dharma | dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

Resubmissions

29-04-2024 07:46

240429-jlyaxsdf97 10

28-04-2024 13:27

28-04-2024 13:08

28-04-2024 12:57

28-04-2024 12:50

28-04-2024 12:29

Analysis

max time kernel
648s
max time network
577s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CoronaVirus.exe
Size

1.0MB
MD5

055d1462f66a350d9886542d4d79bc2b
SHA1

f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256

dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA512

2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
SSDEEP

24576:FRYz/ERA0eMuWfHvgPw/83JI8CorP9qY0:FE/yADMuYvgP93JIc2

Score

10^/10

dharma persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 3E508EF6 In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (517) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	CoronaVirus.exe

Drops startup file 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\info.hta	taskmgr.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\info.hta	taskmgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2860750803-256193626-1801997576-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2860750803-256193626-1801997576-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-180.png.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-16_altform-lightunplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationClientSideProviders.resources.dll.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsBase.resources.dll	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\sk.pak.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationUI.resources.dll.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-black_scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterBold.ttf.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OSFPROXY.DLL.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SmallTile.scale-100_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ul-oob.xrm-ms.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Design.resources.dll.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2.16.White.png.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\wordmui.msi.16.en-us.boot.tree.dat	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\contacts_permission_uwp.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nb-no\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_altform-unplated_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-24_altform-lightunplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nl-nl\ui-strings.js.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ul-oob.xrm-ms.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\CourierStd-Oblique.otf.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Json.dll.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ul-oob.xrm-ms.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\pt-PT.pak.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\de-de\ui-strings.js.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ui-strings.js	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_dummy_plugin.dll.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\shaded.dotx	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\tilebg.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ja-jp\ui-strings.js.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-sysinfo-l1-1-0.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-utility-l1-1-0.dll.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupWideTile.scale-150.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg7.jpg	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hr-hr\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OPTINPS.DLL.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_avi_plugin.dll.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_altform-unplated_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ro-ro\ui-strings.js.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ACEODBCI.DLL.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\EssentialLetter.dotx.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\AppxManifest.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\fr.pak.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\msedgeupdateres_or.dll.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-white_scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\MixedRealityPortalMedTile.scale-100.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\mobile_reader_logo.svg.id-3E508EF6.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\rhp_world_icon.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINSHELL.DLL	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Overlapped.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\webviewBoot.min.js	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-30_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-100.png	CoronaVirus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
12180	vssadmin.exe
13212	vssadmin.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
2800	taskmgr.exe
2800	taskmgr.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
2800	taskmgr.exe
2800	taskmgr.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
2800	taskmgr.exe
2800	taskmgr.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
2800	taskmgr.exe
2800	taskmgr.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
2800	taskmgr.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
2800	taskmgr.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
2800	taskmgr.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
2800	taskmgr.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
2800	taskmgr.exe
2800	taskmgr.exe
4212	CoronaVirus.exe
4212	CoronaVirus.exe
2800	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2800	taskmgr.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	taskmgr.exe
Token: SeSystemProfilePrivilege	2800	taskmgr.exe
Token: SeCreateGlobalPrivilege	2800	taskmgr.exe
Token: SeBackupPrivilege	18072	vssvc.exe
Token: SeRestorePrivilege	18072	vssvc.exe
Token: SeAuditPrivilege	18072	vssvc.exe
Token: SeDebugPrivilege	10232	firefox.exe
Token: SeDebugPrivilege	10232	firefox.exe
Token: 33	2800	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2800	taskmgr.exe
Token: 33	22656	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	22656	SearchIndexer.exe
Token: SeManageVolumePrivilege	22656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	22656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	22656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	22656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	22656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	22656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	22656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	22656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	22656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	22656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	22656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	22656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	22656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	22656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	22656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	22656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	22656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	22656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	22656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	22656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	22656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	22656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	22656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	22656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	22656	SearchIndexer.exe
Token: SeDebugPrivilege	23036	taskmgr.exe
Token: SeSystemProfilePrivilege	23036	taskmgr.exe
Token: SeCreateGlobalPrivilege	23036	taskmgr.exe
Token: 33	23036	taskmgr.exe
Token: SeIncBasePriorityPrivilege	23036	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
10232	firefox.exe
10232	firefox.exe
10232	firefox.exe
10232	firefox.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
10232	firefox.exe
10232	firefox.exe
10232	firefox.exe
10232	firefox.exe
10232	firefox.exe
10232	firefox.exe
10232	firefox.exe
10232	firefox.exe
10232	firefox.exe
10232	firefox.exe
10232	firefox.exe
10232	firefox.exe
10232	firefox.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
10232	firefox.exe
10232	firefox.exe
10232	firefox.exe
10232	firefox.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
10232	firefox.exe
10232	firefox.exe
10232	firefox.exe
10232	firefox.exe
10232	firefox.exe
10232	firefox.exe
10232	firefox.exe
10232	firefox.exe
10232	firefox.exe
10232	firefox.exe
10232	firefox.exe
10232	firefox.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe
2800	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
10232	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4212 wrote to memory of 3900	4212	CoronaVirus.exe	88
PID 4212 wrote to memory of 3900	4212	CoronaVirus.exe	88
PID 24616 wrote to memory of 10232	24616	firefox.exe	92
PID 24616 wrote to memory of 10232	24616	firefox.exe	92
PID 24616 wrote to memory of 10232	24616	firefox.exe	92
PID 24616 wrote to memory of 10232	24616	firefox.exe	92
PID 24616 wrote to memory of 10232	24616	firefox.exe	92
PID 24616 wrote to memory of 10232	24616	firefox.exe	92
PID 24616 wrote to memory of 10232	24616	firefox.exe	92
PID 24616 wrote to memory of 10232	24616	firefox.exe	92
PID 24616 wrote to memory of 10232	24616	firefox.exe	92
PID 24616 wrote to memory of 10232	24616	firefox.exe	92
PID 24616 wrote to memory of 10232	24616	firefox.exe	92
PID 3900 wrote to memory of 10740	3900	cmd.exe	93
PID 3900 wrote to memory of 10740	3900	cmd.exe	93
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 33528	10232	firefox.exe	94
PID 10232 wrote to memory of 22216	10232	firefox.exe	97
PID 10232 wrote to memory of 22216	10232	firefox.exe	97
PID 10232 wrote to memory of 22216	10232	firefox.exe	97
PID 10232 wrote to memory of 22216	10232	firefox.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\CoronaVirus.exe
"C:\Users\Admin\AppData\Local\Temp\CoronaVirus.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4212
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:10740
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:12180
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:16356
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:15192
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:13212
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:15900
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:6552

