4d143365d5df5e6e9a37684f639a6afe38171b202e09a4c821977ad058be70af

Analysis

max time kernel
147s
max time network
146s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
04/07/2024, 01:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

F-M-Е_v2.exe
Size

1.1MB
MD5

b5a376280f4bb1ea624cdb5265e6dafc
SHA1

8e5e51a123f369d36bb6fd718ef7c96838574c82
SHA256

4d143365d5df5e6e9a37684f639a6afe38171b202e09a4c821977ad058be70af
SHA512

c43e5dde2e1a1595accd4d4395d3997acccb374357f0b178b860434211f77070e11abda880056654d14e4587d6ac319c8f9a2c94ba08dc03ed8770c4b6ccadba
SSDEEP

24576:dcVkKSR5eOVZY2xjuAaQBLwx/wXPH/dqGkzzkDTMsGhs9Y:dcBYMOVGwS+dw6lAzzMMsG+m

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
5108	u0Y4ZfNbjZ4PNDNB5.exe
5068	AutoHotkey.exe
1652	AutoHotkey.exe
4104	file.exe
3124	file.exe
5032	u0Y4ZfNbjZ4PNDNB5.exe
4428	AutoHotkey.exe
2740	AutoHotkey.exe
4104	AutoHotkey.exe
1528	AutoHotkey.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
74	discord.com
80	raw.githubusercontent.com
84	discord.com
1	raw.githubusercontent.com
2	raw.githubusercontent.com
33	raw.githubusercontent.com
73	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
34	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1588	timeout.exe
512	timeout.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery

T1057

pid	Process
2812	tasklist.exe
4440	tasklist.exe
3180	tasklist.exe
4192	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\AutoHotkey.exe = "1"	AutoHotkey.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AutoHotkey.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\GPU	AutoHotkey.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	AutoHotkey.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	AutoHotkey.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\AutoHotkey.exe = "11000"	AutoHotkey.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\AutoHotkey.exe = "0"	AutoHotkey.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	AutoHotkey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	AutoHotkey.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\AutoHotkey.exe = "11000"	AutoHotkey.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\AutoHotkey.exe = "0"	AutoHotkey.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	AutoHotkey.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\AutoHotkey.exe = "1"	AutoHotkey.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AutoHotkey.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	firefox.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	74	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	84	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1652	AutoHotkey.exe
1652	AutoHotkey.exe
2740	AutoHotkey.exe
2740	AutoHotkey.exe
2740	AutoHotkey.exe
2740	AutoHotkey.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1652	AutoHotkey.exe
2740	AutoHotkey.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1536	WMIC.exe
Token: SeSecurityPrivilege	1536	WMIC.exe
Token: SeTakeOwnershipPrivilege	1536	WMIC.exe
Token: SeLoadDriverPrivilege	1536	WMIC.exe
Token: SeSystemProfilePrivilege	1536	WMIC.exe
Token: SeSystemtimePrivilege	1536	WMIC.exe
Token: SeProfSingleProcessPrivilege	1536	WMIC.exe
Token: SeIncBasePriorityPrivilege	1536	WMIC.exe
Token: SeCreatePagefilePrivilege	1536	WMIC.exe
Token: SeBackupPrivilege	1536	WMIC.exe
Token: SeRestorePrivilege	1536	WMIC.exe
Token: SeShutdownPrivilege	1536	WMIC.exe
Token: SeDebugPrivilege	1536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1536	WMIC.exe
Token: SeRemoteShutdownPrivilege	1536	WMIC.exe
Token: SeUndockPrivilege	1536	WMIC.exe
Token: SeManageVolumePrivilege	1536	WMIC.exe
Token: 33	1536	WMIC.exe
Token: 34	1536	WMIC.exe
Token: 35	1536	WMIC.exe
Token: 36	1536	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1536	WMIC.exe
Token: SeSecurityPrivilege	1536	WMIC.exe
Token: SeTakeOwnershipPrivilege	1536	WMIC.exe
Token: SeLoadDriverPrivilege	1536	WMIC.exe
Token: SeSystemProfilePrivilege	1536	WMIC.exe
Token: SeSystemtimePrivilege	1536	WMIC.exe
Token: SeProfSingleProcessPrivilege	1536	WMIC.exe
Token: SeIncBasePriorityPrivilege	1536	WMIC.exe
Token: SeCreatePagefilePrivilege	1536	WMIC.exe
Token: SeBackupPrivilege	1536	WMIC.exe
Token: SeRestorePrivilege	1536	WMIC.exe
Token: SeShutdownPrivilege	1536	WMIC.exe
Token: SeDebugPrivilege	1536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1536	WMIC.exe
Token: SeRemoteShutdownPrivilege	1536	WMIC.exe
Token: SeUndockPrivilege	1536	WMIC.exe
Token: SeManageVolumePrivilege	1536	WMIC.exe
Token: 33	1536	WMIC.exe
Token: 34	1536	WMIC.exe
Token: 35	1536	WMIC.exe
Token: 36	1536	WMIC.exe
Token: SeDebugPrivilege	4440	tasklist.exe
Token: SeRestorePrivilege	5108	u0Y4ZfNbjZ4PNDNB5.exe
Token: 35	5108	u0Y4ZfNbjZ4PNDNB5.exe
Token: SeSecurityPrivilege	5108	u0Y4ZfNbjZ4PNDNB5.exe
Token: SeSecurityPrivilege	5108	u0Y4ZfNbjZ4PNDNB5.exe
Token: SeDebugPrivilege	4620	firefox.exe
Token: SeDebugPrivilege	4620	firefox.exe
Token: SeRestorePrivilege	4104	file.exe
Token: 35	4104	file.exe
Token: SeSecurityPrivilege	4104	file.exe
Token: SeSecurityPrivilege	4104	file.exe
Token: SeRestorePrivilege	3124	file.exe
Token: 35	3124	file.exe
Token: SeSecurityPrivilege	3124	file.exe
Token: SeSecurityPrivilege	3124	file.exe
Token: SeDebugPrivilege	3180	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4612	WMIC.exe
Token: SeSecurityPrivilege	4612	WMIC.exe
Token: SeTakeOwnershipPrivilege	4612	WMIC.exe
Token: SeLoadDriverPrivilege	4612	WMIC.exe
Token: SeSystemProfilePrivilege	4612	WMIC.exe

