crimsonrat | a3f0b7fd84781dbb396f686c4c6268a573824a11f50a39d75d725952adf57466

Analysis

max time kernel
1658s
max time network
1660s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
20-07-2024 08:04

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

__data
Size

9.2MB
MD5

5c2e1da3892e9ed4cbafbfd3859b9867
SHA1

3aa36c887a1e6b0c01a0b6b16c49ecc69ce931a5
SHA256

a3f0b7fd84781dbb396f686c4c6268a573824a11f50a39d75d725952adf57466
SHA512

b2f2c45aca4770dc8a68215ff027b7a1c83d4398576170f6bbda340933a441a20f5ee05a9877c0ff29e0f3c952293775ff84470b0d6cc9e564c0195f54ba5679
SSDEEP

196608:ln7CTef8UQww18jdK+Fi6lwIHE9ZhkEnKIX:le2g71gdKhvh5KO

Score

10^/10

crimsonrat aspackv2 defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware rat trojan

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000100000002af2c-3932.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\Annabelle(7).exe"	Annabelle(7).exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Annabelle(7).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Annabelle(7).exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle(7).exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Blocklisted process makes network request 13 IoCs

flow	pid	Process
717	7812	rundll32.exe
771	7812	rundll32.exe
819	7812	rundll32.exe
858	7812	rundll32.exe
880	7812	rundll32.exe
916	7812	rundll32.exe
960	7812	rundll32.exe
1009	7812	rundll32.exe
1056	7812	rundll32.exe
1102	7812	rundll32.exe
1134	7812	rundll32.exe
1187	7812	rundll32.exe
1238	7812	rundll32.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	tv_enua.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	MSAGENT.EXE

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle(7).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle(7).exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemexplorer.exe\Debugger = "RIP"	Annabelle(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "RIP"	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DCIMAN32.exe\Debugger = "RIP"	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\url.dll\Debugger = "RIP"	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "RIP"	Annabelle(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe\Debugger = "RIP"	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe\Debugger = "RIP"	Annabelle(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll.exe\Debugger = "RIP"	Annabelle(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rasman.dll	Annabelle(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	Annabelle(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe	Annabelle(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe	Annabelle(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cabinet.dll\Debugger = "RIP"	Annabelle(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "RIP"	Annabelle(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpg4dmod.dll\Debugger = "RIP"	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webcheck.dll\Debugger = "RIP"	Annabelle(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe\Debugger = "RIP"	Annabelle(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe\Debugger = "RIP"	Annabelle(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe	Annabelle(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe	Annabelle(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\url.dll	Annabelle(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usbui.dll	Annabelle(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	Annabelle(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "RIP"	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "RIP"	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydocs.dll\Debugger = "RIP"	Annabelle(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe\Debugger = "RIP"	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe\Debugger = "RIP"	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger = "RIP"	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe\Debugger = "RIP"	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "RIP"	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usbui.dll\Debugger = "RIP"	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe\Debugger = "RIP"	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\Debugger = "RIP"	Annabelle(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydocs.dll	Annabelle(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellstyle.dll	Annabelle(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DCIMAN32.exe	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "RIP"	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe\Debugger = "RIP"	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DBGHELP.exe\Debugger = "RIP"	Annabelle(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksuser.dll	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksuser.dll\Debugger = "RIP"	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellstyle.dll\Debugger = "RIP"	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe\Debugger = "RIP"	Annabelle(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	Annabelle(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\Debugger = "RIP"	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chkdsk.exe\Debugger = "RIP"	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rasman.dll\Debugger = "RIP"	Annabelle(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe	Annabelle(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "RIP"	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe\Debugger = "RIP"	Annabelle(7).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DBGHELP.exe	Annabelle(7).exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
7268	NetSh.exe

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000200000002b159-5604.dat	aspack_v212_v242
behavioral1/files/0x000200000002b238-6947.dat	aspack_v212_v242

Executes dropped EXE 22 IoCs

pid	Process
6184	MSAGENT.EXE
6196	tv_enua.exe
724	AgentSvr.exe
6936	BonziBDY_4.EXE
5972	AgentSvr.exe
6844	BonziBDY_35.EXE
2364	BonziBDY_35.EXE
7708	BonziBDY_35.EXE
7752	BonziBDY_35.EXE
6500	CrimsonRAT.exe
7464	dlrarhsiva.exe
6496	BadRabbit.exe
3492	Annabelle(7).exe
6232	$uckyLocker.exe
6212	WinNuke.98.exe
8780	Mabezat.exe
8900	Mabezat.exe
3364	Mabezat(1).exe
8780	WinNuke.98.exe
5380	Avoid.exe
8240	Avoid.exe
7244	DesktopBoom(2).exe

Impair Defenses: Safe Mode Boot 1 TTPs 1 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MinimalX = "1"	Annabelle(7).exe

Loads dropped DLL 47 IoCs

pid	Process
200	BonziBuddy432.exe
200	BonziBuddy432.exe
200	BonziBuddy432.exe
200	BonziBuddy432.exe
200	BonziBuddy432.exe
200	BonziBuddy432.exe
200	BonziBuddy432.exe
200	BonziBuddy432.exe
200	BonziBuddy432.exe
200	BonziBuddy432.exe
200	BonziBuddy432.exe
6184	MSAGENT.EXE
7144	regsvr32.exe
3528	regsvr32.exe
5172	regsvr32.exe
5316	regsvr32.exe
2808	regsvr32.exe
5664	regsvr32.exe
2056	regsvr32.exe
6196	tv_enua.exe
6728	regsvr32.exe
6728	regsvr32.exe
6764	regsvr32.exe
6936	BonziBDY_4.EXE
6936	BonziBDY_4.EXE
6936	BonziBDY_4.EXE
6936	BonziBDY_4.EXE
6936	BonziBDY_4.EXE
6936	BonziBDY_4.EXE
5972	AgentSvr.exe
5972	AgentSvr.exe
5972	AgentSvr.exe
5972	AgentSvr.exe
5972	AgentSvr.exe
6844	BonziBDY_35.EXE
6844	BonziBDY_35.EXE
6844	BonziBDY_35.EXE
6844	BonziBDY_35.EXE
6844	BonziBDY_35.EXE
6844	BonziBDY_35.EXE
6844	BonziBDY_35.EXE
6844	BonziBDY_35.EXE
6844	BonziBDY_35.EXE
2364	BonziBDY_35.EXE
7708	BonziBDY_35.EXE
7752	BonziBDY_35.EXE
7812	rundll32.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Run\tbibra_dreb = "C:\\ProgramData\\Hdlharas\\dlrarhsiva.exe"	dlrarhsiva.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet"	tv_enua.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle(7).exe"	Annabelle(7).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle(7).exe"	Annabelle(7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle(7).exe"	Annabelle(7).exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle(7).exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	LogonUI.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
17	camo.githubusercontent.com
77	camo.githubusercontent.com
211	raw.githubusercontent.com
213	raw.githubusercontent.com
238	raw.githubusercontent.com
256	raw.githubusercontent.com
5	camo.githubusercontent.com
7	camo.githubusercontent.com

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvcp50.dll	tv_enua.exe
File opened for modification	C:\Windows\SysWOW64\SET8491.tmp	tv_enua.exe
File created	C:\Windows\SysWOW64\SET8491.tmp	tv_enua.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Control Panel\Desktop\Wallpaper = "0"	$uckyLocker.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb015.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb016.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page15.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Bonzi's Solitaire.exe	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Intro2.wav	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page4.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\sp007.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page10.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page8.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\J001.nbd-SR	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE	BonziBuddy432.exe
File created	C:\Program Files (x86)\BonziBuddy432\Uninstall.ini	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\BonziCTB.dll	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\MSINET.OCX	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Bonzi's Beach Checkers.exe	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\sstabs2.ocx	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb006.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page12.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page8.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\ManualDirPatcher.vbs	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\registry.reg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page1.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page7.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\CheckRuntimes.bat	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\~GLH0046.TMP	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page9.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page11.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb001.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page8.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\BonziBDY.vbw	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Runtimes\actcnc.exe	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb008.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page10.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page17.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\AutoShortcutsMaker.vbs	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\ManualShortcutsMaker.vbs	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page6.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page5.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Apps.nbd	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page9.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb012.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page10.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page5.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\SSCALB32.OCX	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\t3.nbd	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page16.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb003.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb014.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\sp006.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\BonziCheckers.ocx	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb007.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\AutoDirPatcher.vbs	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page14.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb002.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page16.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\BonziBDY_2.EXE	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\msvbvm60.dll	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\MSWINSCK.OCX	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\SSCALA32.OCX	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page16.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\AUTPRX32.DLL	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page3.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Uninstall.exe	BonziBuddy432.exe
File created	C:\Program Files (x86)\BonziBuddy432\svrprod.tmp	BonziBDY_35.EXE

Drops file in Windows directory 58 IoCs

description	ioc	Process
File opened for modification	C:\Windows\msagent\SET7D7A.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentSvr.exe	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET7D7B.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET7D90.tmp	MSAGENT.EXE
File created	C:\Windows\help\SET7D91.tmp	MSAGENT.EXE
File created	C:\Windows\lhsp\tv\SET847D.tmp	tv_enua.exe
File opened for modification	C:\Windows\INF\SET8490.tmp	tv_enua.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\msagent\SET7D8E.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\mslwvtts.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET7DA3.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET7D7C.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET7D8E.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\tv\tv_enua.dll	tv_enua.exe
File opened for modification	C:\Windows\lhsp\tv\tvenuax.dll	tv_enua.exe
File opened for modification	C:\Windows\msagent\SET7D77.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET7D78.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET7D79.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET7D8D.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\tv\SET847C.tmp	tv_enua.exe
File created	C:\Windows\fonts\SET848F.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\AgentDPv.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentDp2.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentMPx.dll	MSAGENT.EXE
File created	C:\Windows\msagent\SET7D7C.tmp	MSAGENT.EXE
File created	C:\Windows\INF\SET7D8F.tmp	MSAGENT.EXE
File created	C:\Windows\lhsp\tv\SET847C.tmp	tv_enua.exe
File created	C:\Windows\msagent\SET7D8D.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\help\tv_enua.hlp	tv_enua.exe
File opened for modification	C:\Windows\INF\agtinst.inf	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET7D90.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\intl\Agt0409.dll	MSAGENT.EXE
File created	C:\Windows\msagent\SET7DA3.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\fonts\SET848F.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\chars\Bonzi.acs	BonziBuddy432.exe
File created	C:\Windows\msagent\SET7D77.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET7D79.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\intl\SET7DA2.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\help\Agt0409.hlp	MSAGENT.EXE
File created	C:\Windows\lhsp\help\SET847E.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\AgentAnm.dll	MSAGENT.EXE
File created	C:\Windows\msagent\SET7D7A.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentSR.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\chars\Peedy.acs	BonziBuddy432.exe
File opened for modification	C:\Windows\msagent\AgtCtl15.tlb	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\tv\SET847D.tmp	tv_enua.exe
File opened for modification	C:\Windows\lhsp\help\SET847E.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\AgentPsh.dll	MSAGENT.EXE
File opened for modification	C:\Windows\help\SET7D91.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\intl\SET7DA2.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\fonts\andmoipa.ttf	tv_enua.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\msagent\AgentCtl.dll	MSAGENT.EXE
File created	C:\Windows\msagent\SET7D78.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET7D7B.tmp	MSAGENT.EXE
File created	C:\Windows\INF\SET8490.tmp	tv_enua.exe
File opened for modification	C:\Windows\INF\SET7D8F.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\INF\tv_enua.inf	tv_enua.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe

Checks processor information in registry 2 TTPs 13 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Interacts with shadow copies 3 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
200	vssadmin.exe
6536	vssadmin.exe
7772	vssadmin.exe

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{b1167767-0000-0000-0000-d01200000000}\MaxCapacity = "14116"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\Profile = "{00000000-0000-0000-0000-000000000000}"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\HiddenDummyLayouts	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language\00000000 = "00000409"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Substitutes	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload\1 = "00000409"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\0409:00000409 = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\Languages = 65006e002d005500530000000000	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowShiftLock = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "158"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\CLSID = "{00000000-0000-0000-0000-000000000000}"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "2"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{b1167767-0000-0000-0000-d01200000000}\NukeOnDelete = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\KeyboardLayout = "67699721"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{b1167767-0000-0000-0000-d01200000000}	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowCasing = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000351b140280dada01	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\CachedLanguageName = "@Winlangdb.dll,-1121"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\LANGUAGE	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\TIP	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5AA1F9B2-F64C-11CD-95A8-0000C04D4C0A}\TypeLib\ = "{E8671A8B-E5DD-11CD-836C-0000C0C14E92}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C83-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53FA8D41-2CDD-11D3-9DD0-D3CD4078982A}\MiscStatus	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{972DE6B5-8B09-11D2-B652-A1FD6CC34260}\1.0\FLAGS\ = "0"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{065E6FE1-1BF9-11D2-BAE8-00104B9E0792}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E91E27A3-C5AE-11D2-8D1B-00104B9E072A}\Version	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}\2.0\ = "Microsoft Windows Common Controls 6.0 (SP3)"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F053-858B-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00E212A0-E66D-11CD-836C-0000C0C14E92}\TypeLib\Version = "1.0"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8671A88-E5DD-11CD-836C-0000C0C14E92}\Implemented Categories	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4ABF875-8100-11D0-AC63-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48D12BA0-5B77-11D1-9EC1-00C04FD7081F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22EB59AE-1CB8-4153-9DFC-B5CE048357CF}	BonziBDY_4.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EFB6595-857C-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FDF-1BF9-11D2-BAE8-00104B9E0792}\InprocServer32	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB23-9968-11D0-AC6E-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4900F68-055F-11D4-8F9B-00104BA312D6}	BonziBDY_4.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\ProgID\ = "MSComctlLib.ProgCtrl.2"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "2.0"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22EB59AE-1CB8-4153-9DFC-B5CE048357CF}\Programmable	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE41-8596-11D1-B16A-00C0F0283628}\InprocServer32	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{643F1352-1D07-11CE-9E52-0000C0554C0A}\TypeLib	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FE9-1BF9-11D2-BAE8-00104B9E0792}\Implemented Categories	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B77181C-D3EF-11D1-8500-00C04FA34A14}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22DF5084-12BC-4C98-8044-4FAD06F4119A}\TypeLib\Version = "1.1"	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53FA8D46-2CDD-11D3-9DD0-D3CD4078982A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B1BE803-567F-11D1-B652-0060976C699F}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6549F504-C43A-43F3-B8CD-D077AF0427C8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BonziBDY_4.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{065E6FE8-1BF9-11D2-BAE8-00104B9E0792}\TypeLib	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00E212A2-E66D-11CD-836C-0000C0C14E92}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4900F96-055F-11D4-8F9B-00104BA312D6}\ = "BonziBUDDY.clsDownloadManager"	BonziBDY_4.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35053A20-8589-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8A3DC00-8593-11D1-B16A-00C0F0283628}\ProxyStubClsid32	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C74190B8-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DED86423-10D4-4CE1-8C84-9C9EC1B43364}\TypeLib\ = "{F4900F5D-055F-11D4-8F9B-00104BA312D6}"	BonziBDY_4.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\InprocServer32	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE4-8583-11D1-B16A-00C0F0283628}\ProxyStubClsid32	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ = "DInetEvents"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{065E6FD7-1BF9-11D2-BAE8-00104B9E0792}\ProxyStubClsid32	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BDF-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C80-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{159C2806-4A71-45B4-8D4E-74C181CD6842}\ = "_CCalendarVBPeriod"	BonziBDY_4.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin.ComMoveSize\CLSID\ = "{83C2D7A1-0DE6-11D3-9DCF-9423F1B2561C}"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F22-8591-11D1-B16A-00C0F0283628}	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04A-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8DB2224E-D2FA-4B2E-8402-085EA7CC826B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BonziBDY_4.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28E4193C-F276-4568-BCDC-DD15D88FADCC}\TypeLib	BonziBDY_4.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin.SkinSource\CLSID\ = "{53FA8D44-2CDD-11D3-9DD0-D3CD4078982A}"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C74190B4-8589-11D1-B16A-00C0F0283628}\ = "ITreeView"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{065E6FE2-1BF9-11D2-BAE8-00104B9E0792}\TypeLib\ = "{065E6FD1-1BF9-11D2-BAE8-00104B9E0792}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28E4193C-F276-4568-BCDC-DD15D88FADCC}\TypeLib\Version = "1.4"	BonziBDY_4.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA478DA1-3920-11D3-9DD0-8067E4A06603}\InprocServer32\ThreadingModel = "Apartment"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.TabStrip\ = "Microsoft TabStrip Control, version 6.0"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Threed.SSRibbon\ = "SSRibbon Control 3.0"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CDA1CA04-8B5D-11D0-9BC0-0000C0F04C96}\TypeLib\Version = "2.0"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}\2.0\HELPDIR\ = "C:\\Windows\\msagent\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BonziBUDDY.CPeriod\Clsid	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53FA8D49-2CDD-11D3-9DD0-D3CD4078982A}\TypeLib\Version = "1.0"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.TreeCtrl\CurVer\ = "MSComctlLib.TreeCtrl.2"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{065E6FDB-1BF9-11D2-BAE8-00104B9E0792}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48D12BA0-5B77-11D1-9EC1-00C04FD7081F}\TypeLib	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin.ComProcTextures.1\ = "ComProcTextures Class"	BonziBuddy432.exe

