1abbb6ed4cdef215f7666560470a4f9eac8abc5e2541e6c074a10db2fdf4d7a4

Analysis

max time kernel
590s
max time network
589s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2024 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

@echo off.bat
Size

869B
MD5

9992016ee31a07af2703ac34249d0294
SHA1

f5772e53b0b382faf40eb693902b4ee3ccbe91cc
SHA256

1abbb6ed4cdef215f7666560470a4f9eac8abc5e2541e6c074a10db2fdf4d7a4
SHA512

e2c42705c535cc4dd7f8f64d83db01aa05b974ebad7d4afc07ba0c726f5c1be7f984d48182e9262a2fcb7d4da0185ce91fb1c3873aa7eaafd4ca22a61bba4645

Score

8^/10

microsoft defense_evasion discovery phishing

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
4116	wget.exe
5376	wget(1).exe
5620	wget(1).exe
1984	wget(1).exe
3548	wget(1).exe
516	wget(1).exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Detected potential entity reuse from brand MICROSOFT.
phishing microsoft

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\wget.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\wget(1).exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wget.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 47 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	SystemPropertiesAdvanced.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	SystemPropertiesAdvanced.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	SystemPropertiesAdvanced.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	SystemPropertiesAdvanced.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	SystemPropertiesAdvanced.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	SystemPropertiesAdvanced.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	SystemPropertiesAdvanced.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	SystemPropertiesAdvanced.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	SystemPropertiesAdvanced.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	SystemPropertiesAdvanced.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	SystemPropertiesAdvanced.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	SystemPropertiesAdvanced.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	SystemPropertiesAdvanced.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	SystemPropertiesAdvanced.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	SystemPropertiesAdvanced.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	SystemPropertiesAdvanced.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	SystemPropertiesAdvanced.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	SystemPropertiesAdvanced.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	SystemPropertiesAdvanced.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0100000000000000ffffffff	SystemPropertiesAdvanced.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	SystemPropertiesAdvanced.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	SystemPropertiesAdvanced.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	SystemPropertiesAdvanced.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	SystemPropertiesAdvanced.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	SystemPropertiesAdvanced.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	SystemPropertiesAdvanced.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	SystemPropertiesAdvanced.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	SystemPropertiesAdvanced.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	SystemPropertiesAdvanced.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	SystemPropertiesAdvanced.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	SystemPropertiesAdvanced.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	SystemPropertiesAdvanced.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	SystemPropertiesAdvanced.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3350944739-639801879-157714471-1000\{0A93FAA9-4083-4A10-AC7F-DD3F7784267B}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	SystemPropertiesAdvanced.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	SystemPropertiesAdvanced.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	SystemPropertiesAdvanced.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	SystemPropertiesAdvanced.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	SystemPropertiesAdvanced.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	SystemPropertiesAdvanced.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	SystemPropertiesAdvanced.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	SystemPropertiesAdvanced.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	SystemPropertiesAdvanced.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	SystemPropertiesAdvanced.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\wget.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\wget(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\wget-1.21.4-win64.zip:Zone.Identifier	firefox.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
552	rundll32.exe
5264	SystemPropertiesAdvanced.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	firefox.exe
Token: SeDebugPrivilege	2980	firefox.exe
Token: SeDebugPrivilege	2980	firefox.exe
Token: SeDebugPrivilege	2980	firefox.exe
Token: SeDebugPrivilege	2980	firefox.exe
Token: SeDebugPrivilege	2980	firefox.exe
Token: SeDebugPrivilege	2980	firefox.exe
Token: SeDebugPrivilege	2980	firefox.exe
Token: SeDebugPrivilege	2980	firefox.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe

Suspicious use of SendNotifyMessage 46 IoCs

pid	Process
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe

Suspicious use of SetWindowsHookEx 46 IoCs

pid	Process
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe
5264	SystemPropertiesAdvanced.exe
5264	SystemPropertiesAdvanced.exe
5264	SystemPropertiesAdvanced.exe
5264	SystemPropertiesAdvanced.exe
5264	SystemPropertiesAdvanced.exe
5264	SystemPropertiesAdvanced.exe
5264	SystemPropertiesAdvanced.exe
5264	SystemPropertiesAdvanced.exe
5264	SystemPropertiesAdvanced.exe
2980	firefox.exe
2980	firefox.exe
2980	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 2980	4648	firefox.exe	91
PID 4648 wrote to memory of 2980	4648	firefox.exe	91
PID 4648 wrote to memory of 2980	4648	firefox.exe	91
PID 4648 wrote to memory of 2980	4648	firefox.exe	91
PID 4648 wrote to memory of 2980	4648	firefox.exe	91
PID 4648 wrote to memory of 2980	4648	firefox.exe	91
PID 4648 wrote to memory of 2980	4648	firefox.exe	91
PID 4648 wrote to memory of 2980	4648	firefox.exe	91
PID 4648 wrote to memory of 2980	4648	firefox.exe	91
PID 4648 wrote to memory of 2980	4648	firefox.exe	91
PID 4648 wrote to memory of 2980	4648	firefox.exe	91
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 4548	2980	firefox.exe	92
PID 2980 wrote to memory of 2400	2980	firefox.exe	93
PID 2980 wrote to memory of 2400	2980	firefox.exe	93
PID 2980 wrote to memory of 2400	2980	firefox.exe	93
PID 2980 wrote to memory of 2400	2980	firefox.exe	93
PID 2980 wrote to memory of 2400	2980	firefox.exe	93
PID 2980 wrote to memory of 2400	2980	firefox.exe	93
PID 2980 wrote to memory of 2400	2980	firefox.exe	93
PID 2980 wrote to memory of 2400	2980	firefox.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\@echo off.bat"
1⤵
PID:4888

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {04dd65b4-02da-459e-b84a-20e7e5a36eb1} 2980 "\\.\pipe\gecko-crash-server-pipe.2980" gpu
    3⤵
    PID:4548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2424 -parentBuildID 20240401114208 -prefsHandle 2416 -prefMapHandle 2404 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee82d19c-c78f-469e-8265-5ed0d98b27fe} 2980 "\\.\pipe\gecko-crash-server-pipe.2980" socket
    3⤵
    - Checks processor information in registry
    PID:2400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3152 -childID 1 -isForBrowser -prefsHandle 2772 -prefMapHandle 3136 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {067847cd-5747-47e7-906e-347a15f03f93} 2980 "\\.\pipe\gecko-crash-server-pipe.2980" tab
    3⤵
    PID:4760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2900 -childID 2 -isForBrowser -prefsHandle 3724 -prefMapHandle 3720 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2df67e1-f172-48a2-b3a2-56f036e26eae} 2980 "\\.\pipe\gecko-crash-server-pipe.2980" tab
    3⤵
    PID:1676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4496 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4520 -prefMapHandle 4512 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fb4ea80-4a1d-42e6-a5ee-79634589f7ec} 2980 "\\.\pipe\gecko-crash-server-pipe.2980" utility
    3⤵
    - Checks processor information in registry
    PID:968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -childID 3 -isForBrowser -prefsHandle 5496 -prefMapHandle 5464 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5048f33d-2b5f-4f91-9a9d-1621c82b28ab} 2980 "\\.\pipe\gecko-crash-server-pipe.2980" tab
    3⤵
    PID:4976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5736 -childID 4 -isForBrowser -prefsHandle 5656 -prefMapHandle 5660 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {caae30d6-9637-4d9c-8c2f-abed5dc82e15} 2980 "\\.\pipe\gecko-crash-server-pipe.2980" tab
    3⤵
    PID:3280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5912 -childID 5 -isForBrowser -prefsHandle 5852 -prefMapHandle 5656 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c86234cc-0fc1-469e-b499-98ae3467ca21} 2980 "\\.\pipe\gecko-crash-server-pipe.2980" tab
    3⤵
    PID:100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6256 -childID 6 -isForBrowser -prefsHandle 6236 -prefMapHandle 6248 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {613253c0-ac06-4684-b0f0-b8881eae75fc} 2980 "\\.\pipe\gecko-crash-server-pipe.2980" tab
    3⤵
    PID:1764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5528 -childID 7 -isForBrowser -prefsHandle 2972 -prefMapHandle 6208 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c8e2600-1b3f-414e-9ac8-b1db6c6a47c1} 2980 "\\.\pipe\gecko-crash-server-pipe.2980" tab
    3⤵
    PID:5108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6440 -childID 8 -isForBrowser -prefsHandle 6116 -prefMapHandle 5696 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56c64bee-d38e-4455-9331-44352f07ee57} 2980 "\\.\pipe\gecko-crash-server-pipe.2980" tab
    3⤵
    PID:4360
- - C:\Users\Admin\Downloads\wget.exe
    "C:\Users\Admin\Downloads\wget.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4116
- - C:\Users\Admin\Downloads\wget(1).exe
    "C:\Users\Admin\Downloads\wget(1).exe"
    3⤵
    - Executes dropped EXE
    PID:5376
- - C:\Users\Admin\Downloads\wget(1).exe
    "C:\Users\Admin\Downloads\wget(1).exe"
    3⤵
    - Executes dropped EXE
    PID:516

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:5512

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6008

C:\Users\Admin\Downloads\wget(1).exe
"C:\Users\Admin\Downloads\wget(1).exe"
1⤵
- Executes dropped EXE
PID:5620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:5820

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" sysdm.cpl,EditEnvironmentVariables
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:552

C:\Windows\system32\SystemPropertiesAdvanced.exe
"C:\Windows\system32\SystemPropertiesAdvanced.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5264

C:\Windows\system32\SystemPropertiesAdvanced.exe
"C:\Windows\system32\SystemPropertiesAdvanced.exe"
1⤵
PID:4376

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:3968

C:\wget\wget(1).exe
"C:\wget\wget(1).exe"
1⤵
- Executes dropped EXE
PID:1984

C:\wget\wget(1).exe
"C:\wget\wget(1).exe"
1⤵
- Executes dropped EXE
PID:3548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\80CX5DO4LAL8CPSBWZBV.temp

Filesize
20KB

MD5
617a2cd548784b92c5902fa812c9297b

SHA1
376738be4a31947d6fc7a35200be727d2eff0bc0

SHA256
fa0e7c449fa8ec649803c9a309e5ae79939fc97f1d5f8c31640b44ad9989b4b0

SHA512
c2c093a3291dd8053ce61ea699667fec1964f4ff330c916f296d42df0d366aec54cc5deedcbf5245b9826fa7cf871283f3f0337e590aef00a3b5b9e9b906beac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin

Filesize
6KB

MD5
e9f0aa108856577c1fb0bd342dde2b76

SHA1
0acfb92d7fd584cc4118d79226ad1594ae6f91df

SHA256
e085357d799c95a9158e98f6e5ae8fce75f065fbaa77694b5396abdfd444ab81

SHA512
e9980355955cfbbb6f5e9d18baa9eaa4a8526163063c11601e537f75d28202bbc9c5a9c57978f39a73598ee0dfd64c8f74460e797394e44eea03a56a22b69f51

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin

Filesize
12KB

MD5
cfa33855110b154c2b50fc135f8ec50c

SHA1
fa1f90459cb9d283800dc8ac35299c56d823a50e

SHA256
43aecf2e848bf46b047612de87f63e6f158eca5b4f88627ae88870e75f61a275

SHA512
505caeb6a24b94fca5e8102c08b04340f9a8a7245b01e8a60c2f162361a1a4cf2ae5fa3ff8630d2ce1b924ff564c8fa2b2548f314130fa5adb468990c1310eeb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
5c7a0cbbec43b900bdade1a6a230de4d

SHA1
9688b0a6f68c630b07bb04a13efc177736fe54da

SHA256
0ed1c8bab7f0b578d39159f326db8fe311f7651751d50528c573097c6b754e54

SHA512
57ed78fe9920f8cd5a57a9d4b607ad05335cf8b943ea1ad395d7a95035c065c6afcbbfd1ff70fd5d10cccc8dd3e10761c71f521b51f10e3acf9fac0e78c3c481

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp

Filesize
37KB

MD5
1c09e543deb5296403beb448e061dd6c

SHA1
e04192a256848869bd5d8545ff5034b682ef46b3

SHA256
d4e46284c11256b5401f8a7856702e8af1bb4e85315128f8ec2519c535b2696e

SHA512
e12deb1517abd1b5b63c16a5bef733b521e9b7e79f7193b4e8913c90a18d3bb36eb4764306cdb87c3cace1f2c9d656b83388b20ecaf5e710be48f142794befd1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp

Filesize
55KB

MD5
95a49b8d84d99f84e27b8909f539fd58

SHA1
67fc5c6717c9cc090cdefad424bc66edee7e83f2

SHA256
4de135840be410a61adff7d8919597b94d814015c94e71b6d782406081b84504

SHA512
b94bf00ed1f5af6e08c77ba5f8add99aa2007b7341e3718e12e6809e85901f7b5498716746d880573da262e7e3cac6193762bf472392623d191b1eb2aadac2a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp

Filesize
39KB

MD5
b44313aa90ef28a359cfceede16bd344

SHA1
2d3b82c326de61e88462b2d14d341e766539498c

SHA256
1ea636b33fcbcd0622cb75259b741a790f7796ab7a84e6a85233c6f74ec026ba

SHA512
4ac7240dd3cd12c922fdfa9952c56db498b87974e71b79fe480c67db8a01fff31765bef64e96d19098d00698c51af70b55de111ecd4fb6003197b5f3f591709b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\4631d12f-2780-41f0-9982-dc31ffac7a1a

Filesize
671B

MD5
c9b8868b1c84dae7959f92d08065ca52

SHA1
f7bd496d50c2795905bf74a0da88f255fb435f47

SHA256
f38fd37860dcbee455307208c7dfa2f2c47f894bcc8ebeb3945191971064e795

SHA512
6194809d512fb0d6f0b25bf00832ed255e9b68e7a269505fd91ab22fa483ff114bf6a7197c408b99d20edf283fec30ce9e2cfbe440bdd1f163ad47531493c2f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\54e0de35-8f50-416e-bf85-bd26a6a1fec4

Filesize
26KB

MD5
ed48efe7a6085bb3fcee6a7b16e22303

SHA1
5c960f37d2309e94e226c77fa2b6425b7e54ff02

SHA256
055b2f9ddb28429aac1a20dc4e5f09804ed156c2584f9c62f0e5f93316c8fee7

SHA512
5418b99ce5a59569ab15d1b239c212d84f57eeb3bebf9d8a105edf481c8f8ebff4132ae9edca98cda5b338de4688bb2fcff98a7094eb1cb6b6adff58da4c6033

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\64d31aa1-c81f-42f3-aef1-263a2b62d1cb

Filesize
982B

MD5
f95facc85414fa44dc3e089b8fdb5e98

SHA1
dd16e41e14c3bf503829f18c7b701efd0e18395e

SHA256
83bfd1607d87c63073e25d29bd2e360414928ce4e46d2d7b3eee0b4216d44644

SHA512
622b85f802d980a4a7307f6838b1b87ab2de14d30341f98448c36bd44b1db5044338a07fce3c5319cd7192d40bc031bc91912334b31fb8a71fb7555c5278ff94

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\89c8c477-f636-4039-ad3d-1f8cfef0263f

Filesize
9KB

MD5
5ca83980e93e6d37a6b63c41c4a6ca61

SHA1
0999901f5f9dfee673d249ed07ed7a0bf05bf91f

SHA256
bd4ba54bfb1d4954b453dd1c239c9602a17c298d8babc4fa6c5c352eebcbbd65

SHA512
df4ef6c5a0f78530afa94e6fb3bc9a2f5f32157b5413e5443ec3ac236a36bc82b6a733ac6512c6a4e941ff898e82be7c9d6fae67a605ddf883ba04e5c09b389a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs-1.js

Filesize
10KB

MD5
de8450649829a5551d5f39afaf3e33ee

SHA1
6603027ee037e0e39ea6d4b1c3efd90f54157727

SHA256
edffd0dccd7b97c70a13f690194b6049b82aa3a7d737184736741b3c4e592143

SHA512
87f1e038a1618b0d674a7bd447b4b28941b399f4391a128d4bea7e62ba3784df32cade1fddee69b5e3103e5b69fce4e6f6721d3fb44ac4208155d6545b16c14f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs-1.js

Filesize
12KB

MD5
5bc0f7cc21ab326f98a14fd7fa2e5039

SHA1
4d00b3103d26cb08aad288f4db3a35ed640b68eb

SHA256
644832ac0a24f7b1689f3e7d31347242bdaf31eedbbb83717449d113570bab46

SHA512
e9bcbd25bf7382eaed1d315deb31eee7557cbd3fe59464ecfef6648a1960dac27bbdc4e8162a33c8d65b666922a93dcf3ebfa0b45757fd3b6d4ac3c911f095a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs-1.js

Filesize
11KB

MD5
02d7ce1ddb9e01cf5c03cadd2486f73f

SHA1
39ca0b1bd4040f81308c01008a025f3af5b9180e

SHA256
57a0ddf6732c1cdd989b2f31e73fb02e6d2eb41b38ab20c20b454eaaf549886d

SHA512
422d4161ccdd16b934fa28d1b35e67021043ad390c8de0b5ad8a537b3795e32bc68c7f118d89342b95cb06d78843c6b83d54c47fc2b6bfd8572ea5948c6e54f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs.js

Filesize
10KB

MD5
c88df71b179c9c1d2d044f085e0ffaf9

SHA1
ee5164dc95b28c543a04be00d37067b9b0a9e89d

SHA256
bd5b4739c16a211964b8a8cf82d9217330d936ea98e82e349dd6e63d823dccac

SHA512
80d27e6dc35aafdc1b95f8d3f0817dc2f3f2dca62386e76211816ec172324d0b3501333d373718ab80bfb33dc41708795522b741e93c8fa88b72168bf1ef4078

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\sessionCheckpoints.json

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
737b68283a24a7f25f733b6a05975fa8

SHA1
0277b61cf790d412364f3a0ce19eaeb6b19b08bf

SHA256
4dd0216cf413ab0739e257b0339067b68eb45b43d0766124758eb0a6df6efd0f

SHA512
a8682965ef93f5db57f21d2d95d1ab9abb006bd0700d0d353262bdecb1b0883708328c4dcc04b0dd1d2e589b81f9a72d3438785e2a78a87c90c924322e0eca78

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
802a7f182d38e475794d1f60a098cc35

SHA1
258e1b645cdab583cd56b50061c780268d06922a

SHA256
377e5409d23b928df54e79e40cdfe56326e257ad5981c8398bef35ccfbd53821

SHA512
e8dbdda5d20950ad82bcb784f3b12630b3fb54baca6d454879317bb0a83129c5c8b6f2fe1cc6875b3e280f5c21803f98d5281718cd978225e316d92ed853fd50

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
c9c2617d47f79f2a120167e0e8ece512

SHA1
f7dc46ee8e79d8c20c7faf8b98b6f615ab02629a

SHA256
b54e968c8a15d6ed22cc26e1ba251b0ead48461dc87d76779fb74006a15f4cf9

SHA512
7fd6507d4a1fbf93f03a4cd3e9886793832622c7fe2ed58f8b258b47f51a384c1d3cd2928f99c08ce6431f0c744475f7cd1310a506adcda0fbea06b26f62fcd9

Download Submit
C:\Users\Admin\Downloads\wget(1).DVjtPNjL.exe.part

Filesize
4.7MB

MD5
695378debce1b312f353f84c11cb4629

SHA1
d0c48530c7cf2141cf3aff229a337d69769efa7e

SHA256
f595e2e53680ba2937ac48708bc24e6fb5ff6b6fb97d60eb5040bf073ad933bf

SHA512
ac388b401b6c8c41a32da2a346671393f64cafd48faab6f64b809d9dbf4cc272c87e05c1ed67715c924bca74728a1ee72cb524aee52ce118f1a912cbce169fde

Download Submit
C:\Users\Admin\Downloads\wget(1).ORoRXtKq.exe.part

Filesize
6.7MB

MD5
a46e3aa0154ceb8dda4336b97cce4440

SHA1
ed2610991165afc5677069372af7e900b772a94c

SHA256
6136e66e41acd14c409c2d3eb10d48a32febaba04267303d0460ed3bee746cc5

SHA512
a1ef21ea4b3a93fcca5dcf796d851082ea611a066a0f5b8582b4a4c63d58d8476cf859ac8f69a8e5effe68115cf931afbe26912b7043c6e4975899124fb233a1

Download Submit
C:\Users\Admin\Downloads\wget-1.b3GBo3cM.21.4-win64.zip.part

Filesize
5.1MB

MD5
485f26a84092437fce23f9ee08deeb53

SHA1
429c9fbf5f1c8727217957f0c9a259e7416bf960

SHA256
7b0addf04edd370307aa6005f0c08a171a319cccd4403663daca5478860b3056

SHA512
a7e520765eb7dbfbf813d07609edc9addd58118943333cdffcc7691656dcfa7fb5c4fce847e98bed0c16f671bba528d30862ce7aa5a451110e154c8520c5b0de

Download Submit
C:\Users\Admin\Downloads\wget.pqGe3IC8.exe.part

Filesize
6.2MB

MD5
f2d3e44afa5cbbbf41ecb3a87066cbf2

SHA1
7be54d798b696c1ecb0999c47fdb24fb2d2e9827

SHA256
7c722c4a25a26f7179027b1323ed8e291c48365c6f87345e61ee8d5ebd2e5ba0

SHA512
b6f661280dfdd1cebf696d8cdb51763eac79d073eb13b7ef5cde76130ccc54b2e1705969fe15f11225233e747c8ffae516a3b402410582186daa838264c6b80c

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
memory/516-822-0x00007FF665C80000-0x00007FF666148000-memory.dmp

Filesize
4.8MB

Download
memory/1984-791-0x00007FF708F10000-0x00007FF7095DA000-memory.dmp

Filesize
6.8MB

Download
memory/3548-793-0x00007FF708F10000-0x00007FF7095DA000-memory.dmp

Filesize
6.8MB

Download
memory/4116-599-0x00000000007A0000-0x0000000000DEA000-memory.dmp

Filesize
6.3MB

Download
memory/5376-648-0x00007FF7FE9C0000-0x00007FF7FF08A000-memory.dmp

Filesize
6.8MB

Download
memory/5620-650-0x00007FF7FE9C0000-0x00007FF7FF08A000-memory.dmp

Filesize
6.8MB

Download