Suspicious use of FindShellTrayWindow 19 IoCs

pid	Process
4620	firefox.exe
4620	firefox.exe
4620	firefox.exe
4620	firefox.exe
1652	AutoHotkey.exe
1652	AutoHotkey.exe
1652	AutoHotkey.exe
4620	firefox.exe
4620	firefox.exe
4620	firefox.exe
4620	firefox.exe
4620	firefox.exe
4620	firefox.exe
4620	firefox.exe
4620	firefox.exe
2740	AutoHotkey.exe
2740	AutoHotkey.exe
2740	AutoHotkey.exe
4104	AutoHotkey.exe

Suspicious use of SendNotifyMessage 17 IoCs

pid	Process
4620	firefox.exe
4620	firefox.exe
4620	firefox.exe
1652	AutoHotkey.exe
1652	AutoHotkey.exe
1652	AutoHotkey.exe
4620	firefox.exe
4620	firefox.exe
4620	firefox.exe
4620	firefox.exe
4620	firefox.exe
4620	firefox.exe
4620	firefox.exe
4620	firefox.exe
2740	AutoHotkey.exe
2740	AutoHotkey.exe
2740	AutoHotkey.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
4620	firefox.exe
1652	AutoHotkey.exe
1652	AutoHotkey.exe
1652	AutoHotkey.exe
1652	AutoHotkey.exe
1652	AutoHotkey.exe
2740	AutoHotkey.exe
2740	AutoHotkey.exe
2740	AutoHotkey.exe
2740	AutoHotkey.exe
2740	AutoHotkey.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 3596	3044	F-M-Е_v2.exe	73
PID 3044 wrote to memory of 3596	3044	F-M-Е_v2.exe	73
PID 3044 wrote to memory of 3596	3044	F-M-Е_v2.exe	73
PID 3596 wrote to memory of 644	3596	cmd.exe	76
PID 3596 wrote to memory of 644	3596	cmd.exe	76
PID 3596 wrote to memory of 644	3596	cmd.exe	76
PID 3596 wrote to memory of 2812	3596	cmd.exe	77
PID 3596 wrote to memory of 2812	3596	cmd.exe	77
PID 3596 wrote to memory of 2812	3596	cmd.exe	77
PID 3596 wrote to memory of 4704	3596	cmd.exe	78
PID 3596 wrote to memory of 4704	3596	cmd.exe	78
PID 3596 wrote to memory of 4704	3596	cmd.exe	78
PID 3596 wrote to memory of 4656	3596	cmd.exe	80
PID 3596 wrote to memory of 4656	3596	cmd.exe	80
PID 3596 wrote to memory of 4656	3596	cmd.exe	80
PID 4656 wrote to memory of 1536	4656	cmd.exe	81
PID 4656 wrote to memory of 1536	4656	cmd.exe	81
PID 4656 wrote to memory of 1536	4656	cmd.exe	81
PID 3596 wrote to memory of 4440	3596	cmd.exe	82
PID 3596 wrote to memory of 4440	3596	cmd.exe	82
PID 3596 wrote to memory of 4440	3596	cmd.exe	82
PID 3596 wrote to memory of 1784	3596	cmd.exe	83
PID 3596 wrote to memory of 1784	3596	cmd.exe	83
PID 3596 wrote to memory of 1784	3596	cmd.exe	83
PID 3596 wrote to memory of 2220	3596	cmd.exe	84
PID 3596 wrote to memory of 2220	3596	cmd.exe	84
PID 3596 wrote to memory of 2220	3596	cmd.exe	84
PID 3596 wrote to memory of 5108	3596	cmd.exe	85
PID 3596 wrote to memory of 5108	3596	cmd.exe	85
PID 3596 wrote to memory of 5108	3596	cmd.exe	85
PID 3596 wrote to memory of 5068	3596	cmd.exe	86
PID 3596 wrote to memory of 5068	3596	cmd.exe	86
PID 5116 wrote to memory of 4620	5116	firefox.exe	88
PID 5116 wrote to memory of 4620	5116	firefox.exe	88
PID 5116 wrote to memory of 4620	5116	firefox.exe	88
PID 5116 wrote to memory of 4620	5116	firefox.exe	88
PID 5116 wrote to memory of 4620	5116	firefox.exe	88
PID 5116 wrote to memory of 4620	5116	firefox.exe	88
PID 5116 wrote to memory of 4620	5116	firefox.exe	88
PID 5116 wrote to memory of 4620	5116	firefox.exe	88
PID 5116 wrote to memory of 4620	5116	firefox.exe	88
PID 5116 wrote to memory of 4620	5116	firefox.exe	88
PID 5116 wrote to memory of 4620	5116	firefox.exe	88
PID 4620 wrote to memory of 964	4620	firefox.exe	89
PID 4620 wrote to memory of 964	4620	firefox.exe	89
PID 4620 wrote to memory of 1660	4620	firefox.exe	90
PID 4620 wrote to memory of 1660	4620	firefox.exe	90