NTFS ADS 61 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\DesktopBoom(11).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DesktopBoom(12).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DesktopBoom(13).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DesktopBoom(17).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DesktopBoom(23).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Annabelle(7).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DesktopBoom(5).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\ChilledWindows(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\MalwareDatabase-master.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DesktopBoom(10).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DesktopBoom(26).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Annabelle(3).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DesktopBoom(20).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DesktopBoom(25).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Melting(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\WinNuke.98.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DesktopBoom(9).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\ChilledWindows(5).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DesktopBoom(27).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Melting.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\BadRabbit.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\ChilledWindows.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DesktopBoom(16).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Flasher.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DesktopBoom(19).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DesktopBoom(28).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\ChilledWindows(2).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\ChilledWindows(4).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\ChilledWindows(7).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Annabelle(2).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\$uckyLocker.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Melissa.doc:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DesktopBoom(4).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DesktopBoom(18).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DesktopBoom(24).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Walker.com:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DesktopBoom(2).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DesktopBoom(3).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Mabezat.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\ChilledWindows(6).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DesktopBoom(15).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DesktopBoom(22).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Annabelle(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Avoid.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DesktopBoom.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Annabelle.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DesktopBoom(7).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DesktopBoom(8).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DesktopBoom(6).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DesktopBoom(14).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DesktopBoom(21).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Bonzi.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\MadMan.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Mabezat(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Annabelle(6).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DesktopBoom(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\ChilledWindows(3).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Ransomware-Samples-main.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Annabelle(4).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Annabelle(5).exe:Zone.Identifier	firefox.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
8056	WINWORD.EXE
8056	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
5660	msedge.exe
5660	msedge.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
6824	identity_helper.exe
6824	identity_helper.exe
6272	msedge.exe
6272	msedge.exe
7948	msedge.exe
7948	msedge.exe
7948	msedge.exe
7948	msedge.exe
7812	rundll32.exe
7812	rundll32.exe
7812	rundll32.exe
7812	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1564	firefox.exe
7244	DesktopBoom(2).exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1564	firefox.exe
Token: SeDebugPrivilege	1564	firefox.exe
Token: SeDebugPrivilege	1564	firefox.exe
Token: SeDebugPrivilege	1564	firefox.exe
Token: SeDebugPrivilege	1564	firefox.exe
Token: SeDebugPrivilege	1564	firefox.exe
Token: SeDebugPrivilege	1564	firefox.exe
Token: SeDebugPrivilege	1564	firefox.exe
Token: SeDebugPrivilege	1564	firefox.exe
Token: SeDebugPrivilege	1564	firefox.exe
Token: SeDebugPrivilege	1564	firefox.exe
Token: 33	1088	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1088	AUDIODG.EXE
Token: 33	5972	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	5972	AgentSvr.exe
Token: SeDebugPrivilege	1564	firefox.exe
Token: 33	5972	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	5972	AgentSvr.exe
Token: SeDebugPrivilege	1564	firefox.exe
Token: 33	5972	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	5972	AgentSvr.exe
Token: 33	5972	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	5972	AgentSvr.exe
Token: SeDebugPrivilege	1564	firefox.exe
Token: 33	5972	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	5972	AgentSvr.exe
Token: 33	5972	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	5972	AgentSvr.exe
Token: 33	5972	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	5972	AgentSvr.exe
Token: SeDebugPrivilege	6500	CrimsonRAT.exe
Token: SeDebugPrivilege	6500	CrimsonRAT.exe
Token: SeDebugPrivilege	6500	CrimsonRAT.exe
Token: SeDebugPrivilege	6500	CrimsonRAT.exe
Token: SeDebugPrivilege	6500	CrimsonRAT.exe
Token: SeDebugPrivilege	6500	CrimsonRAT.exe
Token: SeDebugPrivilege	6500	CrimsonRAT.exe
Token: SeDebugPrivilege	6500	CrimsonRAT.exe
Token: 33	5972	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	5972	AgentSvr.exe
Token: 33	5972	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	5972	AgentSvr.exe
Token: SeShutdownPrivilege	7812	rundll32.exe
Token: SeDebugPrivilege	7812	rundll32.exe
Token: SeTcbPrivilege	7812	rundll32.exe
Token: 33	5972	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	5972	AgentSvr.exe
Token: 33	5972	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	5972	AgentSvr.exe
Token: SeDebugPrivilege	1564	firefox.exe
Token: 33	5972	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	5972	AgentSvr.exe
Token: 33	5972	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	5972	AgentSvr.exe
Token: SeBackupPrivilege	7948	vssvc.exe
Token: SeRestorePrivilege	7948	vssvc.exe
Token: SeAuditPrivilege	7948	vssvc.exe
Token: 33	5972	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	5972	AgentSvr.exe
Token: 33	5972	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	5972	AgentSvr.exe
Token: 33	5972	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	5972	AgentSvr.exe
Token: SeDebugPrivilege	1564	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
6976	msedge.exe
5972	AgentSvr.exe
5972	AgentSvr.exe
1564	firefox.exe
1564	firefox.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1564	firefox.exe
2452	MiniSearchHost.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
200	BonziBuddy432.exe
6184	MSAGENT.EXE
6196	tv_enua.exe
724	AgentSvr.exe
6824	identity_helper.exe
6936	BonziBDY_4.EXE
6936	BonziBDY_4.EXE
6844	BonziBDY_35.EXE
6844	BonziBDY_35.EXE
2364	BonziBDY_35.EXE
7708	BonziBDY_35.EXE
7752	BonziBDY_35.EXE
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe
1564	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 1564	4656	firefox.exe	84
PID 4656 wrote to memory of 1564	4656	firefox.exe	84
PID 4656 wrote to memory of 1564	4656	firefox.exe	84
PID 4656 wrote to memory of 1564	4656	firefox.exe	84
PID 4656 wrote to memory of 1564	4656	firefox.exe	84
PID 4656 wrote to memory of 1564	4656	firefox.exe	84
PID 4656 wrote to memory of 1564	4656	firefox.exe	84
PID 4656 wrote to memory of 1564	4656	firefox.exe	84
PID 4656 wrote to memory of 1564	4656	firefox.exe	84
PID 4656 wrote to memory of 1564	4656	firefox.exe	84
PID 4656 wrote to memory of 1564	4656	firefox.exe	84
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 2432	1564	firefox.exe	85
PID 1564 wrote to memory of 3456	1564	firefox.exe	86
PID 1564 wrote to memory of 3456	1564	firefox.exe	86
PID 1564 wrote to memory of 3456	1564	firefox.exe	86
PID 1564 wrote to memory of 3456	1564	firefox.exe	86
PID 1564 wrote to memory of 3456	1564	firefox.exe	86
PID 1564 wrote to memory of 3456	1564	firefox.exe	86
PID 1564 wrote to memory of 3456	1564	firefox.exe	86
PID 1564 wrote to memory of 3456	1564	firefox.exe	86

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Annabelle(7).exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	Annabelle(7).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	Annabelle(7).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	Annabelle(7).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle(7).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1"	Annabelle(7).exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	Annabelle(7).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Annabelle(7).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle(7).exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\__data
1⤵
PID:5116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2696

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ade1c30d-09ae-4a51-a1ac-8898067ba884} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" gpu
    3⤵
    PID:2432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2348 -parentBuildID 20240401114208 -prefsHandle 2332 -prefMapHandle 2328 -prefsLen 25787 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76e8ba9a-9486-4d48-a5a6-0b1f5a16ffc9} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" socket
    3⤵
    PID:3456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2928 -childID 1 -isForBrowser -prefsHandle 2776 -prefMapHandle 2920 -prefsLen 25928 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d474158c-a570-4a3c-acbe-8d19169187aa} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" tab
    3⤵
    PID:404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2580 -childID 2 -isForBrowser -prefsHandle 3624 -prefMapHandle 2544 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e4afbe7-a920-4a7a-b873-cf212a62e623} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" tab
    3⤵
    PID:3500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4044 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4216 -prefMapHandle 4120 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4389180-10bf-4c3e-9593-b86a977a1933} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" utility
    3⤵
    - Checks processor information in registry
    PID:32
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5452 -childID 3 -isForBrowser -prefsHandle 5444 -prefMapHandle 5456 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa843eac-729f-4367-9425-c287c1a7fc59} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" tab
    3⤵
    PID:4864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5368 -childID 4 -isForBrowser -prefsHandle 5600 -prefMapHandle 5604 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3083cb7-eb3e-48a6-8ccb-f6248c184004} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" tab
    3⤵
    PID:4004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5800 -childID 5 -isForBrowser -prefsHandle 5876 -prefMapHandle 5872 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f657c883-2d77-45d2-a576-3f220ef594ac} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" tab
    3⤵
    PID:4932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2672 -childID 6 -isForBrowser -prefsHandle 3576 -prefMapHandle 3404 -prefsLen 27919 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4016ad56-4f85-47d4-b77f-54ca49d9cb73} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" tab
    3⤵
    PID:3672
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6368 -childID 7 -isForBrowser -prefsHandle 6392 -prefMapHandle 6300 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c508bd45-a6b4-4e8f-9d25-1491f8408d64} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" tab
    3⤵
    PID:1460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6728 -childID 8 -isForBrowser -prefsHandle 6616 -prefMapHandle 6716 -prefsLen 28242 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31fd0827-81ae-4a98-907b-448fc3acb96a} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" tab
    3⤵
    PID:5472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5084 -childID 9 -isForBrowser -prefsHandle 3500 -prefMapHandle 3596 -prefsLen 28282 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b91a22b7-b5fa-4846-ba5b-d139855fc01f} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" tab
    3⤵
    PID:3028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6084 -childID 10 -isForBrowser -prefsHandle 5748 -prefMapHandle 5592 -prefsLen 28282 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3beede6-9dee-4074-9f75-f5933463b218} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" tab
    3⤵
    PID:1212
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7580 -childID 11 -isForBrowser -prefsHandle 7584 -prefMapHandle 5656 -prefsLen 28282 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {599d10fc-df9f-4f82-8826-a073b319dd27} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" tab
    3⤵
    PID:5688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7744 -childID 12 -isForBrowser -prefsHandle 7784 -prefMapHandle 7780 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77a04a70-6eb0-4c82-99fa-9e291ebb2caf} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" tab
    3⤵
    PID:716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3044 -childID 13 -isForBrowser -prefsHandle 7916 -prefMapHandle 4892 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d1b3472-5baf-4987-b8e6-312190b50edd} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" tab
    3⤵
    PID:856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4796 -parentBuildID 20240401114208 -prefsHandle 6724 -prefMapHandle 7756 -prefsLen 31004 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bbb786a-325e-4d7a-b5ce-30e3537e9dae} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" rdd
    3⤵
    PID:5456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7860 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 6348 -prefMapHandle 6504 -prefsLen 31004 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa961854-9cdc-4cee-9c41-7afb8e21ca3e} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" utility
    3⤵
    - Checks processor information in registry
    PID:3896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6348 -childID 14 -isForBrowser -prefsHandle 8032 -prefMapHandle 6724 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2874fb46-e32c-417e-8a1f-784b82660dbb} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" tab
    3⤵
    PID:1428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6396 -childID 15 -isForBrowser -prefsHandle 6140 -prefMapHandle 6436 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bdab1bb-b816-43cc-9b81-e9dacba40af9} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" tab
    3⤵
    PID:2876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4144 -childID 16 -isForBrowser -prefsHandle 5768 -prefMapHandle 7656 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5495ee89-3aa2-4b43-a59a-895f3762db57} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" tab
    3⤵
    PID:7572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8652 -childID 17 -isForBrowser -prefsHandle 8536 -prefMapHandle 8444 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2c6f03a-a8ca-4ff6-acc5-653c4fe6ee4f} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" tab
    3⤵
    PID:6392
- - C:\Users\Admin\Downloads\CrimsonRAT.exe
    "C:\Users\Admin\Downloads\CrimsonRAT.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:6500
  - - C:\ProgramData\Hdlharas\dlrarhsiva.exe
      "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:7464
- - C:\Users\Admin\Downloads\BadRabbit.exe
    "C:\Users\Admin\Downloads\BadRabbit.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:6496
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:7812
- - C:\Users\Admin\Downloads\Annabelle(7).exe
    "C:\Users\Admin\Downloads\Annabelle(7).exe"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies Windows Defender Real-time Protection settings
    - UAC bypass
    - Disables RegEdit via registry modification
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - System policy modification
    PID:3492
  - - C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:7772
  - - C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:6536
  - - C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:200
  - - C:\Windows\SYSTEM32\NetSh.exe
      NetSh Advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:7268
- - C:\Users\Admin\Downloads\$uckyLocker.exe
    "C:\Users\Admin\Downloads\$uckyLocker.exe"
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    PID:6232
- - C:\Users\Admin\Downloads\WinNuke.98.exe
    "C:\Users\Admin\Downloads\WinNuke.98.exe"
    3⤵
    - Executes dropped EXE
    PID:6212
- - C:\Users\Admin\Downloads\Mabezat.exe
    "C:\Users\Admin\Downloads\Mabezat.exe"
    3⤵
    - Executes dropped EXE
    PID:8780
- - C:\Users\Admin\Downloads\Mabezat.exe
    "C:\Users\Admin\Downloads\Mabezat.exe"
    3⤵
    - Executes dropped EXE
    PID:8900
- - C:\Users\Admin\Downloads\Mabezat(1).exe
    "C:\Users\Admin\Downloads\Mabezat(1).exe"
    3⤵
    - Executes dropped EXE
    PID:3364
- - C:\Users\Admin\Downloads\Avoid.exe
    "C:\Users\Admin\Downloads\Avoid.exe"
    3⤵
    - Executes dropped EXE
    PID:5380
- - C:\Users\Admin\Downloads\Avoid.exe
    "C:\Users\Admin\Downloads\Avoid.exe"
    3⤵
    - Executes dropped EXE
    PID:8240
- - C:\Users\Admin\Downloads\DesktopBoom(2).exe
    "C:\Users\Admin\Downloads\DesktopBoom(2).exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:7244

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:5024

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\GetAdd.js"
1⤵
PID:1876

C:\Windows\System32\fontview.exe
"C:\Windows\System32\fontview.exe" C:\Users\Admin\Downloads\DisconnectProtect.ttc
1⤵
PID:5948

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004C4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Users\Admin\Downloads\Bonzi\BonziBuddy432.exe
"C:\Users\Admin\Downloads\Bonzi\BonziBuddy432.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\BonziBuddy432\Runtimes\CheckRuntimes.bat" "
  2⤵
  PID:5920
- - C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE
    MSAGENT.EXE
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:6184
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:7144
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
      4⤵
      Loads dropped DLL
      PID:3528
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
      4⤵
      Loads dropped DLL
      PID:5172
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
      4⤵
      Loads dropped DLL
      PID:5316
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
      4⤵
      Loads dropped DLL
      PID:2808
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
      4⤵
      Loads dropped DLL
      PID:5664
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
      4⤵
      Loads dropped DLL
      PID:2056
  - - C:\Windows\msagent\AgentSvr.exe
      "C:\Windows\msagent\AgentSvr.exe" /regserver
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:724
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      PID:2584
- - C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe
    tv_enua.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:6196
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
      4⤵
      Loads dropped DLL
      PID:6728
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
      4⤵
      Loads dropped DLL
      PID:6764
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      PID:6804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://bonzibuddy.tk/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:6976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0x100,0x12c,0x7ffcd5a53cb8,0x7ffcd5a53cc8,0x7ffcd5a53cd8
    3⤵
    PID:6988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,4935380972522555208,16362375451483582764,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
    3⤵
    PID:6992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1840,4935380972522555208,16362375451483582764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1840,4935380972522555208,16362375451483582764,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
    3⤵
    PID:3548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,4935380972522555208,16362375451483582764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
    3⤵
    PID:6292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,4935380972522555208,16362375451483582764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
    3⤵
    PID:5776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,4935380972522555208,16362375451483582764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
    3⤵
    PID:6580
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1840,4935380972522555208,16362375451483582764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:6824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1840,4935380972522555208,16362375451483582764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3988 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6272
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,4935380972522555208,16362375451483582764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2536 /prefetch:1
    3⤵
    PID:5740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,4935380972522555208,16362375451483582764,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
    3⤵
    PID:6904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,4935380972522555208,16362375451483582764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
    3⤵
    PID:3556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,4935380972522555208,16362375451483582764,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
    3⤵
    PID:2476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,4935380972522555208,16362375451483582764,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3772 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:7948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5344

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5352

C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE
"C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6936

C:\Windows\msagent\AgentSvr.exe
C:\Windows\msagent\AgentSvr.exe -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:5972

C:\Program Files (x86)\BonziBuddy432\BonziBDY_35.EXE
"C:\Program Files (x86)\BonziBuddy432\BonziBDY_35.EXE"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6844
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe shell32.dll,Control_RunDLL speech.cpl,,0
  2⤵
  PID:6508
- - C:\Windows\system32\RunDll32.exe
    C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL speech.cpl,,0
    3⤵
    PID:5884

C:\Program Files (x86)\BonziBuddy432\BonziBDY_35.EXE
"C:\Program Files (x86)\BonziBuddy432\BonziBDY_35.EXE"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:6952

C:\Program Files (x86)\BonziBuddy432\BonziBDY_35.EXE
"C:\Program Files (x86)\BonziBuddy432\BonziBDY_35.EXE"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:7708

C:\Program Files (x86)\BonziBuddy432\BonziBDY_35.EXE
"C:\Program Files (x86)\BonziBuddy432\BonziBDY_35.EXE"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:7752

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7948

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Melissa.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
PID:8056

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:1788

C:\Users\Admin\Downloads\WinNuke.98.exe
"C:\Users\Admin\Downloads\WinNuke.98.exe"
1⤵
- Executes dropped EXE
PID:8780

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38a8855 /state1:0x41c64e6d
1⤵
- Drops desktop.ini file(s)
- Modifies data under HKEY_USERS
PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BonziBuddy432\ActiveSkin.ocx

Filesize
336KB

MD5
3d225d8435666c14addf17c14806c355

SHA1
262a951a98dd9429558ed35f423babe1a6cce094

SHA256
2c8f92dc16cbf13542ddd3bf0a947cf84b00fed83a7124b830ddefa92f939877

SHA512
391df24c6427b4011e7d61b644953810e392525743914413c2e8cf5fce4a593a831cfab489fbb9517b6c0e7ef0483efb8aeaad0a18543f0da49fa3125ec971e1

Download Submit
C:\Program Files (x86)\BonziBuddy432\Bonzi's Beach Checkers.exe

Filesize
7.8MB

MD5
c3b0a56e48bad8763e93653902fc7ccb

SHA1
d7048dcf310a293eae23932d4e865c44f6817a45

SHA256
821a16b65f68e745492419ea694f363926669ac16f6b470ed59fe5a3f1856fcb

SHA512
ae35f88623418e4c9645b545ec9e8837e54d879641658996ca21546f384e3e1f90dae992768309ac0bd2aae90e1043663931d2ef64ac541977af889ee72e721a

Download Submit
C:\Program Files (x86)\BonziBuddy432\BonziBDY_2.EXE

Filesize
796KB

MD5
8a30bd00d45a659e6e393915e5aef701

SHA1
b00c31de44328dd71a70f0c8e123b56934edc755

SHA256
1e2994763a7674a0f1ec117dae562b05b614937ff61c83b316b135afab02d45a

SHA512
daf92e61e75382e1da0e2aba9466a9e4d9703a129a147f0b3c71755f491c68f89ad67cfb4dd013580063d664b69c8673fb52c02d34b86d947e9f16072b7090fb

Download Submit
C:\Program Files (x86)\BonziBuddy432\BonziBDY_35.EXE

Filesize
2.5MB

MD5
73feeab1c303db39cbe35672ae049911

SHA1
c14ce70e1b3530811a8c363d246eb43fc77b656c

SHA256
88c03817ae8dfc5fc9e6ffd1cfb5b829924988d01cd472c1e64952c5398866e8

SHA512
73f37dee83664ce31522f732bf819ed157865a2a551a656a7a65d487c359a16c82bd74acff2b7a728bb5f52d53f4cfbea5bef36118128b0d416fa835053f7153

Download Submit
C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE

Filesize
3.2MB

MD5
93f3ed21ad49fd54f249d0d536981a88

SHA1
ffca7f3846e538be9c6da1e871724dd935755542

SHA256
5678fd744faddb30a87568ae309066ef88102a274fff62f10e4963350da373bc

SHA512
7923556c6d6feb4ff4253e853bae3675184eab9b8ce4d4e07f356c8624317801ee807ad5340690196a975824ea3ed500ce6a80c7670f19785139be594fa5e70f

Download Submit
C:\Program Files (x86)\BonziBuddy432\BonziCheckers.ocx

Filesize
152KB

MD5
66551c972574f86087032467aa6febb4

SHA1
5ad1fe1587a0c31bb74af20d09a1c7d3193ec3c9

SHA256
9028075603c66ca2e906ecac3275e289d8857411a288c992e8eef793ed71a75b

SHA512
35c1f500e69cdd12ec6a3c5daef737a3b57b48a44df6c120a0504d340e0f721d34121595ed396dc466a8f9952a51395912d9e141ad013000f5acb138b2d41089

Download Submit
C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page17.jpg

Filesize
50KB

MD5
e8f52918072e96bb5f4c573dbb76d74f

SHA1
ba0a89ed469de5e36bd4576591ee94db2c7f8909

SHA256
473a890da22defb3fbd643246b3fa0d6d34939ac469cd4f48054ee2a0bc33d82

SHA512
d57dd0a9686696487d268ef2be2ec2d3b97baedf797a63676da5a8a4165cda89540ec2d3b9e595397cbf53e69dcce76f7249f5eeff041947146ca7bf4099819f

Download Submit
C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page18.jpg

Filesize
45KB

MD5
108fd5475c19f16c28068f67fc80f305

SHA1
4e1980ba338133a6fadd5fda4ffe6d4e8a039033

SHA256
03f269cd40809d7ec94f5fa4fff1033a624e849179962693cdc2c37d7904233b

SHA512
98c8743b5af89ec0072b70de8a0babfb5aff19bafa780d6ce99c83721b65a80ec310a4fe9db29a4bb50c2454c34de62c029a83b70d0a9df9b180159ea6cad83a