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2800

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:24616
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:10232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 25370 -prefMapSize 242961 -appDir "C:\Program Files\Mozilla Firefox\browser" - {75106162-ec11-4cb6-b90d-d7a0990b63c7} 10232 "\\.\pipe\gecko-crash-server-pipe.10232" gpu
    3⤵
    PID:33528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2348 -prefMapHandle 2344 -prefsLen 25689 -prefMapSize 242961 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a735e11f-cdfb-4c65-b16b-cd5e6752c0d1} 10232 "\\.\pipe\gecko-crash-server-pipe.10232" socket
    3⤵
    PID:22216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2988 -childID 1 -isForBrowser -prefsHandle 2980 -prefMapHandle 2976 -prefsLen 21957 -prefMapSize 242961 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1be292a6-f613-4306-8d5c-f959577dcd6d} 10232 "\\.\pipe\gecko-crash-server-pipe.10232" tab
    3⤵
    PID:7152
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3020 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 3652 -prefMapHandle 3696 -prefsLen 30473 -prefMapSize 242961 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8edf9eca-f552-4311-bd2d-4a3c51539454} 10232 "\\.\pipe\gecko-crash-server-pipe.10232" utility
    3⤵
    PID:15508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3916 -childID 2 -isForBrowser -prefsHandle 3804 -prefMapHandle 3800 -prefsLen 26545 -prefMapSize 242961 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {975e16a8-165b-45bf-b0c1-18dfeddfb728} 10232 "\\.\pipe\gecko-crash-server-pipe.10232" tab
    3⤵
    PID:15400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3972 -childID 3 -isForBrowser -prefsHandle 4008 -prefMapHandle 2972 -prefsLen 26545 -prefMapSize 242961 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f06bd8af-350d-43cc-9807-f8cd9d4d9fa9} 10232 "\\.\pipe\gecko-crash-server-pipe.10232" tab
    3⤵
    PID:19228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3948 -childID 4 -isForBrowser -prefsHandle 4040 -prefMapHandle 4044 -prefsLen 26545 -prefMapSize 242961 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f8590ae-3477-45f9-af75-61a4e89a9551} 10232 "\\.\pipe\gecko-crash-server-pipe.10232" tab
    3⤵
    PID:19248
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4228 -childID 5 -isForBrowser -prefsHandle 4220 -prefMapHandle 4216 -prefsLen 26545 -prefMapSize 242961 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0db0a9c5-0155-45c2-82af-2a58b19ffaa7} 10232 "\\.\pipe\gecko-crash-server-pipe.10232" tab
    3⤵
    PID:19284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4236 -childID 6 -isForBrowser -prefsHandle 4376 -prefMapHandle 4372 -prefsLen 26545 -prefMapSize 242961 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8763126d-6468-4762-b9b5-c8e0cfbc00d0} 10232 "\\.\pipe\gecko-crash-server-pipe.10232" tab
    3⤵
    PID:19236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4216 -childID 7 -isForBrowser -prefsHandle 4176 -prefMapHandle 4192 -prefsLen 26545 -prefMapSize 242961 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b28ec609-a423-4ce3-8912-322121e75698} 10232 "\\.\pipe\gecko-crash-server-pipe.10232" tab
    3⤵
    PID:19300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4116 -childID 8 -isForBrowser -prefsHandle 3828 -prefMapHandle 3812 -prefsLen 26545 -prefMapSize 242961 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {389ad607-814d-4f90-baf7-ecde995ccb21} 10232 "\\.\pipe\gecko-crash-server-pipe.10232" tab
    3⤵
    PID:19312

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:18072

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\8ac72383365147b0a8fe2b62ce86a859 /t 15704 /p 6552
1⤵
PID:20028

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\027856019fc64152b89e62c045700617 /t 15908 /p 15900
1⤵
PID:20692

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:21576

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:22108
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "0" "22108" "1336" "1260" "1340" "0" "0" "1344" "0" "0" "0" "0" "0"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:21988

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:22656
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2860750803-256193626-1801997576-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2860750803-256193626-1801997576-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  PID:22660
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
  2⤵
  PID:22668
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:22776

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:23036

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:23176
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:23268

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:23300
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:31808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:31716

C:\Users\Admin\AppData\Local\Temp\CoronaVirus.exe
"C:\Users\Admin\AppData\Local\Temp\CoronaVirus.exe"
1⤵
PID:6548

C:\Users\Admin\Desktop\CoronaVirus.exe
"C:\Users\Admin\Desktop\CoronaVirus.exe"
1⤵
PID:25120

C:\Users\Admin\Desktop\CoronaVirus.exe
"C:\Users\Admin\Desktop\CoronaVirus.exe"
1⤵
PID:25040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-3E508EF6.[[email protected]].ncov

Filesize
2.7MB

MD5
8af88f2933f4b063aaa20fcc932eba7d

SHA1
0b99d0ecfd7471f2f219035af3ee3b9af3b74528

SHA256
5d278c05c1f69a562c69f2e6c6ec2bf90372dd0ceaae29b302c20c4b5491d28b

SHA512
3903dfebce5b22a21806194a425f8e6686a1faa3a76f89bebc585e89d2b91ea557b0238545581cb24beb8aa0719b21ecab3ab61d1762f7f53b812a4494d68e37

Download Submit
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.id-3E508EF6.[[email protected]].ncov

Filesize
102KB

MD5
914abc5f6fded79df0f3e65c1ef28b6b

SHA1
0b48189c8eacc7ab568d8ff53f4c935dd7f99f41

SHA256
915ea412d278c616df4ad34847bfb6ce7a1644e2f35c6fe3ff2fde7bc6a4edb6

SHA512
3450fddadec81885838ee69c94e1756171f2908467db2dc99064697c6e6ddadbb8d0f2d954c6df25c31e50a39e7f316599fde19fbf31dbf833926051343c8020

Download Submit
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig.id-3E508EF6.[[email protected]].ncov

Filesize
1KB

MD5
e237ae8e288ab44b1d64294e76c35ba3

SHA1
3d2f0f9ad41cee07c6b68f3cd7908eac885ab9f9

SHA256
813324d5a1428b763293f61fda59c050a8b68eb6fe03d979bb16afa07564b187

SHA512
d2e715f7b081a95c1808f5facfd0110c1d4f54b79faff230122d44eb912872073bc0ab28c2fc81bd0848e363df53cb81b62c42426868ec3f1e979edb4691eebf