PID 4620 wrote to memory of 1660	4620	firefox.exe	90
PID 4620 wrote to memory of 1660	4620	firefox.exe	90
PID 4620 wrote to memory of 1660	4620	firefox.exe	90
PID 4620 wrote to memory of 1660	4620	firefox.exe	90
PID 4620 wrote to memory of 1660	4620	firefox.exe	90
PID 4620 wrote to memory of 1660	4620	firefox.exe	90
PID 4620 wrote to memory of 1660	4620	firefox.exe	90
PID 4620 wrote to memory of 1660	4620	firefox.exe	90
PID 4620 wrote to memory of 1660	4620	firefox.exe	90
PID 4620 wrote to memory of 1660	4620	firefox.exe	90
PID 4620 wrote to memory of 1660	4620	firefox.exe	90
PID 4620 wrote to memory of 1660	4620	firefox.exe	90
PID 4620 wrote to memory of 1660	4620	firefox.exe	90
PID 4620 wrote to memory of 1660	4620	firefox.exe	90
PID 4620 wrote to memory of 1660	4620	firefox.exe	90
PID 4620 wrote to memory of 1660	4620	firefox.exe	90
PID 4620 wrote to memory of 1660	4620	firefox.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\F-M-Е_v2.exe
"C:\Users\Admin\AppData\Local\Temp\F-M-Е_v2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS4EB17657\run.bat" x -pZhd2kZSak8js u0Y4ZfNbjZ4PNDNB5 -o. -y AsDxzcDAzSDzdD fkkfk@fkfk@fkkf@@kf fk@fk@fkfk@fkkf@fkf FME bN4Aynk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Windows\SysWOW64\mode.com
    mode con: cols=40 lines=3
    3⤵
    PID:644
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq EasyAntiCheat_EOS.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- - C:\Windows\SysWOW64\find.exe
    find /I /N "EasyAntiCheat_EOS.exe"
    3⤵
    PID:4704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic process where "name='cmd.exe' and commandline like '%run.bat%'" get processid
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4656
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='cmd.exe' and commandline like '%run.bat%'" get processid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1536
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq AutoHotkey.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4440
- - C:\Windows\SysWOW64\find.exe
    find /i "AutoHotkey.exe"
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy *.* ..\ /Y
    3⤵
    - Enumerates system info in registry
    PID:2220
- - C:\Users\Admin\AppData\Local\Temp\u0Y4ZfNbjZ4PNDNB5.exe
    u0Y4ZfNbjZ4PNDNB5.exe x -pZhd2kZSak8js u0Y4ZfNbjZ4PNDNB5 -o. -y
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5108
- - C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe
    AutoHotkey.exe AsDxzcDAzSDzdD
    3⤵
    - Executes dropped EXE
    PID:5068
  - - C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe
      "AutoHotkey.exe" /f "\\.\pipe\AHKNIGMNFGM"
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:1652
    - - C:\Users\Admin\AppData\Local\Temp\new\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\new\file.exe" -phltonMCNfMK7f x "C:\Users\Admin\AppData\Local\Temp\new\file" -o"C:\Users\Admin\AppData\Local\Temp\new" -y
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4104
    - - C:\Users\Admin\AppData\Local\Temp\new\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\new\file.exe" -phltonMCNfMK7f x "C:\Users\Admin\AppData\Local\Temp\new\file" -o"C:\Users\Admin\AppData\Local\Temp\new" -y
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3124
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\SR.bat
        5⤵
        
        PID:5108
      - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        6⤵
        Delays execution with timeout.exe
        