Download Submit
C:\Program Files (x86)\BonziBuddy432\MSCOMCTL.OCX

Filesize
1.0MB

MD5
12c2755d14b2e51a4bb5cbdfc22ecb11

SHA1
33f0f5962dbe0e518fe101fa985158d760f01df1

SHA256
3b6ccdb560d7cd4748e992bd82c799acd1bbcfc922a13830ca381d976ffcccaf

SHA512
4c9b16fb4d787145f6d65a34e1c4d5c6eb07bff4c313a35f5efa9dce5a840c1da77338c92346b1ad68eeb59ef37ef18a9d6078673c3543656961e656466699cf

Download Submit
C:\Program Files (x86)\BonziBuddy432\MSINET.OCX

Filesize
112KB

MD5
7bec181a21753498b6bd001c42a42722

SHA1
3249f233657dc66632c0539c47895bfcee5770cc

SHA256
73da54b69911bdd08ea8bbbd508f815ef7cfa59c4684d75c1c602252ec88ee31

SHA512
d671e25ae5e02a55f444d253f0e4a42af6a5362d9759fb243ad6d2c333976ab3e98669621ec0850ad915ee06acbe8e70d77b084128fc275462223f4f5ab401bc

Download Submit
C:\Program Files (x86)\BonziBuddy432\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Program Files (x86)\BonziBuddy432\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
C:\Program Files (x86)\BonziBuddy432\Reg.nbd

Filesize
140B

MD5
a8ed45f8bfdc5303b7b52ae2cce03a14

SHA1
fb9bee69ef99797ac15ba4d8a57988754f2c0c6b

SHA256
375ecd89ee18d7f318cf73b34a4e15b9eb16bc9d825c165e103db392f4b2a68b

SHA512
37917594f22d2a27b3541a666933c115813e9b34088eaeb3d74f77da79864f7d140094dfac5863778acf12f87ccda7f7255b7975066230911966b52986da2d5c

Download Submit
C:\Program Files (x86)\BonziBuddy432\Reg.nbd

Filesize
109B

MD5
bc2e9284831a8cff7b77a5a28e209ce6

SHA1
6ac420241c5293593b4ce300ae3f8e8d6726d359

SHA256
685595725c7b9859717037ca9e0dc096d1b329a13f76addd4b35bfacc3fa821a

SHA512
f528aa2675c94d347fd634bfe0ec70d0700abb48d7e252efb5632c832ec42ca7fd66d70b01fefbbfdf676b247641efc96e1e54b0a3864ba8b66d817b22068e34

Download Submit
C:\Program Files (x86)\BonziBuddy432\Regicon.ocx

Filesize
76KB

MD5
32ff40a65ab92beb59102b5eaa083907

SHA1
af2824feb55fb10ec14ebd604809a0d424d49442

SHA256
07e91d8ed149d5cd6d48403268a773c664367bce707a99e51220e477fddeeb42

SHA512
2cfc5c6cb4677ff61ec3b6e4ef8b8b7f1775cbe53b245d321c25cfec363b5b4975a53e26ef438e07a4a5b08ad1dde1387970d57d1837e653d03aef19a17d2b43

Download Submit
C:\Program Files (x86)\BonziBuddy432\Runtimes\CheckRuntimes.bat

Filesize
279B

MD5
4877f2ce2833f1356ae3b534fce1b5e3

SHA1
7365c9ef5997324b73b1ff0ea67375a328a9646a

SHA256
8ae1ed38bc650db8b14291e1b7298ee7580b31e15f8a6a84f78f048a542742ff

SHA512
dd43ede5c3f95543bcc8086ec8209a27aadf1b61543c8ee1bb3eab9bc35b92c464e4132b228b12b244fb9625a45f5d4689a45761c4c5263aa919564664860c5e

Download Submit
C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE

Filesize
391KB

MD5
66996a076065ebdcdac85ff9637ceae0

SHA1
4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce

SHA256
16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa

SHA512
e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c

Download Submit
C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe

Filesize
997KB

MD5
3f8f18c9c732151dcdd8e1d8fe655896

SHA1
222cc49201aa06313d4d35a62c5d494af49d1a56

SHA256
709936902951fb684d0a03a561fb7fd41c5e6f81ecd60d326809db66eb659331

SHA512
398a83f030824011f102dbcf9b25d3ff7527c489df149e9acdb492602941409cf551d16f6f03c01bc6f63a2e94645ed1f36610bdaffc7891299a8d9f89c511f7

Download Submit
C:\Program Files (x86)\BonziBuddy432\SSCALA32.OCX

Filesize
472KB

MD5
ce9216b52ded7e6fc63a50584b55a9b3

SHA1
27bb8882b228725e2a3793b4b4da3e154d6bb2ea

SHA256
8e52ef01139dc448d1efd33d1d9532f852a74d05ee87e8e93c2bb0286a864e13

SHA512
444946e5fc3ea33dd4a09b4cbf2d41f52d584eb5b620f5e144de9a79186e2c9d322d6076ed28b6f0f6d0df9ef4f7303e3901ff552ed086b70b6815abdfc23af7

Download Submit
C:\Program Files (x86)\BonziBuddy432\SSCALB32.OCX

Filesize
320KB

MD5
97ffaf46f04982c4bdb8464397ba2a23

SHA1
f32e89d9651fd6e3af4844fd7616a7f263dc5510

SHA256
5db33895923b7af9769ca08470d0462ed78eec432a4022ff0acc24fa2d4666e1

SHA512
8c43872396f5dceb4ba153622665e21a9b52a087987eab523b1041031e294687012d7bf88a3da7998172010eae5f4cc577099980ecd6b75751e35cfc549de002

Download Submit
C:\Program Files (x86)\BonziBuddy432\Uninstall.exe

Filesize
65KB

MD5
068ace391e3c5399b26cb9edfa9af12f

SHA1
568482d214acf16e2f5522662b7b813679dcd4c7

SHA256
2288f4f42373affffbaa63ce2fda9bb071fd7f14dbcd04f52d3af3a219b03485

SHA512
0ba89fcdbb418ea6742eeb698f655206ed3b84c41ca53d49c06d30baed13ac4dfdb4662b53c05a28db0a2335aa4bc588635b3b205cfc36d8a55edfc720ac4b03

Download Submit
C:\Program Files (x86)\BonziBuddy432\ssa3d30.ocx

Filesize
320KB

MD5
48c35ed0a09855b29d43f11485f8423b

SHA1
46716282cc5e0f66cb96057e165fa4d8d60fbae2

SHA256
7a0418b76d00665a71d13a30d838c3e086304bacd10d764650d2a5d2ec691008

SHA512
779938ec9b0f33f4cbd5f1617bea7925c1b6d794e311737605e12cd7efa5a14bbc48bee85208651cf442b84133be26c4cc8a425d0a3b5b6ad2dc27227f524a99

Download Submit
C:\Program Files (x86)\BonziBuddy432\sstabs2.ocx

Filesize
288KB

MD5
7303efb737685169328287a7e9449ab7

SHA1
47bfe724a9f71d40b5e56811ec2c688c944f3ce7

SHA256
596f3235642c9c968650194065850ecb02c8c524d2bdcaf6341a01201e0d69be

SHA512
e0d9cb9833725e0cdc7720e9d00859d93fc51a26470f01a0c08c10fa940ed23df360e093861cf85055b8a588bb2cac872d1be69844a6c754ac8ed5bfaf63eb03

Download Submit
C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\ProgramData\Microsoft\Windows\SystemData\S-1-5-21-1210443139-7911939-2760828654-1000\ReadOnly\LockScreen_O\LockScreen___1280_0720_notdimmed.jpg

Filesize
319KB

MD5
83e68e41d3e6dd705b388184996a483c

SHA1
ef9b8c09bfe1837c2e79bb7623fe3f05add8310b

SHA256
a5e3fe51663743f384aa91da7ea3aa308f95b240b7afec1b12c30a874fdbbcd7

SHA512
2f62d17d98d6a6505a4b25f43cdcb70120d4840a914d4a5fef85b1226070264dd4d64412629581e7227f5e92705dac6f92217693bba6da083ac0f8dbaafa7629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b0c53c5fe6ad2ee4ffbde1b3384d027

SHA1
0c9ae4f75a65ed95159b6eb75c3c7b48971f3e71

SHA256
2e9fc3b050296902d0bb0ce6b8acc0bb54440f75f54f1f04ae95c9956108171f

SHA512
29f62e085d685d3b4902515790ab4f298454d0f8d53b6234fae9f9a0edffdd0d4edee57261e8eb0b94a4af8e86d3f7ab8b044c6f259576b89f91183002e58b42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
afe63f44aa3aa9393e4251b4b74226e3

SHA1
29eef15e4d60afed127861deebc7196e97d19e4a

SHA256
7787181844d106768f78847869b5e784f07c1b65109d59b46932979bac823cd3

SHA512
f0f7951b5d55c2cbb71add5ab0c2ed3617a6fdf93f2c81ee9dd15d9f7c67881b42cbfd97cc4d2f17ba8a383624b23da1897fee069ddcee34233c1f625062a1cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
c28408e02a5e0ff00138b3c08414e469

SHA1
d0844f0c2394d937a6369eced9196d5a5547cf34

SHA256
34613b8917327eda224bcfa001fe6229b1fca667cef2f1e4b8e54d30ed8f9608

SHA512
760d87a4ad368ed4258bcae19e7be06987d662bf671ccc8e0bee382d106049ed1d8a545b2eb294a105c672a3fad4dbb66f5e34e32221c3206a34d7815d488f72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
939B

MD5
951acc7f145ce471a1c6c7429a89ba68

SHA1
d2125d5d235d93ded7df04488d53be6e29ac2fcb

SHA256
5aeaafe07a20478b13acb323ecde18d131807f36fa3978310d29bf3131f1808c

SHA512
85f8f4dcee3f7d6f004f634a5da08c52726a73d2f5d970ee7fa406556c2aaf9aa540f64267a151e0b47b6c60086170c430a220411f3fd51e01c2e6208b398012

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
939B

MD5
e8a497e026f20b2474aacca5564edf5c

SHA1
14a92dca0c13d2c3f8a5ed079397c542dcd4cd03

SHA256
8cbab4e9acbf7036a9e19a73c91732dfa2a2443064187f42fb9bb3e2bd8025a8

SHA512
d3993e4c045a013df5afb02fe3fa87ba02b1c458810564afa362607da41c5e75eae999463dd60726e907133d24ff4488de06040f21b6f390608790518b6d9d4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
939B

MD5
eafbbc3bdc68d69c0758aa3b93c2035b

SHA1
bb2a7b4db7aeb8b00a27b14d39bb10eef890935b

SHA256
1e282e23f3a66460c8f1c9f50bcc6fdf2394872a66c985041243fb4aaae1588c

SHA512
ee0e5816680a175a0d62fd6d27ab95233831619f44fa4c85ad1c7c3d5f7779775b73d7c752e5af9a67206d5c201945398aa238eb165104aa6a8b83d54bb56364

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ca9c8d05d5f411d73f377b337c738716

SHA1
920d178ba7beb6342d5658282e896824adac848c

SHA256
57485fabb161441529d2092e79897ed2bdcf13dcbae6c5cfe43d73a3c71b2fe2

SHA512
ec69aff760fa43bbcc6af79361fe7beb74225c6c0366dabc2abb0b46f7e112571b937165a18ff14215da01e81aa3c075737fcc643e2a0e7e9fbf6426aa37e9d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
660a123cff15e644071a353cd37ef507

SHA1
9b3063a28a27ed9e90264074bc562dc13a64c45f

SHA256
e94c0580e5835939625dac06bc0f9c97eb073b170feeadf7b579042e8a1284a9

SHA512
6abb0397b635740269856f802f436134961242f6b4096dca49105fcf976308cbe9ee3b84324809aba574b4b30faf21d5da05cdff52593610072bf16a8424f1eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
eaff288c162f94fb2952d98e9de845f8

SHA1
b10848f045f79e11b50d3c10552b3543f86cf507

SHA256
b8250264c4bf024489e2d1820818ba7d2625a30c22c103c02ecfecfbbbcda3f1

SHA512
b61d2d4a7d64c81d51bf165a1810e784adae02154fdc590a1c6eca8e4f7f81a18de34d800258380c59e3ca33dbaf7e34b09452ac7346935d4ba81c728e05e32d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
456288fadffdf1155725d92361ec790f

SHA1
fcd89686ec6d03d14ef962d8328fe3781719d17e

SHA256
5b28c9ed05bb457b1aa3678f3b5a29165fec1e4d9bef1944255fe50bd27212a8

SHA512
8952f55341cf4307398136294c80846b3409eb6900fad4264fb932bbc6e6604dc93642063c7344c0bbede7e1b8d7e25ac7ae11d34f271c905c37e39d8e86aafa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\activity-stream.discovery_stream.json

Filesize
18KB

MD5
ea7d00b7052b6e06d5122b47b6c93877

SHA1
5c598d5f197b5ed6db69cb3e5551acf3ddb6014f

SHA256
674d21b01ae0fc359c4339d6c2f7959d632476d28fc7ae77c0ef384b49a4ec8e

SHA512
e22b1af70eeb182b23415934024df7ec6f0aa7cd802541f9b2cf40ba46283b47789e146328cc0f1b7d9c09b32364d06c17be67fcc2e653731c5b5c26ee4433c7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\017DE7AB570E37DB037314BF228EAE6043AE2E5A

Filesize
30KB

MD5
7cf07260e7f2f57ffbd4b5fc04ce1b03

SHA1
9a8c2830783a12a82c56f05113703d981725a117

SHA256
8d73689eb8e1429ddf8396561bca206f50d2fa0c3197acf44498a76046d9fc7e

SHA512
6b814d846f8dd432f04c6901476743e9042384aeb4f1e7f7c1a71da33de573e600514be0d68b1996e1b6eab13b97058df8241d6a66e75cacae834b4d8b6c0f24

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\028C0894AD87F10A73B973631F70818724BAD700

Filesize
164KB

MD5
a546116e33e0d0dd849d5f5136b42605

SHA1
b33efb5afec36ebb48391e637922d6f73ce2cce8

SHA256
e1eaa0ba87a81a9ba3a3899603284d3f65d7fa436b5aa99da0e608c5244cc8d9

SHA512
1da5a39512807b9f1f70594d9e40f0baf47d99deb0f3493f60e7824e5c7d1ba76ff3606e74ddc852aac2da97c81b05c6644454874a7557ca140cff9c6e2acd35

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\02E8C6E0B9504E35C8EC759633CA1ED0EFA9B8F4

Filesize
15KB

MD5
90dbb3c9b05a6772f14c82bbf34b777e

SHA1
27bd12123cac860b74d69b2c04cec7b79c6ea4b7

SHA256
01ab21c0c330e98a68e9063b501b97b68b1595e12445cfb6d43bc8b973b78877

SHA512
f510b82fab94e4b39828062fb2dc4ffac81e3356c5002575f991c36e23979cac5b2a420da69213fea842e5c5b1e48248546ab8b47e7dddabbb5faefcf9b75d84

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\0DE2403E40606B9197622D9499699DCABEF1EE41

Filesize
76KB

MD5
cca47e03153f1e3a513ac3979be907d9

SHA1
f8dee86326457e539ada65ccda84a9fa132e61a5

SHA256
0c60a8eedcfbfea793412e1cab50bec3b369c8b308204ce9fc9ed3c63f446939

SHA512
281c9092d501407595996c6547eaa040a9386cc746fe20409daf9b5592a33399f4b480ecec144d7eccafd09c86e973ecd93dc20f8da442db736b95ee26c3b09c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\0E28E1F73B1BDE35CB1C1280439DD160D4624C91

Filesize
137KB

MD5
6d98f5511371886ed50d1eed5fcab1e2

SHA1
e9284c00f6e98cb8b4034661e5c8b09b19c34b8b

SHA256
c356d84bf716d81019ecead41771b84420a45babe0d993a9d66ac0bfc6c2c4d8

SHA512
d3431706c1a91123348bab6acab2b14f0381b4905ea750657f26ec63f65186fed6c6fc1ca6e202b01bbda4d3fadc761cc746fbaf662e3aa4d4b07cd6398af575

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\1019680A1EEDFEB1CD228847477B1C4456103C5D

Filesize
640KB

MD5
b9539a12779265c6833992438b78ef33

SHA1
c5c8c1d4c7483898eac99f95e1084398aafe631f

SHA256
ff84187ad484649f1e63f603d199356dd403b6bc1b39414339f4f5c982294e28

SHA512
7bbe0bbad32c75a59f31db485d6370d959718bf696d63d2f92ca5a48077e55e68f4f5283e21b50e7293ca302c4d8e440626e4b0061edbb2ca544de2d2c9ddf23

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\1535AFA3EEDE315556C4878E601670C2BC153DDE

Filesize
87KB

MD5
862591ff9cea6fc3a1ae4a9348964240

SHA1
813fbfca25daf7664b1a737b40e4ea91b6deb2c1

SHA256
6adfae1145ecf67d39b921a8f9a64c92aca108bd9d4b7bf4733e7daee175e40d

SHA512
4e0407f3781977fb1f9244f480db74d768ab712b10a154b180b79a030f4b706059918892129fe29e6aad9736758170d1e9f30ec3cc0e12959c46a66e1c9840da

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\15AB10B20FAB8CA5A661243300D7092EB3C1C08A

Filesize
135KB

MD5
574ee8811f406dc16b9460781fe10e28

SHA1
7a721378f07a3fcccc10c425119dbbe289c58b70

SHA256
87ce3d52404f5926eeed5d45c1618e492764e3ba1be01a73b69bcf05ad3ccf0a

SHA512
c9a58ec4c0c7cf160bff550e17b839e70e7e5321ea0bb9e0e7d0aac977d9b3dabc8bfa3b3e3cbf43d6a6c08db3ecbab1e2af0ed935f598bff759908da8bba707

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\15B93BC621B274AC627F930BBC2A3DC1A7CF1BB3

Filesize
105KB

MD5
0042a4a576df924b65459affb2ad28cd

SHA1
c48fae3df10f43a827eb9c5a0d9d33b8bce7eb7b

SHA256
45d6e6c378f39d0d1403c96dc2d817421b6e329db739ae0a592b4fbfeacf900c

SHA512
6b1b0d33e91fc4d5503452e1a3bc0bef37bbac272e8e4c0ca6f5e07290eada72d9f9019e72fe3c2a980484050ed8d738f63acca3cbbf0a4dfce187ef2acfe44a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\196E7D97D4CA0145B1EFB053A084AF87175E2A56

Filesize
768KB

MD5
bf33c31dc40d14f29b32c970cebfc756

SHA1
61700e3220a6d0afea1c99dffc8372726dae6b4d

SHA256
838797669d65aecaab0f5893eecf2acfd9cb43ea9707755560539e3b969f6f55

SHA512
f67251fbb559dd2e5e831ec1df2e66e2ef8bac22f66c403c2061c6ba9c66960e9f4de30f92feb39e5004091552d8566fc4c52704e0189045c789c635070adeef

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\1E6BF9D29D8CA67E03D57DC855B1226ABA7A58D4

Filesize
159KB

MD5
ea8e537d2ccac5071c07d24070417bac

SHA1
95c77ef0e5f58f632713873e10a620b30cf12d21

SHA256
f65f19941c915593202e3713e4e742c30e51873534accc59a98513bf53e59ae1

SHA512
448d86013e55a0bdf533631aef6d5388f8da8264c8a657ccc07661d12e7e745914fb953bd58f469018c9c8dc50b19a59b5f27a813bdace5141521dddaf24958a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\1F94A3B019E2B2B47E2356E16C996C9287E700CD

Filesize
97KB

MD5
66b2f20bc144fc9edb671c1a6b7fe6a0

SHA1
aa7f02bf1c874a255ea1de5590c4a304cf73197a

SHA256
5f7ba90dcea6853a12b759ed3b45f6322eab572f2a847a67e170ff90b5bad78d

SHA512
38e6ec49fd58995c3c1f84189b688379d94e589c669a536ab7ed0654555fb014afc02213353302a51069ffeb6b1fbd46f9f37b3ee63879974bdf43fa3ac8574a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\22F2BE6046DE71FCC15A701DE0FCDEC5259AE136