Download Submit
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json.id-3E508EF6.[[email protected]].ncov

Filesize
478B

MD5
313630224120d4d1e1daf238da3c849f

SHA1
024b133cde9785ca56ada38560f68aca2b0ec71b

SHA256
c047fc6a0c2554bf4798614f8406b2c1620614d9f8d652d0715533ebf2a653ab

SHA512
0f736b83bd1a80125385b418559323cb5613a63ec1b1b4e1557c07dfc2cdf655dff6e77d557b55102b08eb13c379619e818a0602d2672a9b9db8d1b909811a12

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.Crwl.id-3E508EF6.[[email protected]].ncov

Filesize
1KB

MD5
7ce537a5aaa45e8b0d47c62a5ed60c93

SHA1
4d9d8c2eff4c5b573091d4db6054b1366bc4a30f

SHA256
f7ece98e48d5ce756cd36cf8854c4dbc9c3c0ff4052ab7723f45e14c06e1b2ec

SHA512
d103f5c3fe774756cfbff16501b104d7abe8e2d645fdd2e368ca7ea897f2e4354dcf67413385bfd6ce3b1e9535f1ad1f1236154a8a095865153400286cba7a86

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.gthr.id-3E508EF6.[[email protected]].ncov

Filesize
10KB

MD5
bd0f0541638b21abbec2f254c82c34a1

SHA1
7153beae78063541ece3d6ece73ec916571c9bbd

SHA256
4e895543c80ee2490160b16f991d306079f9f4ed56822f523b28cb4db70c617f

SHA512
6c227879bb98fa565be9300e075d03fdaa55f52f30dff3a75b144abf88ea4fe3b2b7af5cb6de4754bee7d977e0a78cbbc35f4722c00aa6a37370efdc4fc91ec5

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jcp

Filesize
8KB

MD5
eac9c26cb8f198ca3976496d9804f973

SHA1
f8c303fa54ef7bf1a584d9a522b353397315bbe3

SHA256
be0d48533326ee6af02778198d01d2f216270afa14f3ac869c52950961d045f2

SHA512
ebf953ae4353ff1ad10e48347d4787bb8c5c993bc51bfc6b6c122cf0496c7537876f4ba29874859467962fb8291d7ce0bfe7f3e0a4ffd174ca69761e7a8de530

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jcp.id-3E508EF6.[[email protected]].ncov

Filesize
8KB

MD5
ba11d40e2dadb8441c6f43a9e782b856

SHA1
d97b040a3264a291ee2b41069a2129c5f63851aa

SHA256
584d8c8099fa39fdfb643830ed859a684c72665410e02ef50efbcd5107527d3c

SHA512
7e84aadb6e7d82b8514bdcc6e45cc023a878b78c833b5914dfe7b902a1e75201863894288279b12ac040e40d5bd0b0104e379aef342d984082ffc5981c31574c

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jtx

Filesize
1024KB

MD5
f0cfabb7648748991ec3d9cd1004b133

SHA1
a1e7521a39cc52725fea47a965575f583feceece

SHA256
59de828fbd9f9d70098988ab612c999c7211746dd9d20222c63bbe4c7501546d

SHA512
55e4067228f9c3a2c9089d5356898abf2b8f7ea60a5b9e5e7b7a5711609b44d75a0b44e96adcb0f725d5b4efc9a49c9d5acd5ca13f5c6bcef0d48ce9998f6a39

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jtx.id-3E508EF6.[[email protected]].ncov

Filesize
1.0MB

MD5
096b6b3ac97e204e9e44c60589179ffd

SHA1
9844cf2d264d331a920b6706f2fa1fdd486e94f5

SHA256
09fa3320b4fe4997d30d902adf64b001afd2adca03131ccccd7679cdbd669694

SHA512
02efc482d6bfb1829835d9ccc11ad68c2828e3fd0623e8453a54cb0a8c7839151bb6d455ed011b7946dfe1597f44aa74c06964f6d500d12b40c63cb8320da945

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb00003.jtx.id-3E508EF6.[[email protected]].ncov

Filesize
1.0MB

MD5
3d2c9cfcab85a99bc4f31b48201c1c22

SHA1
58bf97e443bfc650e2db23a0cd38d6b144a192b6

SHA256
356c4766bafb67dc23c14c14fd2d6f3103911757faf3c9c9c0d9fcf24dabc0c7

SHA512
61c06d6761be32fb4c526740deb96cd87aa18a464c83ac3c424d57d4dc5aee530272063075f88f9583abab7fc8d56ccb24f44eea239748b8a62d95b81e901f84

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb00004.jtx.id-3E508EF6.[[email protected]].ncov

Filesize
1.0MB

MD5
8816fe7a266350a1d9b0d0737f5f6f85

SHA1
a11b342a48cc489f91804efcd70bf12138285c42

SHA256
75ca0c7a176d864eb5517711280773694ebcad5d215471bd646295b1e6e95639

SHA512
fe2dbe1479fce757e30462e9091c45e202b22a34cf6decf3cdfe2d2105f0732404bade803d8f17c4841e4e04bd5a806a95530807cb3decfe67612f6bbda93c92

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbres00001.jrs.id-3E508EF6.[[email protected]].ncov

Filesize
1.0MB

MD5
2807f6348cb2974fc161f1e2b22ea16d

SHA1
69894afc648489c9d3a198608c03f3e1989366ea

SHA256
0eeafa8b4bfa6e6fdbf0e2e7ff0003fd2b6b3e855222164091436a7a05171f90

SHA512
49f3d08706dc9711b287f67271507e0c6261b9fe0bf4f07175d884004e9f1a9817ee3696433664a9765de1bbf9a862e6538bb7a7f1a4a394c4bb3c9057f004ff

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbres00002.jrs.id-3E508EF6.[[email protected]].ncov

Filesize
1.0MB

MD5
a6175c86cc9a30ff419c34418667321f

SHA1
b57ff19ae29775b87e225483d5277bc7967e78ee

SHA256
42e86a2970851e098eb7953deb96a59c261eac3d2f728d6e362f022973813ba2

SHA512
5b320407786f6db31838c583578eae55b7b03742f4a66b0727ea0ddb3c967f44d69ac5a90c2c46a9d0b69eecce59e8378e13cda08e080ae70310fa61c0ea01c0

