ech0raix | d162a629def814f26631ef4b20d1a7dfb432c9dfa18ca332cd75fc8003ef74bb

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2023 14:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fe577fd9c77d3bebdcf9bfc6416c3f9a12755964a8098744519709daf2b09ce.elf
Size

4.5MB
MD5

db9596e7c022bdc053698d31fbdba579
SHA1

90926cb9d4cc98e823b0eb17942e07787a2af620
SHA256

2fe577fd9c77d3bebdcf9bfc6416c3f9a12755964a8098744519709daf2b09ce
SHA512

ca4191f26913c41cb987d62ded327d65c93800bf2ef38d00186b16305435e3959c6a27ae1f84dea8d2d1d83cc79893938015e6e7c7b1debd4775715f2b920bc9
SSDEEP

49152:8G0/KH36oVa4T3lq6e3kUw2PuWD4jOlTv3tKuAb7/C:b0/u3lVF7U6UTY/C

Score

10^/10

ech0raix ransomware

Malware Config

Signatures

eCh0raix ransomware 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\uPx7nHG-.elf.part	family_ech0raix

eCh0raix, QNAPCrypt
Ransomware targeting network-attached storage devices.
ransomware ech0raix
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 64 IoCs

Processes:

firefox.exeOpenWith.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 14002e8005398e082303024b98265d99428e115f0000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616193"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e80922b16d365937a46956b92703aca08af0000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "3"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	firefox.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exefirefox.exe

pid process

3380 OpenWith.exe
3980 firefox.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

firefox.exe

description	pid	process
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

3980 firefox.exe
3980 firefox.exe
3980 firefox.exe
3980 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

3980 firefox.exe
3980 firefox.exe
3980 firefox.exe

pid	process
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe

pid	process
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe

Suspicious use of SetWindowsHookEx 44 IoCs

Processes:

OpenWith.exefirefox.exe

pid	process
3380	OpenWith.exe
3380	OpenWith.exe
3380	OpenWith.exe
3380	OpenWith.exe
3380	OpenWith.exe
3380	OpenWith.exe
3380	OpenWith.exe
3380	OpenWith.exe
3380	OpenWith.exe
3380	OpenWith.exe
3380	OpenWith.exe
3380	OpenWith.exe
3380	OpenWith.exe
3380	OpenWith.exe
3380	OpenWith.exe
3380	OpenWith.exe
3380	OpenWith.exe
3380	OpenWith.exe
3380	OpenWith.exe
3380	OpenWith.exe
3380	OpenWith.exe
3380	OpenWith.exe
3380	OpenWith.exe
3380	OpenWith.exe
3380	OpenWith.exe
3380	OpenWith.exe
3380	OpenWith.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

OpenWith.exefirefox.exefirefox.exe

description	pid	process	target process
PID 3380 wrote to memory of 3696	3380	OpenWith.exe	firefox.exe
PID 3380 wrote to memory of 3696	3380	OpenWith.exe	firefox.exe
PID 3696 wrote to memory of 3980	3696	firefox.exe	firefox.exe
PID 3696 wrote to memory of 3980	3696	firefox.exe	firefox.exe
PID 3696 wrote to memory of 3980	3696	firefox.exe	firefox.exe
PID 3696 wrote to memory of 3980	3696	firefox.exe	firefox.exe
PID 3696 wrote to memory of 3980	3696	firefox.exe	firefox.exe
PID 3696 wrote to memory of 3980	3696	firefox.exe	firefox.exe
PID 3696 wrote to memory of 3980	3696	firefox.exe	firefox.exe
PID 3696 wrote to memory of 3980	3696	firefox.exe	firefox.exe
PID 3696 wrote to memory of 3980	3696	firefox.exe	firefox.exe
PID 3696 wrote to memory of 3980	3696	firefox.exe	firefox.exe
PID 3696 wrote to memory of 3980	3696	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2776	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2776	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 2984	3980	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\2fe577fd9c77d3bebdcf9bfc6416c3f9a12755964a8098744519709daf2b09ce.elf
1⤵
PID:1412