        PID:1588

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4620.0.49466445\1251204868" -parentBuildID 20221007134813 -prefsHandle 1688 -prefMapHandle 1676 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {29c4f658-9d7e-4fc2-b90b-e4c8cdc90b65} 4620 "\\.\pipe\gecko-crash-server-pipe.4620" 1780 19d159dae58 gpu
    3⤵
    PID:964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4620.1.473913365\1732965105" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d09f544-cdad-4db8-b5fa-5c0b6c023fad} 4620 "\\.\pipe\gecko-crash-server-pipe.4620" 2136 19d0a872b58 socket
    3⤵
    - Checks processor information in registry
    PID:1660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4620.2.1648922139\895775696" -childID 1 -isForBrowser -prefsHandle 2996 -prefMapHandle 2992 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {46818a41-656a-4125-922d-9ef8b6bf3f40} 4620 "\\.\pipe\gecko-crash-server-pipe.4620" 2916 19d15963c58 tab
    3⤵
    PID:2740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4620.3.1341733870\2053065470" -childID 2 -isForBrowser -prefsHandle 3232 -prefMapHandle 3252 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {db498d79-bab9-47fe-8beb-baaac4981dff} 4620 "\\.\pipe\gecko-crash-server-pipe.4620" 3488 19d1a85a558 tab
    3⤵
    PID:4900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4620.4.105623825\2069251806" -childID 3 -isForBrowser -prefsHandle 3876 -prefMapHandle 3872 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {db953aaf-0fee-40d7-baa6-bebe6558f387} 4620 "\\.\pipe\gecko-crash-server-pipe.4620" 3888 19d1b0f9358 tab
    3⤵
    PID:3884
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4620.5.516540295\1803901515" -childID 4 -isForBrowser -prefsHandle 4020 -prefMapHandle 4708 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {90b67a84-2454-4c22-9985-18f9d843ad35} 4620 "\\.\pipe\gecko-crash-server-pipe.4620" 2668 19d1a9e1158 tab
    3⤵
    PID:4092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4620.6.1483656656\1582241646" -childID 5 -isForBrowser -prefsHandle 2644 -prefMapHandle 5036 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {92af1cb8-5dd4-4843-ab6f-7b49d80c83f9} 4620 "\\.\pipe\gecko-crash-server-pipe.4620" 5040 19d1c0d4b58 tab
    3⤵
    PID:4728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4620.7.1792082529\711454443" -childID 6 -isForBrowser -prefsHandle 5308 -prefMapHandle 5312 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a410d041-b477-44cd-8b3e-5763de04577d} 4620 "\\.\pipe\gecko-crash-server-pipe.4620" 5300 19d1cd18e58 tab
    3⤵
    PID:2608
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4620.8.326761660\1415373748" -childID 7 -isForBrowser -prefsHandle 5144 -prefMapHandle 5140 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {547a698a-2858-4cef-84ff-df7e85b2f8dd} 4620 "\\.\pipe\gecko-crash-server-pipe.4620" 5156 19d1d85a358 tab
    3⤵
    PID:4692

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3272

C:\Users\Admin\AppData\Local\Temp\F-M-Е_v2.exe
"C:\Users\Admin\AppData\Local\Temp\F-M-Е_v2.exe"
1⤵
PID:3468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zSC8D42878\run.bat" x -pZhd2kZSak8js u0Y4ZfNbjZ4PNDNB5 -o. -y AsDxzcDAzSDzdD fkkfk@fkfk@fkkf@@kf fk@fk@fkfk@fkkf@fkf FME bN4Aynk"
  2⤵
  PID:4680
- - C:\Windows\SysWOW64\mode.com
    mode con: cols=40 lines=3
    3⤵
    PID:496
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq EasyAntiCheat_EOS.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3180
- - C:\Windows\SysWOW64\find.exe
    find /I /N "EasyAntiCheat_EOS.exe"
    3⤵
    PID:4336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic process where "name='cmd.exe' and commandline like '%run.bat%'" get processid
    3⤵
    PID:4660
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='cmd.exe' and commandline like '%run.bat%'" get processid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4612
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq AutoHotkey.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:4192
- - C:\Windows\SysWOW64\find.exe
    find /i "AutoHotkey.exe"
    3⤵
    PID:4072
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy *.* ..\ /Y
    3⤵
    - Enumerates system info in registry
    PID:308
- - C:\Users\Admin\AppData\Local\Temp\u0Y4ZfNbjZ4PNDNB5.exe
    u0Y4ZfNbjZ4PNDNB5.exe x -pZhd2kZSak8js u0Y4ZfNbjZ4PNDNB5 -o. -y
    3⤵
    - Executes dropped EXE
    PID:5032
- - C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe
    AutoHotkey.exe AsDxzcDAzSDzdD
    3⤵
    - Executes dropped EXE
    PID:4428
  - - C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe
      "AutoHotkey.exe" /f "\\.\pipe\AHKFJHJKBMD"
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2740
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\SR.bat
        5⤵
        
        PID:3964
      - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        6⤵
        Delays execution with timeout.exe
        