Filesize
370KB

MD5
960c7482bf62b8f215446626ac66dc4f

SHA1
a58637956e298c1c53369cb28f36b43d97c621cf

SHA256
777a2b816e0e6bfb37d917dc82f8c0bc28db10d77bd84f1dd1af0a0b7f7bbd99

SHA512
69520e11bed47fbe1776ba9d9de2f846d126ef451eb0c7495229f13bef2a23fccb43db47ccdb7028ef4d4cd6c155a48a0d71804d34d3e64d6699105514b2b025

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\256BAEE9702E5F10CF1E95315C026FB0758B3948

Filesize
76KB

MD5
8b92de060734990871954adfc681f119

SHA1
a61c61946207f21f62ee5857fa27cf5c875bdd73

SHA256
29c2cd8091b6732bbd04982494a035c5fdacad409bf9596d3a4b40f788ca7bda

SHA512
97b03aee47f526d2795a2ddb35159e365be46cfc74c5fdf95854f86abf088c67f1a59246d7ffd6f53eb8b61d3c930987d8af064362c843c7a13c9805612fc880

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\261CDE874D74D33D88C5BDF890BFAA1208AD5AB1

Filesize
1.5MB

MD5
e6c8119aab7b613f8fb5aba0c6664617

SHA1
c160637d9eeef0e194df5e4a0e5dfefead278320

SHA256
16fa3de6331c99ec39cd60ac1f3a6e259647184c98b0d9e707fa0a6d1203a302

SHA512
4aacc2a3e923e6f4355fddc15649be95b036f1e4e7931bf46c3f4e5d7e82993377822a15883d7d9f270ff55176ccc0eb49de761c32d0757e3259052dd99d8cb2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\30C85AA25154BB8A0FDD9750B0A52C4359905942

Filesize
164KB

MD5
4f5e8461dc3269012b5d54c391d0606b

SHA1
04aec7b6462b6f9db2a8ce63ef5f9da64cfb8a53

SHA256
6562f6b1dc116577044450a18d598fe9c5416df0154f1c6fb083010e736aadfd

SHA512
bb36f3c5815a0df6f25130188eaffa080d72f86e874a17fe2f886e5db67f5697652b47863179410fd6973c0caf5d31aa1f19f993645b3c369905a82cfc67ab5f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\3B60B52642E87C965983787197F5E13CF39DC4BD

Filesize
97KB

MD5
cae039fd650c6bb7db9a08cf0ca7d4ca

SHA1
b25ebeb4e4c1c247f73b725782ccb7b2aa3b1162

SHA256
ea31dc07d62776afaab3ad0afae8ef10bdd0e7a217b9ed093d617e946dbe1a11

SHA512
69b305070eb3a50be13f17d408a6e82fb4065f61528769b73f83df5f880a311b70ee44420e215a8790c4e6c76bfd879f90655de9e840c31cdfc848103e4d205f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\3FD70D88F569094323265B8FA8AD72BCA91467BC

Filesize
406KB

MD5
08cbef469993c803da657543ff62caa2

SHA1
96ccfa8c3135769571a174a9536b0ddfd22bcde4

SHA256
35163d1e17142899b9fe5c22bf450d74a02cae6571e6c859d49e84043621eace

SHA512
fd2ea2d5427a6d750036bf6f431d30283389ac73b0636dc49cf8f2e3ef4c713e8af9fd2c40afa3381a253775d89815d3a0df7a97482720f4a9b851cb24aa863f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\40A48D6FB1C16FBE729C2E2DB9B8B9E79A67D5B7

Filesize
103KB

MD5
a3739911be9dd63445998d399fe42ab7

SHA1
16d5b0e77d2a9571fc0a6d9f1dee752e2da76a0d

SHA256
50653ea9d645e35c0c3cf3e78b885e216b86d011b68089ad5dd0a4e2e29e0905

SHA512
d972e5ddbbcf78bb19ba473899a1c363f580db08d1c1f249c71a7dfad335b27b690541b11af81aabf8b42075f0eb878d8b7b2a7fe536f04965fbaf6fa0338d75

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\429DC8AB78A8473DC45C70CA74453F829ADE8BD6

Filesize
76KB

MD5
f7726cb9dfc27734b40e42bdf5e38e93

SHA1
f3f2dfb9761fdec2d35c17c561f4b10273ad5f74

SHA256
7b6ca8c96e0b166e6308a5529e7b56cae295f8bdaddd3039963ae43f2b5d9741

SHA512
ffb7a6821c2131b377b80974da77a04a3122e6586de1c7d4bb71456390c2e5f8ad14dba7e57fa5d8bf668951f027d7f331971633e32b3f15b183e4c2f63aab7d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\443AB88BA68DB7163076E0097FC9BA63DCC73EED

Filesize
181KB

MD5
198702003ed175f99100ec2f7f575cbe

SHA1
46a693736efd53ac138a6efbfb64ac7ec3f12649

SHA256
65a647b6a83762316134f3382f277ca05e396b09b4d86626f5a0c2bc610421e2

SHA512
057ad809270f6e2b4e4076cb69ecc4b4a146df2a5efdee09b54f0eb622ecd9090a7448099bc90952860a6b444a428ef0256608939c3e9f7661f83f66785ecc49

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\461225B439B5472726DCC8825BF53B8030AD6AB2

Filesize
85KB

MD5
7d1139d6fc8d7bfb180c38b2a78ad2c0

SHA1
c16a2fe45a23a5bca6b7eae4f5eecc8052226bc2

SHA256
5faa3a5394cf1f12fadd097a5558ea69dafdf26f64c41fea397a300f7c36512b

SHA512
d85f997912ea23182e798aebe11c29e8505c14458162b6ba4d35711371f4809d074be8af8ebcd2ee5aabfaf05bd81c4dbd31ff0c5ee4c02c8887eddbb20cabe3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\52E1A5F5904D864BC54C4678FE8113AA3A212996

Filesize
86KB

MD5
9ef193be36c26a129ee3814fe52931f4

SHA1
2f0801a790574bf832e0433721fb83fddfd8a8b9

SHA256
31e26a54db07ed7f55d8f0f4a52ffce2a1c210bc480d2e305840d49f4dacfe4c

SHA512
64eac62aab393988f1d7d8bd90e7399440122b64fb1b1eda0cda45b91a7dc4be5d91bb21314d9de3c87cfb26b5f7b9c4ac9aeef6bf446d4c5aeaf116d07e7d96

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\54DE1B3147C54C4A099751E9FC6C6802302F42CC

Filesize
45KB

MD5
422c0a59dbf5e5c553d6e8f5943f04eb

SHA1
78ad2f3bb49caae629274443574396db2cd3e181

SHA256
d9f6903ec216bc9148753276f36b4eb7064b4c62355c64afdb2139c12e34f3e0

SHA512
226421f20dd857d71a765600fb61587d50ca3a86dac068e1935781b2649fc279cd112c24e1892f5df2f7800928bf1edafedfbb68e52d0ad1ae459c2e1d39eebf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\5749E4EFF85CF01078AC244BE54EF2ECD7110909

Filesize
1.1MB

MD5
e553a4452549dfe474239cf06efdbdef

SHA1
0437e591a8dca5ac1c3fa5b6fbf3bce4580e52de

SHA256
d2618e2be8fb38843691d7a20c287b822d7fe221ced2ab072fb349aa286df435

SHA512
96d16b44035f776032d8bf91c56d65d51a1cc4b0f4e49ad38daf9a084c42414eb304fb7c820ac7d496b8732a53b46d4254bb524bf0f13a7adf644ee13249eff5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\59A1522AA7731AD4E8F877D2EB907E26A22C77AE

Filesize
1.9MB

MD5
f0b9bb419675df330999dd83689bf93c

SHA1
0f4c0c915eff9d925eaccf5a9b7a244e970af6fc

SHA256
1f493b968ffbb656e48809e716dd4845bb3794c3be4ec01f6c5a15101ca2c7e4

SHA512
26568550c0f8dad8f013f43fb5f9d0913a29fa10597fc86a085881b44ca98130964dbf859cb9e2122708290a65572c036f799870bd11687f8e5e5a25acb58b57

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\5AA841DBAEB39FDE1998563E3998A0DA2540E911

Filesize
20KB

MD5
1e76a9bea5c879b924ac1f33fa623fec

SHA1
5bf71915cc6e5552460c884ccd11b2283dba62b4

SHA256
b5b12568023a2f2375f51c8aa981c9c47be5e7c804e9bcf1f4d0a7c02afc2457

SHA512
477467e831223435fa88a49bcd90cd71e7a1e5405ffd9f0cf9241a643f5441009dbab96a04aab75556fd8a64bb54f7db0967c5df362a6e7de18316f064eb3b37

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\5BEC448356EB52B1CD4BD7994A4DA77FFEA1097F

Filesize
14KB

MD5
754a025a8b997152f95287a7914e9b46

SHA1
f618e9b48d8bc356b5d5be8420c13be5dccef7c5

SHA256
9219752406a1e93dd63153a60a68004b4b51f1f34401fdf0306aa173830d0979

SHA512
b5cdf8fa3891a73fdd16a477bbf7be034f90bc8d14ea954bd4d6133c6d8fe898bd92b69877dd60c66a2626807ed1e598817b8b7bc043468f9133d56748269c38

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\5DB00C41BB699A14CEBBFA1544CE7F3DA6322FCB

Filesize
368KB

MD5
2fe1541cce62def86e9a64b336818d28

SHA1
8b4efa8697195824149b4c6eebd6e03c2bc9a470

SHA256
aa649ce0ec1e6b2afb9c0b60755f488cb7feaf6b4937a58e752d707c9cbc0025

SHA512
fe521fca19ad3ed24ce23001ec3782272ebf033b1dd30b26a4076869ca0f4d798be6fe01576c48ed5530c2fabf6de06195384b164cc2af6b07a7efe660625810

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\6018DCCE8EFCE22F8F648A32D28EA223F80C84C9

Filesize
72KB

MD5
15923906d18d204e6317d8536965d37d

SHA1
7b3d46a938c7779d24893178b8ddd8343be04ae8

SHA256
b7af93ed0063b869d0023345cf5e8b7ebe4fff7c9addf5e8f7520629da3b0d43

SHA512
a9f89e3ce5c555cd520dee4f78d3b0109ebc2808f7aecfbc3cf287f931f000cb014197178b8aa52165db0ae9a5f4eddef530ff59470a8f66c76d50b01f9a39aa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\646829319C67DD4727104CB4F8B6606414E30D3D

Filesize
132KB

MD5
d685e7a19cb0307aa955680beb32685d

SHA1
c5ad789270a8bc86828947b361d76579d797438c

SHA256
38b1168c12caa76af04b451ca2a8d901ddc58255d8be4937636207742dd0e6c4

SHA512
9362705788dfa132b3242da5960d45917ad225bd2d165bbcf0fe6f19c29eea0e5e956673176eabf8a5a4b0e69a79839198a441ac579845f1895715bfafb77530

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\65BA518C415321E62A9EFBE90AD7CBB4D5909AA0

Filesize
300KB

MD5
1daa4c223bc71d5d70ae272287e41433

SHA1
88b8d7c85c82ac0f72dba94b81774fc5d1fd88e1

SHA256
2db839812cfb490f364456932744af113886576d0584edb79ffe07896539597f

SHA512
b9cee7dc865fb2e912b7227f3d189607ade49846d0c41ced05861e61a6f1d44e4513141484d9162d3ee6e3bcce04e69a6383b9615cf94eade50edd9c0fc81144

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\6B17D5D7ADE0D4EA7B18D9AEE5DD2912E25B6B6F

Filesize
92KB

MD5
4dafcf081f9682772bba19e38ea33921

SHA1
422dc6fde5995f8ce8d74a108adcbe10105785a5

SHA256
1d4d76d43ea57b23d458a20ec8a68da95e05056023f30a41285a34f214e4ad74

SHA512
7966e705d1a2701940fb1e6ca683db7686a47b7d01ef8513ecec9b95d7da9aacfc5809da6835d0ad4bee3c5439f65f1f7ecbb2a867ba6459cce4e6b0181f2962

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
15KB

MD5
445f09d33612e0ed19a4c02c549e75d6

SHA1
fd6ceb4da3c55ad70e0e693bb1d642d9b649ae2c

SHA256
98ffbff29c861b67973f5db75ffce8b21bb67cdfc3b8e719ad4d42a1c5223d46

SHA512
baef9e2405f95fcf122b0aba52dc1ccdf454f4995066b496e53760f872dfe97f7478f8e70c1a9a049f622229930f6f4e6fbdc5bf325ad5d7745ccb037f4aaf67

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\6E006E1B8180B45C77D3EE220E3B09E2B064C5CB

Filesize
131KB

MD5
03eb0f33b6ea0e275b4285be432e9303

SHA1
a8cc3a93625120b603bdc4ef63532246bc913c94

SHA256
70a900dbcc2c6a2d9593b24388f1ff3d54309b419dc92443fe078cc7452e77b3

SHA512
26615f968789fac17479781b014f43cca71cd8d5c30b62980088d3be9b05d6308363f873ba10a3f3d0158fe7a7d8776ebedf59175c09eae8ec3ae7529e15950f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\73EAA0767ECF1BFF6C0396D2598362046273B2CE

Filesize
30KB

MD5
dfc88884ed49e1f76b12d7ef79062a62

SHA1
7224f216c822d05c857283ea6c3598ce56ffdc85

SHA256
109809a073842f3365edb56c4d601c06e9a9cf7cb20b501c813565be513e7996

SHA512
bd829924db73f29ad70412ecd505c2800581d8dc67c0708147187d4915c9679ba855e179280f07554b615afb2fb0d7c104710ed86bccc11f6b232e1e20faf0e0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\8107661E821032A9B67FC2BF2B10824A0EC8E0CE

Filesize
137KB

MD5
2b890a621e09a007595e0621a43ec09c

SHA1
c4d2b1bacadb117780f2c8e6b3735cd8bbb35ce8

SHA256
ca115988b597d99ac770b66c3174ca2fca3421109d90b42f745634ce8675950b

SHA512
c8934efbc6a8d7c2d302453583b7aeac5ae6b4206d62771b3d7c296508be679f8722f0edc558cb83b0023b63ed6a3503ed0ab4a796d386bab33ebaa3cc2213dd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\839AD5FA81974293066CFCAB893DA5F21408869B

Filesize
47KB

MD5
bf60f33814ccd1f63bc7194c0c868bed

SHA1
08c72c9d3f2da7532cc536e353651f9c6986aa03

SHA256
5790deb2dfa3550889e6e3443cf1a25c5dfa40de8c8f97e725620a4e5c59c87c

SHA512
906c9bcc219711a1d95d34c9a509d7348c80944bc1359e07edda835410c3c93b4c57646ba85f15e5357afd4bec4d7f10a7e7fdc74dfbb17cb31eff960cd71441

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\8594CCB54834483C16E499AF422E8C42E8746345

Filesize
18KB

MD5
ba57aaaf8a448babbde27cad8c3378ea

SHA1
0392417fb9240f7c5b95cf7cc1228f593ff8023b

SHA256
38aea070f8e83d2e1e076899f9e46f9fb5323d146fb1dc21c028f7a67db38a5b

SHA512
c49e6185936b0406d3f15f53e4cab3d065bec4c615ebc8beb28d1ce1fb79a1f4043c76b4f13fbedaddb65fd6e3b81d39347fd485d9b734440385248b448456be

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\8740D34638930B86C867BDFAA83E497B16674A3F

Filesize
46KB

MD5
b1e2a4fa839a86eeaebca820e74205ed

SHA1
7b3d48bdad5ac83d95e74086e6a275f1c7cf0d48

SHA256
e98a2c618fb004e76f727a8b9ed588051f29a2cf163c151626f734ab5788653a

SHA512
e99df6fea2fc6961967ae44c3288e6a720cba5e505cbdafdf545b7f24f177bfe0cdd9e39c4bbc152113be8e1dd7cbfaeb07498ba95ccdc6cf5547972d922f82d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\88D2DD145122466A8C6F39785D5A392BF5E86A0D

Filesize
81KB

MD5
320630969aaeec5013edfe13f5af8f6c

SHA1
43873ef3b389f1a75e734d6dbc7fc7b9f9b99dd4

SHA256
1d61e7d7a16e59bab1a8341a3e35a1591c4d8fea23422b9e7327d2bc30fabdee

SHA512
e387396778af6e6c6fa91d5b50bdf3ca5ab6314a61bf04123210f767dbd9b60dee6c247a093bd3fa3cb20e2379e2f3007351d4063b24b00fa243c5d228902526

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\8F8D0B9581DB6444556B653E5C7E0AACC0EC8F88

Filesize
143KB

MD5
dc897a48efc1342bd05364cd48863639

SHA1
77a3614eb872c62efe9d4f8e3367cc1d98ac21e1

SHA256
e0ffb612c8238167d640fa4c88ba276d36d8a584d982094219edff44e538d847

SHA512
340097d186f395b9ba245f14af75159b31a14415627feeccdf18c807a849b58a614cf1dd4797502fb808de70a183803b5c958b9782d7bceed05fd0322d75eb23

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\91AB440C4C501BB497891D721678A7E0A9D88D79

Filesize
36KB

MD5
073084c6055987a313ea1382a8b322b6

SHA1
3f9376f2f0c2eaae26f61ffed916521dcad211c3

SHA256
3abc7957328dc804941df542478488548423fa8cb03357c653489aa93f55d4b7

SHA512
03e14717a4636241628eea977189db2af518d5cd3cdedac26b754abf83797fa24a75165980a00aeef1697e050989242174eadc8a8353dd60107e597349e43fe5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\92B7809CBCCEC32F8AA6B585CB23104E10E55D53

Filesize
63KB

MD5
ba6a0a074f4b637ab144027d26c78252

SHA1
e59329381821fb42873edfe1c168aa92b3573280

SHA256
2adb39bd4d2da17b6dca904dcf322897711071333e65f7e7568e98758bf87170

SHA512
6aeff2c42eec867fb04a70d6856905744aca64a6c4455d1d973fc23c6b67a75f79800b560ad902cd3f85ca44e8da4ad1b750a3ab97f4101a3467bc496e85e570

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\97B10BC4D7847C8AE893CE9BC8685F05EBFA5B05

Filesize
142KB

MD5
5742bb038b892e8e17b09e8bce61ed79

SHA1
e9428dabdb377bfb99775180cd6702102111368c

SHA256
5693ee1ff11904213912c50f0e795356a1e90e6ce053b0b7ec9e1af5db042db7

SHA512
2846644946b6d67c14d54afa37b31fbffdac07b0494ebae4b1b448bc2f8929df1453e78a9bfa04900589d65aed00c71d9b9e904616505af8dc4066a75710345b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\9C96235CAD726D63F60DE1389F02007E7CBA3632

Filesize
66KB

MD5
6d07c4f06a2adbb48d39cce3cae970dd

SHA1
f2c93d7d9e8eb5bc67986567cb2fdf916deb0692

SHA256
daa4d62e381d72458c94fafa0f63f689648e2b13bfd757cf69e6073605b5e4ab

SHA512
7f5555f77001e037e6cc826d4f5611b83aa287a72d3ef7c19c8ffc82344029d6fac24f754abe01c19fe54a516dc543cf67e40d7f30e9a1576957365f76f52678

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\9E5E33E0FA029B026E3756ADB0A531D5E6F3CA06

Filesize
112KB

MD5
cac64cbd7ee150a7e06cf9c8f2f0670d

SHA1
1c7e662613afa4f0cc6450f14356f78b43277c8b

SHA256
35eb02a7e788deca73a07704043933d7747377a5cf8fee050ebacf1be4c6741f

SHA512
027ea0bda2f66d179317981527476c0cb65f1a9d31955f9c465f4855cec0ee2cfef4a7812b3bb8d67573b4f3d0df16552a2e0c17f4c09a6af66b5d25defb7575