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\2fe577fd9c77d3bebdcf9bfc6416c3f9a12755964a8098744519709daf2b09ce.elf"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\2fe577fd9c77d3bebdcf9bfc6416c3f9a12755964a8098744519709daf2b09ce.elf
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3980
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.0.90639538\1705042787" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f716ef60-61b3-41d6-830f-e265fa8a8e4e} 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 1932 2a9746e6b58 gpu
      4⤵
      PID:2776
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.1.1687056491\647635467" -parentBuildID 20221007134813 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 21706 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9ffd866-7de2-4925-8752-928b17856ddc} 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 2356 2a967773858 socket
      4⤵
      PID:2216
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.2.279121292\685224327" -childID 1 -isForBrowser -prefsHandle 3096 -prefMapHandle 2996 -prefsLen 21789 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b6dbbda-ec0b-4e50-9d3d-170a09ace0c4} 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 1652 2a9782eca58 tab
      4⤵
      PID:2984
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.3.907835264\1818271766" -childID 2 -isForBrowser -prefsHandle 3880 -prefMapHandle 3876 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ff2257f-1335-407e-9107-f546df0d8eec} 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 3892 2a967762258 tab
      4⤵
      PID:1316
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.4.436504131\295347331" -childID 3 -isForBrowser -prefsHandle 4924 -prefMapHandle 4968 -prefsLen 26753 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d3cde3a-6d46-46b4-9800-913b4bf9e4ea} 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 4956 2a97b220f58 tab
      4⤵
      PID:2568
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.5.2083362005\1615610748" -childID 4 -isForBrowser -prefsHandle 5092 -prefMapHandle 5096 -prefsLen 26753 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2f435cb-06ad-45c4-903a-e2a57def93f1} 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 5080 2a97b221558 tab
      4⤵
      PID:1432
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.6.1859048765\1992608717" -childID 5 -isForBrowser -prefsHandle 5160 -prefMapHandle 5168 -prefsLen 26753 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c17d39e7-3f55-4e74-ac04-8f17448d0b89} 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 5148 2a97b221b58 tab
      4⤵
      PID:1888
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.7.229606408\2005741571" -childID 6 -isForBrowser -prefsHandle 5624 -prefMapHandle 5636 -prefsLen 26953 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2042a38-b02f-40fc-b218-dbd44ad4ba50} 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 5652 2a967730558 tab
      4⤵
      PID:3164
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.8.179509580\1015915240" -childID 7 -isForBrowser -prefsHandle 1648 -prefMapHandle 3224 -prefsLen 26970 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5692b365-35c9-438b-aa93-2bf97df1d32f} 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 3004 2a978216e58 tab
      4⤵
      PID:4828
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.9.1594667863\1298518662" -childID 8 -isForBrowser -prefsHandle 3516 -prefMapHandle 3520 -prefsLen 27235 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7da4647f-0a61-4e34-bd42-216c8afa1860} 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 4756 2a979590258 tab
      4⤵
      PID:5188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
6e54a79dd9ef3629a198e25d3627bbce

SHA1
165b6124e136f537b90e324631022f6c62b1fef8

SHA256
deb36fb9c3f84c0fb900b1a7f45aa04b4d0aafec9af8ab0b2be0c4d3a2f55c8a

SHA512
5ce55812ca26b53ad5b5807ae3e4b304cafa3fc2e82ef1f94bc39989778717a09832685768753376b2de13fbff4f40beb7311c5643fb2c4af59f2668578d3376

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\activity-stream.discovery_stream.json.tmp

Filesize
152KB

MD5
dbe3f831f04c82635e68a64b3115909c

SHA1
5e070d7ec6b6f2f32cc177b0f76aed01c4585332

SHA256
b75b288ddb9c1b5b1a81b4fbf33550d39f2d9d113efdd66fae68177102ccbf96

SHA512
6c6d68de52c5c46ae1fb25f442fe0c564ab3c4d265c814786c29ce962e4db2b512c7a4b9ce4ce618327dcf0f047965f564651af2d7170deb162b959f480bfbb3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\10087

Filesize
8KB

MD5
8452b7b8bcca7b09fbaa39bb50b7b1ed

SHA1
5e2a5bc1714f4a29519d8ab063b43d6606065ab5

SHA256
3b1bae683772c8046d5f080941f55854494d65bd19629e3d18878025979e1e29

SHA512
9930b0ddde704f8c10e4a88c508a45cd16eec548c348f99656dda560f00dd3db9d1399bf15d2a7b60e9ad305b1513aa3159de097ac8934febfc9d92ec6b76f22