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbtmp.jtx

Filesize
1024KB

MD5
b6d81b360a5672d80c27430f39153e2c

SHA1
3b71f43ff30f4b15b5cd85dd9e95ebc7e84eb5a3

SHA256
30e14955ebf1352266dc2ff8067e68104607e750abb9d3b36582b8af909fcb58

SHA512
d6292685b380e338e025b3415a90fe8f9d39a46e7bdba8cb78c50a338cefca741f69e4e46411c32de1afdedfb268e579a51f81ff85e56f55b0ee7c33fe8c25c9

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbtmp.jtx.id-3E508EF6.[[email protected]].ncov

Filesize
1.0MB

MD5
99d176c2d3508e5c24ad8839c830e0bc

SHA1
500b405a6d4799dabd1987a20904a91336d11e63

SHA256
ac275f8d1582cb75fdbbc702f3164357d1b23d531985c4c3775e63b584a58647

SHA512
aa548d0d445ac6b32a43ef7a486f061ddb2b54cf46e58e745fba9d0891a99f875e7ef49b980b67c783f83a922cdf5e2c4738dbbe4b6b81bb2630385897aef2be

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k6zex9vv.default-release\cache2\entries\037778A55E1B7E9BED3390289866D09402D6C913.id-3E508EF6.[[email protected]].ncov

Filesize
9KB

MD5
6f3db15a197165586e9479de37674832

SHA1
234b7aecd5f46cc56a261b5b081f39858c13e289

SHA256
7276780708a41318ea21cf7bf9f495dcac7b11212b29543a05f76a6883e81b20

SHA512
02542c385e2ff473f5b9fb50dc84d25e3b34fe83eba37e744610b6b3f9b2421f0749c0eda7ebbcfae32db7ee695bde520be06b143dab5ef17ecd17973f437fcc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k6zex9vv.default-release\cache2\entries\099EB2BF8827A4F91EAB3E38B14650D0205226F2.id-3E508EF6.[[email protected]].ncov

Filesize
15KB

MD5
b46d4fa668d041ea88005b3e487b8ad2

SHA1
0a9e372e974c074da696ef038810871907b5f07a

SHA256
964bb4912e9aaae7d6b84b3200fab1dfcdd6447ca988d0da5599a51fd3cb225d

SHA512
3218c96c5a0b4692ac33a8caf81206db0565b6f40812a247d83e220a7e8bc94aecf5180314af74bc4043b83fa075384630983dd3ffbe69e0dcf112186f6e7059

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k6zex9vv.default-release\cache2\entries\1611007487CDFCDB9FE43793C68D8984CF7DD7AA.id-3E508EF6.[[email protected]].ncov

Filesize
9KB

MD5
b6dade96703890b232bfd53ef87d208e

SHA1
a1dc5a9c43f6c7a3a0ba2526edc1a63eed798dd8

SHA256
8c8510467dd66a3aae928d36bff79dd46d466e2253ce4281b8b1dd14762e58e5

SHA512
e45a4623067d5c9eb4af549eb6971cf8a007fd4e0b7ba5e9df828085ef4fd2e618f8e02f63c156969da3389bce14998e62aab9be44ee0c58638d01a8bb8c22ca

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k6zex9vv.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495.id-3E508EF6.[[email protected]].ncov

Filesize
9KB

MD5
036bd3815e75c6dbb9a7f62b7321e5d6

SHA1
cdfee25150e3615ce9453ac9c24d71b7e08a6a5c

SHA256
2311f333ecbe1921be21a9e00d23dc1c09fb12f984337dc40cfd897e961c3da7

SHA512
48d4abb723c997aa0d9d6b7b9658b6a459eb69e014d10011666b7796de5476b4b888d16998dbe2479d366286539de11b17cf8033a51aa033b14e86a9bc1cca79

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k6zex9vv.default-release\cache2\entries\298D53A692BA41D0C5CA5AE0806650D73FF83365.id-3E508EF6.[[email protected]].ncov

Filesize
9KB

MD5
1014525c393b93151570d8555a3f8d12

SHA1
6e606a49b1cb931ff00e8255e96d67db573180c4

SHA256
483e90dbe79032043957dc7ba9337bf37bce87727cfdbdbb616ae9fe2d05d151

SHA512
9b4a7cdb482781c69314c09855b6aef8b79e21157e5cc78ea92f3ccccbff7594a5f095a6fb0d7fdb72494729c0c5a143eff731887544697f71223c4a901a5bd4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k6zex9vv.default-release\cache2\entries\338F0B40DAF8435FD6D84C103FCB982043FEC2F6.id-3E508EF6.[[email protected]].ncov

Filesize
9KB

MD5
a882f34940979f6f85fd1fee54f47f64

SHA1
b8b717ce53e6337598ca5ed59985496b0431d5aa

SHA256
eef6e3798fc65d85e9af8cffb57c23f59456e7dc650090474359a08ab0aadcf9

SHA512
abeb1763690537337c7e34f64484a4ce3397b031c214775deb0c644fbebf87c8b71ca116ab39d9e406179e88ee7062abfe60de27853a5c02ec6472c645e99a09

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k6zex9vv.default-release\cache2\entries\38FF788A718C79DDC3D1E23EAA975517D9BA3BB0.id-3E508EF6.[[email protected]].ncov

Filesize
9KB

MD5
4db56313c63b188a609b1abcc55e09e5

SHA1
2fbbe12c6cf3d6477c93deaee7c5cbd91efc3aae

SHA256
e4284482cb65ad6c66224386f06860d7c16470696433ee5d0142e04a954157e1

SHA512
49e8a0aeecea71444afdb6076d5b87008900dc0ebfd278afe7b2d996bcc20b762e7a6569a4418df7751c5c12f36e651b3bb92347b01fec7b469dc4b362d6c8f1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k6zex9vv.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F.id-3E508EF6.[[email protected]].ncov

Filesize
10KB

MD5
a11c4b9a94c1dd14cef36d100944a71f

SHA1
e35758a71c2d3887e8d2cc96bd3c0dc6d0f32cbf

SHA256
2673303f2d9e1d76f36f6333d1abb37e190f0fd140017adc95dd793fb42f3db6

SHA512
848fc01d8636a8cf3dd5e48e83f4fb6d691de5b639d243cb6136a41fdaea6a1b2f5dcc6b1749054a2146b8c71e347ee58c4475f055664becb338f1d5723d9f0a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k6zex9vv.default-release\cache2\entries\7BFCF32544F467F973AF267DF4EB4842EDED0C1F.id-3E508EF6.[[email protected]].ncov