        PID:512

C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe
"C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:4104

C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe
"C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe"
1⤵
- Executes dropped EXE
PID:1528

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
3338ad24959e29d414a4151ad7376548

SHA1
7b49b42596647b07323285ace12f4485efbe64ae

SHA256
48d1f68feb99d162be79c949373788492199819dad54e20357202772bfbee668

SHA512
6aba9c690dff0f0ef58ff93494b50dcb596cf748a9972463b466062853714f8e2a01bfc269a246389236708dda36394890f4aa99de558967188b860edd3b4c15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
f6d2796f999b92f4c50dafec472ab222

SHA1
5b7dbd1570618a05c261c17bf1698a165ead967a

SHA256
f1cc61d56c09541f00489fd56829ef25c39e3baead723a4cf9bd0f0f51b06aff

SHA512
5b0e5e00dc9abd8ac7e8823efbace62a1c359db74ee77c5c1052023897a27c866556a031f205d5b3ced034559dc669ca235e748b35c917feec3c4ddcddfb4d81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3HONFD4R\555[1].txt

Filesize
1.6MB

MD5
b18ccc4ba35c0fcfcc2539db58a1f7b8

SHA1
a816018f7996028951178cf89e487cd61e4e5135

SHA256
2da6cc18f9141b09e30bb73e537beb71b7536b680560025d08056329d5dbf2bb

SHA512
e20e5e69e6795fae809a19efa13a90abda1763aabb66f4b32119c96b0719b1c67d50cdccf47aaac1bca804d325b2dcb3d15b9cea0aabb58a5a1f1f0c1da8a6ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4EB17657\run.bat

Filesize
1KB

MD5
0e18b28ad81adbac6d108969a733307a

SHA1
9abd50146b045a771c8d8afea9524a9c5e74323e

SHA256
69dd02b4cc7526d85c16b786ed3a15f6f1d32171db78edd7ed70cf7538957225

SHA512
00d0c7483636fc41b49b57edabcf0990c490bcde5d36788e650727b0c46ec1b54bb4c0c60ef5a8acc523611c797d3b794191f7b0e5436d7a54ffb65ffa82d90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4EB17657\u0Y4ZfNbjZ4PNDNB5

Filesize
651KB

MD5
fa307bb67970ca2b56b9bdc5fd6da356

SHA1
8e39d622ca553305689b1ac901aa0db6ef7d944a

SHA256
81c893ec73fdafa2048a235697b7659237bdff7a1be68c27cbdfde3bc71d8514

SHA512
b3f27bd3414f663548cd65c87479db5dec4224fb1c217a8f3a4b903cc3eaac701a24d874fffd6f7c7d39a844b5f2f073d7ea97e531d6840bfd57832e9d8e5fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4EB17657\u0Y4ZfNbjZ4PNDNB5.exe

Filesize
571KB

MD5
58fc6de6c4e5d2fda63565d54feb9e75

SHA1
0586248c327d21efb8787e8ea9f553ddc03493ec

SHA256
72c98287b2e8f85ea7bb87834b6ce1ce7ce7f41a8c97a81b307d4d4bf900922b

SHA512
e7373a9caa023a22cc1f0f4369c2089a939ae40d26999ab5dcab2c5feb427dc9f51f96d91ef078e843301baa5d9335161a2cf015e09e678d56e615d01c8196df

Download Submit
C:\Users\Admin\AppData\Local\Temp\A9R1vjsq9n_tsw0b0_1m4.tmp

Filesize
9KB

MD5
d80a3d394ccc6789a8af4bb65f90e397

SHA1
b248a6f97e672a3d06750406e677e446426ef05d

SHA256
a9544cd3f648861cc1fa2f2526059f580ba07147c8bee8f5846b49a96f497969

SHA512
1820148a0ae668a3161f163a4219c01efea255df8fee2a64898dcf2dbf85b868bcd8bbd76cc1afc5711b0c56c616a8c22b967d53af651bc3a3d043c915846221

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsDxzcDAzSDzdD

Filesize
38.5MB

MD5
9dfcc32f9b3c4c4189454755893f32ce

SHA1
7de7c51eb46b3c599160596b5def8ec3067b750d

SHA256
1b4122c058b7c92fbff8d89931685dd4a3f33c7840e8f08d1f731c8ab56fe0c1

SHA512
5f4855a7c212d1a9e6bed2e6f8c9bdb99947becfd2ca4d4c6e706f3c08dc69d29e65e07f4c7d8035cf37902886f6d8367805ba19b4423276129e6ddc096714fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe

Filesize
1.3MB

MD5
2d0600fe2b1b3bdc45d833ca32a37fdb

SHA1
e9a7411bfef54050de3b485833556f84cabd6e41

SHA256
effdea83c6b7a1dc2ce9e9d40e91dfd59bed9fcbd580903423648b7ca97d9696

SHA512
9891cd6d2140c3a5c20d5c2d6600f3655df437b99b09ae0f9daf1983190dc73385cc87f02508997bb696ac921eee43fccdf1dc210cc602938807bdb062ce1703