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\10429

Filesize
8KB

MD5
3d1ecd357a2baac893cb05eeb71dfbdf

SHA1
8d9ae3889b26946331bc4045ec663be70a3b7c5f

SHA256
28cfcde67e6a591ab20fae71b6d6c608f3d9e74c421bbdd64648841c2f69759c

SHA512
81f807db112e772386f2b3a2039b0b0555176c1bc9668a590d6e937a2275e6fd4e4cacef3be60c189068c266d617e9809945922a1419357788fdd3981866338b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\11917

Filesize
8KB

MD5
728421cb90048154f3ee05958ac9b5c1

SHA1
ea100673d2aeba06c58c6abceb9609e87887fa03

SHA256
6dd6daebd4e631954a2be96fe6bca7d898842aa3ca0313d3f00c70011f2772ab

SHA512
ce3a4eb999547c08448209afe4d3d9e95777d9b044ec1586fe97ddc733b4bb2f12db167d0d7e8b841df81a839a85bff3dc93452a2345319418103df36d6fa41a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\12118

Filesize
8KB

MD5
31c621a800c4fb83a636b0e0914805ca

SHA1
10bbdde6e03493e0bfa85c783b591ac438fba9b9

SHA256
62838a70e8a90e67da479c66faa85d13cb1d9f8987f8a5705cbf7578cbb09417

SHA512
ebff3b482eceb36afa794dc7334ce72f49347e80cfa142208281bdb26b950bea79357adc94fb6a22681f990af28bbf8d7dfa12dfeec2c05ef030710139b26797

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\12684

Filesize
8KB

MD5
b1c2ba2b692526fd1ac046cd69e0848e

SHA1
4c29807a4abeb450ef1d9ffd48f1f451dcc75b2c

SHA256
46e940e833668bb3264fe20da846681aa4281cd69addfe7ea052b7ad71981f66

SHA512
0ec3c4135d1126fbe71532ab8d9bf7c7a9116584c58b13e905e17c46a2400506c8bc98fdd50832cfb17d8a56dd11f59fbeb0b64841e4cd7ca06be9112e3c600a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\1305

Filesize
8KB

MD5
4562a31a3f54a85b4bb2c009c835856a

SHA1
ae3c990b76875f1d856b5fc682b419f21a4f0903

SHA256
addbf0b6ffd65298fc26b8ddddf7a5a3a8c4999c0283ec06bce18e35ebb99f5e

SHA512
f6dc19584da2ad725eab8d6eac98269e9e8ddbd8b31208b892afe79a901543b2933fb2c21e8ffd3e1990fac5f5b5acb3474ed2708e7794d4bd454fefc542b9eb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\13056

Filesize
9KB

MD5
85c2808b83280bfac263922d107465b0

SHA1
7437960cf1516e0f591d86bae930a73652e783dd

SHA256
8803f731cb6e5e96dca629de431c2a3bf4d4d74190613155bb1747229c69ec2d

SHA512
a477431914e91e1fc7c6152a48f297676cab52736028184ca6152efb73c7aec7f296cbd517dfc70eee3e12b65e45d0430e7bd03a5d6342fbfd79021f314b2832

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\13582

Filesize
8KB

MD5
06c3f0bc353a588c643d1714947ae4ad

SHA1
81fda0403ecdc5d62ce5898f71f42c30f151199b

SHA256
dcbb8e30caf22fc4a7984c0a78aff2fb3b2e03df421f61aa722bd28c4c4769e7

SHA512
19fb9eac12a171d9c42193b00902592b8c050606dbc462ae267ebf387d226a94019a43e47c6b6375c80ed27016615403e37ac164b6d91bf0e18e4511cb9b05e3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\14475

Filesize
9KB

MD5
e44b7f7a9ebc8397a790df9680382549

SHA1
42bf8157fb4a8774c897f9432d4d269cf2369a31

SHA256
1c200215d7376031ab30f591ae1fd7606f5b4037898696b9a9eac6346e94dfb5

SHA512
9a864113a8b97ef155eb5005bffb692c7bb1eeebe98044734acbdf1334daa4bdaec1d9ef213a8e5ac5805b9e1330fd0c3b737c5fc00c90a339d0cc37fc5fc7ee