Filesize
16KB

MD5
b9ece069963b21b119877ed3b71fc56d

SHA1
b2f4c489827c84594b521cca0204b76c4503ac11

SHA256
ab4804585cf765e5324e7d3220e0502cb083d9024e7ab06001a3e13060613ead

SHA512
d980dad98aed3ce85f76fd3d48c59614931392ae1f87679329ba097836bf96f68d918a33bc138e225a5c5ce377b89c522329f264dfd1411ccc3f616fa06854a6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k6zex9vv.default-release\cache2\entries\89C9B59023C6004C5FCA8E641B2BD533BAA7F06E.id-3E508EF6.[[email protected]].ncov

Filesize
9KB

MD5
7485070f57cd7742b50cdfc1a05f97f3

SHA1
796f9ac985a9d462a433207a44373780f045dea2

SHA256
5ea8c79fb258f4709103f076da66d68406887200f81da5ff94d947f3caa9ab46

SHA512
f1729ce9cda4470495059645d45df583f8673ac56f581356c62fba3bcd7eb2ccbb5b2869b4e600c2f3ff7aae8f7acb892ceac21ae571768847b7359a92ddaa6d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k6zex9vv.default-release\cache2\entries\8AF5D98EA49BFC5F75DBBB8CBE9CADF11B63E0F4.id-3E508EF6.[[email protected]].ncov

Filesize
11KB

MD5
7a44aa4cb62e6450d702b0145f08117d

SHA1
fd2467a67e8401653bb3fff05501eb9986e87db2

SHA256
a8cec00da6fa54090a2dc87a68f2067ad70950eeda3b296dd8b0022c405e856f

SHA512
488cee3e272d3cdc57674382d3ed96e37359d0e3554c8fe2d97beb98043dd86da1002c2615b7a56082deaf063ba9cdb2873fb99cac408c51c9a5ba3bd3e88b18

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k6zex9vv.default-release\cache2\entries\90E321EE94230DCDBDCD2EC0B77C695A4FC21F78.id-3E508EF6.[[email protected]].ncov

Filesize
9KB

MD5
f314d20649fdfcd248c1cebd54b4631d

SHA1
3ad6fd32c1da62a6b1dbf851879023886172d274

SHA256
534819b4799e5d05712e251c5ba48e7e0639c6e2e8f9defc6325dab6ed60ecc0

SHA512
73a55f28207f6a8b8cad5f0d8dc404870125d9e5f69651282815dbcd4a9b22a27a8ad105e7840fa8d3db2417fb37f67456a53de12b985da07bebc0befed2e3c2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k6zex9vv.default-release\cache2\entries\9648808B6C63CD1AAD97A7B68F84F35C95682143.id-3E508EF6.[[email protected]].ncov

Filesize
9KB

MD5
7271e110d4e039098d46281b3f12405f

SHA1
6e41dcc5d23de75c424eb6e87f973ecbfe2de7dd

SHA256
db0bd6376c44d5c3438eb3676c77c0369df7da41c8e548bca60b43efbbbc9374

SHA512
899f6916d3d515d4dabbae368adcbd270172e836c9b4f86201b761bb56bf9973417748c85c98b8414daf9fc4e1c5632acdd15eef95457fa7633754213d59cea7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k6zex9vv.default-release\cache2\entries\B6F59826B025251E088E4743F506708A83BD73B9.id-3E508EF6.[[email protected]].ncov

Filesize
11KB

MD5
fcc05bde8e148c8a50623c0201890416

SHA1
9396ac2b1fbfb009f32371e367f37f96f76486ac

SHA256
e817d12e222caf82d578363d89832cff381f999879dd27f48b0b586e108f60ac

SHA512
e4f3405c0cf6976521adcc1d090600661df95713a1dfff908a6675e00fe34a9a88302d5caf874c779225b9c41bd019e383bac88634764ae858c0799bf03a3af6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k6zex9vv.default-release\cache2\entries\C72D4296C2EBC6FD41A9F780CD0C8F30F0FF937C.id-3E508EF6.[[email protected]].ncov

Filesize
14KB

MD5
657b31e19fb98cf0ae73731186a149c1

SHA1
137868f6934c6e7d0c7fb39f7c8c755fdc1c933b

SHA256
88ac5d30682eff349a8b9e0d857f3ebb261f224ad85ba621e03b144e6b079b42

SHA512
1ae99ef673c232abd7165fa7a7442e950ec3adc001d5b0a50d9903e05d10741dc5f4fc93ecc7d5fd9b0cb8dcf966571c128566808f503fd5db4e2631fe843ba9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k6zex9vv.default-release\cache2\entries\C982342375C355A44C213031EEAC97222E1367E1.id-3E508EF6.[[email protected]].ncov

Filesize
14KB

MD5
666b5c671cdfa395cce974142610950d

SHA1
7bb8c13531dc2faf505729f8bbae62b0a558f6cc

SHA256
00066724a7ffec14ffd54d00f1c769ac2f403a7ca089dc81f21057472e3418c1

SHA512
4392c1307a745a648e6ed902e42e4927f6b1b071ceec74a7efb7431aa26c6a6bc4697efa17523521cc4cc1a35ce7b50607dad9e20365b0a0c878971aaadeb68c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k6zex9vv.default-release\cache2\entries\D0F48A0632B6C451791F4257697E861961F06A6F.id-3E508EF6.[[email protected]].ncov

Filesize
123KB

MD5
41afe4005668e2bbeb806199b73dfc33

SHA1
2c06470cd38d004d4d756fb76634a564e0a27b33

SHA256
2fb9781aa7cfb44d08004a0e22f4c17c67810f902bae6ee4bfa976153d0b3283

SHA512
4f5342829af2efbfbf11e103466a00b09af74013c9f7c0e0227aa39bb53224985dcfd1fa24a3b46ee5afa9ff7352d520ff539e5e4749b263264e98470c68ed30

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k6zex9vv.default-release\cache2\entries\D10DDE6FB3D4C14804797CF570FFEA9CD845BB25.id-3E508EF6.[[email protected]].ncov