Download Submit
C:\Users\Admin\AppData\Local\Temp\SR.bat

Filesize
94B

MD5
53ccfb1c797f725131f60e69041f0e8c

SHA1
080b61b50f81ed35a302589da181390828505f58

SHA256
d88ab762ffc7c095bb1389ada75fe226ab35f8da533209f646df86f4b91da03b

SHA512
9a0c4e8301871b9754537f86be402356f29de7e2a341799d301487b044bf3066d135ab0c235a1517f9f9598962d10fd46f93a98c7f5c8fec674558b3e138f4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\1\1

Filesize
4KB

MD5
9807bd58f4863eb9d47255c743e28b64

SHA1
9fb42ea45f84df82c4930ec99d18288781c2063f

SHA256
a9f651647cf62afa1425694d23a99d3ccccf7dc62bb03cf859cb76b14cef2e42

SHA512
9f457226d1152ca0b72f349a7debf78c86de93cfad0b4046df9acb3bdc44fee08c3b29e9db38650b344e8c5196846dcd5b604573abf58172605f69f8505aa2fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\1\data.txt

Filesize
5B

MD5
38cca1363531ea990168f56b051baa79

SHA1
db73b0dbcb2b0f737a16f622894cfbfdb33dd678

SHA256
1622c275deffce043f5a9a143b8b3403ef39a2d7ef33cbda80f95c9e08571eaa

SHA512
7fe165b6b2103185dd442ba2f9f0174f2fe67d239b5208eea7d3618785d6b315abc829e2d9bae4f9d15072a3243a1ef77602698b3c06ca948f795d0016cfe8d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\ChangeLog.json

Filesize
104KB

MD5
321273d2a35435c6e3d315a946e60f49

SHA1
2042ce983d20637ca2920e462b100dbed9fb85a8

SHA256
144ccfa91584a738a314e20e90f9496560195afdabed56eb47fed52594b117b8

SHA512
fa2dd0a9dc56eabd1e905c6986c1751c4fe54e5fb42e6146061e30eb3fa5c9dcde0da2540e163f06158ce017c8aa2a6fb3ab12b259892a81c6393b01758205e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\Config — копия.json

Filesize
6KB

MD5
9c13e1287cf02c04671f07cb3130d2b7

SHA1
b8a6c9dbc68265ef58099d25855311ad3acb9681

SHA256
b6862210b9e6dabb85f5b1d4728496f02a02c8c3974d8b724d122c9bb1589b49

SHA512
f40f801f92d24fb53d8657772f3295e113897d388178984bd177ccab539cb2b79dcf7b330e48a3b7602734f337141c931386d35e294f446ae25cca2603ddc870

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\CrossHair.png

Filesize
234B

MD5
5708840c1c245bad73dd6ff689bf74e5

SHA1
cedeeca6fa4c2757dfeeda022d2ba33dce752c6f

SHA256
175c1745cec830354ba7b883e1a6fce77e188d402fbdd45060eb6a045b7b4b33

SHA512
ec25e8d371cfd0f1d890bec7447533ae1b7dddbc83afcdb4cb023ffa2432742e8160920a645726d45d639c847602da25637c30239363ed3b3bd59765122bdd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\Default.json

Filesize
9KB

MD5
9fb9bdd77a0f92df53b8b31508e2a284

SHA1
2332cb923f6e767471bc33af06b51c968f334a0f

SHA256
397197f72cfda35d2714d685b83a90c12aaaa51753a39928ac51ca0612a0f403

SHA512
49927e22ced9f3aca89d6c4a5f7369fc601347568af594711432a488a35ef062c7dec8a0628151e3c6f04d0efcf330f53a7ee9f2df1bc59e732918842149c762

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\Language.json

Filesize
108KB

MD5
085e68e5343db0ca01903a21da11ccb5

SHA1
c5d9bd5f201195e97b4777a2f0d2bcccd7acbee6

SHA256
f5893b48cb61901858971ec677f0d08c855baaafa191dfb7cd98bd60a1cabb99

SHA512
96ca668298750d33ac83a2f5a8f83b9ab82fbbb25ae57a1d53ae0d78644c650cd5e5a0ebc7d994a3ac9824b835850e2436b84e0de149c87e3f743901093be3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\Pro.svg

Filesize
4KB

MD5
528c7edb05d700bc65ab59105e12938b

SHA1
95090c8e4a1e145079ad3a96a6d25f26a1a6165d

SHA256
b2496b7628759b1f61fee470393cb0922e4650a1147818b1fd99c0b5cf9fdb6a

SHA512
839eb0d257bc0bfea35536677a5c4b1d21379b9ac18e46229d7b2730800e495786918152e9adfd47391576d19da97291b0a7d2b5ed5080cbf1cd448108927038