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\14811

Filesize
8KB

MD5
422e5f3bee0653c526fe7eef1c1b7223

SHA1
21c744e8334ce130b47302971677c05c2df6bda4

SHA256
ea271da451a8d1dbdda5eda1ca8a34edabf0cdbe538bfb76deb913fa598afca9

SHA512
fc7c7199bb0fd14cd9e710648178cf7bd8a22933439e172969b9d0e7955b2472879290db3db3e790c99accb696412d614b3c4f614afc7c42441d694cc9a18ad1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\15176

Filesize
8KB

MD5
5042bb605fa412a932cc8e39284dcdfc

SHA1
9ef68a8a74bcd7ddc8f761aed3cc48d5f2f1189e

SHA256
68d21f2b53d338dc898c93ab3d9626d130752bda9c2fb5b96ca78ecba562201d

SHA512
cab8244e28e41aa806f29d58d4457c0d479b8112ac4e633d0d746e0b197e7889ac6614d809b3e9efddb099a6edfe4dc04fa1aeb35b635591f61c447b6997469d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\1541

Filesize
8KB

MD5
baab517b87d5432b5edf96ed7adb28e4

SHA1
f0af7eb25c57efbeef521b9d33ccf729e314a0fc

SHA256
6f79f27a12d912f42139301ce7ea4b6169e283d1da39c4a890e2abd58ed06820

SHA512
e1a341c34f1691e0d6a51e3d478aa154080778302b1a1241ff6627c7864124e463a2264845a92fe9545077756e172da88c5a443ba10e907505a99933ce2b6732

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\16719

Filesize
64KB

MD5
d6234c5d05d04e19e20f1cfcb29f14d4

SHA1
3b41706385085f2d38bc4a6a0b98be5a3076c1c0

SHA256
bba1866012cfbe04a55e58a2199999eba1726f344025a9bd0cc0e00ed31cda18

SHA512
524bebdc448c9b0d44161e8fb36bfb485c48b2434a66baded88bf9cfb58e6031fc4647c5857d9bae38fc59a486109ae41bb413f89cd1ae68d804d6dda24986f0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\17740

Filesize
8KB

MD5
114e8eecd7f24bcdd357d814b63a7ca6

SHA1
26a14409ad634ea54b546245aa78a6815367a294

SHA256
d17adc06be5dae202f696e71687a4bdcc4492ea3d6afe1bd66325145a009bb46

SHA512
8b91a0f34525023e95a7e1ffd05e4af065eebbff39b268c0f3692f749627bed2be770b509dec9b3752d3ace325493450528aa3d976e56f759b882e924c77e45d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\21006

Filesize
8KB

MD5
1d88b4ca73719c9ae8242ccd818d02cb

SHA1
4f47d37c870a3cbedde7e4e2a3d3be5ec6a3a19c

SHA256
84a3aef3baceb76307a9865a24d83cc5f4dd1e6cc953d3a9f81955c23f040b8f

SHA512
3feac0f6b8e512ed83aef899fc395e0b73c90168b242a477eef47eb307e525b07b5adb2bb922845ead3abd0c5d6be1743d4926b9905be2bdbb6dbac287afbc38

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\21141

Filesize
8KB

MD5
721bc11944eddf12b3c9423c9a1aae34

SHA1
b9c0cda5c58ddcbdb958461d8ca158b6a3558434

SHA256
598f7d39eb66a749b3769533d6143d9bbbde03b9829fafeeb8d35ec5ce9572bb

SHA512
c2d03f6db587492258dc81bfd8d1feab0259c75ed0335f653b4246ad566732960bddd723cc156763d634020289a1a026ae5b056cfadd0d079020489287ac2514

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\2238

Filesize
8KB

MD5
b7ca1eae5b805cea04c5c2f259bd2f09

SHA1
d92efc4d4e3b4d916f1ac101d985b4abba311325

SHA256
193d6be0885c2d251d6a6837d71cc93ec9be21856170537b0bf3110791c8a791

SHA512
f598e0610994225e06b97c481567e29ac22a8f181d3fe1437bb0e42a8f36c46b55bea40052c440baca8845287a676ea677d6fefe4fc13119835ad5879ea7bc40