Filesize
11KB

MD5
c604db8adac170128f43e10adbe478b5

SHA1
3cd714ce67f15c14f504cf2a60d3a912b182dada

SHA256
870520433bc6874faa9788bcca8e954806801ce091925ced2e9156b1eae88590

SHA512
b77d7131d7ac4039c56b775534cadb65c0f3c54300d25ee291f59b01afbba23fb507934077f5422a6b4439cb838ce5deccb286331f1bce955ae436a6762167fa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k6zex9vv.default-release\cache2\entries\D3337DB03E4E95DFF4A3118E4CE431ADCD31CE73.id-3E508EF6.[[email protected]].ncov

Filesize
9KB

MD5
64df56789b1e3c7c428b9af185ef1973

SHA1
a2c41effc71bde5fcc1dd3776b7d68c6d8b7f1ec

SHA256
4302b2a2c64df1517768a033bd0b00699bfff342bae4913a8f7cb7bf5021e802

SHA512
9d9e5574e0d2b2553bff0719d432212640da317d9e50405fb12b6d4c7dc39b950fbe83f6aedcf87eee50b00070da8b0afa829674cdeb82146d7d9698d635412e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k6zex9vv.default-release\cache2\entries\D6B0ADD0DAEA00708CBB4290B85CCA0E0FA79061.id-3E508EF6.[[email protected]].ncov

Filesize
9KB

MD5
f5d72be2d5e52a2b06b16a5a13d18eff

SHA1
06eef5da1b256f0b1cca069515bb93eb64cec545

SHA256
092840411588bda174fb1447c518b2342338e40f7d79acb240450b98f3eebdbd

SHA512
3e4e3c35f39620f3e50b954ca4805171fe481a614a37a52175fadf1ab3da9fcc505bd0c733f66d0ff60cbe2e738e8c4abcebd71ab6b4881fead2d09526803df7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k6zex9vv.default-release\cache2\entries\DED23BB33EA3C88FAD1C0A1CD53916E0D8C424D3.id-3E508EF6.[[email protected]].ncov

Filesize
16KB

MD5
ae0578af3558df67fe27749cdb28124d

SHA1
5e3cecdee3f927e6a6805d2eff3f23aa889b9eed

SHA256
ddbc347d8483eeea96d0c8bc11314b14ccf11d1ecf1d397e136d6cf2ad951f89

SHA512
016f4538e366aa8265d4a0604e24f5db0e21490d2b957d488b36002f34d2a95feec9a9dfdea9c371128d1e5e945f3f16612308e7388e9f134d1ae3f261ac021a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k6zex9vv.default-release\cache2\entries\F210D48319A1879FD1C5213FA010C613B99BA085.id-3E508EF6.[[email protected]].ncov

Filesize
11KB

MD5
a9f357ca077df4dcec940f9a3ecd8df6

SHA1
e96b6e135f037bfdb09dc6a7638ef48a2fd75f1f

SHA256
3db673c17ddee756662ae2d1c25b0e1554c1305a88cc3c694b23a9cb61f336b6

SHA512
f1be26efafcc4cf1ce89ae1a8a9c4a55de8d8826d7cffd5588cacf617db9a253c92c5e992fe829ff5db3cb96dd203d9f107c1542c6615688f8405a0c03d2b6ad

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k6zex9vv.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308.id-3E508EF6.[[email protected]].ncov

Filesize
9KB

MD5
2125f305ec116ce41c746dd18a6e721c

SHA1
ceaa6a3993e4e2a4540f7222788df5a749d532de

SHA256
f7c0c9821bad92f7a366fce5bf94f786f4049db5b3bf7fe1f6330e93a13eef4b

SHA512
534fc45b9c3fd4497fd785ddb00ceaf2fb3dd757a22d44d569b7ba00803e6a49313541951346683bd94bff167f592b2df1c1668aa420fe9aa076bb46868c8cc7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Filesize
13KB

MD5
da8ccee7759f0784836203e8783acaf7

SHA1
c009ff405dae3d110b30814235b8f10d07b2b628

SHA256
06b98af11922d9b1c571ce09f51d34cc4ef3132940645c7c891bcddbf23548eb

SHA512
82f7d789dacc550982fef0dea8c6bf9010abb6387cc41a2708d6439fa83bee3ad818ac676a9df7e90c6137fe6a41f56cce71b78d722b79bd06f35b21910feeb4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\AlternateServices.bin.id-3E508EF6.[[email protected]].ncov

Filesize
4KB

MD5
66381728ab266ccd3fdda4b8fd6a97d6

SHA1
0c74b3e729cd85cc80790f4b57aa1a9d3d95e9a4

SHA256
f8209ce4cf04a4f0a23adfd0fb1798808983adc61d360d3660f00539496c4cb5

SHA512
5ebeaec442031d87cf0a09f9098e9d846a808e7e2c3ce7eda50006085a4fc85ebd88913f9a9dd480ccba7798c37db8ef2351de239a094f1693d77c34feac50ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\SiteSecurityServiceState.bin.id-3E508EF6.[[email protected]].ncov

Filesize
1KB

MD5
c260549541e1ce7a102779ec05754229

SHA1
241739b50f36480789edea463445d47d4598d52f

SHA256
6a4536daa9d362cdfeb962cf2c757bd34c186aa8a8842ec79062785daedda907

SHA512
41b754fc699896941a0a92966d7d2c5086e38235eedc6db166992db1b67744d7fb763cfb4a4930f038ec1bc821542dd93586adc50cdc70928366270a1e984c3b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\cert9.db.id-3E508EF6.[[email protected]].ncov

Filesize
224KB

MD5
e7be5ae13e6785954c5ef05eb8c1bb36

SHA1
287ff097d81f3adb79a7df4e8e6f4d055f86dc3e

SHA256
47e91c3fa9137f6ee2382b6640fe4c2fef4412094d351c88f17770c9428e8674

SHA512
32e414b3cc9c7970bc9bd6580a43d7e361b8833bfa70c14f27b5f364a839534613a33973c499e472ccafcc1ace5cc3a4f50ca2182861cc4fa86d2204a03f2f46

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\compatibility.ini.id-3E508EF6.[[email protected]].ncov

Filesize
454B

MD5
b04121866fd49f542fa0cc2f4da7083b

SHA1
80d777167fe82e520e24b30e0a5d98c4bd6007c7

SHA256
8be8be29e4a0fc0a2104456854a805fbe218358816f1825db9a730169bc3ea96

SHA512
ed544382a85bf86e33f393009a99d077d110a9841641f534fd6a0b6927f0f0f0ce65c68e13661fdfc45050c5cb55b45715da8dfd6d70b9a85ce5c2b80b458a0e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\containers.json.id-3E508EF6.[[email protected]].ncov