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\A18AB3FBE5FC5E1A527BA36FF698DF26A7C382BB

Filesize
66KB

MD5
c96357679631dc6537279dcbcec5186f

SHA1
da88abd7813958df4676d49e1e580b04a46f0775

SHA256
2fd092c187e6f4d186b512dadd1099265c33fe183884bff82f3ca711ee97b509

SHA512
744fa231e55b9143843991fd8b57d922b41c393de21c0b4229e4746297aa1f91686b0c1d35dd94c03c4a67154be40ad9bcda77e6f48ac4019e90ad3c8c0968a8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\A7CF3ED5C01DEE0C144A5D0CA5CF0BA94AA917AA

Filesize
93KB

MD5
cb24dc16a94e66df748418ed31330933

SHA1
4e56d7ed021ae4070da1240c78e0d7a9f027a7d0

SHA256
4e809bae99cb11390a51a68093d3397aa969465aac71e036eeecb762db4cb6fa

SHA512
b9fb2dde90280b434af8bebd77cc4e051d3c4b0de2fa2f077e1bf10ef593755751bad9c9bc1b42c3b4b2c6d92644d94d60cdbed1e2e40331087435d97e01d149

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\AB16811DE46B2D265276A15A24BED28684A3B7A4

Filesize
162KB

MD5
fbfbeae5fd31f4d59d6a71240c3445ff

SHA1
ff6d898c025db0c8cb7ac4bd37690c86d8e7c959

SHA256
68fb862d3051b641f849d3b5779e759422e908358d661560dfdbc156b7ffeb72

SHA512
c8d829b9ec9b954183bf900e689956df3397189834938f9ebde13833e0964bf227dc03559b78a9bc0d75d26142676a74bab25861f946cc360c97ade82dea3fa8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\AB740295913D6FEAC15A7060502087FA226E19B5

Filesize
67KB

MD5
794c7867c1a3b79d5f67507551832b89

SHA1
25440f3e81c11d8b802a664c8b1ee09899854ebf

SHA256
2907a105b85c81a08f184fa7ff244ca428949c8f4ef4ee4c1cc1910f7d0b0b67

SHA512
ee42853e2631961638c56061c33f8b5d4a26c1c8532437163bee9a1f66bcda713db49fce7cb72e3012b55aeff33505314fcfe06a8296d2794235dae38e4c18e6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\AFF8599683ADC304B348A76C32AE1EFDB98A763A

Filesize
344KB

MD5
e8a518591d5932e3a9368104e2797c73

SHA1
7cfadc0ca4dbc4bc1ed9b4a0388731275b9544fe

SHA256
1da8c984c03c6b7069581119462829838880b8c41b8d058fcd6a84332b78ce02

SHA512
676eff2407d003b34dcde01d5427d7722906337045ee54465c60ef3c79e33e78e422c1eb6bdbb6d7f89bfd1522bc4db1455f592a8227e0a3918aa992690b6114

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\B6ECA212CACE9464F18FC0D5AB00D0179F230CDD

Filesize
101KB

MD5
fdf69e35be2bfee8635b7b18a50ea6a1

SHA1
fff02ac4e0a63974f3703b0129000023c2b13e3a

SHA256
158ae581a42ae4b6a84b23964e5d411be9182cf966e98228c37730ef1842c8be

SHA512
3c2cdaea68678b192c89555a02f3ef8175f8c23de2514c53a686663f55353aecb217c21414308ba4523804a845b50f6e9cfc8837a25495a8ef3168194e86ef62

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\B8C8DDD2A07579E58FAE2BE95019A6D79E31F546

Filesize
85KB

MD5
8ffcdbc8a71a342dbbca8f60e39debfa

SHA1
e2002a139c7b1dc55188946822cded9e11d716ef

SHA256
714ba069943ed30661de6ba8d4a050bf9a945beef02d3c0afdd9dab0ed1a0bd3

SHA512
a768d99d5697b0c5a5b8e58116a09993d8c1be7aed1e32ec803a68c3f7f5fb512383a242b52ea96fd3b9930dbda46460e1d59637087b78b3cb0f8a7975305e96

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\BA30A8866A8313A16394DA2599448520494928BB

Filesize
30KB

MD5
e01411c5f86af8876440b034b11cde3f

SHA1
a9e8a81c1bb3316e4c67d2c024be7b13809e45ce

SHA256
8f3f79ebbfeb745c9485477b5008bd810c55eca7a39fe4113d5c36e51e6fb2b3

SHA512
298af676e0f00a344c6cf90182a8a48977e856f06203b9ed9152dc4452fa6b6afa8e38b013bf007d6cbcbc175816b84764be78bd801eb43fe189b9f3fcf00eaa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\BDDEBC3E2943A23B7E98CA3F97E19716F05C2E76

Filesize
41KB

MD5
41eb390bf53a3c25d37a7e7f53656efd

SHA1
14b7836828bd6d11c558c956f2b4f16fc81ffa9f

SHA256
298715e6dfa1d26ddd412384e2a1c182f8a3f80adeacd2233fa5a9b8b333b350

SHA512
f0863f0f0186f00170b27117d928d86bb9ffcafb0c1adb3ab27821db01aaf7dad61bf2321a900034eee3fba5c91fabf9800dc5e011c8ab934cf354f2b68770f6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\CB6E5C76A12459DA5E98C1D32CDA1620CDC135A0

Filesize
89KB

MD5
71ecf5f0cb9bd63701d08b1d653e84e0

SHA1
013eaec9c9657f9f4851fb8016078f2c54783614

SHA256
73e6f048c95e33f3eba1abc0d66c304a8c089c94ff79f047b4d0ca38599ebd70

SHA512
b154565140dab6b2cd64918777da301feefcb8df5bff867e9eea8137ee3334feea594cc8ec9360da8a963d3bb2e2a7ad66f06d3b2a20f34c92cc902480010d91

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\CC4BFF1B802DC7FE4F3E20F2F9395DC46A46ECE6

Filesize
481KB

MD5
73c2b4f96f1da660a768ac887703dd90

SHA1
b240aabf65ba1435580f09239506d46a6c916d29

SHA256
aa1721043b75e147b53d75000ad0aa5e54093a0b8747189f8b19ae1582cbdbc1

SHA512
bd41c147aadf1d52644bd0976e50092be51f14078e038b395f4d8c90ca3e37169d6382fe72ae6d2610716523185752a1300fe2ebb87bc24c666e1025a783ffc2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\CCBBC842AA6790B7BEB16A6AA2AA32FE791C9080

Filesize
191KB

MD5
805127e5ea636059f19bdefb8cf8252a

SHA1
d94a09179c1f39186f99548da33c5d8f55e98c71

SHA256
bb578a6fdd29f390a06cb342fe0a295942365ba77a7d14557a5e88c2740f724c

SHA512
dcdf47bdf09b113e433466ce07bb969c8aefc0fa4dbd88586fe9515eb6335a023c0aa3a576bf1358c0cc947a8546291be7cb30a2e9dbf8e84262bdc8374f00d3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\D0BA3DA8FE6698E2529CC5FBCFCB7F4BA5AB11DB

Filesize
94KB

MD5
493c9257e28c093a7dc891081063f224

SHA1
0e32caf2b3b2fbe8e88f04b2a181b9b8c9990a1c

SHA256
dce048ed6d9d3e076529291bcb382067f0dc150c61dbb82bb35a36cd52d4a224

SHA512
22689afa5e8e11e245d0975dab16ea7b03d7a6a720e160f351d07ad440e0ade91add68312531c3586936d16e917c3e4feacd36633ea071787cf823677eb8c0a4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\D0BE1E44C965E99FD8D904610EA8D2873E58F206

Filesize
1.0MB

MD5
6fdff2364dc248657069cc9da5c6b32e

SHA1
9d8c8459207c069b6f73075330ab10011e746ad2

SHA256
e2783a359aaa2d9b8e3755e5225aeed3c00ca6abea94e74364ca0931c844b3ae

SHA512
5d2a61529b8471298114a57378568444b7782768927aafb80ea935b2ea61a2cb253e86d2329da25c3a0bd85673e87a7bdf68b1031bed194e5eda98f9f78ccf00

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\D3005616DB8C138CA87918AB267BB350F7F87F06

Filesize
22KB

MD5
b43c1bb8f101a5b4ebfb933df2997e5c

SHA1
7d2dc23ab2381897699fd37a7da07564084eb9b3

SHA256
e7ffa20c46d069be2227fd2a8221fa6b39595b965addb6dd0b68fd52d56756a3

SHA512
f011a112150f1d3da2baebb1af792b8ca451bf655dc3d68c3c31c6317b9bb4d937e354680815ea6bd53d76c2a51bb66393beba1dec7dc921e1937712c361af32

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\DCFB1237A2E8F3073D4357A0BAA1AB6C738461D4

Filesize
90KB

MD5
7d24b80083462b23ad008d1ade2182de

SHA1
e7d394c68521e33e485872f24dc5911d8e945032

SHA256
a46db3ce1c19bd138a35e3d42228774a249d4ccafbe78f959b0a52065c2bc077

SHA512
d05583b55dbe70dd93778d2954fd045f28903806612526ef77c470a553a5ec89c3763ea3662bb7020bdaed859a5c27ff299adffe200d2076f553887130fac078

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\E06E2C3F1830342297539226D501797B793AEC71

Filesize
72KB

MD5
33f273320c8dafe5306f60f60617d929

SHA1
ba2e25b348c78ea65f8de9c29491aca0eb68c972

SHA256
17e6cf8ea56e3c5fef44c24a0b9985b083f7ce6f2767f7be12639416ad5c9594

SHA512
4778bc6c5fe843e272d2caa8e2d8a3ef6b0daa545e8be20adb56bc4e3879064ff1559d80aae13eacee3afe2378d5e1af141e0e9b3e7891890076069e2b6f649a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\E17BA016257CE59D87A31FCC310FC91590650A91

Filesize
81KB

MD5
9262d6529ecc35f16fb0bddaeaf10a4e

SHA1
ee28b7ba69d9a81ad8f3f6913d150d67335fb877

SHA256
4eeaebd0f26dcde72a08c61583b15ca4921e94df783609571e938494f3e0c562

SHA512
e3afe85e7101b2a99216502da79af70be4e643d2bf23526f6a2a0c5b22118e8429a6bb12d5369a2ae7fed39d0c593ed46d74660d5764a94185c2137e337e3132

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\E37F0C9F306DC48775447C1CB63D24537A2B4D38

Filesize
74KB

MD5
2d7f5cef68e05432461e384ea03021c3

SHA1
6783c46a5f68bbcc45b38f2590b9ac4f52ea69ba

SHA256
caad918b442c0888da218a6b185dcb9fcd2245cde115118714ee3ee377465f8f

SHA512
65ad24196b22ecdb2201292b72ebc6b88e404489caaf3afe8b2af17aeb4b3b26ccccb5386028584533d86444d830391bb5a84850397cdebd2b90eb8f87f7eb0a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\E63BC7965D9702F4F85F2AC3F532E7DC0C645275

Filesize
15KB

MD5
b52279ff872390c1233c152844853e8f

SHA1
f02190245fae2a0c05221d1ff567e22d9cd95794

SHA256
53cc79032ef977a2752513116eec805c894c8663ea680e3c7c4d0466c6145996

SHA512
647781e36604949915899c871332071c0befe6f9b5b65aa0a563f3c49fdf0bd10064e1a13c37a5906a2f00d5ff43af884c0c300557595eb4b0f8867375950df9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\E6B872FF186BB490F2440330691953663544E2C3

Filesize
495KB

MD5
9dee1e01017eecd9dc71dad9b280a247

SHA1
0c675ac8e8041213f643a249593d89538ae59901

SHA256
571bf820e9919ee4327a60575c4ea8c6340e3b86451748c752bbb4a630e1c75b

SHA512
4e9e3976c9d1378596fe1b5bdf4dbb65ac7f3c45b728df4c3a410a067ea33255c3d2e3036513edd8e1a7394702cf4928e21ef4c696bc507556c4af872ea6a08b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\ED7DE1E972B10BB78C661B79A820CE46C3BEEF7D

Filesize
61KB

MD5
6337fd528239ff28d1938f5a946ea898

SHA1
a1887cc211afaae467ebcaf7ade92a233e2a8120

SHA256
a0abba5bacc61556c0602868e94ff9561dfcbfd45a6360ab8afd29b781ff7382

SHA512
80201c3d803504e3cf616935a14038547dd4494b374c9b22f319d3c9d5ea29fdaf21a0dfe18141d053878b667e49a7fd731abcc47019cd1a564941565768d464

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\F042D0F0CB1D03F626670DE9F0BE80F1C09C7CB5

Filesize
16KB

MD5
94b7a8c2dc34c2acf1ef23e4f3043992

SHA1
8dcb0939d8bf6cbb5f9b406c4a581f7dfa458c30

SHA256
dfdf75bd2777c5034995fe8b568a2b8c2470c62aeeb3c8c82e506de3b4110cdc

SHA512
6fc7ef94cef64f70fd64f451d9acacec3aec7a8385d735d074ab319b94846dcac33ab834f8bce20cd65f396b209f93c53bd1f30e70901cdd9c67d46e763e2fb5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\F0EEDCF02D3B3A4C639EF61A427186F34175B5CB

Filesize
21KB

MD5
4c3f52bef020bcd43bf962f0780dacd9

SHA1
a4e3bba6d1226d7c6d07b9a1efe79cde798706ad

SHA256
897d0b49560ef102ae22eb0e3819f3cc9e8a12ea1813c61177bc9cb99be3baef

SHA512
ed0cc03dd8d565bd8d7dff37d6ac699e24c30381502bf30cc57de326b99d491094010bdc723eaa2b43497bfb177f4e7424ed428eab1939c2b1f881ec498cd340

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\F13B080D38DE260A7379D18955DC815BF6E3A7A5

Filesize
195KB

MD5
46faef1c7cd7fa8b8c92dbb2da96adc8

SHA1
4fd5abfd2263fe2ba9b1a18fd31b1ac009fe2c23

SHA256
bc12eb388339bdba30a8d1ed718fa5bf02df041708b79d14412f34fa232c6b40

SHA512
c48aacf2293eb9932b9529ab69b1e2c052400fab7c724986647412e3250f250cd3d7445561f0685ae66440814e5fb19be4681c6170a4d78b513bb68b19730e8b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\F8C1E3712927605E6B2D2F5A2C6652D3742E2BD0

Filesize
3.8MB

MD5
777859100d237d9d5bcc21cf7a17c456

SHA1
40094dfa58b0fb8830c316e92d08759b50a0c1e9

SHA256
83eeada41ac1d70db1dce484edd23ecbcc7ad8575ea7ed7f1f86e25e0d6ff7d4

SHA512
ca45fb9f9e48a306b334bb2cabbd7d5d258b5c76d089ce14a2727088b58e05acf50f5a4cb4a8d02e4cc821b81ba4a6b5cd0802336f864b94d2e9f2288b18eaa0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\F92B11F130848521408BE0EB604F2CBF26C6B78A

Filesize
51KB

MD5
9bc4dbe421b81edf596fb25a05dd955f

SHA1
d4b0b647fbab683fb7afb794b382b22c51929593

SHA256
4263b3130a67179adf50c8b8e4a7ac3ff623ccec13bf63774aa341b358168656

SHA512
a3a0bb81e774ed9fc672b6f8ac0b4c8bcf2395f43495ee6f115964ccb262c43c0e34fe4f190816aaedec62a76ac4f3ebe303a89d67835874f847841c5f7702e6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\FFF3544547FC343205CC3E77C1CBC1E5D83178EE

Filesize
142KB

MD5
2deacf4ef5e34b03fdfd702232de6513

SHA1
6f8a31e1eda486cca9f473650569c7b7f04b9037

SHA256
edbcdeed38cb6a4706bbf0fec17fb9d92342e0dd5d8654b289f32eb9cd71a674

SHA512
fd163e891a725081d75c9be42190a140f9a2adcd75dff696f93a5f0c2c3a9ef7840b7243b815a13f44d94a060d76689dbe1a187b28d47d3a080b58924a984b4e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\jumpListCache\QvhiRrisE5OCCo15UhWfKni7GIBuQszh_bzME6C_u5s=.ico

Filesize
25KB

MD5
6b120367fa9e50d6f91f30601ee58bb3

SHA1
9a32726e2496f78ef54f91954836b31b9a0faa50

SHA256
92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0

SHA512
c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\jumpListCache\abZkytIxzStb59JG1l0a60oQgKmwNI4HLBo+Saz6Mqk=.ico

Filesize
965B

MD5
c9da4495de6ef7289e392f902404b4c8

SHA1
aa002e5d746c3ba0366cd90337a038fc01c987c9

SHA256
13ec8c9e113de6737a59d45ea5a99f345d6cba07f9a820bb2297121b8094790f

SHA512
bb72f0cc815e7b4c44959808b153aad28dbced8d97e50f83ef90229d19ea1c4b3fffff650bf49efe562451fcae0325cdbdffc1a5c4ec5d2c7c70ae9d1a0d8a16

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
47c7a4e1f805aa96129a49cd4a139e0d

SHA1
255e7e1b2c74231e5a67149a844670060e412da3

SHA256
d89cd516a97caecfe9b1a191f45c501f61531776450f83177438b39d38d7b5af

SHA512
0fc1e29ef7e56c2670e5526657a809f42440d593eb892e5c74e35f278c23b0f1a492e30018c9aadce3ecfe2260ca9d6d81ef483f45777c5079492534c76fc2bf

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
b804075afaac9bf7e363297df2b10534

SHA1
e3f4ca96b16b976154b9687ace50854160f9e332

SHA256
ed82e14aad6c79981106d556d0cf80b852edf2f2d061262d2427116221746b97

SHA512
c5aa25297cba3e04e5aea86076d56059419fd95a98b0cd78c2bcfc5851d9f69f832701eec388d252ce4e643915183e03002a7beeed6eb80394d279496555cbcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp

Filesize
8.0MB

MD5
8e15b605349e149d4385675afff04ebf

SHA1
f346a886dd4cb0fbbd2dff1a43d9dfde7fce348b

SHA256
803f930cdd94198bdd2e9a51aa962cc864748067373f11b2e9215404bd662cee

SHA512
8bf957ef72465fe103dbf83411df9082433eead022f0beccab59c9e406bbd1e4edb701fd0bc91f195312943ad1890fee34b4e734578298bb60bb81ed6fa9a46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0002.tmp

Filesize
8.0MB

MD5
596cb5d019dec2c57cda897287895614

SHA1
6b12ea8427fdbee9a510160ff77d5e9d6fa99dfa

SHA256
e1c89d9348aea185b0b0e80263c9e0bf14aa462294a5d13009363140a88df3ff

SHA512
8f5fc432fd2fc75e2f84d4c7d21c23dd1f78475214c761418cf13b0e043ba1e0fc28df52afd9149332a2134fe5d54abc7e8676916100e10f374ef6cdecff7a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0003.tmp

Filesize
8.0MB

MD5
7c8328586cdff4481b7f3d14659150ae

SHA1
b55ffa83c7d4323a08ea5fabf5e1c93666fead5c

SHA256
5eec15c6ed08995e4aaffa9beeeaf3d1d3a3d19f7f4890a63ddc5845930016cc

SHA512
aa4220217d3af263352f8b7d34bd8f27d3e2c219c673889bc759a019e3e77a313b0713fd7b88700d57913e2564d097e15ffc47e5cf8f4899ba0de75d215f661d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0004.tmp

Filesize
8.0MB

MD5
4f398982d0c53a7b4d12ae83d5955cce

SHA1
09dc6b6b6290a3352bd39f16f2df3b03fb8a85dc

SHA256
fee4d861c7302f378e7ce58f4e2ead1f2143168b7ca50205952e032c451d68f2

SHA512
73d9f7c22cf2502654e9cd6cd5d749e85ea41ce49fd022378df1e9d07e36ae2dde81f0b9fc25210a9860032ecda64320ec0aaf431bcd6cefba286328efcfb913