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\24199

Filesize
8KB

MD5
44f845e094d3aa5320afde4006b31898

SHA1
78b39dda4b2ef3ca91f7e80ea0dbadcbb9b4d7f6

SHA256
fa2da8093e1ba0c60732b7509efe1ec7692122ddb70a8a9f598cad21c65e16f3

SHA512
00b07d8c4ee47c13a6e31b19cae24d5e84f2e52d197cf94b7ba348ce9bac78d16eaf0b8c4e1c83f6deb9825a800f45629c0fbc49449b03b9749b476ba3389081

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\24271

Filesize
8KB

MD5
4371d62c34bc4e0e958d3c0079660fda

SHA1
a60330e6ef25d33e2118b36ecbd31e676039c31e

SHA256
051db7535328c258b706b8d756873ebdeece6943bac565f5280b0afa36088299

SHA512
ea5a94452619b48705695a45d0d59b38ecf53d924682f09c6b92e7fcd797448e48b3c3ee0b74371f7e132dbd620e8cc397a8e91646fefa0b8d638cd390cebc79

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\27093

Filesize
8KB

MD5
902ca4b85a127b4788b274e4fa0e3942

SHA1
836ba3e5584489c8b36b907c436616eb859f0114

SHA256
673bb10b541beef03a2be05888b48c32f9b56d68d4239a6adced0664e84a0890

SHA512
6cde6f8126cbe983403b1ce451a94c2841207a5f68504447c1ff840f0f677739e8b283ebcd9abf8f3fa20e2061a1711a848e2826d342dcdc722b8e8411f74567

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\2894

Filesize
8KB

MD5
531eb755f3872197758bf334e8484b42

SHA1
2f5815498e0a24e6192c32e0dd3aa65c88a5c4d1

SHA256
3c08ae39b93f53a257d2c3ff5ce1a91ec0b50300fe74fa3c901a87c5e5c4b46b

SHA512
d0c21e7c4baefa56057d9936f7fe4d0659ffda1dd53cf9f12dfae884c7be12a0c02bc64b6b683ad47ca98489f4618ec50d904b483961f27232f23c0a4f947a6e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\29893

Filesize
32KB

MD5
3753aee277d749472467e49fadf83684

SHA1
75e1f549223e29900a25ebd6ed9f5759f94d9205

SHA256
dfde70124b14b33c65e798f688d818285832f5049a756ba9fdb98a4c163c0161

SHA512
e96d045ac17ba46395b207ef3d768582a71c941087d130c9dc2f5c9032706b771ebb077a7028973d7ec4ef18e52a3280a8a3abd2ae4bdd4043b19bd16ad64543

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\30365

Filesize
8KB

MD5
08bd2dfcad5a3beb67aefde917cf604f

SHA1
d8beac56fad4d15fda50486afc73e3fc0ad72bd0

SHA256
f0fb579172d06341a393d3a265b5784654e5cc972844894ef7cb5ae9bc8eb6d8

SHA512
f8e86d46fcae2c2105151856f2b026589c828357e9fbe93c4ca4da2d228a86d97ac96264cdb17c7591dc4ef2d2e8ddc940e6f96e30d2e52dcf2db30009245f84

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\3467

Filesize
8KB

MD5
6fdd5c85b6de41eecaa021e8476126a2

SHA1
f058a5994ff78d82b99d7ac6fb88ce203d0cf382

SHA256
ea49dd1d353b9f86c63ad25e43672ee6c7819d79542b95812eaaa79cae21829b

SHA512
bbe614f74ed5d323a2ebf0ba025622f695ef561ca9933fadc922c57e2c368245d349d61a7ad9e8d382cc8c339979f163f352951af5247cc1d78b201efabf773c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\4010

Filesize
9KB

MD5
e89f5591c7949087ccd4dbfbb4a142c6

SHA1
94944b5d2be76bdeb3f24feafe28be67c5be2955

SHA256
cdf97531e1b4c30b462b2d0018d2d4a7096a8f07ed841b5b137a8cac59259589

SHA512
67dca396d7c7f04011dd114627a44057b61376f97c118d287e673248bb16ec9a0e25e1f06edefc7a4d3aa1c1a6e68e132be0efbca89314fffc07adb09a9a3f45