Filesize
946B

MD5
72d5adb1de48e6bc6ed9fe41de02c6a0

SHA1
21e2826bf9ae311e4a2af49ab0ec18a2ce637839

SHA256
7325bd44c734523c95bd942f901ec6c35214db595827752776332bb84d9d2ec5

SHA512
a81b63f2b577c7b65c00a44728f2b54578a0c470d6cfe9ef11d8a9dec3bd13bed2e9af4818b7826862b17aae576687d04a03f36b1cddc425c938711ab99f42ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\datareporting\glean\db\data.safe.bin.id-3E508EF6.[[email protected]].ncov

Filesize
23KB

MD5
ff5752edadeaec2f6793f065c91071ec

SHA1
75a6a1eb736475e67a6f1a836783e20a0a846ed7

SHA256
9a3637caaa237e527ee04eac6ec2b544a71fd2cb609afc2d6c6902a5e001e4fe

SHA512
e1b6e1f18a873343588cde90d0c0e6fcdd99e815690d226dcd12f71b03d113e37b7999c3dea333c2790343fbeffafe527e59890b0b4887a6a7edfa3814fd0ffb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\datareporting\glean\db\data.safe.tmp

Filesize
182B

MD5
c58234a092f9d899f0a623e28a4ab9db

SHA1
7398261b70453661c8b84df12e2bde7cbc07474b

SHA256
eaec709a98b57cd9c054a205f9bfa76c7424db2845c077822804f31e16ac134c

SHA512
ae2724fc45a8d9d26e43d86bcc7e20f398d8ab4e251e89550087ace1311c4d2571392f2f0bed78da211fcb28766779c1853b80742faa69f722b2c44c283569fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\datareporting\glean\db\data.safe.tmp

Filesize
182B

MD5
1c3c58f7838dde7f753614d170f110fc

SHA1
c17e5a486cecaddd6ced7217d298306850a87f48

SHA256
81c14432135b2a50dc505904e87781864ca561efef9e94baeca3704d04e6db3d

SHA512
9f6e9bcb0bba9e2ce3d7dabe03b061e3fda3f6d7b0249ecf4dbc145dc78844386d047ee2ac95656a025ef808cd0fc451204dc98a1981cf2729091761661a3b49

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\datareporting\glean\events\events.id-3E508EF6.[[email protected]].ncov

Filesize
336B

MD5
980b1fa2b97ca1ff6692098727789f04

SHA1
388a8592106a8afcc42ff6c88dec32532678b2d1

SHA256
38cdde339fc55425fef76b75c8ff1fdc6bf34ae029bcb8f731444287628e555f

SHA512
0f99b3c5172544648ffa203b29b3cd1aa96ca8e36070f6c040365ac5c0c0fdefc1a35250107a8d6a651128c2f5e49bb192af96449b319386d67f121b0dd0de29

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\extension-preferences.json.id-3E508EF6.[[email protected]].ncov

Filesize
1KB

MD5
ba446ce6e71767f545ad2ed6520c2cb0

SHA1
ea0da225522b5c705c864b1b3aef366935773c22

SHA256
13894760ad7cf232304a6ded09a0f9ec6e680244aabf048995c0640122a1d647

SHA512
aa943ead59b7f36269ff2bb649cc2ee3b080d9b6294ee002a4942783233c325a76e32e6dbbab60cf8903ab9b6bf01e76e85aac706643c024f6b5ba28dfccf4c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\extensions.json.id-3E508EF6.[[email protected]].ncov

Filesize
37KB

MD5
54d6296c94a79370c18e439faee69b90

SHA1
e94e8126d9316cbacc50f96b12b1572a24e4dd6b

SHA256
9db1c8b37bcc3e927f455991b08cee2cd5741400e518de4386465646f8442d80

SHA512
afb66a93590c274b4d679d520be052783e9777be7f8326f38738a466b9db58ffccf306a4be0d93c5fd77f6fcbe54886e995b6c562013414e827885bf97832929

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\handlers.json.id-3E508EF6.[[email protected]].ncov

Filesize
622B

MD5
00c32f93d7a46f144b455523c38e0f91

SHA1
28b4f95fb3acf13a97b5e64dbcbc0e592df576bc

SHA256
f9edfcae08b1617f4cdb80d79292b21a786c15dcaf731128e3e60531012ae083

SHA512
53e09353749c46ef1e6aaef44a4c2063cf72affdee4519e3fe8338af52ec65a2899e8428d5b881a61bfe5b2fdfd575a246bc2b21495082fd7e4ca296e85f4580

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\key4.db.id-3E508EF6.[[email protected]].ncov

Filesize
288KB

MD5
ecec9f6bfd226c6ab92e08f1dab5c19e

SHA1
c6fbef69d9eb19a3c717338d69fa62dff613c47b

SHA256
4eb01ebb21e525bcf6c224074909fcfe01f245cb5870a68903dc43204a31fbf2

SHA512
cef89ca2d3a05f2eca293e1e2ab2f5ff2e211e26e35836d740fbd8f8382e86b35ecf1634a69f26ed043b87b4fb1ebc2ade1e9b3bf3634f278c500825b8000f3e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\pkcs11.txt.id-3E508EF6.[[email protected]].ncov

Filesize
760B

MD5
5fc01a7c953e7bcf53c1f5a38eabd641

SHA1
899fc3915f0d81ca6474399a377be041b4812858

SHA256
4e1c8deea599b99c935e679c528a63595c2d3f21d96e451c744fa7e4a4b9a44e

SHA512
9d4345768d5ece0ba26adc9ae61709adf8558d01a8c62c1385ff67586052204c0019d4f691197e5fd7cccf054f4afe8f28c8065d574f51c4ad730c32ff87b6f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\prefs-1.js

Filesize
8KB

MD5
43a0c341ae771083d11a07e112f10bf8

SHA1
896cead6008ec26828c1d77ebdc49363a27f760e

SHA256
87a266a3745d1c5920a8aa799c53ce4ebd641aaed2f9d6207aaa5ec72e3a6518

SHA512
2b724f0cfacffee9afc3a6d4152a869ac03978775599dbdf2648bbf140418954b24ccab3344e3da7ba856eadb9a315beca49f2a24258f502a233cb182c64b67b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\prefs-1.js

