ec242c4608f482b10f16da2d1a9c579adff9d276973680d7aae0a3c854611a9cc85720c30159e594f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\sessionstore.jsonlz4
Filesize
4KB

MD5
3fbeaadddecfc565380f3a330360beef

SHA1
deb49fc75624892773e719a34defea0d2195081b

SHA256
e03210e3f5f1cd6a4c422ea8f0b923249f64c809006cb62c61dbcd5bcaade693

SHA512
93732426642596acfc4645eff336cfe90801f6b3283c0d8fca8a8637ba9ee62dc74df1c3adbdbfe450a1a890411e7e0b21dca0b0c06c70714593e62785512fd7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
24ef81d1d44aa87a83cf61c79193617a

SHA1
e6b8418868619ac3ff97c62a96e47e15aa069af9

SHA256
b9028ac5b4d8e6226dae0eb9592fe45c58c930342ce4c5dadd743c188ef9b465

SHA512
9e0de5268f5fcd0b8faad23dc0525c908c77f1f47c625d5a7029129805b4e34b5e28fecb2925b0eefd09ae7f809f3d97ff7926645a0e359945360e1a71529a0c

Download Submit
C:\Users\Admin\Downloads\Raccoon.7zJOyvxc.Stealer.v2.sha.zip.part
Filesize
15KB

MD5
bac4c0dbbc4c6a51f7a7b086ea888618

SHA1
6666d820c32486a4d1e527256f52a87f2a6292bb

SHA256
b1ca27a9b5dd1ec373e6370b81e957a14dbcde93317d882dac5be4c2aec41520

SHA512
a2648eeec594f166d307c12331ea07c6ef752b92337c49dc5eb8a7d0a810f37e4e66477eb34e2614fd831d16b67094805f13e722433c7fcf66ff37f594213d77

Download Submit
C:\Users\Admin\Downloads\WinX.4f86ypnj. SignSight.zip.part
Filesize
16KB

MD5
b39dca2050d979919d6b6138f316799d

SHA1
35dd379debbc1d6d56fedf76b433eb6d9b47bf4c

SHA256
3d3a9103480cd4131706372c5b3e61a99cf975a06bab62e892b33fadd6af6db2

SHA512
0a32ce98f73a1dc1d119acff3b5e98ec016ea19bcedbfb27cba498b24fae14dd0587133df4cafca63c7f2dd53f93661f60e36d974c8bcfe2d53d1a56e757788c

Download Submit
C:\Users\Admin\Downloads\x_J2jWSD.zip.part
Filesize
3KB

MD5
8cee47cd109adfa5c5816685af873909

SHA1
8fa3b60ea7b526b46ca22fa6544443a670a7de46

SHA256
93861a8aa9a4f42489d029c64bc0599c208971891c70a9b2192b60e20c57d3bc

SHA512
b24d2f10927d10520e017151c0184fabca08691119893fdc04852c7caa775fbcbad29c7e6a20517c7791036d42e18b0e4b4ded2babd1707546612cc12265007e

Download Submit