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\4039

Filesize
9KB

MD5
aef51f7a0219c5a1721ba29db4565357

SHA1
0c9701c064b0da3fe92db983a00279112c542cb5

SHA256
85f7a2cfc24565a061e98d168262d5c1f266907c4036909f7ae60e36f505d11e

SHA512
8f25486b944e464dd1eeed261ed8c9e7a557760ed49142c1d607dce7e859d5cac8e7eced3eab66df369f0ec1a9594f88e445a5943e023e6be41238b65d67ceae

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\4683

Filesize
8KB

MD5
3f6eb91bbe92f55bd4415605c631e100

SHA1
5269f73f962459b832bc2c1ae85ca01bdfd0e5fa

SHA256
3d6974c51db3e927676b2f03285b3e403c3c47395a73a20500a2af8530f595d5

SHA512
3ab53eb551d9593f4a6ef0b4c5a8aa0b900ca3df7ec7acc524cf521e4da89a158cd83d7d5b4f8bb8cf335ab4ac9ae0d631ba15b0211c95f3c75cbda5860622b4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\8280

Filesize
8KB

MD5
115c9ed244f79888679baf49f69cbcf2

SHA1
3dcff1949b0b87f5f8b0ab42853b80d58a6ab71b

SHA256
2a6d5ec51c736a4398f9e11da62b3e78c94b9150db7d0f85cb04ebe976206065

SHA512
8e410cdf7189a50a9cf121685160fe32f89603ca65684bf4230fd222f9f6f3e76e9da673fae3a29ca2df35005184100cce7cbf50ca68d3b3422eb8dc12d3d070

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\8769

Filesize
8KB

MD5
b0dea63680ed253baa5abd9974d5b168

SHA1
c823fe15088247d6e480de41958807b4ead217cf

SHA256
2d346f920f16ebe18b82725a652d7694b6639f3eac292528b7c601af9fc91ca4

SHA512
93ce485f4fea7de2eb21ea6924b1de2a3aa328cdb76686e1a12c9a367a6ddf145a9264042cbb91eb0e5d4475c92ecd65b40be46b27309d6cb4766b11e47ed5ae

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\9991

Filesize
8KB

MD5
584bccb3072af08e6b956ceee2097655

SHA1
cc8c841371921ddd5702201f1b901732f239c15a

SHA256
4e995b6c6ed9df51046e483dc36260e91818ae57475d0e90a32bade5de32bd12

SHA512
31888325d1890cb09f0a277ee56c1ffd949073de229bbc67fbd6294baa14edac2ce473e434ff39f477c683eec3dca68a9e1df261ffe9f1ea4d8bb762459544fa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\entries\250EE2BC03AFF526F1A1C3DB212A79DE3EB60D5E

Filesize
14KB

MD5
7b82288bcba7aa5c8b22c8252d39f13b

SHA1
f71ebfe1a3879ac851f4c87e5dc20d7e04f2177e

SHA256
055674e40e868bde73c715558219e4cbfb51fc040e6e0f657c4d59949da8ca27

SHA512
00abff00f982e54c194856d6ba0e9d8ed5b1ad7dfc0446c3a2de52129437922ed807e25fcb14d0ab348f4b86ce480f69b96a9c8342508f7185928bea605c2add

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js

Filesize
6KB

MD5
4a8c4f391d0b2f5d47cb820b1e857d8f

SHA1
010af459523268b134061df51b355747a4344853

SHA256
39677a2a2fed9f618fe4c53b3964d0faa57ba141b8f7d48b3b16c441bf640773

SHA512
7f59d514adf3456a91e1949021ee130a430916553e365e1b273720583d3e0bf2934e6909070212ad56843dee902869a0e85470f8b4b27ebabee57bdded11ea8c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js

Filesize
6KB

MD5
803e0fb1a14ec2160580534b9f4b4252

SHA1
bd229ff97cc9751d1a4710ff6aa66c3dd7da4b7c

SHA256
492ba3be99cb3f5be2c5036994d72f348ed5420d56909c033b2dc59f799cc39c

SHA512
85332d58891462b920c417b344e7f0642eaee8908a57295141059027d0ec4e1779450a05c21b51a75207527cf712c22e611a8138b00bba8b1ec8242a55327b5f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js