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0005.tmp

Filesize
8.0MB

MD5
94e0d650dcf3be9ab9ea5f8554bdcb9d

SHA1
21e38207f5dee33152e3a61e64b88d3c5066bf49

SHA256
026893ba15b76f01e12f3ef540686db8f52761dcaf0f91dcdc732c10e8f6da0e

SHA512
039ccf6979831f692ea3b5e3c5df532f16c5cf395731864345c28938003139a167689a4e1acef1f444db1fe7fd3023680d877f132e17bf9d7b275cfc5f673ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0006.tmp

Filesize
1.8MB

MD5
b3b7f6b0fb38fc4aa08f0559e42305a2

SHA1
a66542f84ece3b2481c43cd4c08484dc32688eaf

SHA256
7fb63fca12ef039ad446482e3ce38abe79bdf8fc6987763fe337e63a1e29b30b

SHA512
0f4156f90e34a4c26e1314fc0c43367ad61d64c8d286e25629d56823d7466f413956962e2075756a4334914d47d69e20bb9b5a5b50c46eca4ef8173c27824e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL

Filesize
73KB

MD5
81e5c8596a7e4e98117f5c5143293020

SHA1
45b7fe0989e2df1b4dfd227f8f3b73b6b7df9081

SHA256
7d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004

SHA512
05b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTANM.DLL

Filesize
40KB

MD5
48c00a7493b28139cbf197ccc8d1f9ed

SHA1
a25243b06d4bb83f66b7cd738e79fccf9a02b33b

SHA256
905cb1a15eccaa9b79926ee7cfe3629a6f1c6b24bdd6cea9ccb9ebc9eaa92ff7

SHA512
c0b0a410ded92adc24c0f347a57d37e7465e50310011a9d636c5224d91fbc5d103920ab5ef86f29168e325b189d2f74659f153595df10eef3a9d348bb595d830

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTCTL.DLL

Filesize
160KB

MD5
237e13b95ab37d0141cf0bc585b8db94

SHA1
102c6164c21de1f3e0b7d487dd5dc4c5249e0994

SHA256
d19b6b7c57bcee7239526339e683f62d9c2f9690947d0a446001377f0b56103a

SHA512
9d0a68a806be25d2eeedba8be1acc2542d44ecd8ba4d9d123543d0f7c4732e1e490bad31cad830f788c81395f6b21d5a277c0bed251c9854440a662ac36ac4cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTDP2.DLL

Filesize
60KB

MD5
a334bbf5f5a19b3bdb5b7f1703363981

SHA1
6cb50b15c0e7d9401364c0fafeef65774f5d1a2c

SHA256
c33beaba130f8b740dddb9980fe9012f9322ac6e94f36a6aa6086851c51b98de

SHA512
1fa170f643054c0957ed1257c4d7778976c59748670afa877d625aaa006325404bc17c41b47be2906dd3f1e229870d54eb7aba4a412de5adedbd5387e24abf46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTDPV.DLL

Filesize
64KB

MD5
7c5aefb11e797129c9e90f279fbdf71b

SHA1
cb9d9cbfbebb5aed6810a4e424a295c27520576e

SHA256
394a17150b8774e507b8f368c2c248c10fce50fc43184b744e771f0e79ecafed

SHA512
df59a30704d62fa2d598a5824aa04b4b4298f6192a01d93d437b46c4f907c90a1bad357199c51a62beb87cd724a30af55a619baef9ecf2cba032c5290938022a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTMPX.DLL

Filesize
60KB

MD5
4fbbaac42cf2ecb83543f262973d07c0

SHA1
ab1b302d7cce10443dfc14a2eba528a0431e1718

SHA256
6550582e41fc53b8a7ccdf9ac603216937c6ff2a28e9538610adb7e67d782ab5

SHA512
4146999b4bec85bcd2774ac242cb50797134e5180a3b3df627106cdfa28f61aeea75a7530094a9b408bc9699572cae8cf998108bde51b57a6690d44f0b34b69e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTPSH.DLL

Filesize
36KB

MD5
b4ac608ebf5a8fdefa2d635e83b7c0e8

SHA1
d92a2861d5d1eb67ab434ff2bd0a11029b3bd9a9

SHA256
8414dfe399813b7426c235ba1e625bd2b5635c8140da0d0cfc947f6565fe415f

SHA512
2c42daade24c3ff01c551a223ee183301518357990a9cb2cc2dd7bf411b7059ff8e0bf1d1aee2d268eca58db25902a8048050bdb3cb48ae8be1e4c2631e3d9b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTSR.DLL

Filesize
60KB

MD5
9fafb9d0591f2be4c2a846f63d82d301

SHA1
1df97aa4f3722b6695eac457e207a76a6b7457be

SHA256
e78e74c24d468284639faf9dcfdba855f3e4f00b2f26db6b2c491fa51da8916d

SHA512
ac0d97833beec2010f79cb1fbdb370d3a812042957f4643657e15eed714b9117c18339c737d3fd95011f873cda46ae195a5a67ae40ff2a5bcbee54d1007f110a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTSVR.EXE

Filesize
268KB

MD5
5c91bf20fe3594b81052d131db798575

SHA1
eab3a7a678528b5b2c60d65b61e475f1b2f45baa

SHA256
e8ce546196b6878a8c34da863a6c8a7e34af18fb9b509d4d36763734efa2d175

SHA512
face50db7025e0eb2e67c4f8ec272413d13491f7438287664593636e3c7e3accaef76c3003a299a1c5873d388b618da9eaede5a675c91f4c1f570b640ac605d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT0409.DLL

Filesize
28KB

MD5
0cbf0f4c9e54d12d34cd1a772ba799e1

SHA1
40e55eb54394d17d2d11ca0089b84e97c19634a7

SHA256
6b0b57e5b27d901f4f106b236c58d0b2551b384531a8f3dad6c06ed4261424b1

SHA512
bfdb6e8387ffbba3b07869cb3e1c8ca0b2d3336aa474bd19a35e4e3a3a90427e49b4b45c09d8873d9954d0f42b525ed18070b949c6047f4e4cdb096f9c5ae5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT0409.HLP

Filesize
8KB

MD5
466d35e6a22924dd846a043bc7dd94b8

SHA1
35e5b7439e3d49cb9dc57e7ef895a3cd8d80fb10

SHA256
e4ccf06706e68621bb69add3dd88fed82d30ad8778a55907d33f6d093ac16801

SHA512
23b64ed68a8f1df4d942b5a08a6b6296ec5499a13bb48536e8426d9795771dbcef253be738bf6dc7158a5815f8dcc65feb92fadf89ea8054544bb54fc83aa247

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT20.INF

Filesize
2KB

MD5
e4a499b9e1fe33991dbcfb4e926c8821

SHA1
951d4750b05ea6a63951a7667566467d01cb2d42

SHA256
49e6b848f5a708d161f795157333d7e1c7103455a2f47f50895683ef6a1abe4d

SHA512
a291bb986293197a16f75b2473297286525ac5674c08a92c87b5cc1f0f2e62254ea27d626b30898e7857281bdb502f188c365311c99bda5c2dd76da0c82c554a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTCTL15.TLB

Filesize
28KB

MD5
f1656b80eaae5e5201dcbfbcd3523691

SHA1
6f93d71c210eb59416e31f12e4cc6a0da48de85b

SHA256
3f8adc1e332dd5c252bbcf92bf6079b38a74d360d94979169206db34e6a24cd2

SHA512
e9c216b9725bd419414155cfdd917f998aa41c463bc46a39e0c025aa030bc02a60c28ac00d03643c24472ffe20b8bbb5447c1a55ff07db3a41d6118b647a0003

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTINST.INF

Filesize
7KB

MD5
b127d9187c6dbb1b948053c7c9a6811f

SHA1
b3073c8cad22c87dd9b8f76b6ffd0c4d0a2010d9

SHA256
bd1295d19d010d4866c9d6d87877913eee69e279d4d089e5756ba285f3424e00

SHA512
88e447dd4db40e852d77016cfd24e09063490456c1426a779d33d8a06124569e26597bb1e46a3a2bbf78d9bffee46402c41f0ceb44970d92c69002880ddc0476

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSLWVTTS.DLL

Filesize
52KB

MD5
316999655fef30c52c3854751c663996

SHA1
a7862202c3b075bdeb91c5e04fe5ff71907dae59

SHA256
ea4ca740cd60d2c88280ff8115bf354876478ef27e9e676d8b66601b4e900ba0

SHA512
5555673e9863127749fc240f09cf3fb46e2019b459ad198ba1dc356ba321c41e4295b6b2e2d67079421d7e6d2fb33542b81b0c7dae812fe8e1a87ded044edd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Msvcirt.dll

Filesize
76KB

MD5
e7cd26405293ee866fefdd715fc8b5e5

SHA1
6326412d0ea86add8355c76f09dfc5e7942f9c11

SHA256
647f7534aaaedffa93534e4cb9b24bfcf91524828ff0364d88973be58139e255

SHA512
1114c5f275ecebd5be330aa53ba24d2e7d38fc20bb3bdfa1b872288783ea87a7464d2ab032b542989dee6263499e4e93ca378f9a7d2260aebccbba7fe7f53999

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Msvcp50.dll

Filesize
552KB

MD5
497fd4a8f5c4fcdaaac1f761a92a366a

SHA1
81617006e93f8a171b2c47581c1d67fac463dc93

SHA256
91cd76f9fa3b25008decb12c005c194bdf66c8d6526a954de7051bec9aae462a

SHA512
73d11a309d8f1a6624520a0bf56d539cb07adee6d46f2049a86919f5ce3556dc031437f797e3296311fe780a8a11a1a37b4a404de337d009e9ed961f75664a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W95INF16.DLL

Filesize
2KB

MD5
7210d5407a2d2f52e851604666403024

SHA1
242fde2a7c6a3eff245f06813a2e1bdcaa9f16d9

SHA256
337d2fb5252fc532b7bf67476b5979d158ca2ac589e49c6810e2e1afebe296af

SHA512
1755a26fa018429aea00ebcc786bb41b0d6c4d26d56cd3b88d886b0c0773d863094797334e72d770635ed29b98d4c8c7f0ec717a23a22adef705a1ccf46b3f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W95INF32.DLL

Filesize
4KB

MD5
4be7661c89897eaa9b28dae290c3922f

SHA1
4c9d25195093fea7c139167f0c5a40e13f3000f2

SHA256
e5e9f7c8dbd47134815e155ed1c7b261805eda6fddea6fa4ea78e0e4fb4f7fb5

SHA512
2035b0d35a5b72f5ea5d5d0d959e8c36fc7ac37def40fa8653c45a49434cbe5e1c73aaf144cbfbefc5f832e362b63d00fc3157ca8a1627c3c1494c13a308fc7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\andmoipa.ttf

Filesize
29KB

MD5
c3e8aeabd1b692a9a6c5246f8dcaa7c9

SHA1
4567ea5044a3cef9cb803210a70866d83535ed31

SHA256
38ae07eeb7909bda291d302848b8fe5f11849cf0d597f0e5b300bfed465aed4e

SHA512
f74218681bd9d526b68876331b22080f30507898b6a6ebdf173490ca84b696f06f4c97f894cb6052e926b1eee4b28264db1ead28f3bc9f627b4569c1ddcd2d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.dll

Filesize
1.2MB

MD5
ed98e67fa8cc190aad0757cd620e6b77

SHA1
0317b10cdb8ac080ba2919e2c04058f1b6f2f94d

SHA256
e0beb19c3536561f603474e3d5e3c3dff341745d317bc4d1463e2abf182bb18d

SHA512
ec9c3a71ca9324644d4a2d458e9ba86f90deb9137d0a35793e0932c2aa297877ed7f1ab75729fda96690914e047f1336f100b6809cbc7a33baa1391ed588d7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.hlp

Filesize
11KB

MD5
80d09149ca264c93e7d810aac6411d1d

SHA1
96e8ddc1d257097991f9cc9aaf38c77add3d6118

SHA256
382d745e10944b507a8d9c69ae2e4affd4acf045729a19ac143fa8d9613ccb42

SHA512
8813303cd6559e2cc726921838293377e84f9b5902603dac69d93e217ff3153b82b241d51d15808641b5c4fb99613b83912e9deda9d787b4c8ccfbd6afa56bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.inf

Filesize
2KB

MD5
0a250bb34cfa851e3dd1804251c93f25

SHA1
c10e47a593c37dbb7226f65ad490ff65d9c73a34

SHA256
85189df1c141ef5d86c93b1142e65bf03db126d12d24e18b93dd4cc9f3e438ae

SHA512
8e056f4aa718221afab91c4307ff87db611faa51149310d990db296f979842d57c0653cb23d53fea54a69c99c4e5087a2eb37daa794ba62e6f08a8da41255795

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tvenuax.dll

Filesize
40KB

MD5
1587bf2e99abeeae856f33bf98d3512e

SHA1
aa0f2a25fa5fc9edb4124e9aa906a52eb787bea9

SHA256
c9106198ecbd3a9cab8c2feff07f16d6bb1adfa19550148fc96076f0f28a37b0

SHA512
43161c65f2838aa0e8a9be5f3f73d4a6c78ad8605a6503aae16147a73f63fe985b17c17aedc3a4d0010d5216e04800d749b2625182acc84b905c344f0409765a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD9C5.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-26962

Filesize
4.4MB

MD5
6a4853cd0584dc90067e15afb43c4962

SHA1
ae59bbb123e98dc8379d08887f83d7e52b1b47fc

SHA256
ccb9502bf8ba5becf8b758ca04a5625c30b79e2d10d2677cc43ae4253e1288ec

SHA512
feb223e0de9bd64e32dc4f3227e175b58196b5e614bca8c2df0bbca2442a564e39d66bcd465154149dc7ebbd3e1ca644ed09d9a9174b52236c76e7388cb9d996

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-2995

Filesize
1.1MB

MD5
f0a661d33aac3a3ce0c38c89bec52f89

SHA1
709d6465793675208f22f779f9e070ed31d81e61

SHA256
c20e78ce9028299d566684d35b1230d055e5ea0e9b94d0aff58f650e0468778a

SHA512
57cdb3c38f2e90d03e6dc1f9d8d1131d40d3919f390bb1783343c82465461319e70483dc3cd3efdbd9a62dfc88d74fc706f05d760ffd8506b16fd7686e414443

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Filesize
15.9MB

MD5
0f743287c9911b4b1c726c7c7edcaf7d

SHA1
9760579e73095455fcbaddfe1e7e98a2bb28bfe0

SHA256
716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac

SHA512
2a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
311B

MD5
0d75308d394d1c5b296f76265f9276dc

SHA1
06e785f45f346f84a9a7a9cfd9c16afa0dde0c2e

SHA256
8f958c76724979b04baaddec5b38cef20446b73df645d2e383a7e896812782e3

SHA512
6aa59fba97099ee01914233af058e6b95d3e0368e5ad4bc9f4fb067be586d6a58dd040ee93baaca4a6e95fbc07376e14e21234033760b67a44032f8a81623c86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp

Filesize
26KB

MD5
5302672692e95e4668b520b07d1626d1

SHA1
588928e2eaf5c936c1633ef6a37a4936085a5801

SHA256
3e6c43b0b93c42a1f68a8d079760773facf16990b92a22591ce65abb3138b892

SHA512
fe1333a54c9388faf425bb4acc0178bb6639f5acde2b93e5131edcecc88d8b8b2f99bfa617de791b416ee5848afab243f031db8ea3c2d0389eafb14e5085c82f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
18KB

MD5
e1f4195737e1e4a84cf9da1fc6d64b81

SHA1
4189d3fd841db594bfa5371d6c9f54c91c8f280f

SHA256
1481d20867d9c089c7857e02f6e0e0fad92fb35246144a367a2712684ad67646

SHA512
65132a377ff08e540332af777c457eda91ce68a4eca5f474076076d67ab0864aacf8e7b2ddfe0bebaf7c5975e9cc3797be75ea921e9cf60065a52ee37658fbe0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
deab03d191587dd69290f05ec8e5f90c

SHA1
02c317ae7f22c065684af62b251f9dbf75049e07

SHA256
b43628dfd6fef4761750719a0123198d83c1dda6f1858e49027751c010db0d19

SHA512
cd3f34301279005a5480e1ebc4966429a8ceb208059a1b9e373cb592d02291ff05db607e026368325ee5b5485bca2547406384c354f51a5cf57580a27a01e9df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
91869c1cad37fd2978f85e3ea625a510

SHA1
30489f0002ef766efa8f8a6582f0610c7b6ef558

SHA256
58a17b44c4a96f833b7996acfdd56e9e2212339fc25aa07399d8929564defc94

SHA512
f333f19b451e2cf79060e9bfefdfc8148a030bf0c1c8756323d0305528955fa513276120e3b281331cd5fdcfd5e30ff597237176eca64d40811e395752bf682d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
16fa4f0f02767e89463a00a0964f2f53

SHA1
914ff4d96085ee362ea6adc7e4cf6515d67f3b6f

SHA256
41ec84cfe6c38f0adcb3637ce1559d20ea88ecea042a60911ced735336995ad5

SHA512
18251eb7de788c568ca624e79cad7d7df143b51bfbcd54a99f94301897cdb86c11fdd1814f1d2e802675f1f778f8e35e008c49036d179a9d1155d84316c56958

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
18KB

MD5
56c5b01c5b81032f78857be1014afc39

SHA1
f45221ef7ccf4fe05849593f75f496ee0f65a7d5

SHA256
e10a625a3663ac7e80c26c0629263f8daee1abcb5b6f49dd794354f26120c11e

SHA512
4edf8083a24545101b0276eabd3b22ac32c0bfd332314f092d23176e133d4000d9f94a54583f4dd22607d86a49f2e7c7af71dbbada211a6be3f6e74193d961a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
13c1ea972bef5afd973281bb8ba9642a

SHA1
c12b3317b637037a70ffd7f8b093180c7beaaac8

SHA256
af36e90280bcf3c04363eb7a4de6aab5fe5a5c674c169b82136894ff7e5839f5

SHA512
eeb59fea9557fa123c1fbd32ea779568e54e2a505c9a91456c396d3c45f5e2ebad6ce772f63bef72e10211ec8ef4be88a6b9cf8b3403ff3eaaf5b79142cc7ce8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
18KB

MD5
a5bd08be72a91edd91f30dc7d49166c4

SHA1
47a75c0c189c5f96ef6c7bd7982f575d54ea1661

SHA256
775d8f6ca7d16d75a0d5768508ddd367d842365533e1892dfb7783a4e2d438fd

SHA512
2ca31e13f2230afeff1686ca416ab39f223400ecfd59d57ec798e87788ddccb1a4c9bf0468390e8ec38da850efdb90572cbc1e924ede554d8c297048f4a2cf3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
debfe3fb41893a8c2ded769edecc8c87

SHA1
96970b4f66b2271a07ebce9ccf6be3d98692d91a

SHA256
49f908d6c1e0686693381caa64e8056eaeffa88a211ddf4986f1c5f6f526f64a

SHA512
65a7f5fd4612a02804c676de21153c2e8f5a266ba81dc22827848ab3461ef0d9ac96dcf1d624c3cce3c5aa9ae717c10a830c004aecedd5e0a0e1ce7c69687995

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\AlternateServices.bin

Filesize
11KB

MD5
b622c82a4f9dd5ad19dec096470fa889

SHA1
e4da0ff224dcc4e5c40bc1ff18c9817c0a891fa6

SHA256
962d040338e462f8cc939147b261b5ffd22f4a650a369ddef46e71d2122db57c

SHA512
54114117339045eaa0aa9cf655867ef6802778cfa3c8161d7816070aa6362954ae3c0c4a0b7dae812f916963cbf417ca19f840da627990e5c20f0466d7cbca24

