16a58ca32a6575dfe91423f6844b1183ba35b8be1cf211773f09b230f1bd5102

Resubmissions

30/08/2022, 13:11

220830-qeyfnsaha8 8

22/01/2021, 10:07

210122-7vwcckmmtj 8

Analysis

max time kernel
98s
max time network
117s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
30/08/2022, 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
Size

149KB
MD5

fdbd0ccb8d0bea52f95cedb51c3de9e9
SHA1

d6fa30eeb170c70fc3892429df2872372b3cef48
SHA256

45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e
SHA512

3457221f4ef4e0e79f694f89b30c36fe731037f1565aae49d9b0bb151c6e50fb0523c0f7a82ba333726bd2f9822561e3ee794bacc1e8f052ea9a3a7d5bcbe3d0
SSDEEP

3072:eAcG8oobbLSSqECI35X/9lvo+0cgz29F/LNDUf09chfEVn:eAh8oUKSqEB3p/fo+Igdi

Score

8^/10

persistence ransomware spyware stealer upx

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\InvokeAssert.tiff => C:\Users\Admin\Pictures\InvokeAssert.tiff.cnh	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File renamed	C:\Users\Admin\Pictures\JoinComplete.tif => C:\Users\Admin\Pictures\JoinComplete.tif.cnh	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File renamed	C:\Users\Admin\Pictures\ReceiveCompare.tif => C:\Users\Admin\Pictures\ReceiveCompare.tif.cnh	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File renamed	C:\Users\Admin\Pictures\RenameResolve.png => C:\Users\Admin\Pictures\RenameResolve.png.cnh	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File renamed	C:\Users\Admin\Pictures\WaitTest.png => C:\Users\Admin\Pictures\WaitTest.png.cnh	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File renamed	C:\Users\Admin\Pictures\DebugUnpublish.crw => C:\Users\Admin\Pictures\DebugUnpublish.crw.cnh	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\Pictures\InvokeAssert.tiff	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File renamed	C:\Users\Admin\Pictures\ExportResolve.crw => C:\Users\Admin\Pictures\ExportResolve.crw.cnh	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2900-115-0x00007FF611FC0000-0x00007FF61202D000-memory.dmp	upx
behavioral1/memory/2900-117-0x00007FF611FC0000-0x00007FF61202D000-memory.dmp	upx
behavioral1/memory/2900-180-0x00007FF611FC0000-0x00007FF61202D000-memory.dmp	upx

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3844063266-715245855-4050956231-1000\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Public\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msmgdsrv.dll	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-20_altform-unplated.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSmallTile.scale-400.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\ui-strings.js	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.base_4.0.200.v20141007-2301.jar	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1CORE.DLL	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Resources\TopicPage\Images\playbutton-rollover.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\Rename.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-oob.xrm-ms	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libspeex_plugin.dll	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionLargeTile.scale-400.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\fi_60x42.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\uk-ua\ui-strings.js	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\EVRGREEN.ELM	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OneConnectLargeTile.scale-200.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Dark.scale-400.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-60_altform-unplated.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\mask\1d.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\WinStore.Entertainment.Mobile.dll	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.24123.0_x86__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_32	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Light.scale-300.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\LinkedInboxSmallTile.scale-400.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ro\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_mms_plugin.dll	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\Square150x150\PaintMedTile.scale-125.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\ba_16x11.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\AccessMessageDismissal.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-white_scale-100.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6701_20x20x32.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.common_3.6.200.v20130402-1505.jar	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-phn.xrm-ms	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-mac.css	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\da-dk\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\decora_sse.dll	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-oob.xrm-ms	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\Popups\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-gb\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fr-fr\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hr-hr\ui-strings.js	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\autumn_background.jpg	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\_Resources\5.rsrc	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\cs-cz\ui-strings.js	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Tournament\CenterBackground.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXE8SharedExpat.dll	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-oob.xrm-ms	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File created	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\MedTile.scale-125.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.targetsize-60.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Speech\en-US\tokens_enUS.xml	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\WinStore\Resources\Assets\RT_Icons_Spilt_16.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\css\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\2717123927\3950266016.pri	explorer.exe
File created	C:\Windows\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1720	2744	WerFault.exe	26
2180	2224	WerFault.exe	77
2652	2224	WerFault.exe	77

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	64	firefox.exe
Token: SeDebugPrivilege	64	firefox.exe
Token: SeShutdownPrivilege	2224	explorer.exe
Token: SeCreatePagefilePrivilege	2224	explorer.exe
Token: SeShutdownPrivilege	2224	explorer.exe
Token: SeCreatePagefilePrivilege	2224	explorer.exe
Token: SeShutdownPrivilege	2224	explorer.exe
Token: SeCreatePagefilePrivilege	2224	explorer.exe
Token: SeShutdownPrivilege	2224	explorer.exe
Token: SeCreatePagefilePrivilege	2224	explorer.exe
Token: SeShutdownPrivilege	2224	explorer.exe
Token: SeCreatePagefilePrivilege	2224	explorer.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
64	firefox.exe
64	firefox.exe
64	firefox.exe
64	firefox.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe

Suspicious use of SendNotifyMessage 11 IoCs

pid	Process
64	firefox.exe
64	firefox.exe
64	firefox.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
64	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 64	4460	firefox.exe	68
PID 4460 wrote to memory of 64	4460	firefox.exe	68
PID 4460 wrote to memory of 64	4460	firefox.exe	68
PID 4460 wrote to memory of 64	4460	firefox.exe	68
PID 4460 wrote to memory of 64	4460	firefox.exe	68
PID 4460 wrote to memory of 64	4460	firefox.exe	68
PID 4460 wrote to memory of 64	4460	firefox.exe	68
PID 4460 wrote to memory of 64	4460	firefox.exe	68
PID 4460 wrote to memory of 64	4460	firefox.exe	68
PID 64 wrote to memory of 5008	64	firefox.exe	70
PID 64 wrote to memory of 5008	64	firefox.exe	70
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4396	64	firefox.exe	72
PID 64 wrote to memory of 4620	64	firefox.exe	73
PID 64 wrote to memory of 4620	64	firefox.exe	73
PID 64 wrote to memory of 4620	64	firefox.exe	73
PID 64 wrote to memory of 4620	64	firefox.exe	73
PID 64 wrote to memory of 4620	64	firefox.exe	73
PID 64 wrote to memory of 4620	64	firefox.exe	73
PID 64 wrote to memory of 4620	64	firefox.exe	73
PID 64 wrote to memory of 4620	64	firefox.exe	73
PID 64 wrote to memory of 4620	64	firefox.exe	73
PID 64 wrote to memory of 4620	64	firefox.exe	73

C:\Users\Admin\AppData\Local\Temp\45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
"C:\Users\Admin\AppData\Local\Temp\45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2900

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:64
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="64.0.1234768380\1453114454" -parentBuildID 20200403170909 -prefsHandle 1528 -prefMapHandle 1520 -prefsLen 1 -prefMapSize 220115 -appdir "C:\Program Files\Mozilla Firefox\browser" - 64 "\\.\pipe\gecko-crash-server-pipe.64" 1596 gpu
    3⤵
    PID:5008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="64.3.1425775769\443615701" -childID 1 -isForBrowser -prefsHandle 2268 -prefMapHandle 2264 -prefsLen 122 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 64 "\\.\pipe\gecko-crash-server-pipe.64" 2272 tab
    3⤵
    PID:4396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="64.13.682330018\527308496" -childID 2 -isForBrowser -prefsHandle 3504 -prefMapHandle 3500 -prefsLen 6904 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 64 "\\.\pipe\gecko-crash-server-pipe.64" 3520 tab
    3⤵
    PID:4620

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2744 -s 7344
1⤵
- Program crash
PID:1720

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2224
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2224 -s 1884
  2⤵
  - Program crash
  PID:2180
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2224 -s 1884
  2⤵
  - Program crash
  PID:2652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3844063266-715245855-4050956231-1000\desktop.ini

Filesize
129B

MD5
abc36610b0e3562732c77d4b31aa1666

SHA1
8c58a039c15f9c457d18db597e7a0142c80c613d

SHA256
c8a1363f87636a027fa747c4830e157d86fbd7dd55fb4c6c59ec92e104b74e05

SHA512
fd45bc9f759186592e62e13d1e704c7d7350d1b1d902bd380b084ca4df105aa9e9a047ed070b109f9ef5f095dd2b7bbcd201741b216f21a2f470a84e4cebd7cf

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.cnh

Filesize
580KB

MD5
cdbee8b4bf24e4d2f4ea769950a80d61

SHA1
5e31afb48e4cf75e9b6fbdd4e354e5ee0d768322

SHA256
48c67dc4ea4f9ff33e30a5d14f0b2dc420dc34e9bedf33421b43ad005ebc560a

SHA512
d4523eb501949c1d6998ec392500ad80ece5085cc7ea599d44202bd9ca944dfccb73964810d5cc9b45f4ac13ccbf88222547a674801810bf2ad99ad6097ca7d2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\07B06E968958420E4467342EB42E42161554AA93

Filesize
29KB

MD5
5d042b7d09714b92e4ac7a9bc93b639d

SHA1
97969c9d1278a9940ea57de1cb9d0c0c1e9d221f

SHA256
c6d36f95f591b6bf01800778f66d9e5721bdfeab945adb9f98f4392dd31bbcb9

SHA512
461427a68676b301019cd8982651bd8d39c1be7e402eeac383a8c6e392e1418573c27f7992da21d179dad4383fd3d6e82f971631bc979d456e8cf32f90cc0f0d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\07E6427B1D627AF848C49D53621FE07263DC782B

Filesize
10KB

MD5
12be3ba6dfd57b6baff058fcb12e8b52

SHA1
ea99b32979a12f91f67aa0349b09b6618d60332d

SHA256
36adb56dabd4018376d53bf99ff945e184186987ab66b70594f14ff3353161d6

SHA512
66647b8db7fcf2b07a444646e053dbdd1533d7abeab80053689917754359d571f9124b0602fa0c78ea39b38c04bb26b86853ad904418f34c713d2dd8b62d56c5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\08C3E2E01964C091906EC513D2DC3445A376F258

Filesize
114KB

MD5
f480468df576b2e3f8ab0b00d3417341

SHA1
db5b2fd5e92ddcc447c7bab5878afb8029d87585

SHA256
9a60de5ff16fe6125530994d863ed765f1e04521bbe106e3489fa5257411f693

SHA512
bcdefe66e1142575572e6099daf6432a1ff9261812e64f45528f3a4b58bf6ffbcc65f42ac25401479d741f12b5e6346bd3f0b9d779c597baca6410ac0473cc55

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\09A96523C52479AB223534DB248833C702FF527C

Filesize
10KB

MD5
f66e8165b4a1bd4ae4846d8134bd6473

SHA1
5aed779794ae27cde98476c31c1f41bd8c0220be

SHA256
4623559e9b9c0d65b8345dba083db0ee3b78d1642991df7245b8de8b384a1100

SHA512
549c5aed43f2583026ca8a6d318de47661c2857054bc17ef18dc24a6467920dd2781e207abe6b2f8f87f3257659b49975f4f6dd768f790a187c72e2425cb15fb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\110444F16F5AAD68DBD2A40C58D06192F57E7671

Filesize
9KB

MD5
eccb5e5c3a3baedcfda2d3f26a86c307

SHA1
77bc6ab48a1d0f4c4c17f758c64e15101f86941c

SHA256
d4b3da154a78e4fa58a22cdbe1831e4d50ca6411dad833fe870879914f6487ad

SHA512
5edefb67dc294d845568b4e3873af2cd63263d9c2b12c4876c2a3412625ed8a3eb1507d40c01034f225fbeb2fdec959f255201e37e4ddad9b195dff942ff1621

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\1EBF72A3441AB46111A7F0639E59164C7F0E38E8

Filesize
9KB

MD5
fffabe83e4df3e995a09cfac27314add

SHA1
e4da345c34a7f78c129242a908493c2491a9c714

SHA256
266a9ba5381c7722e864226200a3a85dcac5efc8bec88b786d488dab9e2832d8

SHA512
a46f09db195ec01d0d5e221f6ed8da08f499bc9bda4a5d67b836c38db6a13e6305531c2839e58d65f4779a2227a80b06cd7bcb46aa19b3fa53b1c31b2bdba67c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\2520EEDE3C0AC3111CE7AA19EDE48E81574563D2

Filesize
34KB

MD5
db4751fbb3f28be2bce71ba234c78937

SHA1
cff9f7529e5a53b3f26d86ffd97af44b16b48e0e

SHA256
e758aafa72ff014862b865ee710ae34254851c4cbe5855158133aa097a9d7576

SHA512
9a15e64348b081689642f38b575ddb2a391b8df78247fc6c511ad3e84f7e61bddbfa66bf954c3752f7921a5f3ca901215ed728424308f15b2ad93da982567e68

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\25535B070DD37A9038DE51408477AB301972D36D

Filesize
9KB

MD5
d6a04cd1d744fccee658d3ee08f17c76

SHA1
a67162c9f0c6f45e0334a49309bdda81db6b711e

SHA256
ac40c5c36b325da47d427a04b411b5093db365dbe46eabb66fbabd46bcda4481

SHA512
835a02d239b6c6e1eca37b7555c4f22efee5fb3d718e8198b304901fa1cbbf7c3e4c7b51bed625f536781480cdec077240a7a361f90926a3174b9052f6c4de55

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\288B82EA08B487B9419F9C13FB133EBA7E9D9AB9

Filesize
48KB

MD5
fb8e6f6d3c24d3493616a3557903e5e9

SHA1
f210f89a0a650cd3f2d5887ec8cb55f42c063876

SHA256
e47feca59782d053bec08d3b73979053fcf26c7d1b62886b7f446b501f5e6878

SHA512
e3555821155b386bd8a25df2f141762ab93c4a9910e2205eb4acf99b38e5f8b2aadbc133d271383c0fd742f51682f57fd8ed6894b1ffd2b066c0641a62035be1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\37492BCEAF1181CDA11AB8C990A1FB5E8D7FA3B7

Filesize
7KB

MD5
81f2ce111ab60d56cb277c2599b2571f

SHA1
a923d4a6970d9e205d176a6edef91533daea855c

SHA256
5811659b3d96aef5e19cdbac18092370c08ecad312a20bdc4c8d45e3550a27f4

SHA512
0a82eba9bb07e990dd178dc10863c8aa3fb3590211ac7e03ca2b16b064b82371a7009b57c886ac9267cb20ae80b1dfda0a192152dc514d79e2cc2e5d24a7c8a6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\3BABF1ABB4666CDBF4E49C68E349168355E4EB9E

Filesize
69KB

MD5
8e0e35b677be1c9bba75eeff784ea98a

SHA1
26f0da6e50d7c37cf99770c36a9c7073f3bc9304

SHA256
5cf721e24a3e12d582c896ef589ad027068e25422f7d24c7d5683aa9b018e1b4

SHA512
d367174e07eddfdcad59a536cff02abc40709c837509e809e41535fb4c277014fc9f97087476f8e1e3c4f2e2e0f6cc30909519193a4103c26f64bf03d3844577

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\40AA66F19623A0C99AEB106FE7409851C00D4D15

Filesize
1KB

MD5
5c45da6bfafe0c1989b86c3ca1d4578c

SHA1
2b0a8b811bc5358c1f4fd4a3fad1d00e37ca3154

SHA256
59826d409ec988b4efd0edeaaf98cb3dde173c97f75a699457d177e1f20f70d9

SHA512
285a89ac3e51761bd15411eac1f9c3ed9a38d778a3ebe5c3412359623662bf1d0f6022408780be064017f6d93c2e90463e68990c428b55e0100e6e9f9fb2ea85

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\44FFDD5C6E7774E272EF4434DABFA83C4FCCAEC1

Filesize
1KB

MD5
dbe201f81487f4671a2fe5d6b5ecbc0c

SHA1
d43269043b84ed73db2bbcca43ce16b22dd4d5ab

SHA256
b5794753357fa18711fa8fc6a3c5ab97027e7a858f974f8ac5b88b2155491f26

SHA512
e4935b3ef49007cb5a3323f53fa42ca67a36f427012e13cdbb486e5756eebc268f07515a2b47d822c006dc16afb833bc08c74706d0e0534888064ab0bae5b55d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\4903E7ABE348ED39D98D1C844FB81A906D5ECA16

Filesize
9KB

MD5
f95018e9dd7dc1209d56a257b4d2ec3d

SHA1
72b529c839964fea29584093560b4904c1294bc8

SHA256
a9354829b0b14b7ab4f26c6b429cc85992f4d648f94fe5d3985a51b3679664b6

SHA512
cd51c52988c647dd3c5709617d51b7f60a371da5cfbf7636e6e5e80a65792d42f9270fd7330dd8bd4547c18b7175d5d9b1c1ab1a0ac3291ec6975efa3b2de496

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\4B8642113DAF576B47ED474EE7CB6FAA804BC613

Filesize
12KB

MD5
9c0cefbbcf6c4a28289126fa378cbe9e

SHA1
42d420040b198b45102e2eaf90ec6e3d478ce03e

SHA256
32a837fd10524dff04cd7affb34a38d204b03945289c4cc2df0033fc10c7726e

SHA512
22cad3693a52aa962e4fa8f71766639558a0b336391f0e839aca79b13959eb7164877fa17fc41e9109ffdac598af4087b75eec50baccf0aab2db9c50fb0b648f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\4BC05854AC174DE917085051E231069736A041E5

Filesize
9KB

MD5
f0277fa3350f97acc02130338ca099a6

SHA1
1a5ff455a0e82019332eb32cc36252400475db4c

SHA256
4595c81f1f79cd6fe994cb91e6ab19b5f45b5f191d586c764759f03832b1fdf6

SHA512
19fe815d1bc38860430ddf9e25385175eed9562658f2f5fa7017404aca83cbb3d39babd18c0f8c1be743cd76040d69ce805d10d1809af0dadabf0e1d1027bc67

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\4E743869DC8AB6E5DCF7181BC4923E60C40A6CA7

Filesize
8KB

MD5
ca5155592bd2315b13b882a2f191783a

SHA1
d60987a6b8f59eb1fd8714a47486b42e9f34f2b2

SHA256
5ebc824fc8c206bc10a4ae7e3643de4f970ad8942c97aef70e655df85281a98f

SHA512
a6e4e0f60ab58605465e5e84f55e9f00ab7fc2fcc176e786fbe09fb823f21375d130ce2c3ffa7538115a8437deb3af9c8cea4f491b2657679408871a8207f512

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\5180AFF1D490A843E4941323B81CA9B240510D55

Filesize
8KB

MD5
3185b1127301a5cd0c780f06d54a5d99

SHA1
283c50ed160a5c23de9732c34823ef9d29b07ab2

SHA256
4b103ccf0aea0471fdeb20cdc10ba89e07417a80e79ca3bf1b8daec5173ff863

SHA512
051b118851a370ac70e1eb47616dfb5d8cd5ae41df772dbc9447c32573b8aba5842b3271dd77bf4fe0fce9d34531ec908e4550c50a68a835e42496632e9cc17e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\51AAC2080B4E2FA36AA750E95C58A5BC00050FB3

Filesize
145KB

MD5
90a5fbca837def03d0da5f94fdca25b4

SHA1
9f69aa7d51ee05a2eb09183006db6f36b90eddca

SHA256
6e615020a3a7e2e85366bec764b71044f890d62f0021f3f437d41791c993d1aa

SHA512
c6cde3f8b15d9f7b0ac6eccaab6c0551865ca3dc9df4adf8de3692e656865092ef76b0fe7a7e90facbce28a606fc6f6db643903d541c20b1b9bf9fe67507758b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\5286F19EE62D4E10C9DB3704E468FE15C65455EF

Filesize
99B

MD5
09b01647c04cec8e2413492afc8611be

SHA1
4edd89e09aed14d6c37dc55fe80bdbdf0dfbde70

SHA256
37ce19806b4c7fd72dcdf284b03b411166d632a462ea7245628272d35032e978

SHA512
ba59a9a89ddaf580d50a3e747a7282cb27f0b16d2a3c2c22d7a0ec76ad1303cd8047a407d0e9c34ec613af7c70b8424b9f5a067ed9435a1192c67cde6a43c0de

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\601730C5095430D9777A9656FDB55FA31A6F441D

Filesize
15KB

MD5
f3ef68ed3b73d1a842fda8c0c62e164e

SHA1
ae841e68f831b450c0c0b8233365668ac3ee469a

SHA256
f28d909818db37959d15461900e60e3455bafe9242b19104c8f1a81775b30765

SHA512
5e1beb02ed2e64bb2a77846841e3bb77b7e06cd6e58ec5768bf92eaa9ddb6f86746b5b4e0920e5c61e9c3955c06d6f7c76a07a8a230592305254926116253fd5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\693B29EBE544239D7B9796FB9A8A1FA66ADFE6B8

Filesize
12KB

MD5
f829c8f05b3cedc1cbbfdd7d3228c75f

SHA1
61a98e4003cfe50b3b029bea74d69d6813805f41

SHA256
9b2b71e1350ac9756ee3e1d1114e24cf088a4b2bf49b775fe6001d039f11a1a2

SHA512
8ad89b5e3a58e6881c0c292c0441ac104a44b093695d1b50c46cb84b22e6fce225fdc14a11fe1f545249f0543858cf5e15483e1daa5e3e8a0584021c07d25515

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\6D4934FE31BFAF4563C9C133D9CEB4B986FB5CA0

Filesize
16KB

MD5
51826f70394504e4b375d4365b8eff4a

SHA1
8328187e7e616164860f1d63da9b8bc309691f7b

SHA256
80a40280a10fcf971dc39ddff058fe8536059caa22080868d70d4f89355def79

SHA512
ab4a256f71f2039f90d85d40b5c09d4f70950adaa216a210b55648b3a5d49a1c813486b1cf1e195b9cfb9034ef68557abc18013f485f6da9881f79ce35dde971

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\78EBE2761E0D8643A356E1D92D240FC4520091D5

Filesize
29KB

MD5
ffa1f58a17cf29d1e969e1a59e1d4a70

SHA1
8219ae441b923fe07f50d7bbc958c951e3354639

SHA256
c09eba57f14bdd1d6655e23a7a8eb6d4c60d22949350d4e5a32168c8e51b4884

SHA512
edfc2d19e7fedb43d9ab421bed218f97560cd915f86baebb02eb9475119c36ed8e597ed9f9c646dbc22620672f2dc4d059cfedff4bf2eeb75fa378897534cecb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\7D544D14527397441233E8A79C7A91D78EC4456A

Filesize
10KB

MD5
c312faf4cdcac99ed5666c0283c3ef94

SHA1
e251bdc274d8d256beec1ac5a84c3caa15b5ecc2

SHA256
c451a6c39672bbd1bc1fecd323f59cf8297d86990559263a7c6ebf7bacae4055

SHA512
20450090241a15268eb87cc664f79484f2659b745e033efcc60434b8d0e173619b549e562427ae5b341d035e0819ebf3b3b120bc9964af6e3980bbe4cffc3c9e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\8286AD8A7BE394FA99BA8FDF9D2FB4F0DA2EA12E

Filesize
11KB

MD5
d82d0868fb19ca312f0a71fca9fa5475

SHA1
e0bed3e4d656bf44f6f37552c9bd3fc01e6163d6

SHA256
40edbd539b8afdb0a96503b5addab9b69523fc38641cae9369be18cef3c3311e

SHA512
a687865de0355e4e99e0f9e7d8fc03595a339498610da9cbef526f3f4978e03ac5f67c85fd7c634ce9cd59edff5c6c00d617fb87f69ce9eac68dc3d12eb9708e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\9A485FE6E9B95FDB51F8AE0B1F85A3B055230C5A

Filesize
71KB

MD5
1a6732f81bea8e0c421eb2dd0e603fd0

SHA1
193da1aa4363644043fdbfc0373dc34dac17c6c5

SHA256
9bc4ac364d13a288665eaf45f784f7c23fd05cf996245d1685f661b98c2504f4

SHA512
d798546abd53bb4880585cbc205ff3e547ff3103543ddaf823405b11d03f5f3ae4efbfa38960a77c9ede4c1feb83e0b769d6ac7dad1cbbf7688b45bbd5fa79c7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\9C458D0427E52079A2D9707C800ECB78120F63D2

Filesize
14KB

MD5
7b339e2a1f19f2cd757c6a2356acfb16

SHA1
4460e16e3e35327a0d71ad7adf484a281cde72b2

SHA256
36a119237e933b6a70f2d9054c83bd1a5961ff3146b1e212e66ed671e7b64027

SHA512
08d6edd0b22ba53f75eb7c736de7d0980ab20116e25c03fdcc44b2217379b86e0aa69630dc512c10cc1b6a6ee65b089dd4b37f381f558a6ab8c3a2b13eaa6f4e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\A21092429617834EB0C72A584014395C8F60D334

Filesize
42KB

MD5
85811406e7011236675100644c1b5660

SHA1
3f276167893aee43c99ad2dcd6ae8afcc53f03c8

SHA256
029246c8fe299e399ef21aaa4efd1ab8055a25a00146a4f8028e225e0d662e4f

SHA512
2bfc37d7a991928bc6a69b05cf3a0ce5efa8bf7b01e94f20e78d5288c9e274abe60207536cf8bcfd2a7a6cab4f90092f1958510b2b37bb73eb1dc5a660ab267d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\A4B7B9EAB20097715684BF51804247C5A00E9A63

Filesize
1KB

MD5
672d3cb3dda567c26c25854274353a78

SHA1
8b796adedfc4189c669b16db6d4948bfb269f7af

SHA256
aa9a00c44dfb319070714a085d2ebba9fc4f4c75f75a47ec9123f05cf07a04a1

SHA512
305182539773721fb9c0a18a4500c7e4d99fab881f54f3a84339d72c146df69da9d18a123ac91e1024c253941fe0cf4dec35c602b1dabe45e284996f00e832ea

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\AC31EED6E81447651A2EB277E35CB4CC50CF3B13

Filesize
14KB

MD5
2d6b1ccab9dda1a4e01b27b7a774aa64

SHA1
fe887028b3439d219cb0d26a502309b375fcc52f

SHA256
ce39ea2f9a18e7caae8fe5362de8cf4ad5e1173c373c7f1e045c671281022fbf

SHA512
269bb2e2574ffdf64a2b0e53f9bea4031806726961d53b37d87a6f409dec73568663816b7d6635b47280e2a68050008b5cf12271f10dcb739f6b934ef98a19bf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\C0023EE7E2EC3454829C62F8D83AE2371E44E441

Filesize
15KB

MD5
94c1e65c2673877cfda05b8895e68c17

SHA1
ee921ce9f09907c8b260b9f9b1256275d1d15cfc

SHA256
75e171463e205a52517b817021eb4cfd96051dc45c934e46a763b0394c3f3405

SHA512
f39a80529971430467ad553d8e43a0ab256a78833e47fdbbcb3e8e7b3151541bfc5b96267041a359275270902e8d203acc59cd977a37d4e97a706e4faaee2362

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\CDF359E63200C01C1961DA51E2DC1A04CDBFB351

Filesize
9KB

MD5
32ac54d04d7be858403ef9ec42583c3c

SHA1
783d7df0eb7bb720a522a82303606042a23e1168

SHA256
65bc8b864a7a32684b0b0c028109002c16fe243473bea0386e81efb35c8a23fa

SHA512
f38b555520e5c0a7e668f1d88f259b84248451b6f118f275b086f28e1142276f1eba1165249de6911ba477888f873a7c912cb0b44770700ad60cb8ede0d77bad

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\CFDC1AD7CD7993D53198ED73D1ABDD24AE2FEB3D

Filesize
12KB

MD5
b9e29a7a63a2a4e608f4d5b06abfbdb3

SHA1
a825ca95f04105a12e53df351a0916983ca24def

SHA256
2fe986b7cc35d781a1d1ea3e8f586f3960efb11fe95375b5c3b83e93d64d9aea

SHA512
1b9e1a61416f7a6b3862fde90f1116d808fe36fe67f0f042c7fdc723edaf1fef96743eaef7415efcefb87597fff1928e178985cef8506c2ce5a49b81cb70154b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\D1D05A639FB00341157437E60910B8FB15EC65F4

Filesize
1KB

MD5
6d5f3521e7dafa959dc5bda7b29f3dda

SHA1
9c9d705383dfcd457bc8e73d7f38164c26399742

SHA256
b02b49a404059050729ae49d935048df501e4bde7656890ffdff26b52562cc4e

SHA512
2b94504a757b872553edd6fc08da4f7e55f203134bde984a990b4c7899c4ba8c82b0d40a70f214108bc18fc667fb773ff6bc891b76ca563a3f402bb0ed65b7fb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\D5BF8E4120E38D647959419D0953D4127A172CF0

Filesize
8KB

MD5
7400d7055439506117b25a4cf7a80cad

SHA1
303d11fb9ab251a0770fd9faa70bce6cfa29c171

SHA256
b302e649aed4ea9b238e93b1d98167f31fdde7b8a16dec6c44f1632159cb756d

SHA512
51fa0bda9617eae1d6164ff71064cf05219014361da418d260ad67fcd351af7a6fa635933006aad4c1434392e4c1badac0d3abfec6b5458f2cb10ac558dc74ee

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\DD4DD374D188D7BA8F1FB36F2642B0CD7A32BCD5

Filesize
13KB

MD5
c96886a90edb330428e74172f1e4745a

SHA1
f68235fe3abdb49caf745ff8c7cd1fe3e506e7f3

SHA256
16981f62f7b5dbf02f53d264e6f56fbb1eada75f3dcf37f1f3880be4a4a57e97

SHA512
549b7fd2c06567904656ca8a3f8c7df84acfdc30a6e2c7569d94ff1f1edaa33e5fd3f9b69f12912b70e0e69104a4c82987f73e4a79edb2952951c3ef4543694b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\E38D92CCD46DD643BB84588345E6579F40AD2978

Filesize
14KB

MD5
00265b4b943c346be78cb454845f76f2

SHA1
092f0b6e18ca5e2d672c1f018e8a8400952d5604

SHA256
021aeb2fd14539736d0e45f8f738f21d7b115323d0d6f1cd0e1c12899760356f

SHA512
ea1c1ca6440089c4905cbbac342e00075eb391874e46d269e06be3112005576ea33fa57a19fac70e5ff63caa7f96a397b1b8d975dc12cdcb2baaa95867a9ce69

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\E70CE43FF91BFAF77764D70AEC87491AD04FADA2

Filesize
23KB

MD5
6f64ab9662a8bcca71f706d8653c6718

SHA1
7cff245467bd0bc825d3edfb805e112d32b7b0e4

SHA256
aa27f3855f99dbeb0a4ea66ae03a9007d47bb3d80d43916900b11ea84dfa5e4c

SHA512
d7f77b9c092e0f5b0f60a96c6f2e4a45167deecf019596aaf7dc4557373b29fe502a46f3916b4fc1391119b95e5433915594afbe5b22a08f4c5d3c2bfb194324

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\E75DA8F2CC4E449AEFA4BF67229AB230E75A8897

Filesize
1KB

MD5
75ff16660c28513399b2ebf789e511d8

SHA1
8666d7523b30b20fb1beb321539ef1d62884f3d4

SHA256
70e822c00534bed35ffce9d1d2693a6806692e63cb1171d6500cb9a6d31ceff2

SHA512
c2726c5af5d767d4d691dcd6b08827d3b6ae6715365a0049bcfd6b37734939af4834380fcb770ef2e60c8d2cd1eeb6b634ac1519c2c4bc7f60b7bdac23e8cd0c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\E8597E5D047DDD4800506E1F2291C1538D638247

Filesize
8KB

MD5
c138db16c1edfeae7e42662bd7006e87

SHA1
bf9da3acc5befeeb882da93b630a2291839a0d1c

SHA256
f6cb0ff4144c670909a7ff56210f3b4194350f775a72d7f4c4ef7a06dee54429

SHA512
f61991f38d8d7cc0e74efaf1a42cbd3297a52255a98f9bb17c01a0b385723f132fc7444bb491e5504c42fd1725a668b3c3bc4f419efa9844bad6941b1f218978

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\ECE9A18311DCFCA899B09D7CA5CE46AB32BC7F93

Filesize
27KB

MD5
df7c0651cdc32b98aa58a629d3b8f8dd

SHA1
3395c0375e2a72a3c55f41ebbb5bc8a2dcaf4005

SHA256
c4c4a5223b5433897d0218ddfc90cf7166d4345bb092f6d873f762f32679ca3c

SHA512
a4e10318ae05a7ed916e6ce23db4b6356b0b5c674c4a195b9baff47745fcb4c2861d061076a92b6e0dc88e7e33d5ff8bd72027498142ede228b1f64b7a83bd9b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\ED07F042F4253F704BFC7070ADB92A3EDC4588A0

Filesize
9KB

MD5
241cbf9592fa8097489b047b81e2c7cd

SHA1
aff47ecbba9d7d42d19a3a22de83d1ed8c973966

SHA256
b03974a6707a00fa539cdc87723eba4a997a171593d595e96689b1cf2ec47a86

SHA512
590aeb7ce0728951956c4c187e8238e04cb7fb8bf4c70dd4f9dcb61375614ce2823cbe70b338d1815fc1180d007ec927361081e5000cf9899441fa62a3fee34a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\F0AC0767E22587415827482719C430DD71B2BF0B

Filesize
12KB

MD5
f80cd00b37565008e7922d7eac79cc3f

SHA1
cef6c7aa434bdd7fba60f5a63f26755ac6bf000e

SHA256
7d537c2551167bb9832f2600ad72c6eea30f83b5d54478b5a0029d2f6f7721ac

SHA512
c6b07861650326e5eb6366588cc4d686831b9d22abbb5f514a02d50f2a7897423529088b7fc772a49cdb85693d9545134431741807ab0f1e1b9a72923e9131c4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\F0DA453D49DBFCB6924DEC356732738A87942EA1

Filesize
1KB

MD5
5cd7d70858206a94d35ca07045254522

SHA1
4bf0ada8f1ff7ff709613aa1dee1e78f77132b94

SHA256
dcfe65282d3fb8b8edb1640ab0967935e239828912848f1e4aa23670cb03428e

SHA512
775c31ee88316e662d927513fbd3bf45c74c6b24616b1a0d7d774623db6b4e752ec90e5596165e9ec337694ed2bd35c6fc64e2444f29df4fefe531e272aa5b1f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\F3F77F3FEE25EE80B87E58A78428B949324E227C

Filesize
12KB

MD5
e5eee3c2609429239caf9d96f8c8a4f0

SHA1
7a41cb1b888a25b81081baeaace9cfe6a337086e

SHA256
012f9654c4e752d50654123b491c904bd18c1fcc3c2ba9b63b557cf07877a925

SHA512
74d7fe7382a86d0f638c232e43b57737761bc60889d96e264297e57ba02a9a500b0a86495e9f197270c1086de1f9036ab7937b20251bb75644633dfb54fb4b04

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\F70DCFC7875D4A31AEBC2D7431072D6CA8FD93CD

Filesize
85KB

MD5
756959a95c767484748922534007eb3b

SHA1
0adecb2d6b82ace8f1ee89eec7d15229563bcd11

SHA256
017759ee77e83bd61a6bd027619f67693709a66b4883939af4acf4e4d5b5cb8f

SHA512
d9105447e9a4d5dcd9deef2f80fd9bef2f8b1e360de517bd8a6b1ee67d26848199ae9dde1e6cf0b165c0a1b8ecd0d71e75f7f5064c649d51cda02e4f5bfbde0e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\FBE12DF59A09440615ADD747C2CDDF1DC885F7B8

Filesize
8KB

MD5
f0712623bf2f1faa265ab6d4115aaf3a

SHA1
24944a351c89168838a63656069e4528546a9bb6

SHA256
0cb32987e976164d4e7dd8643ef470d05a7cada302d6f94e03aeabddb42b988a

SHA512
e5024cae65abb47dff40613ec069be08b80edb7205342e2185ba4e22e9c77829fd8a542c30208579a7fc088afb58f198c184af7c75d0628693ea7da1e7c3e380

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\FDB1EE785DF3AE52749DEE50D9FA6601BDEB7D89

Filesize
9KB

MD5
7d6c0216fb33d5d82319f5627849387e

SHA1
adb88cbe97836aae4b8470e6240380ce340a5c94

SHA256
4ab5354c260543567ebf25f6f20126c2a46f3f416082222942c7aa809e916d60

SHA512
9e057425e14a98e6426a8ee2b62ee34d4af0149de775075fa79c3afadd3661ab5ae282bb37f3878c1b06ae56da09da919c261e72e28020e09d57e6b3f4e23c09

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\cache2\entries\FDE57CE68AD481B76DC64A916E81F3CE6CEB5780

Filesize
1KB

MD5
fb2bf834b2d32137cad3f30837b4b718

SHA1
20800c44bb6b6ab607bff3f6d3b4f63ac9f2a180

SHA256
6bbdcd214ce050fa03a24859008498669d394d1ee45e96c1c945f7f558becea4

SHA512
cbb7bb3d36f57a1ff872648616ac826a5dccb8a5e81c0e58073bc7e2f8af0e9ba30357e083691ebcfb4d32dde2c72f80c1bc80a977cd2f057c2321b9c7dae91c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\startupCache\scriptCache-child.bin

Filesize
710KB

MD5
7b402dea71cdc82eadba25132d5a5b39

SHA1
f82b6e6da5d212294a1fa4029ce965e703a803fa

SHA256
98c9dd6c62a28d721bec81cafa324ecace1253a911043c1645886f35b9c6a4ad

SHA512
34208c4385b97d045b72abbe70fa65e7fa2b9f9b6814680169d704eeb12fad363763ef7a0032e1f8e6da13a7880f25096a992d76a8635d9658f404d61d25810d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\startupCache\scriptCache.bin

Filesize
6.7MB

MD5
5135442f8508d69e0d4e2b17e98ec1a1

SHA1
5d5af091b363062e78d14c442d8b074a3778e0b7

SHA256
a7fc05f3a40c9da4aeb8f8251091297d8c2bcdcac3403fe0664d79a4b7d141ac

SHA512
28d26c1feb31f219b1143035c1f6342f310d30b932ab69696b9c9b766d408dfa3a70f78069e60fc578c85aefbe71f22f99d196ddbe9791c8624f4f0f577f65a4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hret3y5j.default-release\startupCache\urlCache.bin

Filesize
2KB

MD5
f2927f7328dcd3cf28d23ed14e99f237

SHA1
b46693c701de5089201e6f1faaa57009ab6a121e

SHA256
f2bf72b7656552a4085b06a042a0e99c447d866fe047ea242e0d0dbefab7c430

SHA512
354f06a3573bcf6b9943859829d363486bf4d2d9a85e7a69beca84fbf5cb7b2787b9f4cd62b87a73def98818886035f34b8206c972b9440637b7a16199b72cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\02ce4a57-7328-49c1-b451-9999b2bf0ee2\3950266016.pri

Filesize
3KB

MD5
86c7f55d37ac86bbe932cc9baa228446

SHA1
eb05105b87acc1e1299ab3713358fbd8d8dadaa8

SHA256
f5f40d1324cacb8ef4ddd5de32fc8c4d4dc18e4fa7eb7fedd06287700073a0ac

SHA512
f3e0be60d0fd07880cb8b61c935ebdc0edb34fe684aca19d5eab0bcf516056e472ad354012846f09d5bb58684cb3dd9c806ce7d8358df64bfc7a667d8358656d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbf2e022-942c-4c39-9583-d4f3096a98a6\3950266016.pri

Filesize
3KB

MD5
86c7f55d37ac86bbe932cc9baa228446

SHA1
eb05105b87acc1e1299ab3713358fbd8d8dadaa8

SHA256
f5f40d1324cacb8ef4ddd5de32fc8c4d4dc18e4fa7eb7fedd06287700073a0ac

SHA512
f3e0be60d0fd07880cb8b61c935ebdc0edb34fe684aca19d5eab0bcf516056e472ad354012846f09d5bb58684cb3dd9c806ce7d8358df64bfc7a667d8358656d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hret3y5j.default-release\addonStartup.json.lz4

Filesize
1KB

MD5
7a65505898088674fc678fb17d5500b4

SHA1
27eaff7c986fe26053848dca802366352e6fe3ad

SHA256
4a500b0c0a51e550e1cde7c86d960298a280bc3e1ca9ffb623897eee53003f7b

SHA512
571a569938ca00c1de6a591a593acf6165d8d18a0c5806702129af0006c56ad5185943432d46d908f39a0368251848d7251b8cca545d337ff57376f91649b0f3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hret3y5j.default-release\cookies.sqlite-wal

Filesize
256KB

MD5
664df14a008a69443c437429fd604bf5

SHA1
d9c82237a540b2c6e45489382ee5fd10342196a1

SHA256
db5ace6694493944e1b106c9372284c4df7e067e45e1606db811cb9224aa5411

SHA512
1893c0ceedcc6544a5ce779670766be73ff7fb63df1bc12ca724f6215d9203ca576cfb04c3b0202b43bc11ab8cd51fe20ad4cc9a870654bc01dbb806e1b6dabf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hret3y5j.default-release\favicons.sqlite-wal

Filesize
64KB

MD5
b195294c15eee15bbd740694818c5541

SHA1
2182ddecc2d939950456d5ae85551bf5978ae8f5

SHA256
7d25796ce96fb3c3583322b84a681d184fd4a500908d555dc0e83e4e936f9b24

SHA512
30df796afbb1d7f980cfe2b3c715d0f9a87e2c0a69e9ed91ea1918d90f497a94d30cfbfd306fc6a784a42c598d3d301c8866d92234f7763a81370b6e27828b2a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hret3y5j.default-release\places.sqlite-wal

Filesize
1.4MB

MD5
94eb11cac9117d0e96ac83dbd669aa39

SHA1
02d3be17a56ab20cfff54b8c12d15255b0bab31d

SHA256
cdf35bbf9c8a59d9c8f207d9cb50b607bca048f8acdf883fe4c22b72c9a524ef

SHA512
331bea76a17b2b8ecb91fb31e91c81441705fa9fd7c8766368194d7f7e1e9756d4eb9a3913492aea9960dd96527d4b67ebd0a914b5b966530772046708f45175

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hret3y5j.default-release\prefs.js

Filesize
6KB

MD5
56ac3d396f75529e03740c456a35c227

SHA1
7c1788f287d50ead05939012fbb8b8d8cd71d8d6

SHA256
b42640a3bdb0c788065c1f8856fc09830379ad5f8db078dff4960123e735a080

SHA512
739b6e8988e2c022072243a74f3ed14fd46a40b4fed9a8bb8b46ebfd969e681990d0f0c2b923e52aada9880458f5eeda4d2b31fe0f2e507f4f905a7d16567230

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hret3y5j.default-release\search.json.mozlz4

Filesize
2KB

MD5
240829c03d6532c6e05028dc0e585f29

SHA1
7e793fb745149bd7ba31910128b592d85c26b075

SHA256
dfd45c9d7c273ab68671ea00e50c8dc9046313ef9e5231e6b2f24306eea8df9c

SHA512
3eed3f6e65ed85ba364635efb54ba427773bcbfb7b0437aee5ff148c93ee3c8c9675944f4b9cba07c3266820e0f399556c0f931cf2849dbe9bf7ac5a27e15b65

Download Submit
memory/2900-115-0x00007FF611FC0000-0x00007FF61202D000-memory.dmp

Filesize
436KB

Download
memory/2900-117-0x00007FF611FC0000-0x00007FF61202D000-memory.dmp

Filesize
436KB

Download
memory/2900-180-0x00007FF611FC0000-0x00007FF61202D000-memory.dmp

Filesize
436KB

Download