Filesize
7KB

MD5
bc739ded105ddfc56e7e2087e51fd868

SHA1
c6e65d36e84fb9906dca99ae65f3d093ed009611

SHA256
b94130907e580b7bef3019535e5345581dde122ffe95879f75d2e404a410ca0c

SHA512
7aa347787390a558ca38cb3cafbf6e9baafa1462a7006ef4acac47d774341b4e4a0f4e3f84d3a53622b6141bfe870fb303d723b4a494dc2a0ff53fb63797b833

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js

Filesize
7KB

MD5
135a95b3f8766727cae81824581a99b1

SHA1
f5c00bf6fab9711d82f71cabc4f0e197aafbbee7

SHA256
d75faecac4d3d32a5987c6cc404333eaf9f782dffb1670c6fc6b2a1b850ae362

SHA512
bf25a4ba59ca56829a7517c1e00acdad561d2040950de32b4395f1b7cfd60c57ad08fb5e3239b725ced85af5b953d6a1df06e98d57e220081e075a9b6a4da227

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js

Filesize
8KB

MD5
ccb8278dc94c6c219f14708574cdd527

SHA1
cf0532ff2714beed49db7d441643df8a22738003

SHA256
1717a898456761bbc1dfbaec98a4c9ddc304fe0532c637157beb8aabd389a5a1

SHA512
7abdc4bca1f7256cc67244afe07de8719cb4aee80ae5855f6cd172e656e5cff673ddbe695ef5f2ec1d33c5e712aab43ac976ecebafeca15fd683cacbff362c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js

Filesize
6KB

MD5
05f4e32148c5e6998d218b5b2889c9c0

SHA1
927b62665d8dde58d19ad6739bde78ab04c32db9

SHA256
72f2ccff37549a0d006ae7a5dc075bee2d53963a308a64ff0a50803190ffbbdc

SHA512
a05d1f0b5246d11a892144cf5f81add1f26c85ebbd6fd1fcfff27c67341386aff1bdb95726f9c7749a04bbcd8409da876b2b4dd98b3a7abf559e41fa5d5ec154

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs.js

Filesize
6KB

MD5
1984b45f201f1fd79d2154406648433b

SHA1
42f082dc6d4d43333688690bf4dfa7c7f8b618ab

SHA256
000a408519010d12b94281710f9a987f822093a1efb5293bbb50ca2e4a6a9df9

SHA512
e73a00cc8994d4023168e93ff5f5b6e6b13ffeb740872b64f565787cbb57e49e64eb03e4de1d8068a6f303f0615749fb27cb47bdbc4cef3fef1290bd3a3a17cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
73e2606d93639e873d7c3419ac29e2e4

SHA1
6b905660cd01d9dd27f68d91f1381e5d5b4c95e1

SHA256
3d4d91aa1aebe36d38eafd0e08bb6fecc19d3aa38b28efaa46272f9b2d92f01f

SHA512
8c0ff47bb10de57fc764d4d291a3d885a42651815b4dfdf3d6ae35808a335dedac7b7d7612b7c0e70d4c6c61b621eabb5903f8ba6c3f0ddb14669c23dcabd442

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
af0174067489ee57dc8c1b4a76f87f09

SHA1
278617977772646605ed7d6ca232257637d011e8

SHA256
3891b724d1569784553944f2f0c4f8900e9367fbc5b66308397bad901daa2255

SHA512
39f88ed11deec2b7c65b4511acfe2a8636304f72a28de2c1c1f6a7b5c3406dd64cdc1f913d906205a3b82f330708bc44b3f98ac802c20588831972aa3b5db49c

Download Submit
C:\Users\Admin\Downloads\uPx7nHG-.elf.part

Filesize
4.5MB

MD5
db9596e7c022bdc053698d31fbdba579

SHA1
90926cb9d4cc98e823b0eb17942e07787a2af620

SHA256
2fe577fd9c77d3bebdcf9bfc6416c3f9a12755964a8098744519709daf2b09ce

SHA512
ca4191f26913c41cb987d62ded327d65c93800bf2ef38d00186b16305435e3959c6a27ae1f84dea8d2d1d83cc79893938015e6e7c7b1debd4775715f2b920bc9

Download Submit