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\background.jpg

Filesize
133KB

MD5
0c4b1730664d42444fdae6c62cf6f6e9

SHA1
bce6c0cae81088bbad4578f68bcfe880024287b9

SHA256
d6d018cb87981e4d69ffac2b135f4e0b54ce3244bb8cb3d54604438fdbd5d52e

SHA512
4c76a912f0bd4448d980736d5ed44c2a55f41aea6f4993a54d776f51dd39b0fdbed0cff5bd7bfd7cc0a99e9ec435f12f05e79ee617bd00ea1ab03257a0cff34a

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\file

Filesize
836KB

MD5
2661a7c22cb9212805824d2fa9e86264

SHA1
2901edb47cb1dcc121fbbe01ee44df63e7af5db5

SHA256
2400eadf0d14d1962d5000d1a562dff7a2d0cc184bfe0673c53afbdc77eeabc6

SHA512
a8634db933d5ca9ace0689fb1d51ac5e0411535efde62949ba240797cd4f34cfc84961356d7a53559da84329732f4e1393decdcfe393d4fe26e003de93c5da87

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\gs.dll

Filesize
121KB

MD5
74c8c5dae54f226ddfd463d5142178e2

SHA1
728a4d28ecb8c81d25677d7415ee1204afe185e2

SHA256
1a064562544e2b975bd5f4bf9f894798b2dd1f77b7864d9ed52d93bf42174340

SHA512
0c92b23b20a01d1f2a57c90a0598683d5a8c3a52489e41527e56bae246904b289481d500f7b4b656bc727eb7d3ce77a8e8dac8b46608f4244f2f4b76d6a4c535

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\gui.html

Filesize
499KB

MD5
a821b6fc4dba557d76488f75e167e5ee

SHA1
f9ab2862dd859a643179c3e5a827e543b80f4444

SHA256
a70c2dcd35f7db1a2b73f1069154dc944e4593f469cd842a0f524853b11ac9a5

SHA512
2ce4d2516bd4674aa0d42c54de4b9e01cb2fe0c8cf924301cf3a967b5236b5cd9c5213625d66bec285ab12810066e1d860d64d13726485466cd91c578902cf32

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\icon.ico

Filesize
139KB

MD5
38c0279563abc2c70f9f288b616c9770

SHA1
eeeab2f77e4aad904186e3dfe2ec65207ef92604

SHA256
e4a941a51c9fd340ad1612b1bd4040d53e6924d5cbe1224b1e09ce8a7d4b8c19

SHA512
1d0fdb93a143dacfb8a4d1f8b56c6da6f353d3061ae79777d78f5be9b0b8670f089186f66491a0ce10f6ccf489ea4ed531f41879756c700e170ff82807fff564

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\jquery.min.js

Filesize
87KB

MD5
b61aa6e2d68d21b3546b5b418bf0e9c3

SHA1
9c1398f0de4c869dacb1c9ab1a8cc327f5421ff7

SHA256
f36844906ad2309877aae3121b87fb15b9e09803cb4c333adc7e1e35ac92e14b

SHA512
5882735d9a0239c5c63c5c87b81618e3c8dc09d7d743c3444c535b9547b9b65defa509d7804552c581cb84b61dd1225e2add5dca6b120868ec201fa979504f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\script.js

Filesize
16KB

MD5
ac1d20da4d518b1c74e7640233a830eb

SHA1
1b113d00d3908815cf9d9d6b7400c686fa4fa526

SHA256
770dac9889a0a3a42bc995385b692630537d2c46e53ba89737a460f12e6edb9e

SHA512
abfbd1185252388af265d28c7ed4918cbd3558793b9af4d1e631684f20adfc1d3d20eb9c00feda362f2644d26d01c2b3eb5905b150ac6bcc1ec3baba513888bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\style.css

Filesize
16KB

MD5
1261a774b4ec34a92439bd3b509c470d

SHA1
ff7cf9d6a21bd79fa24b461a9c04d3d24607fbe6

SHA256
a16846c4021e8c4fbf2a7ee97dc54ead4bad02ad07c8780ca3a3be38bdd16d28

SHA512
5767b44035653d5cb77635d0ca363c1d3023257569252ba459fd05898e88331b80d89c15440e66cd1350cf0e8c144c7135ef24a809ca8ee81d7eedb1262c27c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\swap

Filesize
1.1MB

MD5
3bf06f64e178d8dcf06e25131c0e6d10

SHA1
f6798bbb82581707cef54c2c2aa1fdf6b9578b36

SHA256
7037f6cf83d9164b86c5d614728aea7410ad90971a8aff392d6c62763b0a4d6c

SHA512
7edb72ec103a9f172cb9e35751a126ac3611b17483aade086ff4f25d642c978065cbe947c226b30caac7447bca5295e6233c2ffaed21eb6f8b2c8bcf37e7d56e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
86996cebeb21e68acc47a539b73a9fe9