Filesize
9KB

MD5
84f58d7d45acc03ef20ba7d3a014bde7

SHA1
c9c94021df8f4a14f751713cfb13403428c2569a

SHA256
33dbe3bfb594562bd30c25622643fe87e8177c127333a896765cb2a764578374

SHA512
cf0480b19b0c9c3125fc5cb90be6789cf4a6673e82122ab44b535e9729a6f03cf942b1761116fa9cd0bbac41e2b3ab102dcb68747b5610bcab2e3d55b3ed1169

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\prefs.js

Filesize
8KB

MD5
9d9fd11b511d58a860cb11041cbe9c84

SHA1
c4483fbe77e5848c5966b6a0cecd2ea230f9c67e

SHA256
43e7287c13f732eed56f91d1011a7d2c26055b615b298a392cdce830aa935fca

SHA512
c031e5b1f91c3c2a373033607c23a37043012c5667f171b5d3bf1ec5a916cd3475cad865fb39c3e9fff7547b37f2c64f4efd65f9c91f005e423ea495ed47af88

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\prefs.js.id-3E508EF6.[[email protected]].ncov

Filesize
8KB

MD5
536e4534beae30c6770007b929fd2b7c

SHA1
e694aa395bc8585ed765fa9edad6115ebe59d772

SHA256
2ba97f3406ecfe649db03ffe1691a2a4064a961c4bb3ee7f2a3fd4937f015652

SHA512
84b264309f972a500db6ccc9d682752c39e7988e4a004b7109bc0f8dc1b19464f13ab366696a41b7f075f732ea14762f8bcb0c010e39486d50895285eb3559d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\sessionCheckpoints.json.id-3E508EF6.[[email protected]].ncov

Filesize
562B

MD5
bfba0ac00aef60cd5951f93fc808cbe3

SHA1
eb7b519279e075e01aac0df2758cae828fa9c8af

SHA256
349ac3b7ce02f283899a5e6795635c95c3ccccffa6ebe43c62afb12d9c5438a9

SHA512
e21f1786f5e7326c0ce981bbaa993a0433fd1d00e298c1c94c1c1c1b6608a4a892c4fd6a42e9f6fcf11c9fd8da7b66f86f0599e18db33b425404f06bd00023db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\shield-preference-experiments.json.id-3E508EF6.[[email protected]].ncov

Filesize
312B

MD5
eea845c58fe9c3ca6abccc95f998ff66

SHA1
cf85b5e586c1e95f1b48b6301afc2a2417db467d

SHA256
796f67635193e56006c744be4e0a2a016e421e8474ad56c0428db5fe7f0e834a

SHA512
6aba8812801360dffb6a011aa32321ef9de04c6bdf26800f139e09ed626233060a87de5ba8ba4415cc0def33793c33f66fecc0acf706210b0dd25a1271668c7e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\targeting.snapshot.json.id-3E508EF6.[[email protected]].ncov

Filesize
4KB

MD5
88c1cee57ef8a95256a99437c2e48e61

SHA1
7bd2b68272d7de9dbd21d96b14e46839dc6065f8

SHA256
125896010170c729ddbc232165cf5dd908e7eeeb478b68d70310b215241b194f

SHA512
780f03634a69ae84f8df272337956555adb33b25ef97576ec9c565cdde24dd683ecc20ebd1c5d1cbe1218973e592d10c12b1028af2da9f89ff21d9e9bb9d5d4e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\times.json.id-3E508EF6.[[email protected]].ncov

Filesize
296B

MD5
ec6aca3ead3fef43d656e523928d6ee7

SHA1
8509e4a5a26df4e726af9f925aa0a9fc206d1e4d

SHA256
e966aa58eefad8afd47e6ecb557e905f369ab96e85e2b9c0daea089db0ef0a5f

SHA512
d4e1c6830ecbcca0ab2b084a234c43ab7e766e4ff058d354708b159bcd6974f16bf8a63a2030ea562c898bb1630cd88f40942d3fe14a67c2fb8a354903565c78

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\xulstore.json.id-3E508EF6.[[email protected]].ncov

Filesize
254B

MD5
dacd859c047b234dacf0839682930e5d

SHA1
428b47b082cf09c9e6e20d850b8d27ccbf9600e8

SHA256
cd30f6f4c8f276b3bdad64fde0610253a4ac9b80fcbf487ea86efc5d169e2d19

SHA512
759a2ef1d0e9725098670c1d5c473db71d75ebb7e9d4049ed130d2be8f6e567681097ee846f8c2f7c461ba4d865c7751dc0e5790efc9cae4a48f7b95afc2e9d2

Download Submit
memory/2800-7-0x000001B14D0C0000-0x000001B14D0C1000-memory.dmp

Filesize
4KB

Download
memory/2800-10-0x000001B14D0C0000-0x000001B14D0C1000-memory.dmp

Filesize
4KB

Download
memory/2800-1-0x000001B14D0C0000-0x000001B14D0C1000-memory.dmp

Filesize
4KB

Download
memory/2800-2-0x000001B14D0C0000-0x000001B14D0C1000-memory.dmp

Filesize
4KB

Download
memory/2800-3-0x000001B14D0C0000-0x000001B14D0C1000-memory.dmp

Filesize
4KB

Download
memory/2800-13-0x000001B14D0C0000-0x000001B14D0C1000-memory.dmp

Filesize
4KB

Download
memory/2800-12-0x000001B14D0C0000-0x000001B14D0C1000-memory.dmp

Filesize
4KB

Download
memory/2800-11-0x000001B14D0C0000-0x000001B14D0C1000-memory.dmp

Filesize
4KB

Download
memory/2800-8-0x000001B14D0C0000-0x000001B14D0C1000-memory.dmp

Filesize
4KB

Download
memory/2800-9-0x000001B14D0C0000-0x000001B14D0C1000-memory.dmp

Filesize
4KB

Download
memory/4212-14-0x000000000ADC0000-0x000000000ADF4000-memory.dmp

Filesize
208KB

Download
memory/4212-0-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4212-23741-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4212-15-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4212-24947-0x000000000ADC0000-0x000000000ADF4000-memory.dmp

Filesize
208KB

Download
memory/6548-25187-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/6548-25191-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/22108-25029-0x000001715E200000-0x000001715E210000-memory.dmp

Filesize
64KB

Download
memory/22108-25045-0x000001715E430000-0x000001715E440000-memory.dmp

Filesize
64KB

Download
memory/25040-25218-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/25120-25217-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download