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\AlternateServices.bin

Filesize
8KB

MD5
ea68da802ab5b9b86b07b1ac7014a681

SHA1
ffda57a2b08aa1470d28a282569c9dc567a75af8

SHA256
3ab8db10e5b99f8fae6c04f3712249d68bcacd8f66c0fd27607f8970fbd46212

SHA512
d5627fc48874865c7f3d06ad4f2878ca4ad8279ac8dd494804b042e48a610dcea440ea81279a97ce7be7add258c65280bee57f0e830ea90b1c3d60e9f0370ebe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\AlternateServices.bin

Filesize
8KB

MD5
5d55397cdfeeddef29e39b2692508302

SHA1
dfb6bd35b26f062354395b0f53bf0e9f0cee15e2

SHA256
5a9fbe0b40d6f8474c3187b727a576b46ae82221d22b714dab3949198fa3f998

SHA512
986eda1afc7733a48538c63f006f2eed2e587216ead670480d7a0d3ff4df24207ed7dc60219aefbe0d683715ba163a8b85e4f8d258ef7cf32f46207efd75fa53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
18KB

MD5
36729ecd1ee670e910386947f87a25ff

SHA1
7d1b9ab601f61edbe81b7922184c6b8ce146ec62

SHA256
3cce571f834737f440964d1e809468caaedf380075567b35c319fb6bfae65351

SHA512
283e8a0fced33aeb8c5fcde7345f0779b48b96ba2b91d0abb34bb91e64eee901941c4a5fccbdb5210ff68f4aa9b29be54dd3528cae9acc0338547c047beeff56

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
105KB

MD5
d211b6486f3748f8813adc17b7771ede

SHA1
d2ea7d9043f087feab8f006ff873db5fa8a16289

SHA256
421e2f824abf2ded348e8478c85fb0f8d2481080cb169d3c8a8ac99050eb3174

SHA512
bfe3103409de08d73864482178ee63398c93d836927385428ab2594fdebd3c737fcb59c4e1954f54a5ed9637847e219455656d4a7e3244dfe1d4c20e171a16db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
31b099908ebcac00e4c131669a0afb84

SHA1
fdfdb40eacc5fc7adc6cbc36e41bb54865b55b32

SHA256
24c00cf7637a6d75e49c37c62159ceb6adcf40c2b6634194b63cf09801aa631c

SHA512
e7f1abecb37ae3091e764b907c7a6840761b98771e761552df3474d739d33c0005a5dad57b1ff895bb51e69f0ee25b18e155aa6f821251fa4bb0ef3c011df20d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
105KB

MD5
a478e06798403996743eb30844a3e859

SHA1
7f295774940ccaf02792030b4c5267ddebcfc345

SHA256
b99d2bf228e38b76e8bc6e08e93d19c55faa24ea1e1df8157e716565435c6a7f

SHA512
09a32d55e562b2d65a1131e4bda19d57bca451d9032af01a5a943b8041d8411c3e84f7209af61a1d3bd96c3d7ed3891dcf981953ccbf0df4874103eae4d2ae1d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
59KB

MD5
0e40235c695e444748214df880e1dc48

SHA1
536dd8f5079d41acfd9fe494406746b20e3b7936

SHA256
15c8a69a05a187249c8084af8abf837e5cf140a0019f7f3c60e7b2eb1eb8bb59

SHA512
86577797173499da95c0cc3fa0566222782c860dd15f424f67f4b96d89b042882681472a72c42c515f6c16c0d09c0a71dc6a96a950370ab0c2c71c556fea707f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\events\events

Filesize
5KB

MD5
482c7fc7c46fd7f59627ffe6454ba45c

SHA1
e95c4aa49f7bce372da7fea1fa88cf308f1958ba

SHA256
0ae8e40c03ab9ce12102c77aca8a294dd099fbfe6a221dbd01f62f998949b0e5

SHA512
43ac2c411d8acfa0cc26bc8141a08f623e61a5d66762287b16135b734cf666581816cf8b4f283f4fe8090e9570c72f09aae43fb568f5992113df66511c337d55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\pending_pings\42ffc3f9-cbb4-408d-859c-d514fa55955c

Filesize
847B

MD5
c6971f3e61089252da89924893e2a58e

SHA1
53f68bbb9be3bf5f06b30d9877a7563ca0b4c724

SHA256
394013d8bb433146c159329d10ffb64289c0d39277ff4f05d226d309deb5dda4

SHA512
b64cc6346bbfa4971de2157159adb2639cad52f6fd8d5d098a3344639d468b80e72806f5159df14737a563a28dc1f4d24d46e9f1954bc5fd13fdfbac7fd19cbf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\pending_pings\57d14e85-056d-4216-891f-4b15a1ae7a0f

Filesize
671B

MD5
13f66712189e3e57a7e43a906b9555e2

SHA1
2f5111fca4eb5ca9c30e3ef9852fcd9e682e3222

SHA256
8d3ab71d8ef28b9c8d46fb28e07772929541bf68ac3e3f5354bcab85c28b424f

SHA512
952e47aa7d49339e50aee9facfff0344efc2528e2f968ea6a659f3bb3c2c4d1a3c48f8f92aab18ede43d7ff57dc64c7fbe991be495ade8e18b0cb5da28487807

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\pending_pings\a29643ed-b3d9-41bd-90a7-35c07baf3d1a

Filesize
26KB

MD5
5985bcc707106d705a9ff5e76d643d0d

SHA1
173097b8c0b96a8ba9ee08a6e12c7dbf6ef6e007

SHA256
007f405bf29cb2a5054b736a61e551af526e36a3f8b3ecabc0155a9f272198da

SHA512
dadcfb41410d81bdceba0ac5262edb9c314bca94f5ad275431721ca3c182c6b4fb65ae7ad15e5c41fdae2b861194f9d846b7870a12b21fcdc6b7c8a97b7aaa5f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\pending_pings\d807947f-48d5-4f42-a9e3-ff976d6c7a4a

Filesize
982B

MD5
3bb082e6185e163f427c8d08bacdaae7

SHA1
8e2c9a1e431445a0dc60d0a4e50554d10707f6bb

SHA256
be70484a5ea7f9ddf1be6d47d29565006ab8647ba5c7de0c579618a85559d14b

SHA512
9ba757b5db5a5bca2e8cda28694e81ebc4886d8cdbb99c7c096233f73a2aa14dd86f43e9a448d7e2b7ca7f0f1fc14fbb5b38450675d5b14ee7781c95dbd4bbda

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\pending_pings\ea396c31-051a-4505-8312-5036319e04a3

Filesize
10KB

MD5
6e45aa8ccd60e66193c88f215acf7498

SHA1
7378b3ab8cfce2617cd30ce32246b2672b36822a

SHA256
04242cc9a33a8044b24fd2389ea9feb498920be1e11ce5eaa3730b49fdfa2377

SHA512
c338efdb488d2f561124207ec8d5ffaa1541e9af08b882aae540c4391026b969d9fae97fe63a7e29ce05861284704cf185f3e495b26ac518a2b70a9318817817

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\prefs-1.js

Filesize
13KB

MD5
cdf633bf0ff46662bd0ebe733873f2b0

SHA1
af544d7beff9770b825ea178de38796de4eb2dae

SHA256
1720935ff515730310f869cda7ece4169ca56b9297004274d55cf7e910654465

SHA512
d69862c981cfe74ed01a6df219169ab47f2c4c3ece1bcb9b0b902ae18e612ab8e427288361c22c6d997556c18b1e9e4259a59b524e62586b3b8a3f712cc9a977

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\prefs-1.js

Filesize
13KB

MD5
5c87451fdddfc89c96ae89eecf3173a2

SHA1
1fe279d4e1f744c8d036462349ef885edd900c91

SHA256
972d896ddfc0e385a7855e10080b17a89b63a96b29d1102b81d7964b8584a437

SHA512
4867b64282e3f2149e42f7ad24e5d497d7aa27f9a0d9019a00d9c96300c10235e1ef9249a3e711145c60e1285572b21998fae792be63ca24a3f2ec1bcca14f49

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\prefs-1.js

Filesize
13KB

MD5
f6c4fc20c3c488200e02e472188a6356

SHA1
8429d910e23fd68318c4f8b09d91e5646d6a14a3

SHA256
b86a1fe518ee4b840b11a97c1cd2af065baee6a081d77e24c4634b9f8e846bdc

SHA512
29683e74c801526ae54183cd9c0426eebf516a92f37bae9eea85b480537be9d92530f58ec8460d275cce0635bdce9c63c7fe8ebb92c49aefc506f8746680ae30

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\prefs-1.js

Filesize
11KB

MD5
1da6468a0b1603247fa1ce2e3fb31af8

SHA1
a90a0032a8de9e65b132926fd66a2608e729cbb4

SHA256
e4e940eb02b2837ca0af305c30a1a08fb1e68e6be618f2c24c224e353a9e2b39

SHA512
8392db09b7636d55b415897bcf21f1c1e6f08bab285c9b6ae8519fbb3d161c630838df8b9520248955ab99747d4ba3ddf7516555477ad5472a90fcd0062670ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\prefs.js

Filesize
13KB

MD5
229937927e14181fc2b8f58811cccd43

SHA1
84e88f5e708beb762f4affd388395ef00e6b4876

SHA256
557dfd6ea07a6b03fafa4020f75202a914ef9aa181db23111ff88c157c44c2b5

SHA512
5cd99cf5aaa102df03752c7a54ec69576bdd98e482933bf933444958a68345110f467628482930e831ae93a675f6ec6e7ea14364a66ca64e443c0f503b7732fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\prefs.js

Filesize
13KB

MD5
94af69ba622e8989af7f79939fe4af6f

SHA1
a0d9cd7f7460464bc8ac82448d88cb5bb47e3788

SHA256
79e8305790db41880c6b0469de6de9bd516d9c92f2ed1936828c52568b895d19

SHA512
6cd5b05e1497fc63fb0c32f18215cc2fd54efe35bec668d9b8df80ac260318023de06ff32e6c579139e9d0801252a7fcf81564bd56319ca44e3f873d48739d07

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\prefs.js

Filesize
13KB

MD5
cf7bd95f4ae1191e0dfe3f9f3c42dd8c

SHA1
c729f63a989bf643cd333a56b08c6b5aedaace04

SHA256
51d821affce053067e876572f67b6692b05499d9be0c87198b6af0ec268fb2ad

SHA512
763dc086c4ffaa13a3f93cb42284e64ad3f0ae939d95d6c5ed9020c3cb9190997f44dbf9398d4b18051f5e6acb9a1c90e8df5cfcf7726854c5d8b8709aa03c4e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionCheckpoints.json.tmp

Filesize
228B

MD5
66bdbb6de2094027600e5df8fbbf28f4

SHA1
ce033f719ebce89ac8e5c6f0c9fed58c52eca985

SHA256
df49028535e3efe4ed524570624866cca8152de6b0069ebb25580fce27dccebc

SHA512
18782069ef647653df0b91cb13ba13174a09ce2a201e8f4adfb7b145baf6c3a9246ef74bdad0774a3023ec5b8b67aba320641e11dd4b8a195e1c2b448202a660

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
f32f0f173c0186f767d26f6ed64d6984

SHA1
79df1af76b1e05141adcc4ae4701f668e647d7e2

SHA256
d0a266fc123d9ee3f2c58cae19576d6cf59e363eb7ed22099dce5f5cb8f69287

SHA512
181acd8426830f8a40df85eb6f8789326447dc62a6bc7f518e56e1e72b8f099762526386489c94fa00b64f13c1d3b5bb810505386a9e28d4acee95a5913cd57b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
82061f6c65bb63ba7fd2e24817d2d631

SHA1
847fbc88901bac3a1a56febc57f96b989d8ea5b0

SHA256
e500267c3dcc826d7077f072f80bfd027da00b45c95c40c4c99ad4ace74a2c59

SHA512
fee772e2708ac13272a7861cbeaac810a7e40d85e666c355b508158320e57f1b77debc06c212a37e4c3fd7a1713a7ec52ee846b6cc3153f884df4f2b92d53563

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
9530a1c6462fe5193869e45d17263aa3

SHA1
86149ae1e046679a5a237d039dbd542b3f93868c

SHA256
5b1f4d9ad34cdfa66b86853ae2e9f217a74422b6f520caf0ff80aef1e20ae07e

SHA512
5a49339a6808aefcd65d5c24a08e6052ce20e6b14544a93035e6135c2c9859254ab727e155132313b330eaeaea9c05867d6d11e419c2e719482474b277a1e2d7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
54bcfcc998036aa9db8857d39807bac6

SHA1
0212b480de29424dda101cd241e0e3fee10ea670

SHA256
95b3049063bd753349546943420fb47e7228a9b49a53692d549781fa840f7eeb

SHA512
1e1cd2f9af6d34fad2d789d6c952e7e91dbac18dc9fff5f12fa0c273a4e17bc231d91d5ba9e8bf9474011ecfed55d9e79c917104fea97cd1c8ae42d5b3e3fbf1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
2d1e4de0cf14cddaa2415507e9cea1d6

SHA1
0be29a8aa83c235888dd88a3a0183454077c9cf4

SHA256
5571f5161b33457ef3a5b5313270c55366c032c3a1d88224bc90d265fc0cb09c

SHA512
862bf6085e916dab883b3ec67b44f11bd4b3fb764036c9a4ca300e670b458800d1f678ea9f237cfa3dc3baae9b972a1d272237dc14949f0ebcc3436fdbf99ff1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
a3bc95e1abdb6c482c6d6622f1a748e9

SHA1
e1917d4dd8c879117200dc8638d6f4156aa61f70

SHA256
d78cb3a3f37677081950bdffbe03aaa3dc571a61b525e235b7f810819fb77480

SHA512
b5692fc610c1982e16cc65d33cd26430ec6e1b3ddbd2b859074bcb4634526d8c01cdf5c005901cd5ebffb12369548b6b5bef6f35f8549ec176a0c12864616445

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
3975df0dddc858ff1d61dc15c38bb31f

SHA1
9b7d4a3ee95b2ffeb96be4520fef73985dc5e850

SHA256
392db2dee808c3864d4d6dee6f3bd247fee2c9c69c8dee4767c5cb8cf18b1237

SHA512
f61effbdd0db31d1855d1169768b10f092e5aa1fec4d8462fc67278308ffc659ed0d2e567c4c16bd1341d5d749ecd3d043f46965e069e0fb8ddabf0978c5ab38

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
fb91021e5dafec240bdd492bddb657e1

SHA1
94ddcefee5f1f384124046560edf683213079454

SHA256
0bb5bc7b5f4ddbc0395f0df142b01c3f8f6237d33521a95bab17994d1df82e3b

SHA512
dd304e8e5d7ddb22aac6c5ceec3a8c8ec68b1ccc81a2c66a1cbf967db7f63356baccc55234bb5ca9ceb2b6c008a3c4349d02c62182f120c17f6831ecbb1a1065

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
3ed41a133071cfcc5aebbb2e05478e38

SHA1
30fd7fc7813779f6b3d63c4f4310695d44f92505

SHA256
aaceee8cc0cbee20a0ce2e19e34a39624eba79a8882ee4ccb996c48ace7cf50e

SHA512
e2c4b2e12b123fa5e0811a798865d708bcfb816aa2be13e7238a89c0115ad630b3ddc1651ceb7f17f75d6569b356cf9e7c43d84f0584f42c12382b9fd4af8ec4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
61921b01b294c74268464a02775e1353

SHA1
6879b7dacae77c385878cf72850e3d753cf89737

SHA256
dbdf4b7f722a0208fc49046f242cd20ec214dff579f0ab0a26d400411e3f1d07

SHA512
5d016fabd2e88e56c1b8868941c217519c249da4f7b447580a427223d7ad5dbd41bebc4386d00e101b9cbab53ac1378020fa31bf8b588f21e951af4140410170

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
65a3161f171c9ae241efd82dba88ae4c

SHA1
4ded703ef005fc9596b6ca88cd18d3c8b57a543f

SHA256
4855a58c575aae10bd7722e6200933c8f9c0386769d28e1c9d0b8ac0826898d3

SHA512
bb318fed4bb05d046282eace53753c29b4acfcf28dcb49faeb41e015e7641e36ac9ad8f8e1e53e52036f162608a4fb2245373304e1ec7d21bf80c3f7d334b7e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
06ea8cb0cc2cbac375e64cf5ef9d9e5e

SHA1
1a3690cd29794ac51743ab90b4de9d3d76ccc5dc

SHA256
e643c7a3d39e62804d1dee63995978e564e22154d9e5ed0f59a8b0a603bc92fb

SHA512
a399a7a5f541821ee1a76568dd4f6f1005cc27c72de2298c542a9c2ee202bcb3025e4b66fe05c9968e3e70a5a46e10314f4292ec7f9b9344a7df8619eec1b76f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
ddc55ce31f03d43b7201a852ccee4ff5

SHA1
255e02650779fddb3f57c174bb0a812f764096ba

SHA256
8f348b9f9a558f14905a5471147ce2e44bb6e6daf97ebb4e6e40e4f8e3580e07

SHA512
abae0576c52e6d9561e7015c65cbb398a1b3acbce5c063beb988024098e82d7d8b6a93d3a1e4451a1ead8d97a5c4d2371516575fb7b9d3ad9da9bfe08e92013a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
5e01aada6040f26f5ce10afa7a4b2ea3

SHA1
5c57a7929b907048358927a0d1f28c043bd6cde5

SHA256
6e33cd7f57cb5b806eb0158db8e5021e82a3821b0e8232709450306bfd97b689

SHA512
7f04084cca466da20b1bcf5a436114df49f05e6cb6163a785ead4a1fd984c339fc95875e439b5c53bfdd241f8332280da1e806238738fa310c20b527a15ee362

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
9bd80ff9c596105fa50d6dc7799f5489

SHA1
90b10ea2e3d6fbcc3457be42ae6c29937de14df5

SHA256
7da7fa35d704a8ec485f471c5ac443faaada584a3ed75e42ba42ea17a8643ad0

SHA512
1c72b1ec9d62be5592f2d0450e771a57ffc3bc638602bee7012108e9079719fd4633186794413754c36cbb02b2e599ee81178fd7836f47c37d7026a507fa4f59

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
6c79999d3839ada7357889577e074d9e

SHA1
48ffe0d8ec7c64df830b5c651dc1ca8b950b54d9

SHA256
fafd876fa8bd506e6c9646e4446f83e33ad34580f720b831fab3e5e975352af2

SHA512
2f63bf2532d31defff43f6e9d7e039fe4b79bca6f12d70ac3e5b5b48a8e2d7b59eaaf044ab5fc08ed1cf5febc6e70971e26ec42c7ebb8edefb446fe00127d83a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
11KB

MD5
9536f99548702ad77caf30c69c7f00c3

SHA1
d07adaeb0446afc20475ee3dd87575d5307acb62

SHA256
2159a869a57e3503ee1e17ec4b1a88f58f8195bd1a6df331515bf747d2841b7e

SHA512
391337529786fadea222ad7f68fd79f25fe4d127989ff22b8226fc3c9eccdfb588b9dbd117976e5c6be1549890fec989efc9004ebec2dc356d514cbb2751aa72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
23KB

MD5
56e12ffa430d306b78df9196fc709eae

SHA1
f8186bd422a1627c9dd82d3d79136a46d335f24b

SHA256
f46364b223a47d83ac946b32ceef4d241944c8be8bacce5529077441d99f9a73

SHA512
fa541ac11cb3b5900d041f5aa96040ca9f8bc988aef3580aca0834254f9111f47c727f1101d74ce212cd846220c7ea85ac27b5ed25aabaaf15bc728067a5c8ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
13KB

MD5
4681e50f3262046a45febb58748ed2a1

SHA1
e57df1352ea3487f3b4f44c4606f193bcba79aa7

SHA256
df17dd41a90eb17e7e078e61b13fd276a3beeb2604075eb0246921afb1f4748a

SHA512
b6893e0f1895714f7fea05c5ded080fd8c011e87c2519aeec36c8164a54fff1d9244aa41fdc2b54ced2d2398faad3109d485c09cabb0933f7f140f99eb4e1d12