SHA1
ac6ea55afa33671512fbc2cc725b8b8e1c9fa963

SHA256
79ba8bdef846e51cd7382e40acff760f83226e8580ff272e388974da259c9daa

SHA512
17d3abff4e3c601e6b2cb7793c2f1d20cbf5adf7969f73cf67e5f6396461640d15a08962ee7d3514a7fab7e0efcb1dd8f0e82d98fdb1396c43ba3a57b7af38f6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\a692b754-39bd-4492-bac8-c026d38b7147

Filesize
734B

MD5
b3257ef5404a949c4423e8d208c53003

SHA1
255a231cb2e22b641c74f55e653bbe9ea2c8d263

SHA256
99f5e09b5d209d541a2e0b7f126543c29102a8cc18b9ec7d4d767a180f8aed4f

SHA512
f2632ed95c0c6755d525e9c03e6cc89513e9647458eaca8cb0da75d876947a999eb3f492bab56962fca9ad6c618e32a0b6d888aa55095727022e4ad696371f97

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
6KB

MD5
55c26dc24340a4831f81db764684e6bb

SHA1
e91ebf5f17095f32d88001272ed2db11d61feb43

SHA256
59d31a014ea707499d84a8714f9efa00701c71fc0faa9885ba1dedfae6d3e24f

SHA512
0e195ccf3a956bcc072f7b8d3a3a9d0b5a00d9e3c79c9a18b9337bd1f932f0e22eec2df491d8f9df184543f45d1b65ce7147fab46322604061105abe8b75f503

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs.js

Filesize
6KB

MD5
aa3687ce574496dc5e05b5e65d1cf5c3

SHA1
38abb0780b7f81316788f9db96d3a90e8b45dac9

SHA256
ae75d9ec549d73235b11204bc9774135044f76e085cc44dd859650184fbce2dd

SHA512
bbdfd91037a2439c7d954d320e1f37d436ed2a93928ea36e72c8aa2452bd5623fe493cea31acd6dd7fe3eeb924d8cb5b4d752e283012e8a63a3a52c399e6011a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs.js

Filesize
6KB

MD5
d98f2456c72e01ea39648bc4c56a31de

SHA1
dbadb2dad767cc030140e8727526a5bf96f7d607

SHA256
b49b483b005935790fb727a453500de027fbdd5d41f70ca9c61efc65ff485fa7

SHA512
7a8898964a7bc5d84cbbb3296c9c9c873225a58f1a4239ca21712c16c73e1c60ebd352a14e5272350bed76bfa181c336300dd5a4a4de8d295acecdd6fb621049

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
9922e6e9951501d1901291e63066f02a

SHA1
598de5a25112a82081a46e15fb2d6d42ac5fae8e

SHA256
fe5d581560ddeb7a0b5bad668f2e582431a8135e04cb535ede3a3567dcc6bc5a

SHA512
8240bd21603d7c3c794173e8dd16782895439ccbb6930bdcff4205076564497ff50258f8bbc9f7e2646871b471fae805955b8d8da579b73f168506da4ab3ca14

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
470c13f182c7a90dc7eb2986336b0b80

SHA1
8f0b69d763c6b1b4bb3e042234b7fbde0042b10c

SHA256
e5daf2f2c63f00e9c498f34a270951cc9dfa479084a42100bbc3f45ac8ac6d64

SHA512
2cc7836a9ef4bd22be8bb000564ad03c1e24b11dabc1e971964509566fa5cf8f62105dede81bbae6ad8db825da0cd7ea3fc26f6504dab1b9097a4bf89a0c649b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore.jsonlz4

Filesize
4KB

MD5
ca0307e4f1c0450e8ad5eee39517904b

SHA1
afcecc61ab4a13622521c3842cbe6c73173a7878

SHA256
8c9b083a561bb50886dcd38c1140c4393d73de76abc3f45c55da619251aa34d4

SHA512
a8205eb75756c9f406d1f4e4248c3ab6b6a36b6354bcc745fdacd48ca765a0dfd1bb6731ab881e0f82e8d8920a60f9ac36d5a6e9e10cb8dbb403a34a464d6b59

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
0ed2663971e8051b2bcb574926400fa8

SHA1
467756bf41c377bdb07c8be10d5391f1df1d80a7

SHA256
0c44c9887ebd30506041e4f483422673660df0b74c7468b0cab2c69bee1f4e8c

SHA512
e521f02d0a4dc70e3bb33747c5113c76f18f15b4370826ef13700c4f559c8b158ed1d8ef79d7d88794bfea61496a75d653237391f2f8b5e53d8574a21f113898

Download Submit
C:\Users\Admin\AppData\Roaming\test.txt

Filesize
2B

MD5
23b58def11b45727d3351702515f86af

SHA1
099600a10a944114aac406d136b625fb416dd779

SHA256
6c179f21e6f62b629055d8ab40f454ed02e48b68563913473b857d3638e23b28

SHA512
16b7aa7f7e549ba129c776bb91ce1e692da103271242d44a9bc145cf338450c90132496ead2530f527b1bd7f50544f37e7d27a2d2bbb58099890aa320f40aca9

Download Submit
memory/1528-469-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1652-287-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1652-250-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/2740-468-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download