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
6ba772df8be6d0e0f5886beadaa4b7e4

SHA1
0213281fe69a223408a1317d7445b99133e45a3f

SHA256
38f930dce0cad9af403feb32719cce5a1994fe40e365bc8e4a9b545d2d16fa30

SHA512
0398e9a836c239db66393717afb62d959c73d12f2252ca0e8bc6b2ef561ddc413ea27547495ca3341a5cc20db522e245df6b9505c28e8d76e46ea670252a5bca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
a125eba87ca3652f72124d8c6767e9b6

SHA1
78049271112655640f1d1d7d746dd49341dd3e08

SHA256
31a516f792405077c75dbef91fd79eb5dab5f455c09f0e4bbd3044f91bd821c5

SHA512
283ba833d31fb6e81eff4fabf62a19b48db2f60c552a9a99ceb84a5f8285c5d3e6c1edb8986990fee55987c8ea1e9e92b3ff6e2b6061f45b2510bfcd34f120f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
11KB

MD5
df27821c680100a86238d199f68af1a7

SHA1
a1667edcf0c510d1fa4ec4f0b2f358be462cc0d9

SHA256
ede98ba4d1dc6513dbdc799c9304114699851b865f7e9d0ade7986f7e8310898

SHA512
a5fbfc8a75cd429717e3a2cbf9ff9b94a78641d659f08f21f0adbec50b66f30f99756547053896fac36ab46dbd372f506340832281d2608082752bdde28dd22b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
ac84c0f51eab8e02cf0a388b792b44e1

SHA1
e55f77faf4bfcc745720341840c0a3b853dc3c03

SHA256
ed6d41bdec0da8600954f29a4aa1d98ac72c93ff4589c02fb297f0072406bca2

SHA512
8415df05fd577f791a02db3e12bec45be7cfe24f75931f11334fe3b8a3d5ed52b8fb080c4f44a97e0fb35542638556d70bcfc636b1a5af01fbe2c705be3baebd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
c6e71468b9f96e1919cf9269e9743e6d

SHA1
8d77ac0f7cb6f91dbc321fc3004f7ffb593cf079

SHA256
aed534d169fca5d2edbe50a63c78a8bcb257c8edbfbc2a0b0ffa02d2bfc8505a

SHA512
d10b28ebca8e4646e49a2c0375f646553bcff4af4d7f677f64190ba1864de5fe0ac8e0798eeff002283cb6d7be704370e71b90b21615ec20bf9d91ff6a2ecf1e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
15KB

MD5
d094cac5b3881a689861707044bf772b

SHA1
6f87a1a26eed9a17befc3c12a8c875520a64ba5c

SHA256
582c86f2e6d1641ad0d71e67552d74a5270f20e6146f8f134844deca1c1c803e

SHA512
b6e198fee7c2764e858e836adb674cc289869ee79a8f1df20066ac33875cb20955c63996bb252e77f7d8c372c6e03a8cd29eec803a15860726da92830f6c6987

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
9e9b32c0456a9f5c8bed356954070988

SHA1
9e0f62ed210c375ffbcf4f9af0fb47c83241698f

SHA256
61e03ecd1bdf5883997f89fd4718e4c480941e171e47adf978c0e16ca44fef09

SHA512
c4bf85fbd2c298d2a6d3db645b0abf66c2c905f395dd7686310dde4ad1e885c3e8f5017e507f16229eb35ff9d5b468ce016280fec6453dd464369870475a874c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
15KB

MD5
d8de589c3a6ea3bb07930926f72ff78e

SHA1
39c80cd18856791153e57c187432b2b567080b53

SHA256
b3a2a181186d2f9fbb8806b94404faf524076c670656176f3103a49664171fdb

SHA512
c5b64366ba25b40299d141786a9e50140fa9dc492bea73b07ad64e40b81b5186000fb23c1616c302cb53a85e33d657dcf3adf587270ac2b3aa339c618e3abbb1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
43c4a488ffa1d3bc6dac4c8257a0a5f8

SHA1
1777045a366e43fc9001c37a34c30ae332f1cb8e

SHA256
da442e8aeef5f2f7ccc30f679a3dd2f78e8347291e59c7a06a3f52df469331e0

SHA512
8619c388582693291ad6e024def85f2ff4f5b0814cdca12e25ec8c238709502ff51208f083773c17ffdfbeb55fefd983cbf6ea034a4453465c1b3de1cc72837d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
29KB

MD5
b620a7f561f58e1fbf9b41a13bdb7b4f

SHA1
62acadfe75ba3b5b0df8b555b4baa5fb7b73ebdb

SHA256
1dae824f35b4e2a52d07ce47230ec7b3eca73fb21caa23a8540d861f409ea928

SHA512
5fcb67950ac03aa55bf2060744ce9b436c801b50d4298e8c5d072b464bd876f6db0d0c48b55545db6de7aab437104916a4a3980098b8d4646089de563cb29fc4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
12KB

MD5
afd67af5216496c38d0c7a93cf4a3581

SHA1
bacfd62f5f023e376647dcaa24a39d01391a6580

SHA256
30cd214aadffc6dcfee3fcdb28848bf5705e3def686b3f79304577682b26aac8

SHA512
438e3f2b75db98b3095f3471dc31649b9e6b44a8d594f697576ad004230fdd09e53b61825dfc909c1abf021097550f96bc2a433b20f971171c72f76a19f7ad50

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
68e095edb2598e860d2c824bb4930c97

SHA1
29e36e8b797227c201e1272e71d526e64b18014f

SHA256
125b0b6b07d9a5ab06d9d1c09fe70de8b4510a5d9664e25c47db8ebc6ab0604b

SHA512
09294bd4da65ecd802921f5d0dbd97a0b9836eb1493b395d8205c9d04d45a3f0b1b2b5eb3ce530c4c83546d46fd16db3b9c96bb7bfb5fb307cff8bc40408cdcc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
98e06d35218cc1f9db6ac3ee06043e76

SHA1
a5a69bf980eba92268a4ba9fe0fff66ae21b8199

SHA256
5526686b3d49afe55e8ffaf6682f49fb632e0e8f40e678ccbf8a0f4c40ec619b

SHA512
abbd2bde11da24fce62edefc374e5f6c4cb09b12093354ac37b268a78f2b6e92276dea84d94845b882a2ff8fbde02b06e3405e6b683bd723bf157a3ac797c5e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
15KB

MD5
7ba1d3a62109caa381a7fc506f3a3153

SHA1
bc4d21cadd6f7dc24be33fd38a976078fd43483f

SHA256
deb22b3b90c14e23ae8376effd1f2493b33fed492defa998f1c5b3829626669d

SHA512
e0e31d91479271b3699a8e6436aaa92612246a7531aa16eb9dabcd7dbab09b2a3f285f5bbf3a8fda352d37f06d131d4f6e1f11d798eb1878e5a1dcd70b693def

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
831d216ff7ab90b90290d4747b7d1ae3

SHA1
139f92ed766e796c88e8b99267aabafb18db86a5

SHA256
aa4bd9c10802a87bc290af0d922bb3c98465d45437bb1e8f07d48a361b22b343

SHA512
88afb1adf7885ab9f7dc6a27dcb216522b5ae3bc9dd5019f12c9ea71202de8188788eabb7d1f70f844ffceec8dd1c5f136b16f55b0a28c1df5e577ef90484ce9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
15KB

MD5
12cfc2281321e7da0f9e99727a19abd2

SHA1
fce82d00fbc80a3bb63db9a7c9e244515e2f6ebd

SHA256
0933f955cc268e335f84cd4327f15ad893364645e9e7c6380de4ed800214d426

SHA512
e72a37c8324e44b5cc7797e1aae258337417d8c01c469b776563ff82a7fd6c2cdac1064098020066d01656bc996d4898b2076c3bc9647ae8ef1fb85f18c46a11

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
30KB

MD5
b37141977ed6abf14a8b6a178c75b160

SHA1
ae8a0c91a87b9aa3a24d1da1276395f25a782559

SHA256
b28c665809810578e1df3cff87c025a0cce90dac891dc9183c2d65a0d606ed35

SHA512
866e5e33519499e4a1b9c83f1bb03a6db093240b6343711d81b89f545d29e084ab0eec5e51849faba942a94deff1edd8ab7f406eb5c731255607449fcb8ab36f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
568KB

MD5
631c6153e00bceef24149099c316bb19

SHA1
96cffab42ae17545dd3480aeae20ef0607367c8e

SHA256
2e0c6d33fd0592654585ff4d7636e82c2f70539439a89da1caeb1296b9225899

SHA512
3729378966a2aa84ec94403e357ec2b14511ab28af44de7fa856c4d36b10b9b8daf293410b22abbfe0551254ec3c64602c4a9e4d03f2c101f64cfc9303d47b5a

Download Submit
C:\Users\Admin\Desktop\BonziBuddy2.lnk

Filesize
1KB

MD5
33257011e2cbf86f2c42d626227523e6

SHA1
79a82fb8e059ea7383c0456a8d12dfd7394087f5

SHA256
2cd18f4fb312df70b8bd19ef52d09405d42d9655f70eab8879b7a5776ff277e6

SHA512
df7b2e5d24eee1d8ad736b62d58d39646e4ade3b88d4a429837693ea3ddea9151324fa25310d90197049ba2d7cc4a761f9fc1db0cdf49bb77a41b1a318ea538a

Download Submit
C:\Users\Admin\Desktop\BonziBuddy3.lnk

Filesize
1KB

MD5
16503d1ca9a55462f197fe0e580eb06b

SHA1
df2f5f271bb335d04914d9b69d9c87fcad2089a3

SHA256
edc11a75c0938abf6b1689c4b5fc39d5d596ad495e34e5565fef90f64bd1fb83

SHA512
ec09f01697935619dd619bb48305676b3722341b5f5d38470930f1007a3490f01fc67023b1b5c6ffd3efc4eab497fd56f31e093ecaccd2fc518edbf31287a101

Download Submit
C:\Users\Admin\Desktop\BonziBuddy4.lnk

Filesize
1KB

MD5
86220b6a9c2391eb9b376d2448cd22ec

SHA1
f9c1007ea2b0cbe7065f58fb7fbdef009e043a9c

SHA256
d870e94e9a92e982b6852df7cfe95a510dd4af63c9cc7970c916242f6ff5196c

SHA512
b227ce42d7fa9262d63ccd4e1f5cdc1eab6a2b8f0cf542c459de183daf77e7b188493791fe9ca9d2adb1bfd4e2bb16c48000cb5de82fb848476df130118e76c2

Download Submit
C:\Users\Admin\Downloads\$uckyLocker.exe

Filesize
414KB

MD5
c850f942ccf6e45230169cc4bd9eb5c8

SHA1
51c647e2b150e781bd1910cac4061a2cee1daf89

SHA256
86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f

SHA512
2b3890241b8c8690aab0aed347daa778aba20f29f76e8b79b02953b6252324317520b91ea60d3ef73e42ad403f7a6e0e3f2a057799f21ed447dae7096b2f47d9

Download Submit
C:\Users\Admin\Downloads\8Y2w6FX-.exe.part

Filesize
2KB

MD5
a56d479405b23976f162f3a4a74e48aa

SHA1
f4f433b3f56315e1d469148bdfd835469526262f

SHA256
17d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23

SHA512
f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a

Download Submit
C:\Users\Admin\Downloads\Annabelle(5).exe.ANNABELLE

Filesize
15.9MB

MD5
b429600464ab2475f871129aae4303a8

SHA1
8040d1dfbc29194b491f2dcc505c4590299d8680

SHA256
e7295f1b2e60cb142eef3be1c85d29d6259fe9d7f314ab81c58deb40d0e77a56

SHA512
4ab197e831e142db89e0aa95b40fbde7f66c0c83da36ae8dba31325da5bb4eaab8b446063a547b81907581e370d80c43c9b8c54f21a5b8f949615ccc07be71fc

Download Submit
C:\Users\Admin\Downloads\Avoid.exe

Filesize
248KB

MD5
20d2c71d6d9daf4499ffc4a5d164f1c3

SHA1
38e5dcd93f25386d05a34a5b26d3fba1bf02f7c8

SHA256
3ac8cc58dcbceaec3dab046aea050357e0e2248d30b0804c738c9a5b037c220d

SHA512
8ffd56fb3538eb60da2dde9e3d6eee0dac8419c61532e9127f47c4351b6e53e01143af92b2e26b521e23cdbbf15d7a358d3757431e572e37a1eede57c7d39704

Download Submit
C:\Users\Admin\Downloads\BadRabbit.exe

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\Downloads\Bonzi.eRrbqPD3.zip.part

Filesize
49.8MB

MD5
65259c11e1ff8d040f9ec58524a47f02

SHA1
2d5a24f7cadd10140dd6d3dd0dc6d0f02c2d40fd

SHA256
755bd7f1fc6e93c3a69a1125dd74735895bdbac9b7cabad0506195a066bdde42

SHA512
37096eeb1ab0e11466c084a9ce78057e250f856b919cb9ef3920dad29b2bb2292daabbee15c64dc7bc2a48dd930a52a2fb9294943da2c1c3692863cec2bae03d

Download Submit
C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier

Filesize
50B

MD5
dce5191790621b5e424478ca69c47f55

SHA1
ae356a67d337afa5933e3e679e84854deeace048

SHA256
86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8

SHA512
a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641

Download Submit
C:\Users\Admin\Downloads\Flasher.exe

Filesize
246KB

MD5
9254ca1da9ff8ad492ca5fa06ca181c6

SHA1
70fa62e6232eae52467d29cf1c1dacb8a7aeab90

SHA256
30676ad5dc94c3fec3d77d87439b2bf0a1aaa7f01900b68002a06f11caee9ce6

SHA512
a84fbbdea4e743f3e41878b9cf6db219778f1479aa478100718af9fc8d7620fc7a3295507e11df39c7863cb896f946514e50368db480796b6603c8de5580685a

Download Submit
C:\Users\Admin\Downloads\Melting.exe

Filesize
12KB

MD5
833619a4c9e8c808f092bf477af62618

SHA1
b4a0efa26f790e991cb17542c8e6aeb5030d1ebf

SHA256
92a284981c7ca33f1af45ce61738479fbcbb5a4111f5498e2cb54931c8a36c76

SHA512
4f231fc16339d568b5cf9353133aeae835eb262dab68bc80d92f37b43df64dce4fae0e913cbaa3bb61351a759aeecf9d280bc5779b0853c980559a654d6cca11

Download Submit
C:\Users\Admin\Downloads\Ransomware-Samples-main.gqQ2jeze.zip.part

Filesize
15.1MB

MD5
e88a0140466c45348c7b482bb3e103df

SHA1
c59741da45f77ed2350c72055c7b3d96afd4bfc1

SHA256
bab1853454ca6fdd3acd471254101db1b805b601e309a49ec7b4b1fbcfc47ad7

SHA512
2dc9682f4fb6ea520acc505bdbe7671ab7251bf9abd25a5275f0c543a6157d7fa5325b9dce6245e035641ab831d646f0e14f6649f9464f5e97431ab1bf7da431

Download Submit
C:\Users\Admin\Downloads\WinNuke.98.exe

Filesize
32KB

MD5
eb9324121994e5e41f1738b5af8944b1

SHA1
aa63c521b64602fa9c3a73dadd412fdaf181b690

SHA256
2f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a

SHA512
7f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2

Download Submit
C:\Users\Admin\Downloads\_7VbV5Vc.com.part

Filesize
4KB

MD5
93ceffafe7bb69ec3f9b4a90908ece46

SHA1
14c85fa8930f8bfbe1f9102a10f4b03d24a16d02

SHA256
b87b48dcbf779b06c6ca6491cd31328cf840578d29a6327b7a44f9043ce1eb07

SHA512
c1cb5f15e2487f42d57ae0fa340e29c677fe24b44c945615ef617d77c2737ce4227d5a571547714973d263ed0a69c8893b6c51e89409261cdbedff612339d144

Download Submit
C:\Users\Admin\Downloads\ln8TZO7y.doc.part

Filesize
40KB

MD5
4b68fdec8e89b3983ceb5190a2924003

SHA1
45588547dc335d87ea5768512b9f3fc72ffd84a3

SHA256
554701bc874da646285689df79e5002b3b1a1f76daf705bea9586640026697ca

SHA512
b2205ad850301f179a078219c6ce29da82f8259f4ec05d980c210718551de916df52c314cb3963f3dd99dcfb9de188bd1c7c9ee310662ece426706493500036f

Download Submit
C:\Users\Admin\Downloads\mb5lDNFG.exe.part

Filesize
141KB

MD5
de8d08a3018dfe8fd04ed525d30bb612

SHA1
a65d97c20e777d04fb4f3c465b82e8c456edba24

SHA256
2ae0c4a5f1fedf964e2f8a486bf0ee5d1816aac30c889458a9ac113d13b50ceb

SHA512
cc4bbf71024732addda3a30a511ce33ce41cbed2d507dfc7391e8367ddf9a5c4906a57bf8310e3f6535646f6d365835c7e49b95584d1114faf2738dcb1eb451a

Download Submit
C:\Users\Admin\Downloads\x15cxyvt.exe.part

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
C:\Windows\msagent\chars\Bonzi.acs

Filesize
5.0MB

MD5
1fd2907e2c74c9a908e2af5f948006b5

SHA1
a390e9133bfd0d55ffda07d4714af538b6d50d3d

SHA256
f3d4425238b5f68b4d41ed5be271d2f4118a245baf808a62dc1a9e6e619b2f95

SHA512
8eede3e5e52209b8703706a3e3e63230ba01975348dcdc94ef87f91d7c833a505b177139683ca7a22d8082e72e961e823bc3ad1a84ab9c371f5111f530807171

Download Submit
C:\Windows\msagent\chars\Peedy.acs

Filesize
4.0MB

MD5
49654a47fadfd39414ddc654da7e3879

SHA1
9248c10cef8b54a1d8665dfc6067253b507b73ad

SHA256
b8112187525051bfade06cb678390d52c79555c960202cc5bbf5901fbc0853c5

SHA512
fa9cab60fadd13118bf8cb2005d186eb8fa43707cb983267a314116129371d1400b95d03fbf14dfdaba8266950a90224192e40555d910cf8a3afa4aaf4a8a32f

Download Submit
memory/200-3015-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3364-5557-0x0000000001000000-0x0000000001026000-memory.dmp

Filesize
152KB

Download
memory/3492-4267-0x000001F0FE240000-0x000001F0FF7CE000-memory.dmp

Filesize
21.6MB

Download
memory/3492-4259-0x000001F0E29D0000-0x000001F0E39C4000-memory.dmp

Filesize
16.0MB

Download
memory/6232-4517-0x0000000005260000-0x00000000052F2000-memory.dmp

Filesize
584KB

Download
memory/6232-4515-0x00000000006D0000-0x000000000073E000-memory.dmp

Filesize
440KB

Download
memory/6232-4516-0x0000000005810000-0x0000000005DB6000-memory.dmp

Filesize
5.6MB

Download
memory/6232-4518-0x00000000051E0000-0x00000000051EA000-memory.dmp

Filesize
40KB

Download
memory/6500-3909-0x000001C63CF30000-0x000001C63CF4E000-memory.dmp

Filesize
120KB

Download
memory/7464-3939-0x000001F9E5030000-0x000001F9E5944000-memory.dmp

Filesize
9.1MB

Download
memory/7812-4015-0x0000000002650000-0x00000000026B8000-memory.dmp

Filesize
416KB

Download
memory/7812-4013-0x0000000002650000-0x00000000026B8000-memory.dmp

Filesize
416KB

Download
memory/7812-4005-0x0000000002650000-0x00000000026B8000-memory.dmp

Filesize
416KB

Download
memory/8780-5451-0x0000000001000000-0x0000000001026000-memory.dmp

Filesize
152KB

Download
memory/8900-5470-0x0000000001000000-0x0000000001026000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads