modiloader | hxxps://www[.]majorgeeks[.]com/files/details/microsoft_process_explorer[.]html

Analysis

max time kernel
1031s
max time network
1039s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2024 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.majorgeeks.com/files/details/microsoft_process_explorer.html

Score

10^/10

modiloader netwire agilenet botnet defense_evasion discovery execution persistence privilege_escalation stealer trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit32.exe"	Fagot.a.exe

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

ModiLoader First Stage 1 IoCs

resource	yara_rule
behavioral1/files/0x0003000000022430-1685.dat	modiloader_stage1

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
7468	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\spoclsv.exe:Zone.Identifier:$DATA	Gnil.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spoclsv.exe	Gnil.exe
File created	C:\Windows\SysWOW64\drivers\spoclsv.exe:Zone.Identifier:$DATA	Gnil.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spoclsv.exe	Gnil.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spoclsv.exe	Gnil.exe
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	procexp64.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spoclsv.exe	Gnil.exe
File created	C:\Windows\SysWOW64\drivers\spoclsv.exe	Gnil.exe
File created	C:\Windows\SysWOW64\drivers\spoclsv.exe:Zone.Identifier:$DATA	Gnil.exe
File created	C:\Windows\SysWOW64\drivers\spoclsv.exe:Zone.Identifier:$DATA	Gnil.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	procexp64.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 34 IoCs

pid	Process
2488	AgentTesla.exe
3416	AgentTesla.exe
2496	NetWire.exe
4136	NetWire.exe
1568	NetWire.exe
6596	NetWire.exe
6000	NetWire.exe
5184	NetWire.exe
7580	fodhelper.exe
7776	NetWire.exe
5908	NetWire.exe
3796	Mabezat.exe
3000	Mabezat.exe
7412	Gnil.exe
7304	spoclsv.exe
1336	Gnil.exe
6236	spoclsv.exe
5052	Gnil.exe
6300	spoclsv.exe
8144	Gnil.exe
4360	spoclsv.exe
6216	Floxif.exe
5352	Floxif.exe
6252	Floxif.exe
7192	Floxif.exe
3384	Floxif.exe
2756	Floxif.exe
4980	Floxif.exe
1088	Floxif.exe
6368	Floxif.exe
5200	Floxif.exe
6392	Lokibot.exe
5812	Lokibot.exe
1524	Fagot.a.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	Fagot.a.exe

Loads dropped DLL 21 IoCs

pid	Process
7580	fodhelper.exe
6216	Floxif.exe
5352	Floxif.exe
6252	Floxif.exe
7192	Floxif.exe
3384	Floxif.exe
2756	Floxif.exe
4980	Floxif.exe
1088	Floxif.exe
6368	Floxif.exe
5200	Floxif.exe
7768	MsiExec.exe
7768	MsiExec.exe
7768	MsiExec.exe
7768	MsiExec.exe
7768	MsiExec.exe
7768	MsiExec.exe
7768	MsiExec.exe
7768	MsiExec.exe
7768	MsiExec.exe
7768	MsiExec.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/6392-7063-0x0000000002D90000-0x0000000002DA4000-memory.dmp	agile_net

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/6216-6552-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/6216-6556-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/5352-6565-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/5352-6568-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/6252-6577-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/7192-6580-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/3384-6583-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2756-6584-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2756-6587-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4980-6601-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4980-6604-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1088-6607-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/6368-6608-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/6368-6611-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/5200-6614-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Abuse Elevation Control Mechanism: Bypass User Account Control 1 TTPs 1 IoCs

UAC Bypass Attempt via SilentCleanup Task.

defense_evasion privilege_escalation

Bypass User Account Control

T1548.002

pid	Process
6444	schtasks.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Qspt = "C:\\Users\\Admin\\AppData\\Local\\Qspt\\Qspt.hta"	NetWire.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dllhost32 = "C:\\Windows\\system32\\dllhost32.exe"	Fagot.a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Qspt = "C:\\Users\\Admin\\AppData\\Local\\Qspt\\Qspt.hta"	NetWire.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Qspt = "C:\\Users\\Admin\\AppData\\Local\\Qspt\\Qspt.hta"	NetWire.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Qspt = "C:\\Users\\Admin\\AppData\\Local\\Qspt\\Qspt.hta"	NetWire.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
786	7332	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	procexp64.exe
File opened (read-only)	\??\E:	procexp64.exe
File opened (read-only)	\??\I:	procexp64.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	procexp64.exe
File opened (read-only)	\??\M:	procexp64.exe
File opened (read-only)	\??\V:	procexp64.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	procexp64.exe
File opened (read-only)	\??\O:	procexp64.exe
File opened (read-only)	\??\Q:	procexp64.exe
File opened (read-only)	\??\U:	procexp64.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	procexp64.exe
File opened (read-only)	\??\J:	procexp64.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	procexp64.exe
File opened (read-only)	\??\R:	procexp64.exe
File opened (read-only)	\??\T:	procexp64.exe
File opened (read-only)	\??\W:	procexp64.exe
File opened (read-only)	\??\Z:	procexp64.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	procexp64.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	procexp64.exe
File opened (read-only)	\??\Y:	procexp64.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	procexp64.exe
File opened (read-only)	\??\X:	procexp64.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 21 IoCs

Web Service

T1102

flow	ioc
429	camo.githubusercontent.com
432	camo.githubusercontent.com
644	drive.google.com
456	raw.githubusercontent.com
623	drive.google.com
435	camo.githubusercontent.com
436	camo.githubusercontent.com
454	camo.githubusercontent.com
458	raw.githubusercontent.com
459	raw.githubusercontent.com
477	raw.githubusercontent.com
626	drive.google.com
659	raw.githubusercontent.com
433	camo.githubusercontent.com
434	camo.githubusercontent.com
457	raw.githubusercontent.com
483	drive.google.com
484	drive.google.com
66	camo.githubusercontent.com
455	camo.githubusercontent.com
478	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName = "COCK_SUCKING_FAGGOT"	Fagot.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultUserName = "COCK_SUCKING_FAGGOT"	Fagot.a.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\wuauclt.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\chcp.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\dumprep.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\imapi.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\logon.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\systray.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\userinit32.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\ntkrnlpa.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\bootok.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\ctfmon.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\MDM.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\dllhost32.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\alg.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\ntoskrnl.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\bootok.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\MDM.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\services.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\dllhost32.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\regedit.exe	Fagot.a.exe
File opened for modification	C:\Windows\SysWOW64\userinit32.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\dumprep.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\wowexec.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\wuauclt.exe:Zone.Identifier:$DATA	Fagot.a.exe
File opened for modification	C:\Windows\SysWOW64\wntdll.pdb	procexp64.exe
File created	C:\Windows\SysWOW64\userinit32.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\services.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\win.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\progman.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\chkntfs.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\alg.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\chcp.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\imapi.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\wowexec.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\WINDOWS\SysWOW64\userinit.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\progman.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\shutdown.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\ntkrnlpa.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\logon.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\recover.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\win.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\ntoskrnl.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\autochk.exe	Fagot.a.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 6596 set thread context of 6328	6596	NetWire.exe	189
PID 5184 set thread context of 5896	5184	NetWire.exe	190
PID 5908 set thread context of 6400	5908	NetWire.exe	194
PID 6392 set thread context of 5812	6392	Lokibot.exe	256

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.xml	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\Microsoft.Management.Infrastructure.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.xml	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe.config	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\VDFParser.dll	AgentTesla.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	Floxif.exe
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\SharpSteam.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignColors.dll	AgentTesla.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\NOTEPAD.EXE	Fagot.a.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 8 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\Floxif.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Lokibot.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Fagot.a.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\AgentTesla.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\NetWire.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\MadMan.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Mabezat.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Gnil.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

pid	pid_target	Process	procid_target
7996	6216	WerFault.exe	223
7864	5352	WerFault.exe	227
5804	6252	WerFault.exe	230
8060	7192	WerFault.exe	233
832	3384	WerFault.exe	236
7896	2756	WerFault.exe	239
5076	4980	WerFault.exe	242
2968	1088	WerFault.exe	245
3880	6368	WerFault.exe	248
6496	5200	WerFault.exe	251

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mabezat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lokibot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentTesla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentTesla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	procexp64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Fagot.a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Fagot.a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Fagot.a.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	Fagot.a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	Fagot.a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	Fagot.a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Fagot.a.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main	Fagot.a.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "www.blacksnake.com"	Fagot.a.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8D6EED60-2737-4425-B38A-490EF273ACBB}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7CE3E768-654D-4BA7-8D95-CDAAC642B141}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D4B9C3E-CC05-493F-85E2-43D1006DF96A}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{51A21C32-DD1F-4D3C-85F1-6F8A6172CA82}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E93527E9-EA10-5AA7-B8AA-FEA866294704}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9CA277DB-FE42-53B1-AE3B-098E51FA6A9B}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{41A7D761-6018-11CF-9016-00AA0068841E}\ProxyStubClsid	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{41487E33-9A10-42FE-BA3B-15FDE59D09D5}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3580A828-07FE-4B94-AC1A-757D9D2D3056}\TypeLib	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0EA91CF7-8542-4780-8D6B-7BD686CD2471}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{00000205-0000-0010-8000-00AA006D2EA4}\2.5	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B3AADFEA-8404-4CBE-A62E-B0B715412C9E}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{d27b8d1f-26c0-4ed2-a8b0-cf2e4c374771}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F1B099B-9507-4CC0-BDD5-CD04DC0C870E}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2090CCFC-70C5-491D-A5E8-BAD2DD9EE3EA}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{90A7734E-841B-4F77-9384-A2891E76E7E2}\NumMethods	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C2AAE9E-6178-4A88-8904-B57169B655EA}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC098A45-913B-4914-B6C3-AE6304593E75}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7500A6BA-EB65-11D1-938D-0000F87557C9}\TypeLib	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{305106E7-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3051046C-98B5-11CF-BB82-00AA00BDCE0B}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{00000206-0000-0010-8000-00AA006D2EA4}\2.6	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C11E0649-8237-5C93-BBDB-2EDA5216FD3F}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{42abdf9f-14a6-5c1f-839b-86029505b1d0}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79EAC9C5-BAF9-11CE-8C82-00AA004BA90B}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60F49115-CE92-4F96-8D0A-81CCCAE4AB77}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{87379803-2FAD-4801-ABDF-218B5D2F076F}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\NumMethods	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1525E844-B912-4558-85CF-B1A3FE27D354}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EB2114C0-CB02-467A-AE4D-2ED171F05E6A}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EE44CF5F-179A-484A-BB16-AD94F97C0ACB}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C892D1C9-0E80-431C-ACF7-58BEBC0C405D}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7d2312d0-f3a2-5091-8a5e-41832e632c08}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{607a20bf-32b4-5b8e-a793-3024f8d3582a}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1760CE-126F-46CA-9734-91A6CBF8B6F3}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B468D97-6A90-4E92-9F0E-90BACC6AC8C9}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4AC9E1DA-5BAD-4AC7-86E3-24F4CDCECA28}\c.0\0\Win64	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C5B6042B-FD21-404A-A0EF-E2FBB52B9080}\TypeLib	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BF032216-2C7F-4682-84C1-76EF432D840B}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9d82379d-4958-558e-a155-3a809bb16c04}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{521B4726-04E9-47E7-B3A5-CD93A7F74F5B}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ED25831F-90DB-498D-A7B4-EBCE807D3C23}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{844dff12-dc13-5f0c-ae3b-e71a4dcce062}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{674DCE15-B9C9-5EC9-B058-AABA6F976C16}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30510722-98B5-11CF-BB82-00AA00BDCE0B}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E757B2F5-E73E-434E-A1BF-2BD7C3E60FCB}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD0AEB24-0EFE-5548-8448-E153D4903DF7}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D64F9DD5-6446-4B26-8C4D-927946908844}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A60384F6-3712-4CB3-BC46-81E6402FEE99}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B9F3FDF1-7B6D-4899-BD94-72E4D4ACD2E1}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7fe52e32-867c-52a3-b3b7-d4dd4d573794}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E7A4999-92F1-4E88-AE3E-C0854212C635}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{683D7FC9-8697-4309-994E-E8A2C5628884}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83504C13-A417-5601-9ADB-F1FF18294DC9}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69D14C80-C18E-11D0-A9CE-006097942311}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6b5828d7-6b8d-58c4-ba3a-9f796710f53c}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3050F1C5-98B5-11CF-BB82-00AA00BDCE0B}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8D2DDA0-FD33-4B6A-9A67-E8C9FB471034}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AFDBA726-047A-4B83-B8C7-D812FE9CAA5C}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66BB2F51-5844-4997-8D70-4B7CC221CF92}\TypeLib	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AC0714F2-3D04-11D1-AE7D-00A0C90F26F4}\1.0\0\win64	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B5B0D747-D4D2-4E2D-872D-74DA22037826}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54B61A02-4823-42EC-9648-A9AE80CDA270}\ProxyStubClsid32	Fagot.a.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
6324	reg.exe
6372	reg.exe
6552	reg.exe

NTFS ADS 11 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Mabezat.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Floxif.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\ProcessExplorer.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\AgentTesla.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\NetWire.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Lokibot.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\BabylonClient12.msi:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Fagot.a.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Walker.com:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\MadMan.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Gnil.exe:Zone.Identifier	firefox.exe

Script User-Agent 8 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	623	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	624	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	626	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	627	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	644	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	645	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	484	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	486	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
712	msedge.exe
712	msedge.exe
5452	msedge.exe
5452	msedge.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5776	procexp64.exe
3392	7zG.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
5776	procexp64.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5776	procexp64.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6580	msedge.exe
6580	msedge.exe
6580	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3656	firefox.exe
Token: SeDebugPrivilege	3656	firefox.exe
Token: SeDebugPrivilege	3656	firefox.exe
Token: SeDebugPrivilege	5776	procexp64.exe
Token: SeBackupPrivilege	5776	procexp64.exe
Token: SeSecurityPrivilege	5776	procexp64.exe
Token: SeLoadDriverPrivilege	5776	procexp64.exe
Token: SeShutdownPrivilege	5776	procexp64.exe
Token: SeCreatePagefilePrivilege	5776	procexp64.exe
Token: SeShutdownPrivilege	5776	procexp64.exe
Token: SeCreatePagefilePrivilege	5776	procexp64.exe
Token: SeDebugPrivilege	5776	procexp64.exe
Token: SeImpersonatePrivilege	5776	procexp64.exe
Token: SeSecurityPrivilege	5776	procexp64.exe
Token: SeDebugPrivilege	5776	procexp64.exe
Token: SeBackupPrivilege	5776	procexp64.exe
Token: SeRestorePrivilege	5776	procexp64.exe
Token: SeDebugPrivilege	5776	procexp64.exe
Token: SeDebugPrivilege	3656	firefox.exe
Token: SeDebugPrivilege	3656	firefox.exe
Token: SeDebugPrivilege	3656	firefox.exe
Token: SeDebugPrivilege	3656	firefox.exe
Token: SeDebugPrivilege	7468	powershell.exe
Token: SeDebugPrivilege	3656	firefox.exe
Token: SeRestorePrivilege	3392	7zG.exe
Token: 35	3392	7zG.exe
Token: SeSecurityPrivilege	3392	7zG.exe
Token: SeSecurityPrivilege	3392	7zG.exe
Token: SeDebugPrivilege	3656	firefox.exe
Token: SeRestorePrivilege	6756	7zG.exe
Token: 35	6756	7zG.exe
Token: SeSecurityPrivilege	6756	7zG.exe
Token: SeSecurityPrivilege	6756	7zG.exe
Token: SeDebugPrivilege	3656	firefox.exe
Token: SeDebugPrivilege	6216	Floxif.exe
Token: SeDebugPrivilege	5352	Floxif.exe
Token: SeDebugPrivilege	6252	Floxif.exe
Token: SeDebugPrivilege	7192	Floxif.exe
Token: SeDebugPrivilege	3384	Floxif.exe
Token: SeDebugPrivilege	2756	Floxif.exe
Token: SeDebugPrivilege	3656	firefox.exe
Token: SeDebugPrivilege	4980	Floxif.exe
Token: SeDebugPrivilege	1088	Floxif.exe
Token: SeDebugPrivilege	6368	Floxif.exe
Token: SeDebugPrivilege	5200	Floxif.exe
Token: SeDebugPrivilege	3656	firefox.exe
Token: SeDebugPrivilege	6392	Lokibot.exe
Token: SeDebugPrivilege	3656	firefox.exe
Token: SeShutdownPrivilege	7332	msiexec.exe
Token: SeIncreaseQuotaPrivilege	7332	msiexec.exe
Token: SeSecurityPrivilege	2556	msiexec.exe
Token: SeCreateTokenPrivilege	7332	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	7332	msiexec.exe
Token: SeLockMemoryPrivilege	7332	msiexec.exe
Token: SeIncreaseQuotaPrivilege	7332	msiexec.exe
Token: SeMachineAccountPrivilege	7332	msiexec.exe
Token: SeTcbPrivilege	7332	msiexec.exe
Token: SeSecurityPrivilege	7332	msiexec.exe
Token: SeTakeOwnershipPrivilege	7332	msiexec.exe
Token: SeLoadDriverPrivilege	7332	msiexec.exe
Token: SeSystemProfilePrivilege	7332	msiexec.exe
Token: SeSystemtimePrivilege	7332	msiexec.exe
Token: SeProfSingleProcessPrivilege	7332	msiexec.exe
Token: SeIncBasePriorityPrivilege	7332	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe
5776	procexp64.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
5776	procexp64.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
2488	AgentTesla.exe
3416	AgentTesla.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
5776	procexp64.exe
5776	procexp64.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
5776	procexp64.exe
3656	firefox.exe
3656	firefox.exe
3656	firefox.exe
5776	procexp64.exe
3656	firefox.exe
3656	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 3656	2968	firefox.exe	83
PID 2968 wrote to memory of 3656	2968	firefox.exe	83
PID 2968 wrote to memory of 3656	2968	firefox.exe	83
PID 2968 wrote to memory of 3656	2968	firefox.exe	83
PID 2968 wrote to memory of 3656	2968	firefox.exe	83
PID 2968 wrote to memory of 3656	2968	firefox.exe	83
PID 2968 wrote to memory of 3656	2968	firefox.exe	83
PID 2968 wrote to memory of 3656	2968	firefox.exe	83
PID 2968 wrote to memory of 3656	2968	firefox.exe	83
PID 2968 wrote to memory of 3656	2968	firefox.exe	83
PID 2968 wrote to memory of 3656	2968	firefox.exe	83
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 4132	3656	firefox.exe	84
PID 3656 wrote to memory of 3424	3656	firefox.exe	85
PID 3656 wrote to memory of 3424	3656	firefox.exe	85
PID 3656 wrote to memory of 3424	3656	firefox.exe	85
PID 3656 wrote to memory of 3424	3656	firefox.exe	85
PID 3656 wrote to memory of 3424	3656	firefox.exe	85
PID 3656 wrote to memory of 3424	3656	firefox.exe	85
PID 3656 wrote to memory of 3424	3656	firefox.exe	85
PID 3656 wrote to memory of 3424	3656	firefox.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.majorgeeks.com/files/details/microsoft_process_explorer.html"
1⤵
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.majorgeeks.com/files/details/microsoft_process_explorer.html
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1948 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7caa1cc7-a812-4986-9451-9459a85bedc3} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" gpu
    3⤵
    PID:4132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2444 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28e6b1b8-df3d-4799-9dac-178d5762a78a} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" socket
    3⤵
    PID:3424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3136 -childID 1 -isForBrowser -prefsHandle 3148 -prefMapHandle 3144 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1028 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8f1e14c-86c7-45ce-88af-6621343d261b} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" tab
    3⤵
    PID:60
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3628 -childID 2 -isForBrowser -prefsHandle 3620 -prefMapHandle 2632 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1028 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08ac5fdf-d50b-4845-a1bd-0a32154e9960} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" tab
    3⤵
    PID:1432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4448 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4440 -prefMapHandle 4436 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48c90701-caa1-473c-a6cd-aa5bfc019fc8} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" utility
    3⤵
    - Checks processor information in registry
    PID:4912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 3 -isForBrowser -prefsHandle 5572 -prefMapHandle 5568 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1028 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d14e0cb-2f9b-47c9-8585-a770bb19e6c2} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" tab
    3⤵
    PID:4492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5640 -childID 4 -isForBrowser -prefsHandle 5684 -prefMapHandle 5692 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1028 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f054924d-a14b-430f-a7c0-62e54d651bcb} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" tab
    3⤵
    PID:2012
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5832 -childID 5 -isForBrowser -prefsHandle 5660 -prefMapHandle 5824 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1028 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {246a30cb-6a8d-4338-84c4-ef38ad9a7673} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" tab
    3⤵
    PID:4756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6280 -childID 6 -isForBrowser -prefsHandle 6196 -prefMapHandle 6256 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1028 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1de4a37d-6585-4e41-ba9e-d39ca9861e0b} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" tab
    3⤵
    PID:2428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6620 -childID 7 -isForBrowser -prefsHandle 6592 -prefMapHandle 6496 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1028 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {463c799b-51cf-48bd-b469-f9663597a1a8} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" tab
    3⤵
    PID:2004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6740 -childID 8 -isForBrowser -prefsHandle 6820 -prefMapHandle 6816 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1028 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c599aa85-6427-465d-8ea0-64e4a85e781b} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" tab
    3⤵
    PID:3832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6920 -childID 9 -isForBrowser -prefsHandle 6928 -prefMapHandle 6932 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1028 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {033efa49-c8ad-4464-8f41-2d1045ba5282} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" tab
    3⤵
    PID:2412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3760 -childID 10 -isForBrowser -prefsHandle 3592 -prefMapHandle 3860 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1028 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a27fec1a-e250-445d-899c-20fa3bc3f01a} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" tab
    3⤵
    PID:6024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5660 -childID 11 -isForBrowser -prefsHandle 6492 -prefMapHandle 5860 -prefsLen 27172 -prefMapSize 244658 -jsInitHandle 1028 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e98defa1-84ba-4d9e-abbc-c7a5212f3604} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" tab
    3⤵
    PID:440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 12 -isForBrowser -prefsHandle 5936 -prefMapHandle 5940 -prefsLen 27172 -prefMapSize 244658 -jsInitHandle 1028 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6d46063-a24c-435b-a0a4-c84b5f2e528c} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" tab
    3⤵
    PID:2312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4944 -childID 13 -isForBrowser -prefsHandle 4936 -prefMapHandle 4956 -prefsLen 30493 -prefMapSize 244658 -jsInitHandle 1028 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51632daf-82e8-4460-b21b-54f9cac381fe} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" tab
    3⤵
    PID:5656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1460 -childID 14 -isForBrowser -prefsHandle 1456 -prefMapHandle 6128 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1028 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ce41d50-c1c1-48be-898d-1c1e718e56b9} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" tab
    3⤵
    PID:5908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7296 -childID 15 -isForBrowser -prefsHandle 1668 -prefMapHandle 4064 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1028 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08e562a1-6159-4a25-b748-557d06a3c40f} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" tab
    3⤵
    PID:5108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7060 -childID 16 -isForBrowser -prefsHandle 7008 -prefMapHandle 6020 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1028 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13b938ea-454f-4cab-8669-870e3d75703d} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" tab
    3⤵
    PID:5024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6028 -childID 17 -isForBrowser -prefsHandle 5920 -prefMapHandle 6644 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1028 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a43d8a69-923a-4c62-a458-8d1adcbc6a9e} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" tab
    3⤵
    PID:5700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6752 -childID 18 -isForBrowser -prefsHandle 6340 -prefMapHandle 6824 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1028 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b38b883-98eb-4ded-8bad-30b11ca77e63} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" tab
    3⤵
    PID:1772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1540 -childID 19 -isForBrowser -prefsHandle 1456 -prefMapHandle 2748 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1028 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba015992-3bd2-48c4-abb9-9f8bed97d948} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" tab
    3⤵
    PID:4164

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4556

C:\Users\Admin\Downloads\ProcessExplorer\procexp64.exe
"C:\Users\Admin\Downloads\ProcessExplorer\procexp64.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Enumerates connected drives
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: LoadsDriver
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.virustotal.com/about/terms-of-service
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc3a1e46f8,0x7ffc3a1e4708,0x7ffc3a1e4718
  2⤵
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,15795301034767576225,16501545227801523191,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1844 /prefetch:2
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,15795301034767576225,16501545227801523191,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,15795301034767576225,16501545227801523191,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15795301034767576225,16501545227801523191,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15795301034767576225,16501545227801523191,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15795301034767576225,16501545227801523191,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
  2⤵
  PID:5624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5708

C:\Users\Admin\Desktop\AgentTesla.exe
"C:\Users\Admin\Desktop\AgentTesla.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2488

C:\Users\Admin\Desktop\AgentTesla.exe
"C:\Users\Admin\Desktop\AgentTesla.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3416

C:\Users\Admin\Desktop\NetWire.exe
"C:\Users\Admin\Desktop\NetWire.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2496
- C:\Users\Admin\Desktop\NetWire.exe
  "C:\Users\Admin\Desktop\NetWire.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4136
- - C:\Windows\SysWOW64\Notepad.exe
    C:\Windows\System32\Notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Natso.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1084
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete hkcu\Environment /v windir /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:6324
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:6372
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
        5⤵
        Abuse Elevation Control Mechanism: Bypass User Account Control
        System Location Discovery: System Language Discovery
        
        PID:6444
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete hkcu\Environment /v windir /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:6552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Runex.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:7396
    - - C:\Windows \System32\fodhelper.exe
        
        "C:\Windows \System32\fodhelper.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:7580
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Public\x.bat
        6⤵
        
        PID:6968
        
        C:\Windows\system32\cmd.exe
        
        cmd /c C:\Users\Public\x.vbs
        7⤵
        Checks computer location settings
        
        PID:6732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\x.vbs"
        8⤵
        Checks computer location settings
        
        PID:7300
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\cde.bat" "
        9⤵
        
        PID:5068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:7468
- - C:\Program Files (x86)\internet explorer\ieinstal.exe
    "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    3⤵
    PID:5044

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x340 0x4f8
1⤵
PID:7064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.virustotal.com/gui/file/086d35f26bd2fd886e99744960b394d94e74133c40145a3e2bc6b3877b91ec5d/detection
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:6460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc37f946f8,0x7ffc37f94708,0x7ffc37f94718
  2⤵
  PID:6428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,17340913330304293143,2980833413579613384,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,17340913330304293143,2980833413579613384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  PID:5984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,17340913330304293143,2980833413579613384,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17340913330304293143,2980833413579613384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
  2⤵
  PID:3300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17340913330304293143,2980833413579613384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17340913330304293143,2980833413579613384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:5604
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,17340913330304293143,2980833413579613384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,17340913330304293143,2980833413579613384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17340913330304293143,2980833413579613384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:7860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17340913330304293143,2980833413579613384,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:7908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17340913330304293143,2980833413579613384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17340913330304293143,2980833413579613384,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:5296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2692

C:\Users\Admin\Desktop\NetWire.exe
"C:\Users\Admin\Desktop\NetWire.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1568
- C:\Users\Admin\Desktop\NetWire.exe
  "C:\Users\Admin\Desktop\NetWire.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:6596
- - C:\Program Files (x86)\internet explorer\ieinstal.exe
    "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    3⤵
    PID:6328

C:\Users\Admin\Desktop\NetWire.exe
"C:\Users\Admin\Desktop\NetWire.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6000
- C:\Users\Admin\Desktop\NetWire.exe
  "C:\Users\Admin\Desktop\NetWire.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5184
- - C:\Program Files (x86)\internet explorer\ieinstal.exe
    "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    3⤵
    PID:5896

C:\Users\Admin\Desktop\NetWire.exe
"C:\Users\Admin\Desktop\NetWire.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:7776
- C:\Users\Admin\Desktop\NetWire.exe
  "C:\Users\Admin\Desktop\NetWire.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5908
- - C:\Program Files (x86)\internet explorer\ieinstal.exe
    "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    3⤵
    PID:6400

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap16696:70:7zEvent1363
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3392

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Walker\" -ad -an -ai#7zMap15300:70:7zEvent19357
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6756

C:\Users\Admin\Downloads\Mabezat.exe
"C:\Users\Admin\Downloads\Mabezat.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3796

C:\Users\Admin\Downloads\Mabezat.exe
"C:\Users\Admin\Downloads\Mabezat.exe"
1⤵
- Executes dropped EXE
PID:3000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.virustotal.com/gui/file/2ae0c4a5f1fedf964e2f8a486bf0ee5d1816aac30c889458a9ac113d13b50ceb/detection
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:6580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc381a46f8,0x7ffc381a4708,0x7ffc381a4718
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,7306956145256140070,15832123627203540688,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:7708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,7306956145256140070,15832123627203540688,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  PID:7760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,7306956145256140070,15832123627203540688,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  2⤵
  PID:7524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7306956145256140070,15832123627203540688,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:7232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7306956145256140070,15832123627203540688,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:7832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7306956145256140070,15832123627203540688,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:5840
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,7306956145256140070,15832123627203540688,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,7306956145256140070,15832123627203540688,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  PID:4480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6800

C:\Users\Admin\Downloads\Gnil.exe
"C:\Users\Admin\Downloads\Gnil.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:7412
- C:\Windows\SysWOW64\drivers\spoclsv.exe
  C:\Windows\system32\drivers\spoclsv.exe
  2⤵
  - Executes dropped EXE
  PID:7304

C:\Users\Admin\Downloads\Gnil.exe
"C:\Users\Admin\Downloads\Gnil.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1336
- C:\Windows\SysWOW64\drivers\spoclsv.exe
  C:\Windows\system32\drivers\spoclsv.exe
  2⤵
  - Executes dropped EXE
  PID:6236

C:\Users\Admin\Downloads\Gnil.exe
"C:\Users\Admin\Downloads\Gnil.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5052
- C:\Windows\SysWOW64\drivers\spoclsv.exe
  C:\Windows\system32\drivers\spoclsv.exe
  2⤵
  - Executes dropped EXE
  PID:6300

C:\Users\Admin\Downloads\Gnil.exe
"C:\Users\Admin\Downloads\Gnil.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:8144
- C:\Windows\SysWOW64\drivers\spoclsv.exe
  C:\Windows\system32\drivers\spoclsv.exe
  2⤵
  - Executes dropped EXE
  PID:4360

C:\Users\Admin\Downloads\Floxif.exe
"C:\Users\Admin\Downloads\Floxif.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6216 -s 432
  2⤵
  - Program crash
  PID:7996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6216 -ip 6216
1⤵
PID:7044

C:\Users\Admin\Downloads\Floxif.exe
"C:\Users\Admin\Downloads\Floxif.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5352
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 400
  2⤵
  - Program crash
  PID:7864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5352 -ip 5352
1⤵
PID:6104

C:\Users\Admin\Downloads\Floxif.exe
"C:\Users\Admin\Downloads\Floxif.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6252
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6252 -s 400
  2⤵
  - Program crash
  PID:5804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6252 -ip 6252
1⤵
PID:7972

C:\Users\Admin\Downloads\Floxif.exe
"C:\Users\Admin\Downloads\Floxif.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:7192
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7192 -s 400
  2⤵
  - Program crash
  PID:8060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 7192 -ip 7192
1⤵
PID:4240

C:\Users\Admin\Downloads\Floxif.exe
"C:\Users\Admin\Downloads\Floxif.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 400
  2⤵
  - Program crash
  PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3384 -ip 3384
1⤵
PID:2984

C:\Users\Admin\Downloads\Floxif.exe
"C:\Users\Admin\Downloads\Floxif.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2756
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 196
  2⤵
  - Program crash
  PID:7896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 2756 -ip 2756
1⤵
PID:7884

C:\Users\Admin\Downloads\Floxif.exe
"C:\Users\Admin\Downloads\Floxif.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4980
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 400
  2⤵
  - Program crash
  PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4980 -ip 4980
1⤵
PID:6500

C:\Users\Admin\Downloads\Floxif.exe
"C:\Users\Admin\Downloads\Floxif.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1088
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 400
  2⤵
  - Program crash
  PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1088 -ip 1088
1⤵
PID:8028

C:\Users\Admin\Downloads\Floxif.exe
"C:\Users\Admin\Downloads\Floxif.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6368 -s 400
  2⤵
  - Program crash
  PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6368 -ip 6368
1⤵
PID:1128

C:\Users\Admin\Downloads\Floxif.exe
"C:\Users\Admin\Downloads\Floxif.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5200
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 400
  2⤵
  - Program crash
  PID:6496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5200 -ip 5200
1⤵
PID:716

C:\Users\Admin\Downloads\Lokibot.exe
"C:\Users\Admin\Downloads\Lokibot.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6392
- C:\Users\Admin\Downloads\Lokibot.exe
  "C:\Users\Admin\Downloads\Lokibot.exe"
  2⤵
  - Executes dropped EXE
  PID:5812

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\BabylonClient12.msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:7332

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2556
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding EAE59F16C7B87FAC329C0C1BC8195756 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:7768

C:\Users\Admin\Downloads\Fagot.a.exe
"C:\Users\Admin\Downloads\Fagot.a.exe"
1⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36f14c6d84591a1b011119ea272806ac

SHA1
eafd311b2466e7e5550bfc99338bebbafb97e44e

SHA256
a843b7834bd9c5ecddbaca0e7e59b1dbe87bdcfef205fc612a436c8d30281046

SHA512
30c3167bed3aa166706f38d99a8e9eb803c308f7f67d744cb0a7773b656020b8a90735e18daa34a8de055cce53064f83fb9291fb4bc8e6ed1501a2bf69b73e44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dbe46f82a661d0ad699e8e7e742e72ee

SHA1
4dde6bc2ec575d4411eaf2fc19a13597f3cdfe87

SHA256
a9613834feb68bc16aee4ec20a98adbc19aef47e94d3af5409203cf965dc003d

SHA512
a1557deb1a906a2d82b0d821fb6a777cbba9ba87b4ca240dff8bd24aa5685d22b47b06810a103c7587e23183e985b7c5b1f83ab55fd417017da361530e69f305

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8c10403a2b35020f7f349c42dda2d91e

SHA1
2ace58b3567dfc4f2daf94127b153279c555e35f

SHA256
c8f0396f3dce5472b75f5c8db654e60d4ac1e2507454af2bfa34a7f78957aca5

SHA512
afb3ba8115e525f900c635550558e6784a0ac59459a17f79726ccf4937bbc5e95def6b0dd24d78d361258df5aed618b98250d6e4ca58bc7c91d896f1e9e6080d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8b627ae2-7fdd-4386-a362-b94337b608df.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
d8687026cb8b9e207e35e80686593d70

SHA1
db14958caf21eb8ff421a43dadf0d8590c2b3e09

SHA256
984e0e8b2ff6b9c3f8d28d3e139d1c01b2986235c2af0dfa4afbe279e4ccb2f8

SHA512
58b20dbb39b39976657cfd20d1a02b590727afb4dba969acaea68423fa79adf7d18d4941b51c24e7230e0cbbdea845089c1efc7d0137f8c9ada46805d0946b87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
e5d3dbc42901d9fcbfc877dcf1161941

SHA1
17c05939bfdf1f3da5cbe1740c5f0fb955267f13

SHA256
d9bffcfe62046ea035e738aff25bee4da0f52cf25df22996cb4deb742a5a47f3

SHA512
a3ba36b03a135c8baaa9568f8ec6f0fb08c10c8a0ba82265cea3df5705baafdc83d7acec8fece1aa70d74b1ba81b4586fd0dc2d482a6892a3018d469e984f48c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
3edc820a2a762b4194a0420d6025404f

SHA1
0df4352a9f7057e1156a91f5e87ef8a8101b54a9

SHA256
aff22690e8b806a912303843914e231279848c8130865ac9c0af0557ee08cf29

SHA512
83c0e869ffdf2bf6cdb1cd9c5b5cf76314fbe6b7d17cad8ec6219b16bbe7b89e4edd9d39ae6bd456996feebd04b74e3f798c742889fc03e26bdf0103992e1f08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
ff12f922900306103efcbf60b9b5ce38

SHA1
9c1d4a663f377e6298ed26fc2d2c755076f3b130

SHA256
3be4effe393370aa267a4ca068c0206f529b34690079dec5a5959037ab0ed8a2

SHA512
302855dfcc098cb6cc6aaac7db9954f3e09af307f69658bd48a03cbeab01e3df81600787300c8d966c8b21553e1a833550c2ae13e60376a62c7b541198efd21d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
211KB

MD5
e7226392c938e4e604d2175eb9f43ca1

SHA1
2098293f39aa0bcdd62e718f9212d9062fa283ab

SHA256
d46ec08b6c29c4ca56cecbf73149cc66ebd902197590fe28cd65dad52a08c4e1

SHA512
63a4b99101c790d40a813db9e0d5fde21a64ccaf60a6009ead027920dbbdb52cc262af829e5c4140f3702a559c7ac46efa89622d76d45b4b49a9ce01625ef145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
61e7c2f0390c8320a5902f0c77d65dac

SHA1
cceaf88fb4c84f87d6d3e595c204a3a254948d57

SHA256
4875e73aa7f856eb85fd1cd5f078e954d862b5055c2cc0e06f9c820747d078c0

SHA512
96f04e2b9aa134198722d02ce360efd1c26b4564e6aee7428df7ee4811f38a9f233a602941cb9593538469f3600a8742051586fafdf4607f1e45164e60e2acd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c85de9ed7c58ffbe555a125abfd91e10

SHA1
855eb4506dab08826cd1cd43d1b28659433c333e

SHA256
cb0525922f6364ea7301d23d47262cc78783e6d43db551b7bc9b81025445bf8f

SHA512
5cd792562ed1307ad6f1edae6f7208b50454f41edfd91eee8be216153e2fe4c0f2830da8a0f37a68a0c175fb6fc558aba9f68a38150fd755433572ff434458bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
858325ca27a9dd5cf0488be114459445

SHA1
4504c24eaf42681418e6c70eafea059a9cedac54

SHA256
7e37adda502f3a2ee49c667714da11bf20d78011093ba049e9a177d9c7dd3cd0

SHA512
a40a9773a6c24ce2e2cffc3f3b53f005e20bd5052873a69b646dc7d6204542bbd397a06187bcec51800172d96f41fbab5fe01873f3c5f71d86038799fab4a720

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
9085a547ceceec1e930593cdbeec2368

SHA1
f0a5e13be297236e264b2623215212ef5459765c

SHA256
dc28e599a508e7b37294fd065189b4294e4de58bdfcf6c439ad2ea0801db7174

SHA512
9af13aa4249e04b74d2f94aec2cee3bdd478b2fe4d11391d674cd74d2d3e35b410127e1c57f164412a382ea2ea65aab7c624e7f3c18ef1ffceaa7ce186af415a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
a55901dd8dfaa9b8168ab67510e8fff1

SHA1
305d79008b89437697d6ae9e53b002f2919d0da3

SHA256
ec41b1a26c7ff7712fc566e5a9bba6d632be2d7748f9898b26b4d794b8d3769d

SHA512
e90bdaa843ab16d2c95304db36527fb21b163af574df28b16c7a8309c179dda638a91934c969c40e35042bb9d8fac3b78a15a08dd384c1c9dd1934e6aa50028c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
9a7827bffdcef0a88526e20b1ab1f265

SHA1
0c361ebd8872968df4fd4e666b396daa7ab8759f

SHA256
6176e658808269ea3a0ec2032c64af22b311f91883c16cf36964eb94433a79d2

SHA512
fc3bd6d50f87090866b87a554851e7e882e57c3fc47cb2b4362c6ecc5119d5ecacf7ad7806cfa2e89b5a5ad7283ea63f84b1b3b79c3f9f51336d200879307666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
1KB

MD5
6f0d7b9cd614ff31282b19a6df0c9f00

SHA1
67e1dca4eef4ab63ae3aae3063f41366b5fee194

SHA256
ff6210614471d2db328ae6112f86789f2df0de510f083a1c79cc6a14415e3376

SHA512
e044ce687ffb6675fd9fbdb461036fdcd1580539ff0b79d76b9edab9ba788f95afd8e14021872ef269b2e7d1c22e4c88845217285f86e7248269bfbc0e766798

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
28KB

MD5
58aa3847aa926172fc4c1799c932bc69

SHA1
90a876b4ce36e6f3da32405ae0d3587f47abbe3a

SHA256
d09edcab593b65ef3fcb64b6db35aeff3754589caed2b6094ff67de4d0e67b43

SHA512
c8f9564249b4b949901a2657319d230af3ffdcda1225b39573e5867f7dbd3758be799addd028fc86f49cc68b4b673950f2c917ad8ad65fefb0993208ab23b51a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.virustotal.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
b38c067b214122dcd0a5f78543d35b3a

SHA1
7515a34e29f424f5ae90e79b4073962b0fe7b93d

SHA256
a953879dbdbec29f61256e03dcaf6190a79d2c71828d3d3a8e573e59dcc03d86

SHA512
726131a4aa212df6b39cc8b0644c0b602e8c57e662937ddb003e3ac62e42797dc898029111d7b149f592faf88b7eb98f84fa832a596f48c975558d786cd9b5ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
037d20e3029495d12924a43549aeb26a

SHA1
abc2009ab2f960d08a38debb38bc06598d72cbf7

SHA256
60d986d7f90e7c830faf283974fd871a9e2eb795cf6ca1d15d9e4140e20043b2

SHA512
30136804d93a8ad8dfe8375240c2491933ffecc87e0e44404181f32a34a360400f0b3d5b497b47905b6d4b13ed78ca6ac8f673a03dab6e66341cbf4a62d3b44c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
8cdc45939ad25ebb258506905a9ad21a

SHA1
34f2e22750371c2a16f9b7cf092fdfeda43bc5f4

SHA256
5a084d072b91f7d78e666e04712538efac57c2476374a35f3be683cc9ffea15c

SHA512
3e2524d010c0e96a74ed4d9958ec19867ca784b9b077a7ac4f141dd795dd4954f4725dd87b0fdf4152bc11694814af380769a76db9b0f3b9dafb29ef067107cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
593174941fe0f06c99a4ecd079fbc396

SHA1
02f5098c13eb4b66938a73ac3b42b7e4b38cac21

SHA256
8094895e368927514827dba2579a8cd251b134d97ff1cb2747ed6569d4eeb5c5

SHA512
dc39fab28e4b5e4998b0df47ad132f02fed7eb72d04f21feb1577f4b7904ca1ec88e666f64c94f54276f83f8420bcaa432a677bc242256206d67715aee46819f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
84ab273a45ad3de544d8a3168bc2a3f7

SHA1
19d3fd43c79bbcfd99087c4001ca109d76416459

SHA256
0073b36db72c9c52f98d923206fb2d2d4c85811b88fcfb51477d2261f309036b

SHA512
167cfa1a82a3f56002d2cb3de1c085b024c7ad3f4ad363ac3f9901a4c39d102df5f6df10d17345f9b62edd906a2d874056a84cf3cb8aa98248b4469b50fad111

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
03ff85ec16876406d8208f5595ed8567

SHA1
257be6e6c344e2a5ea1897f49b8d274ff68b00c5

SHA256
228e5cafbb41bd9efb4031789953cd78370c4f2d9cce317ef79b5397354dcee7

SHA512
35c447d4811a932f82d0a932239f5ac654279e33e8bbeaa310e026261125d654ba296a6c4afb426ae65b7ee2ae7aa2f3793acf975062570cf2fa67aed34f82f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
41991652a06aedf24ba75e74a0254660

SHA1
05d9a5b38cd636c806d30b63d1e1e45009e6bfc9

SHA256
975462be2cf32249e0758043d068d05c512d04627ba329ddd8af199a2bdbfeaf

SHA512
c74a6747127958fb6dd2b7c42ed78ce3e9cc4fa13ba35bf712eee02b02ff262f19a866471cd3e6213e05478650de06406ece64d16865044c0285a62063b475c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
47ad0358aa4c592a336557d313a9936d

SHA1
b2da7ed27b71ccef76eff1bb128c1c0e809d0cc6

SHA256
3fc1a207fb5f9f5bbd967c8581952dcfc8bf0a419b9c53d4b1ea962a8601fd48

SHA512
ab6ec6b2eb99cbc38e8eae1caf95a00aee743def34ecc3909b1f7ec7d7355ee70380a85493e570fd39fea2f1ed866394ea02610955d9b515110b9f9a11a2e628

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
082bc6e596f4c57cee9d4410a40ed469

SHA1
b3707359e69eea7afdb61ad1968f59e9b9fa41a7

SHA256
3972649030e625b1eac6cab10f66863f619d968ea003631416855ea8f0418f93

SHA512
bade41b3c1529ac72743515c8c2338075fb4a098d78a4b717ef07eb6c554b65b5f488a15d9bf52a23478211226a22f398e4c372a290e7541abdf50b87b00c61b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
dc3025f4d3ca80122f81c1c84b8f6e66

SHA1
af6b97eae6f87552cb506334a82ba4cad2f53837

SHA256
ad38ff6e7ee100c41a2e50f135a32d459a70fa906ea96b821064303780f63a43

SHA512
07d7bc11e3c41773938826fafb5461a1ea56fef58965d0fc957be80603880bc6070411d1a930063b449dce826ded561de41ff0f5d868d06f7ed62edbf12f7b31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Reporting and NEL

Filesize
36KB

MD5
59896fd7ceb2d0b3d30236213c84de48

SHA1
ab4d5da50ae0049ffe8a0a4dca7f1b4f1f29798d

SHA256
050e86e81a1a96a02fba4179f26e02170395a109038f4199add3e1383f9310bd

SHA512
ddff25e936077c0ace8d44da03831cd124d29e1673a9d61854559f4585066a47bc99980f61289eb826cf691bad64e88b00c951b4cd3b20f0d3bcd23cfa918431

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\198b1dbef7ece2ad03770a72810f2b485859f245\af66257a-0340-46ca-9c6a-a28e4354655b\index-dir\the-real-index

Filesize
456B

MD5
3b670b36fd30f2e25affde33f07169f6

SHA1
da304e08998bace19d022eb9750af9401c05bf79

SHA256
4feb37543a16a60d4247f38369bb1c5f0f902b0b8b898fbdc65a1f9dad9ada6b

SHA512
6acc47c01736e9f2da6909888956f6cad2c2e2562cb4799902e55f333ade774a466beaa6279efb915a60ca00b1d2374c7f74d28892677f3eef5281dd621dec49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\198b1dbef7ece2ad03770a72810f2b485859f245\af66257a-0340-46ca-9c6a-a28e4354655b\index-dir\the-real-index~RFe60bd68.TMP

Filesize
48B

MD5
bfb5a218b0516ea788ce2beef87e3755

SHA1
4a5deb3d76cf6115c2ca3e98a6cf7a0394d70241

SHA256
1c242b09932c31ebc1d6774a2b742155710e5be8658e725d15c78cc96f569391

SHA512
057dbd3481c0524ee3d94b6116f515924f703c393ada60b380f1e381ad5d6b3184a72f9748d41cb3785d1fb428f0d70cb8ca2d97c1d6bd850e694f76785c113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\198b1dbef7ece2ad03770a72810f2b485859f245\index.txt

Filesize
95B

MD5
43879d3d2c33e1018039f4218e7333f2

SHA1
4ed1b3ecdc251b03435c120404e3d24d4481310a

SHA256
50bac9d69aaefca8316dbbfa2155c975518d05baf6c4d7751c8d9a189736f315

SHA512
350d690283a1613d6928e9a62816a5b1443fccb1552ab3853053c59974d8c917dd367114ca5543bdf7d7086ddb74d12572376c4d90cc8ec1ea1d8b09b4a45f7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\198b1dbef7ece2ad03770a72810f2b485859f245\index.txt

Filesize
90B

MD5
0a52341e7dbc2caf92eda9ab49f37028

SHA1
5d6faee579914a93dd5efda2f82b2adfbe349d49

SHA256
70e63afe6da74f04810f0275af3a4c33853fe7e1aba132e441421eb4a312094a

SHA512
97fb7b7d7132dfb4ed1d4976476cc823b29fc22152627961ce018d843b39e663043d9393dc3cb932d64fb40dbbed2aad903cc241f0d5d0fd29ed66e4f713f512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
d4d973ce75b5ca6899ce6bcb91dab0ff

SHA1
eb1ff805fa5c9f1c2b9375f542a12688fb9b8eca

SHA256
291cd10a5030d630c0acc557007ff23869ca5209c3d44ebb574d75884bfab349

SHA512
9133b09890326e206f98f6be55b7a2a3e07480054cb3414b9385fb7cdb9da4011fdb7e7fdf1cff36eb168c4a55bd6c42e20b53e43a07785706e83fd2c149cc87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
8c4b6838b01af726d1c7e87326f1b2b0

SHA1
1bc99bd94d1850a65d30eea8cda70e7d44c0452e

SHA256
5ad1d35ebc83e74301899f3a46cf3f97c01ef86018a91c798ea97d58194e512d

SHA512
328a7ffb9f8f1949e5beb592f4436a576562986b941f4e4d6365261f1b22ecaded6638ac1c5c5b30cfbf53b5c6ff45f51e3282df39b0bc8d5ca4c68088f006bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5c9c76.TMP

Filesize
48B

MD5
36821d47118c63ab453a75a6ff5e61bf

SHA1
73ed8e0480eaa738fc5a7fce8731e985059fb85c

SHA256
5cd6491354f2cc434ca1b04e63ddcec3bfc0a4f8d9e17fe854ee2552ca222aee

SHA512
e040a764dc4c55973b6bcc36f3fb108e7c741d14f7131fa16256f7a12050a4ff6f4f82d2493507648e15cc37b4ee48bfba8c20a368895ed9245ccbdef6254971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
583B

MD5
bdaf197e87a1196b6939db13ae160f69

SHA1
4e21a08d33d4e5499ebe5a7456c8d9049798bb29

SHA256
cda7e220f03ac2fc61da28fd180a9c0462733a4fd3076de4fc05a6f8fb0a04f6

SHA512
e49ae164bba5f0bf5aeb4be3e58033e52fbc19f7e11bb33fc32799e5f08094b45df5d282415ba7eaedaeccbca4f99f2b3d86f8fcd078b868ef427ebc164e7e0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
5d2bdd74dd3c6a1185e6ee6ed37bcdbe

SHA1
a8b097b43ccc1519fa85bb56ddd44319add1247f

SHA256
0ff99b1fc705985adfce3140a2acac602111e1770b5c944383e6bb278b0ab131

SHA512
30320cc6ad60c373fd050bcd584875562c8d46561e4b96608bea760a38d14a6379c9c65f36469f105877fba91867444a2aca46ab5b7d4a142d2cdf3ee84b8554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13369781097142065

Filesize
2KB

MD5
1f52ce8211162679ee4da34e02028149

SHA1
aaca69be7adc406ce67477456811378a2afc1471

SHA256
24b717a2c72bfd719b811488154e2c7b00c4b7678d1a5ba77bcb1bf0ca3feacd

SHA512
f09df99a0f9f414122b5fe674130002eba614365032df1690d58e6aa35cc6deac113f184267d5bde2a3dd3d9298cf26b15d07058fcfca9a6136ee00ef9f56303

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13369781097354065

Filesize
1KB

MD5
adf65232fedc445f47b91ba99a88b765

SHA1
47d87004b72d0bbe966b72f4d7d563c0545eda9d

SHA256
f682ab24704e1bdfb057cbeaa100aacf273f3eeefca34899605e2fb14df64de4

SHA512
83f2a89fa26771ec9ebf06413961d94a406fe49bb4b72e039774d43a4cf92f9fe86f0b6b611884f20ce82cfe951629213febcf5ea172961d862f3ce84c966ca4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
31c26a7966b70b621010abee1fd966ba

SHA1
8a59b6b698cd38c8022a344e1e03f6cb4e9df3d8

SHA256
5f3270c5a262c56262ea22e5b70fe7bd897f8d7a1c8c3a2615336085fe43d16b

SHA512
05469bdb2fabb3b9fb6cf9b64306f4f048045e06c2aefb426f5392b90c7cbd37824ef7e6389defca1cd082fe382a9916e453ce4d34e30adbbee104ef30cc12eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
dc5b0c0b2d9b0387e8e8a0997c5f9b4b

SHA1
61b579bd89f249f788e3f1c3f0dfd8687f4f1707

SHA256
9f28e468ccf0a835598e2bb88f7c5fa802de863fc3c938b5a9ea2ea4f673145b

SHA512
3decffbd422957324be4228c6c711c2bd37c08e99501ce1c4d5e40e1cca65d5ca093fed46763404ff08ada24df6d2ae6481812ec4e551282305278e570c82cbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
294fa21319d84ee988222b5f5c168244

SHA1
5c50f926e6e97c0ba422206ff10778cffa487a2a

SHA256
8f466b6b254ac9aaf9ec5efd556479fc9fd095d2e77cbb4037c1419584133e15

SHA512
56b669ffbeab0235c4883914bd421e6e87f95d618304324be8138da0189ebc5f5d78f9e6c28bfff7e354c2f25138979a1465ba397c8a3a07f300213b7ffd6e01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
540B

MD5
e437443e33401530fd2bb2a6d4d1cfcc

SHA1
2b747ff379fc0fdf9e69e57f3a22a24aa045309b

SHA256
26510431bbe1fe82874e64fcc47d54c4913aefb195af655777d52c0fa8cd73a7

SHA512
60df58eff881a528951840023eda13ab105e44a4803da46f7907d76cffebc9afa366b09e8b3d4bef9bab08cbdbb1ff1f16e0de5c879a2c313c6e4a6e657c2fc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
74705e5ff4b1cda01be29788105e9d8e

SHA1
81af9049e3e9ed725cf56a00e144c85a1ada2e61

SHA256
c843703e7844280f76a983f66d61138efbeb1a31d05cc60c56a9c6405285da5a

SHA512
9ba031d148581fc6bb8bbe26cd6cd80cda5378249819f339e0b93beb4e2216210d55e89d42f08feda02697a97285f37284b25683d44d09b8b5932775a07dcaf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal

Filesize
865KB

MD5
5c9e400732af2d78844ddf62582c31fb

SHA1
064f566a5e4565e0b2a0103bb57761306b4bd2bf

SHA256
ace4d063892b9d9e89366a58883647247f6ba3879236f050c689e9e2a353c407

SHA512
07f6643eea48a0bfbafeefbd9fec4a40348c4d1c434c11d2772470ddbba6ca7f5244150ef15b0bcbd646421ada21f32ee8db0e983d4ab6068c682de5e20388b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
9f77123d34918a600b63a3864bd05445

SHA1
8aa21fe349c51fe8cb4202ff4188c951949f9bcd

SHA256
844e4ddc1bd85923671e94206001837d7883cd3ea7042c8d2dee4498e7bbf878

SHA512
702dc8a58fe075d9f6d49ba5d825aa8c6a7b2131e606548560514761ed1e288e3a618ea4f5ffa3fbcbc63eba3d7fc317c5d073e13af087bd74a2aed486b8c48d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
194B

MD5
a48763b50473dbd0a0922258703d673e

SHA1
5a3572629bcdf5586d79823b6ddbf3d9736aa251

SHA256
9bb14ea03c24f4c3543b22a8b4e9d306b926d4950cfcc410808ecac2407409fd

SHA512
536406435e35f8204ce6d3b64850ffb656813aacbc5172af895c16c4f183005d69999c4f48f948875d9837890f290b51a7358ff974fb1efc6ba3d1592426cca1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
ff815d07a20ce2c27d0fc8e4a899d895

SHA1
bad6ffdebe7bdfadefa6a070e819d70d2c514ed2

SHA256
5e070200a6756ae3bcb42c48a6f9b4b7605206ded00bcb3b747b085e0ebd4f96

SHA512
35929cad8f297e1d891275727cb0245f321d62ba0465584e22bb47ce7958f07e8b013ce0415ab665da2cfeecec582000d24071205ba49e77e6c9fe3e649c6d00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
78fb09d2d0848d3f80cba3662f97c728

SHA1
cc2f3f93cdae9bbb49687eba6e47a7b0391f332b

SHA256
7d67e0907be6d7aa656046e2ad87f83f7f45ab509cd388ea8427561d65d8b5ec

SHA512
7dd00b186940fece14fa0e1da3136edc56f0aeb95ed550dc4b50943845921b5553f752884b8324a6475de8511bea0fd549cf48a126f2dd729af9ac4976810842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
d4217239538faed06ce59c69c876931f

SHA1
4607f6e8ffd4a97f3509467d31c371e5928a27b9

SHA256
b7eff619f694de950fe92e8739c129db57483eb8d2c812948013978df7d41fbe

SHA512
9a2efaa988a65b0537df29d979a5806041806b52ed988b597198a43077d2283acfac3c52b4c892953186eca740f0fec9429b85c6fd0d94b2c588fbec7b139414

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
74838bb5887a2a24e85c50e3b6c901eb

SHA1
7f7b351d1423ea000d68c8bc312a7ee01b0cde86

SHA256
c3fa5355a2bb5bdb792d099d3e3395da3c6f2c1fb657c402ff7be7bab0a3d223

SHA512
544594665ea2da364f5ac4dcafeec536b5583be7b9b921c7f9c430aa5ad2600ce4143792e6e9a4e5230ea2aa250a74faca2cdabbc2dd2dc3bfafb819834a109e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2b75d362cf5ba67e865a728e9d9e9b38

SHA1
c19e8685fcbf94941100a8b0d268085daabdeb85

SHA256
d25e4e99a74877d82f25bff1c1466f84d9d770e0d3319f0ed90889859c64f563

SHA512
fdba6428a8922db884b67a7e99f267660cf46d789dc53f38a712ecf3130600cc3d2a3465b042879c5b395a10de3481059be73519dd7a2cb04b38c76db4b07b0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0b1a86a5796d156b1736543c32252051

SHA1
6164b5c98e61173ee069fbb239c2e69f47ee7b22

SHA256
b8c12388ae97777b81cbd34401a6d2f95da16dcdf703f86937430a6c4020e5bc

SHA512
1f8d1d11a3e1ab378eecb32ea6472cf456fc42ad1b0227bdca3b194ab1de61be219cd7eb50e4a72fb158eda582a99fee31632b2a04c9330b5c9b92f108c8c821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
082e48312cf2a6c0020bb6e3467e1d5c

SHA1
a17cf645e30fd5618cb1e0af3abe55ef07510320

SHA256
d6667fa247169010d7295c49d8e67240c8108cde0c122c4b19c2987a20b6555f

SHA512
84e41262ff4ff0a03a65e372064639060d6561754e9b906106abe23aaf5e053310c6b65eab59a2462bf54259762c2d7d930e61a568503dd5aa57c469a2f6a582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8a9ff52e0bf36e57fc0110cde2a20b1f

SHA1
41ec67f32eab188438a9c7f43e984c0c9d9ee62e

SHA256
d68ad513aa7a9b4246d8cd3523ecc10dcd0adc4585731d8ad06c84659fa6ff7c

SHA512
077942ac47c22876341164524ca168121b464c9e73228d1c8ff9220e620e4eb595c80d5400d5e0bf90c4193501c508504bb7f644c2d5f8e6de7ec19808b831cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
4bc52bd19776147d5f22e62338342f97

SHA1
8659be7737b0420a6eb7cd343c138d68ab448002

SHA256
8d436080ffd8cacb719c6a664522b35d4f557b2b344698260cfefa8fc90a63f9

SHA512
08a5783fa2fbcb084997b51aae1ba6ed7f09f9c9026af6b598a555b99ec52c656f29038d6b396a6f5d88f969ea74d9aabeb8f628c4b36cc40f5ff85161bcb886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
2e9ca1e942d4dba19b61b1fc40341077

SHA1
da1d3dcec06c4ad00e10b4c996b962aa41c44e77

SHA256
732c30614c0d77445a5c96aea80a2ca534c66147696806a86c409e1cf2a998f0

SHA512
3b6aa465c89ffdde0136f62ece4cca36fd50a35b69bb0b5d5f8ddb04c6e4271331d70d490a1ab2a9a46f7844ff23231f4c8a3c9d1e052258409199be57233cbe

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\activity-stream.discovery_stream.json

Filesize
27KB

MD5
e536fa9a42b131ea81433cbc4815336c

SHA1
8d34ce0ea45c45fc771c3fca72561daf7e5be819

SHA256
c078be69b84168252fc338fd68f12657ae83d6803d7b2ec2b2b75756af890bf0

SHA512
4db4182ee5df7170c6abf1b166820f7110030ac2ae44a0f032bdfc99d78e33139c4b8ca717037c4ae56ce44c7382c72e7e341d93aa932ddb6ff575dcb89c3eed

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\doomed\8499

Filesize
43KB

MD5
8cbc256f3978a7dd3dba68651b71b15d

SHA1
cab68e23f1edef18c74fed45a99ed55dec760578

SHA256
76362be262b48e9f0dac5f467263d0be19e456e4c0eb4e83918e9f3632422d93

SHA512
e150525063d81739b55da10762955169840ec7f6bb3c269f9f65c58cef2761afd82ddd684e9ed4edd0238c7e861c9defd8a7f16c303ba70d418d981af21b96df

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\22BC66147DE4D9CCB3F524F6E89AC26C10296C33

Filesize
40KB

MD5
6886b9a288b8f2b4fdc74e4969534b7c

SHA1
2cd9e64e1884b49f22270d69bfc55bd72636ef2b

SHA256
555cdb4d963a4e4268dd44ac3d0b66a64233115a504fdff58c9c19e639349269

SHA512
1e55a15a928570693c62482312f5f34b7ce8488de3ad15e3da6c5182e34e9cd616f5387d4919daa5002d193d8e9d25544962c9a57c4ce6129e71397cb6e89528

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\2492994A253B970917AF5CDF605580B1C2DC16A0

Filesize
791KB

MD5
331b4c1fde8d0fb8e19c214f7c474123

SHA1
56115ba7165959e34a4fe359997a7dfc268c2325

SHA256
27f2b2c010a94f141160b55f1af6f54bde4d0b8bb0d233cbc37d35295fee4c48

SHA512
b501c8097b819516897150f599e8557e17009d050a429af07b41da6f2e04d0823108b21d6b43b16d4ea861079e6962181f349265581fcc079dc7252710222446

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\33809CDBDD69269236BB05F66DFF2693F384205C

Filesize
63KB

MD5
04bd1f969243d3ebb29dfff242187061

SHA1
e75593b917a5babcee0378646d1cfc6fefdee9e6

SHA256
eba762aa43b0da2ab56f3fada9f266553e5721be2be066e6bef52f304360843a

SHA512
37d1797d34eeaab7b676165d211b47d19502e33b3bb5116d2a9584b5bef305beefd9f0353db32398b1667292d1ca5d1eb8882eb87975303a44809d54ce47d0f3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\3B5769283C179770F2CAA780FDC2929B4B9E5038

Filesize
32KB

MD5
c521d9f4da86923a2930a3dbc929395e

SHA1
dc067da5a4570dae14a6fd1b1151ea155ad21d21

SHA256
4365975fdd273fdf920930887415b80949a0796818b7743401d372458dfa03f3

SHA512
f19ea4ea26e809aaa7691b138069ad73e630aa6caa510b1d17f9ef14b6f9b96f7d802840ca98b6a1fd2602ebbcc4272649fde4898c291206cda78ef5879a28e7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\4BCF7D608B2663D7D1515223C0F13E5D72484770

Filesize
80KB

MD5
9f476c1a279b0b42a269699db33de3ba

SHA1
f46f082c10072f07ac2e7e5aed341bdda7f0f758

SHA256
4d851b70dc2a7bac241b5e5531abb628f84dcaa14e4ae93f8c1592272ce0b016

SHA512
7651a876d92803deeeecd6d46924ec6361c409fbd5664fa77a7dc4c96f3cb0b6f675cd8dd79acd0dd4bb1924f8b9d539e9ba980432d10fe1a1481225bc6561cc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\4CA2E679CEC293F142684E37B6B4D5F01FB00E81

Filesize
41KB

MD5
cc302fda65dcf417d2da68ef23d5fba1

SHA1
1f065c15573e8a44c122c9ef1eda7c2613bce79f

SHA256
ddb8afab9cf4edc242f1a556bc3d65994ea2c7683008273bdb0ee7e1bbe6d1ea

SHA512
b6adbde19e0c33efd962a0f731bd4127e93e229612b423c33aa7b76f1c45b49ae58bc28fc041d39edc562af4b93984e588d5a8d5d2b16cafea952632ae41c89c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\4CD1E24439AE7E1E453F9A13A8B1BEF76E52CAE8

Filesize
168KB

MD5
67d8f3e75e9cd3360273b6f974292d2e

SHA1
e6d73ad87249a91b3f28aa4ea28c4472003e74e6

SHA256
20ad8fe48f4847a6d448d51ae3e0ae80301f0cd41d5150ab0b8a91c389b04c92

SHA512
0234ad05ece4be4172676fdd8d628adff4ff3bcb91cc61c090f688920d70396aa7cdd378928b97eada148bfc3fa76d54581bb4285aa3afa1e2925f914106ccba

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\56967B0DD89ED4520DEA6B6B147403FB33151B28

Filesize
30KB

MD5
d639a48f38b9c4ddc5fa9983567dca17

SHA1
f1edf740d83742bababb029ff7b009ff49ea8fd0

SHA256
13b51e8e7eb0a99f18af576d9d75c38d7577436f7e57926296d005ef6c6022e7

SHA512
4f6bd9175faf2e8201d612485f603123f37803cc14da4547709393d530d003ad116d091bf9099854a7cf62d09726f64db12d261ec3b59e6cdccdfe9a14ae1b8f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\572F0ED336AE2650801061B8F31BB2D7362D6B9E

Filesize
74KB

MD5
6cc008b8347ebb29db965d3caf05abba

SHA1
e0983a93aec94b513068b9e97daf63da8b98a56a

SHA256
eba23a44a3099d2a96f7e9483253378ed56312c417026791409154f13e9c67a2

SHA512
7fecda9ae065f8d71812d36a665f384303d601f31dc0f3cd68f9797c99ac65ed159b92a069a10016b66e38e559da46c14285bf7f751dc797529dacf853e25b4d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\5C2A2B940E0EC346270C250EBD62F95402CF3D0B

Filesize
33KB

MD5
5ac31bc851ab4949ad04964a2977a7c0

SHA1
5ac904a935ba52985ed2f4ffa6692399271b3df0

SHA256
7c16a059154f84b72d131bc33d4ab1249c76d4c648cf0e5a8bfe7700bd12a14e

SHA512
a6af779bbcfd6c831c2d3d59e891c4e298c238f85d5fad3adc1e307b93d0bc73f42176d10b0e2351cf3c412857019b2eaa7cf1b2759fb2a69e35c8110edbb8a7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\635B48880E56C89BCB1EFACA38CA66013A086AD1

Filesize
30KB

MD5
fe28053163de821d92ae163ee6737cf2

SHA1
5e9697efc2efc27cd0720c8e0a7d0acd9b8583f1

SHA256
07293dff316328ce5e900a34d01b2391d4b2860171f7eb98ca3b7ebc294e04bf

SHA512
73b82e7d8b6eeeb28fa79f8f1fed9b7957d1f292a584d665876cdde493f074c2ee0aeb64f2929534c546122a70119aa41965f903c5865694716f63aeb787003f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\6DA69A746F9687E1FF413119EDE7AAED2F9783B9

Filesize
2.1MB

MD5
43940c8e9e6163cad86eef7746c9192c

SHA1
40c750b31c351fef5abb85df409dbd6b4d108263

SHA256
6ad7cb998a23ecc311ca0d324b57c9d44aebbf97d56e8e80ccaae7edb23b2933

SHA512
3765e870879f562d74ccc7c8f900976b07a6ab7c6a76346f935d214c171951843245ea49c780d790a8d51b9b9affbc0bba414e1fb1145b4ad10a5e425a98db57

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\7F30F53457983F11F2D61636C9FB5706ED9AB60D

Filesize
95KB

MD5
d2367cd955e479a5e7f295691f29101c

SHA1
99904136a3e50c7b04835019d94bf2ad3cac9daf

SHA256
1fe27b3567e726cc19176fa8e2027e201bab41e991f90dfe98c830f9eb3bd47b

SHA512
e6f17bdea1b78d742af46f1fe4c6a23222bc8ecb5612f4debb7ed856f826a4d686bbb01cc554211b3fe6746039958d41f4d8a0fd1c96ebe57ac2d936ddeff5d0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\7F439C9D3207370328EB4A4F1AC09F1A849BD46D

Filesize
33KB

MD5
2d944828205cfca779315abf82c9b900

SHA1
b053524b71e3e596b34683c014895af563d074a7

SHA256
584328c8d9e52b809c1151adff5e2eef036e831132ee1625f829a6e544fa7a15

SHA512
2bddbcdd33e84c18cc5db35f32a991287e6a2b6fd651c4c1f79280d6f13fcb1bd46152cd1163bdc39a6f12c372e6f5c234faf8dad189a15c6fceadbd4f5ff51d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\878D57D194D36A5530D4BB67461357E393C85A3D

Filesize
46KB

MD5
9c1db5ffce137e917bfcca5b15d4aea3

SHA1
b26a263a6f4448b28a6946878b07718388296706

SHA256
81dadb6e6518ed5d970c3d85e676cbac491151542d38484c3d0fefa0cd45cb52

SHA512
8db3141056796361305d0852b1ba00e9d2de820d45269d1eb3f76270dec358b92e1e1589664d8389becf6343d63de0c242a686566f34cb09bb376d3f894b5870

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\A6C74BC2260EAFF823C7AED38BBA607C962CCB55

Filesize
39KB

MD5
3bf2d51587eb353a2154a93a8e1e42da

SHA1
d93877f96537284f234b24b1d4e228bece546664

SHA256
2ed994072dfe3a1ed14747ac94c9b4fef43553e495f79d401e8c83505f177962

SHA512
4cb3e3444a4cb1e48ae20e71e0280045ce9956333fb8fd33cc826127926d81f6abe815b90e5fc092e717353bd25d47372e4f65dea149c822b423c305b5489a46

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\A7BFD7F859FEEF756C6ADAE32A931308CD5C619D

Filesize
42KB

MD5
250ca30074d74e72b9e997eec9b0c2c0

SHA1
9cafd2254a6f9e6a4479ee6c00aa1d7667bc27f4

SHA256
e39864ee56dbf02bfa22a35d0e3f45cb5058c0fad1ff3b725cd651f0b9d2f711

SHA512
b8c57dab8e953032b1a54b955882350f1d344358b00e38a94af2f755c43aafe396508cf729b09fc3265bec77d42744383edb55521bf4d4a2a79a34441c9db227

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\AC6959268E349C7B5497A3867D6DCDC4D543431E

Filesize
86KB

MD5
15fae44dd046181cbce90a65ff714fe3

SHA1
18213d230a5036177ccfaa268da7d2aff618a809

SHA256
b41e2353778e9e9f831cb6490f9a9ecd40aa44a4a0d7fd2557ce803b3fa9d933

SHA512
51a53deeb29ba7b3da8587ae7022ae9f2570a4b53a6c82a09ab65f844f4411d55c77b90aebf70147a9be0a5fd06daf05ca735b7ec0a6afad753e41749a4a12a1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\AF6E7B7DB9908D7B867517AC33D094ABD56E38F7

Filesize
81KB

MD5
de80ecf8975bdb3fb4cf3cfb69f9567d

SHA1
af9b20d84a2d80f326b9511d6ebedd5557d88384

SHA256
65ed782c670c6936204a3b24f3f9e18b87032932a9e9150ef585babfc763e5c4

SHA512
e674f9c3de4bbf8606bb34cdc8e03a9983226e576a3c069296483c5f426d0b6350e0803377603de5e2ad869d2e1068601b1855776f4b57ed30f9b3fd3a38ed97

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\C3C1B73261AC1D76E896892B7C9776351D4E38E4

Filesize
32KB

MD5
d626393f4e11c83b63101d13b367b782

SHA1
9836b4cd8e7b2f39875d18a3ea709e6c2891fc7c

SHA256
53cfd6ac067e68ee38738a21b5e283df1201722ea604b0d89a5ce12e6352ee05

SHA512
6bbdd9ade5a3e92352458457073ae4e6245ce4880043e7db8d431463cf1de4f51411f765e026a64e1cf9c11c16c26e980220caf1a9910fc3c2629b1631ca4357

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\C9A19F720C659128631F28B59E979F9CAB42A166

Filesize
27KB

MD5
3f2b950f12795fbc8abd4214f3fc3a7d

SHA1
c23b14d422237cb54b133bd26bf4552fb3e72d0b

SHA256
d34f907f5063832a16c77a470642fe8ee524e67d88257e667ce634e6405b8d8b

SHA512
bfac7a5f428f4827f7847ce8f857ed3b2f59417f3423acd5c32fb020096c92131d45a4d0599ce163bbcaa1edc20843aacd0b8132e15b9c4d9f140070be757a06

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\E2E8122A6253CFFA077D0D33D689966608450980

Filesize
26KB

MD5
00ee0c4b9592518f57ddf7fe370541b5

SHA1
11313e4b565022978759980156c024d1e73f08e8

SHA256
09057cedcecdae0d15ee4b230b5629c8ca2ab39a1f15633dd10e6431e3c92373

SHA512
47fb5cf67292d0a94c9c649e6e28e43807c121ae8efa25dae2f2218e8fe1ca6a43f3ad0bec7bbc5c3ce3d6ad1195ff90ab6d9828ec1ee502ea43696f6ea227e2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\E6C22A3DFCD18E3C6145370266896FF76AE3F7EC

Filesize
39KB

MD5
4d0439fe1b1650731fdd6b09eb2450af

SHA1
bd2fa3682fbf633bf7badbb898ccdaecbcc5bb5e

SHA256
a6b3001a8f48b37236414f1b5ef99960884b0727b9e56f9e8efeba084952ee3b

SHA512
233e7894ad7e319eb190c9620577f48cb42513ac2d67380b6bdec6e17471824fe80bfca3876d45ef62faec0df7b2e65f825d83d62b11304c12e5a4e7af755a74

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\E82C79F80897EACFA36FD4EECCC130ED5F36FD6F

Filesize
33KB

MD5
fdf6addad4eecb02adbe044ff30ed110

SHA1
8fec1ebbf5b61bb1fb1660a892602a81329b5164

SHA256
978326530e9a695d17e399662f4db002ba754030574b0b877baf5e12c3bfebb1

SHA512
44436bc2af250c86a7a3c8d6f2e86308bf1c806daf782f7a37d8a5f513db4439b6bf67b84bf3b4213d35375755ac7a2681805104bc14e74e380c3754b1c4c3e4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\EADD8AD0D19BD56212728537973592A5A83C9F56

Filesize
27KB

MD5
563073e301784563a5e20c8ac5e76214

SHA1
8b63508bbcbf8f21c26b26fa0cc4fd612c877e16

SHA256
63301465fcc22aa45c2aa80f8e4ac036a7aa82bd64b17f42f0d452e83953d3f1

SHA512
cc912674f2902d804fca864b8109dd36dcbb95627ff73eca16ab82efa62666f55a738b92e4db35e255e578056d7f1dbef68e4dd6807d021a08622e1979f62ba5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\EC8927C51600DCFB101869E2BC0169F040E712BF

Filesize
12KB

MD5
5d603afcd4c92c4c64810e643c06dbe0

SHA1
aa6883dff22369294b13bc9e09ca96a8f8fae49e

SHA256
78c7bde4f415489c5ee37b881e6749ba787bb44d48267a21acfc89a9914cf627

SHA512
2fca0c077121ca2626168684c03ae3a2a937c6fc932a155ea4e6a53f920f77cb4f191854102dab533e32ef2a95ed86a8e4d3e9d7736c158540977ea1f28e8f4a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\F5A1FBDEF4E6F115791D6C8EF1598942067B8080

Filesize
79KB

MD5
cd7c7627d687c080a7b724b7830af0ed

SHA1
251dbba032942187c0ba4b35df251598b54e251c

SHA256
037e3a0153f28fe1c20761001c270468ce6b1157ef45c205b27c5c925a00c58d

SHA512
510f87ff45330286354a895455a79581b33706a7144630595c027b913d2e5edcf013f8a29e1743706efc2d6ca45b4c574674f570a3ed344efd35bdfdf826f30b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\FF405EA908A0CDBF948198368567C7EC073C7A02

Filesize
123KB

MD5
533a1522b23b488b4ada26461f589e11

SHA1
c99ce469c8ecc8d903b00e910d2d64d273c0ebd8

SHA256
ae800ebaa7d6ce82b5d652b64bcfa33aaca7c914787b272559c76d8304233dee

SHA512
f1fd35c564d820c28312ca321712477b858fc0e77d89e394b0ada6e2ed2126946e4dc2b66d5e562342bf01f69f18a0109e5991caad98b557628b6045a2c075e8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\jumpListCache\Vo4+odcdVjjrt6dyqh+_g9WqprtmHhqR6aJf5Bg29Qg=.ico

Filesize
25KB

MD5
6b120367fa9e50d6f91f30601ee58bb3

SHA1
9a32726e2496f78ef54f91954836b31b9a0faa50

SHA256
92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0

SHA512
c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC06F.tmp

Filesize
421KB

MD5
6425466b9a37d03dafcba34f9d01685a

SHA1
2489ed444bce85f1cbcedcdd43e877e7217ae119

SHA256
56f8ca5b2079bc97a7af9c015ed4b6163635baef0d9a287d19fc227fc330c53d

SHA512
62f4c79d165282db14b662d4242a065af4c8a642f2023032ab5a059e2d6001f0b80e9a0562989013acf01a80a67491be9b671e6bd99220cf9d4fb44a17719371

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sif0exi0.nad.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{09EAD19A-804B-444F-B17C-15F8C5837E63}\BException.dll

Filesize
142KB

MD5
a2d4928c9836812735b3516c6950a9ec

SHA1
01873285eec57b208fa2d4b71d06f176486538c8

SHA256
79ca108d5c51259d8fb38ed1cfcc5a70e9cf67a5954e52a4339b39ff04fa20c8

SHA512
d03964a2bb597bf0fdefb787de3b462010c4cd02d286b16587a03b5228553a307d1b8f472c312e0d8bb53f21570aa5b112d85193cf42b83ef33fb7905855eba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{09EAD19A-804B-444F-B17C-15F8C5837E63}\Babylon.dat

Filesize
12KB

MD5
caba4f92c996b698e7923ec7cf6d66f5

SHA1
5af3f322dc56c85a1bc0f4a884dac1907d2efa7f

SHA256
04c4ee982e3838368579739fcc0da68b3770f34fc6e2f200dc1499bc3268f3af

SHA512
f35f3a46b72c4a9b83de7ba1740b8cf2b4e32200dd43f687bf2f7ca16d4113b640d814525a5c4cb417aff66ed9cd5b03eac2b692396a332ce7613fa1564ec969

Download Submit
C:\Users\Admin\AppData\Local\Temp\{09EAD19A-804B-444F-B17C-15F8C5837E63}\VersionInfo.txt

Filesize
3KB

MD5
92b68ca751162552c347d760831c6bd1

SHA1
8f7ff93ae85e965d402d0e114ed0abccf8e767fb

SHA256
13663bb607172b128e4b2940f250afbcd0e52ab9e92bf0dd3f3870330c85a5fb

SHA512
865246583fab1e3a2747869df9f75439276eab749a45a22bcf5629227629942c080b5929896cbc01849084ea58559bb07db744b9bccd68bf240c83cf6c647977

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\20S9BD1SOIUWJ2MFGIJF.temp

Filesize
20KB

MD5
4c5325eb3a6679252027c5d375b61bab

SHA1
a7cfb41ecd666a4fd9103ca837530b1ca914c5c5

SHA256
14fa0f659ca52eb32214bad4a10b1e92c8315ebe5fbf0bd9ad8512a7e4cc20db

SHA512
025a31ebb211fb501722df179ab72686431091ef3d1292981da4822203391a1c7735a5c6f1f0b8c4dd018fa27abda2c8f01df4f982c809fe7326882516136215

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
8d729d72ace1bbf7d0a6504e42e3cef7

SHA1
645462262393ae663c9aaa2b593f2e85b06b439c

SHA256
a0220c992cbd545645836fd011883e119a097e27342f6fd20527fbff347923f7

SHA512
e63693392909f81f116ae8c30c3f8357927b6905ff6a18da8246eaddc6d5a26380ba5424ba6252bf277672cb7fd60d87df0c96ca372aebd05ccffaa0825d3fe1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
cc49c61ed0c5d2a1de1a487e6a981e9a

SHA1
428e2c0b2ca5a74f8c5ea2338b06525fada815f2

SHA256
e493180e0d6d72ee8179f239c658c6617e016c77a8d7ed30653af697fbc9831d

SHA512
b1e989a10d06c15674ebdf465075bb9e30239cadec5d544fdc3c086f03ee6403dc4036e72c8c16e5ebb08d98021ebd8ff9410b6b57d259e5b509f83628d30db9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\AlternateServices.bin

Filesize
7KB

MD5
e984a3942006668bc68c80f0a237894a

SHA1
ada9be2068388b20e975c83ee94ab0b871b86923

SHA256
77931414749c8051415f52fa4fb274ea04504524c6d6b667460207cfdb5aee77

SHA512
cade2d1acbff19c028d5c418b8162d74c217131d18d7497a0ecafd0d3c10a1855066f2ca79d295facf9c2b4b92596cab0b1a8d9c816b6334690b944e3da47382

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\AlternateServices.bin

Filesize
37KB

MD5
3ac6d9bc8b4791d16e96cd17a19a9337

SHA1
a208d093c8599a585ef3de86ade9b8f967409568

SHA256
d31acaf23b074250a54400b6b1ffb7fd7db66610257b9d9c3ea0c05586ebcc18

SHA512
20a4d336e2b27e427237addfecb921ecee79caa2580befc50f8c4decc60de8d472e255ac3cd26cd1b34200186c80adffd089f6547410b8b527d05c286179333f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\AlternateServices.bin

Filesize
37KB

MD5
422cb96d1c681d603069039885b23396

SHA1
f5106f445fd7aa82486a1fdd6704f70aea9921aa

SHA256
50db555da8d6235ceecb9d0cb851ec97698e36f96a9237066b55d38f08ce207d

SHA512
5619746adc70c56cd300950085bca01602d56e14584f6017ea16485e6d9523a867dea7b4fa457e2a666a722e6ac9660d6f3d2b074d847d48252d7ae57d63cb21

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
a377b2442c2b5c6b61b693756ccf202f

SHA1
84266e9be32a18bdf15b2714e53e6a0cb81786cc

SHA256
3353a4445d80260cee88c597bcb9293c30fce05844008cdc7c6d3a648afa1a4f

SHA512
b17a8cffffe94371f08226cd30b6643f91d91eb7817cc67ccd8e0480efa620aa6cbf5acaccb29d0bf070afc94a98c8047346ebf54d16b97866488cbe84eb5742

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
5a7e095dad1a98870436afe583606359

SHA1
06cea2034fad83c1ea671baa22b22e89b184cacc

SHA256
89715e857f2fc02bf4836d1dc1f070e528d91c5d72d6fbb9ca582a884aef8413

SHA512
70fbc2774319854ff7d7a9a45dddf25f3de869d8bfd3278025033390f50f5d0fb88a9596d4f5f596f1db09e95291df2e81af8042136388d2240ba5f4dbe8df3c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
b9e52dfece106e6b0d81eb0c1f5c1d2c

SHA1
34fbcd14ae83b0f4b63c35d038b68735e2cd1b5a

SHA256
39ff741adcdb974db9b2cd76b3719d88010e367a9b26a9bbbb383d2f75138a8c

SHA512
d211fc325143c7958ec6798a8ffe697f0e962f53c8895472453f381e0c3663d33b36b558a4b3599eac89d4918ef6613353ace7ea32ac4325f8687402a52cbd47

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
110KB

MD5
d9bd364a8650ab289fa441113dcf9edb

SHA1
3c62f4a76259e4854dbfd431ed04bbed809012d4

SHA256
ed06a53e6c13c622b0506171804355de8d8bf6ffe65b76923fe0f0833156567d

SHA512
971951871b14ca204b27966791d4b7da643365d5105340b7d6115ab927f6ab5b796413ff70deb35f9612871256805434971bbb6a043d9311236ac0fc97c1b7ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\2947b088-2e5f-4ea5-93a7-7978ed93975d

Filesize
798B

MD5
0b3f73f46b8fc71fde9bcc16b5dfb820

SHA1
9154a3c7a519774dd21ed23c4077aeb28b3d175a

SHA256
3e9d8c44f66dcc8e95d59768f4b2c4df0c1d62d21ac79ae89a48ef9a316b9f03

SHA512
ef794cb7cb1d6312908eb0cd5946e3fd3162bbed589b091b6dd92191a03e3a217376f4d61e74d2e362f5aa5ddbf8be5233bd6dbab09d362d6d5b543314d57a03

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\a1fc0069-04d9-4dd5-b110-c309ca5ef2ad

Filesize
982B

MD5
451ed0e9a4b2826234f97c7185b8845c

SHA1
51a4fab3197743da29a5cfdc0cbdce26764606db

SHA256
1fa2972a87f8dca9bc86476012273d2f2097c7c7216c46308c31f90ec37eed17

SHA512
3acd9beeffad8bd6270a79097af13748163d6b3c8bf240a71f49f9ddbcb2c6029ea013730156916ce349901c5af49eab53231b595b0afe29c02e067ba589c85e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\df65ba51-df15-4520-941b-55e9bb0ab139

Filesize
27KB

MD5
b9ff4c87be64b11b47552d5035978080

SHA1
cf3447a9b78b85b189e44fff030d42623b877ca0

SHA256
9b7645fc700ab764733a03c0e456cb09eda5bc30107b1ed0e509cb41c0d50540

SHA512
6d2abf06cb051bdb49b2d67a3264c3113d288230620e9e0075472b7eeb2d4bb6cc5c71fad16b0499d7b9653f7b0a3ec6fdc96549e7380da2f27014fdfbee8fcd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\eee020e1-7033-45ef-bd22-e70ddb3a872c

Filesize
671B

MD5
291fd186113f9f622145c8b5e386f1de

SHA1
66a66123161f3891480d6d277cec2972b7dd634c

SHA256
bdcca3c4e2f6a7ee8b463def177b4500e1af037fd1cd2047d5015468121bf4bb

SHA512
f63f14be4b710d89ec3026a300c2bcb11c56e6bbc549cd9bf835854772fdfeb1c851619c4e351cd2e57fe778fe4abd49935b7ef6214903613b1c965d418c2c67

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\downloads.json

Filesize
784B

MD5
c4f6aea142d7b5afe0eba1868d258c00

SHA1
8c1a83dabc7ab989d1dfd82124a9d32d4c4801b4

SHA256
a4c591b992fbef49f8566a7be3c41e39cfd67076a0a95c1db9d5db1c639cbd0b

SHA512
ffc04bd11b1f8625d6e13fbc4ab9da1eb7bdd7ef86db08364240d9d4aaf14b7a2703be6597dcf2661145d27e3f7f2335728736aa0015715c74b33ef268bf2c75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs-1.js

Filesize
12KB

MD5
d1d62b88b65f1a5e4a5476f60ba6f86c

SHA1
2341c739b980066e226ed8a858e654765ba423f0

SHA256
a6958c0f02b3394925a5c97ef4d3b785c82209ad44cdf287c2df9a9a8a45eca6

SHA512
963b4cde72c5ab13c614aba59f1a678c145f63f50187e2368295c60d83f549b4d1e749ad96227bb835de05ea00f2b20f6cf48670d07f95cad0eb1c700f3a5b17

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs.js

Filesize
11KB

MD5
98ffafba01fe7d7cf6d27a533c5dcb1e

SHA1
ab1d39188c19b5901d0fbaaef62ee02c71875e0e

SHA256
a8d546d5690159104666bd451a37771f43f78e9ebc3abdd94f7cde172f667915

SHA512
c5431f10343a1e828bfd3ea2d02efde9dfc49068dd478b28afa2a1a89c836acd2a7429fdb62b6f7351172a70ce2cfbb54ef11cb2b896e42053e1b776c42e5001

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
d981279dbc7b430c3c9847a0728a84f9

SHA1
2525c566fd25f54da624e6ea7c7f9f471dc1d50f

SHA256
0c8d049a165d309e873e80e3a73800e183edc38d6f397d538e9eee0b1f860acb

SHA512
c47ea8c7d6357be8dbe7e2d894db436f3c1bb63fad2edfdd1b6aab24f4fafb53dca4d79b3dcfff13a0109e18229b506743650b80088f6c71e8ae130f19ab6957

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
1bdbcb0637613b88bb1cd86bd077605b

SHA1
3cefbf6c10879eb35e431312552591fd6c82a331

SHA256
149aab50a9b5aab2ca1ea981e5d74f5f362156febb6ce4dc4a807bd2a7cc8388

SHA512
f7f24267fe1077f825657709d0111de1964ed414b5a2b95ef816de8f006df15115d06689802ce9a937cea79dcad94250ea6c29fe7558ee909d43deff6ff5c142

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
e9dfcf63493773d99e736b952c40b283

SHA1
b27cff30f6b711cbcacddaeb61ed1fff6dfc04ae

SHA256
ae6d5a444b4538799f2bcb7d96012a31ad74fc12ef08e0a5cb7d033fa068ff12

SHA512
df8ac869eb51c2fbf6e843e63a84a3dfedb62aeb28c1e8baa3cc241f1749512d7c4298dc5747c417dfa50ea0e63978db6a78410bdaccaa6e3f77524b121973bd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
bee67512892d25c2327c59d5e79565e5

SHA1
0f3f8deab3464d89ac8c528bd057ac34f4fe1afa

SHA256
a5e71074b36fef07b768047291d37b1c42144558a5c70dc77216411d33b2092f

SHA512
88004fa4a233ad4c3583efe96e9cac22eaacbb7908843dfb0e62bf2b1d3136d40635f5c734db1aa0324d7e96f9f33f8dafe740bdc05240a3840c1e14279f387c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
8626ef191073380e181f86b1017ff83c

SHA1
fab8cd0fbb60af9028e93190df68304c59332eb5

SHA256
96fe4b64d00a7fcfab5312fa27fa22551d30db3d32f4c8ab6eefe8ad1f087c13

SHA512
80d9e0250f6b316fdfd8ac69fd2454507bc32494340140eb2a1dd1bc3782ddf54a39eb0a620aa2306177c072ca7079736d50da819cac9797dac8df7460c8b280

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
546a1dbbcaa328d410262761558dc792

SHA1
b4e04eaf401a4abbb2d907a57a2600bf1bf2754b

SHA256
a1b6a82b1dd14b696f618f7212bd977bb203c1bca0bef6c3f6f856271aa0d27d

SHA512
810213a775bc714e44774f5b678e066edbb2597deaab85948b1f718f89feb91ba08e9b7c37967a2ba68f65f2b5476b7896bd7fe20cf034744ba9ffcdf37c4c15

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
a22270dadd552150ad6d2c1ada96c42a

SHA1
986df75cef4b025e792da7db4d697847d0b94e68

SHA256
52e6ee938921cf95b3ba89c94b3e570420f888ac3273d0fe1d3c6e6ce97bc49b

SHA512
b09bbf530b770a2f262eadeb05070dfaff10bdf90387c6ce030e7556f3a6e67a2055741c2e94b02e779b68e8dca6020a977873f3cfcbbaeff794848482e6dab6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
c7f1f5ccd11d132e18baf481df86226f

SHA1
03b6a4bb9d8aa877005534c4c054836f8b2ae0a2

SHA256
84cc059937a9631cb19aded0eb4cb3b134bd6b4d66d3153343cbf77778158d35

SHA512
f0b8841fa8201fef233a1a7eb3f640f125221ff6f5916b79fbaf1d668c572bcdb4cde201733e93f5a4d9c9d4eec0ef858532bbd07eb9a0a2a2c1df279119b27e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
733077d45158cd2ccc4b9e8f0279d2b0

SHA1
1aca6f1b6c3d5ff52806be9853193d3dd001139f

SHA256
dd60274bb0fb4f2f1ad4680872716e7e181099bdcfd474dc54b5515cf223cf41

SHA512
5411a3b978d97aafb05411db864021ce356a1c37e29254277b635a985a7fa280c296e5fd6e37e78836d52d0f30b155a8b983db3bb5421c6aac45a1db4f806f3d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
bc89a5fec6e6c4d2c7d66f489d914551

SHA1
cdab938a1c2c1597ea0736bee38c8e26e9a27eec

SHA256
3b32eec9d5a879bbf72280f620ef7be9e8d876a70c7c25ef09612f60d881042e

SHA512
b4ab68595724bc023db27325fc2eff7d1d5f8656459c4a0be0c3bb81846f7f7a36197e1ab32fedc9915f2ad00bac2697c3ea2bf85664f8fd18e3f8933c30c4b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
f642bb5b973829d90b217c852e900ca8

SHA1
dd56c986bdd1d6f5b1cb4a18de1997caf57c560f

SHA256
d126f738f152bf880aa7b81223bb36ac87fc35e15c32c47d83992314bd8f3ecf

SHA512
3b2bee3ef0213cfc8a21114ab47c3b588bc214a093f7ec30ee07031efa03e82090cd698f98c60afb8c4f5a79c854a885a092654d23499c868cda2241fb86cd0a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
97818380b3b905740cbba18273581a15

SHA1
69920010c59ac5f0ff29ff19bb4d34cf3f4defad

SHA256
5522f474061a02c99ee789821dad4d55c371419cc4e5822fda2b587aaf41793f

SHA512
0b0bc1a8d6d5473457aa3a4c9176e1ccd6086315f41c7a681bf97ed54c476730cafd818747dba54e6ba0a81772a640fcf71118049b85efb6a747440d8a8d6fd5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
11KB

MD5
4a25926f1e965421a398192b059728fd

SHA1
0005704cbf64f3a5b6f6a9082c16d48db7dd676c

SHA256
31e83882b7ef2b88f3b4d8f0d0f1fad30bd765d95f123bdd2a3e829108660d03

SHA512
278e3b2e4b83f4b6ad47bc6a340e6cdf9511320cef592ff35eb641c9f30f0c0f2ef0dcfb82a5be6d460f3769ae11d4f92f6862c739f97e0aac16dc6490ea6cad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
11KB

MD5
988a3e51fed8c520231993c2edfbf39f

SHA1
4b07d130566177f8acc7a17d646de0f959f1c055

SHA256
5a2d1a91ff530b4c2a0f019195950bdcd024ee070145c8d0ddf1624bcbb4e41e

SHA512
f1da25019321b05c6a03ca78a1548a50bc4d76cf7c0a7522f8f6a15a451b5cea72cb6ef76683dc8fd07a1edb4d9946f94540b1fad4637655bfe51aed6185d232

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
11KB

MD5
323e471a680e66d4a87a4f8c5e6ba8a2

SHA1
b2026de32c884ac62dde622565524fe988e5534d

SHA256
ddb43bfef52a671cfa59d17a434441ec49d31b2e4c60cc2cf6c1e0fc8d6f5f0e

SHA512
b3c756f8503d2f6d6dc335d91731341915128b4ef87a3f4f7ff51ac4d2f39bc5f6e5beceb85572ab059f4ec19aab0a6456206ea489ad99b9b2e0103e59c859e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
11KB

MD5
6a735172a4b32512c4d455b5914e256e

SHA1
827132975e4d4e3228c4ffca7a56feb3464b5c92

SHA256
b229fb976b6b132c43018df6e4c46bae3ce9252b2c5998f9f1041450f91c4e8c

SHA512
6bf6c4f1dcd3b9ff1fdb3a563e009bb67473e9739d5c20766b95ff232872d518befb9cdcda3c7cac8371b9cb5efa0f9af797b71b54274d4d745c6fffb6e1ef25

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
11KB

MD5
8565cee1d82661f7b37f2ed0919a6cf4

SHA1
ccefadd53c9c901908b14affc3456d3b18ee193b

SHA256
f00cf2d6da93516e0def527482a4ed9428a3344c0b2d2fc2ffb18189ca6aaaa5

SHA512
3b957367c2533cc9b08974d8bf53e1958e8cb1b4949e4fd9be8988002e429659f6c518886ef09ff4a056695d36ef4c72b53d56ca1df2d9c56fdc22f6facf8344

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
11KB

MD5
393149a54f30581bdba9035f53acc1e5

SHA1
751c96dfbd96a78781f3d5f39522c9a9033c3cbe

SHA256
442d0a21c61a8669fd21a261f24bcb199705841fcede34683b9e1d084ba9d453

SHA512
25679fad0d61102bd651b9321b36aaa64a8cd256e10b8172b79bf079ebf2dbbbb2f30e559dc9d3aa6e31084d30bc2cfd60f3ecb3c9bc255e244a06164122a3f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
35bdf824573c76718db2b7d855e3ad1e

SHA1
5bf8d23568b42956dc320466a5e59f25309aa6fa

SHA256
5b089842821f3d745832564ee452b9563bf2916ef1241264e49ed67de583795d

SHA512
2f96e525e1bea7dbd314b0923d654e955f6fc29ce6e4b75e7a2c11a3731c0962427839ac40906eb58c99cd8f56178f86c31d0a3110a7f3668e9d57acd30268bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
13KB

MD5
63b4def712b1f505b5a69f8ef64f60ba

SHA1
326825f23dd8491f00d363fff2b78bbafd36ae47

SHA256
bed831f4faa1a34832e4e590066e0394c7e38cfbddb233b8cc66e05758af7fa8

SHA512
9f0a2c79375d54223bfa5c5c0dff4e6faab6f0da0e47793e20dd84b26d87e7119dc25f56678f15e45e32d38acd6aa30b37bd8e47d4ff83e729a0788328e9dc93

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
13KB

MD5
92ca038acb8c9777a7dc830b6d19efd7

SHA1
95919dbf1c28cff2c07ab4988126b0964adddad5

SHA256
75c19c53f603dfb69d82566e91e60a02876b12153a644c89d684fadea6274216

SHA512
c6475195b781a90b84f2cc5e0cecf722058f010ca0942a995f0a345a962c61fcf561be7adf353c93f5083fbd4b40b175d7c399fe1df4ad2677393aa076343fec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
13KB

MD5
abf8d853e211477aba0d799cc35d9003

SHA1
a0a18b38651c3158501da5f18da5e13f51d03121

SHA256
6ffbcb61300564f3078230186bf830ba820f2b68932449dc0f6055eaa1c78ea9

SHA512
ffd620c718d992f0dc4ac47e9376ce382fc5c32db1b4e7da3a83d96272168c08ebd392c66b87d22341bf42d73e70a143c86171f5f5be20e786dea1d3f0c77717

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
13KB

MD5
30dcc76490772708faad96220c9877db

SHA1
db347fcade84e88f0fe6874e9b9e87d9bb0968c7

SHA256
7678cc9ac61db328d1d34ffdcf64a91afc8172c767605d1b99632ecd860e2081

SHA512
e6ef163194bfdcbf3fa9f055bffca2ede38c9bd337ce89122518b0737c67819182a779a0aff389622249294501231351a50c4f4d89b786bcb5fec518a9b6f3f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
13KB

MD5
03c0f949e8131b0815a7741e130765d6

SHA1
ddb1950968ed07f9ecab02db39e2581f184595fc

SHA256
746a9a79ccdc0fca706fc41834946481ef61b1ac4c21761838de7f967da8f15c

SHA512
87f7b83474057d77f4b584d1613e882043ba2e74d06e067f562618df3124ef4b759bad775acf5dc3c9b9adc64c8effe8fd3a1000f6422db1306e5d8b31b65557

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
13KB

MD5
a02e15c65c50ad5e4a24b376f9adcc17

SHA1
251bab9b856426ece9ba206328208eaaf065c80d

SHA256
bcbd46640e121a38c5b43a0f490252d007a00432cea417334290df84c073f541

SHA512
9d2fdd05925b095bd30b79d10b53917608b78c570eb8ea0674e58db1676fe5ab9fb50d33068a006128968fd704f2395fbc4dc11b364d01714fe74a80642fb7c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\storage\default\https+++github.com\ls\usage

Filesize
12B

MD5
88e4bfa1aa377656fa297bc96b1bd7e9

SHA1
5f6be9543e2c205fb2ac883ac0b057d13b6d5da1

SHA256
ee4f6dd39062410b8c6b78827c3b8db4550f4ecbe42b22697858db56297580a0

SHA512
af6e59280aaa39214981fbf226249fe1df005fa6b458f97198f05c1eb6be9aee1b5becdcf93b51df43c861291086f19d6991aaf4eab94bc2a8f3b7b9b9607ed4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\storage\default\https+++github.com\ls\usage

Filesize
12B

MD5
4fba7a010b239501f5a1926c6772940e

SHA1
2925b22844803d583cd1c1a598376c6d21df87e6

SHA256
47a3cb358404490efe6ee5ed05e5db4da97797ddac23eef46c750d477e34dc75

SHA512
49e20e7e6132787d76986afb2b26246be31752d2e36cb80928f2485d766d9070503e18a9329406dd2e4a0e3e2876f56f80c9cb5b805368d8eb93930b9e02c16b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\xulstore.json

Filesize
141B

MD5
d7a9c29a5421078a9135ccf1cade552a

SHA1
e1b43108778d359d8d9287cf59225617e1769463

SHA256
bade20948c677d1d458e39a4cf6d8c4d8237263d55e63370d6272fa3243ffe28

SHA512
49553b13fa1cc8d257f2ca9056742e6e11fbdce21633edeb5af6f863294f97ccf3cabe851d94bcedba03e2716311a48dcf8064eb1500f8a7c400b049bf48296f

Download Submit
C:\Users\Admin\Downloads\0W9wu-yC.exe.part

Filesize
2KB

MD5
a56d479405b23976f162f3a4a74e48aa

SHA1
f4f433b3f56315e1d469148bdfd835469526262f

SHA256
17d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23

SHA512
f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a

Download Submit
C:\Users\Admin\Downloads\AgentTesla.2GGOXG6D.exe.part

Filesize
2.8MB

MD5
cce284cab135d9c0a2a64a7caec09107

SHA1
e4b8f4b6cab18b9748f83e9fffd275ef5276199e

SHA256
18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9

SHA512
c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f

Download Submit
C:\Users\Admin\Downloads\Fagot.5on2G-h6.a.exe.part

Filesize
373KB

MD5
30cdab5cf1d607ee7b34f44ab38e9190

SHA1
d4823f90d14eba0801653e8c970f47d54f655d36

SHA256
1517527c1d705a6ebc6ec9194aa95459e875ac3902a9f4aab3bf24b6a6f8407f

SHA512
b465f3b734beaea3951ff57759f13971649b549fafca71342b52d7e74949e152c0fbafe2df40354fc00b5dc8c767f3f5c6940e4ba308888e4395d8fd21e402b3

Download Submit
C:\Users\Admin\Downloads\Floxif.zXkiMOPW.exe.part

Filesize
532KB

MD5
00add4a97311b2b8b6264674335caab6

SHA1
3688de985909cc9f9fa6e0a4f2e43d986fe6d0ec

SHA256
812af0ec9e1dfd8f48b47fd148bafe6eecb42d0a304bc0e4539750dd23820a7f

SHA512
aaf5dae929e6b5809b77b6a79ab833e548b66fb628afeb20b554d678947494a6804cb3d59bf6bbcb2b14cede1a0609aa41f8e7fe8a7999d578e8b7af7144cb70

Download Submit
C:\Users\Admin\Downloads\Gnil.Suuu3V_y.exe.part

Filesize
73KB

MD5
37e887b7a048ddb9013c8d2a26d5b740

SHA1
713b4678c05a76dbd22e6f8d738c9ef655e70226

SHA256
24c0638ff7571c7f4df5bcddd50bc478195823e934481fa3ee96eb1d1c4b4a1b

SHA512
99f74eb00c6f6d1cbecb4d88e1056222e236cb85cf2a421243b63cd481939d3c4693e08edde743722d3320c27573fbcc99bf749ff72b857831e4b6667374b8af

Download Submit
C:\Users\Admin\Downloads\Lokibot.LK0n4mqN.exe.part

Filesize
300KB

MD5
f52fbb02ac0666cae74fc389b1844e98

SHA1
f7721d590770e2076e64f148a4ba1241404996b8

SHA256
a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683

SHA512
78b4bf4d048bda5e4e109d4dd9dafaa250eac1c5a3558c2faecf88ef0ee5dd4f2c82a791756e2f5aa42f7890efcc0c420156308689a27e0ad9fb90156b8dc1c0

Download Submit
C:\Users\Admin\Downloads\Mabezat.D79WlMTL.exe.part

Filesize
141KB

MD5
de8d08a3018dfe8fd04ed525d30bb612

SHA1
a65d97c20e777d04fb4f3c465b82e8c456edba24

SHA256
2ae0c4a5f1fedf964e2f8a486bf0ee5d1816aac30c889458a9ac113d13b50ceb

SHA512
cc4bbf71024732addda3a30a511ce33ce41cbed2d507dfc7391e8367ddf9a5c4906a57bf8310e3f6535646f6d365835c7e49b95584d1114faf2738dcb1eb451a

Download Submit
C:\Users\Admin\Downloads\NetWire.Dy-8M1Cj.exe.part

Filesize
1.2MB

MD5
7621f79a7f66c25ad6c636d5248abeb9

SHA1
98304e41f82c3aee82213a286abdee9abf79bcce

SHA256
086d35f26bd2fd886e99744960b394d94e74133c40145a3e2bc6b3877b91ec5d

SHA512
59ffcf6eeac00c089e9c77192663d0dc97b2e62cedb6d64fe7dc2e67499abc34e33977e05113c9d39ca6d3e37e8b5c3e6aa926c8526215808b147c0152f7dbfd

Download Submit
C:\Users\Admin\Downloads\ProcessExplorer.wzI9Y73o.zip.part

Filesize
3.3MB

MD5
6c33b4937c5ed3f19f44cda1a9fe0bfc

SHA1
09ac5309b4d112d7cdb275572c28e3513748ad8c

SHA256
54336cd4f4608903b1f89a43ca88f65c2f209f4512a5201cebd2b38ddc855f24

SHA512
de2d46289164c77e7e5815d011164b48fe3e7394228a4ac2dd97b58a9ec68e306e7d18b18c45913fda9b80fed47607ea7600004e5fdffcda5b1362e71ad68056

Download Submit
C:\Users\Admin\Downloads\u9UcyICW.com.part

Filesize
4KB

MD5
93ceffafe7bb69ec3f9b4a90908ece46

SHA1
14c85fa8930f8bfbe1f9102a10f4b03d24a16d02

SHA256
b87b48dcbf779b06c6ca6491cd31328cf840578d29a6327b7a44f9043ce1eb07

SHA512
c1cb5f15e2487f42d57ae0fa340e29c677fe24b44c945615ef617d77c2737ce4227d5a571547714973d263ed0a69c8893b6c51e89409261cdbedff612339d144

Download Submit
C:\Users\Public\Natso.bat

Filesize
283B

MD5
5cc1682955fd9f5800a8f1530c9a4334

SHA1
e09b6a4d729f2f4760ee42520ec30c3192c85548

SHA256
5562cc607d2f698327efacc4a21bd079bb14a99b03e7a01b3c67f8440e341cb3

SHA512
80767263aad44c739236161d4338d5dd8b0b58613f22cd173c3e88ebf143220ee56bbf93ace69a07d3c2f00daff0adbaa8461a1d53d12699725395c931c43cb6

Download Submit
C:\Users\Public\Runex.bat

Filesize
226B

MD5
f6828e22e6abe87c624e4683fac5889b

SHA1
b93d63354d4ddb226dab90955576a6d2cad05ba0

SHA256
e1b1884353a51436f90dfed9f85ed9dd98fccfbd13dee7aa54fd901f77fe5e9c

SHA512
26afb36afcb3f286b85ebd72061e26f84c33075d3d0767cc93f50ec414a85838c86049e0c56ff43011d1a309b98ae355cbe412203429ac243010dc971ac81ec1

Download Submit
C:\Windows\SysWOW64\drivers\spoclsv.exe:Zone.Identifier

Filesize
212B

MD5
3057de24b59f6493088d85c4ce9c3a43

SHA1
b23d82c01a3232fdd115910e13251e1a63493a1a

SHA256
e1fbb465fd1884ea2bfa80cdf664b890373d626129a25753c280febebad95eaa

SHA512
2d9eef489bd144e6339f4cf42afe2731f7196fc832bdedca0e8b2408dabe04f40e1e7f49db39965988a79b7ffd62191b9ac18937be1f33fa2595fa4b15b66540

Download Submit
C:\Windows\SysWOW64\ntoskrnl.exe:Zone.Identifier

Filesize
206B

MD5
740434ee7a635c53f6db72917da96488

SHA1
3a748799af7c7af70a91b04dbed300f92fe0a6b5

SHA256
a81c9809b8ce94789c88d2a682dfa651c99e49eafd5b4418dabbeabfb9b74115

SHA512
43f230f8483dc59df0ebf31da3137506a77d8f9f6afef48fc98a266a063ff5e15251ed73eb0dc7e21deb2fa0577fb6101399ae4daef005a568f8c4cf9fd74c5e

Download Submit
memory/1088-6607-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1336-6498-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2756-6584-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2756-6587-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3000-6167-0x0000000001000000-0x0000000001026000-memory.dmp

Filesize
152KB

Download
memory/3384-6583-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3796-6166-0x0000000001000000-0x0000000001026000-memory.dmp

Filesize
152KB

Download
memory/3796-6159-0x0000000001000000-0x0000000001026000-memory.dmp

Filesize
152KB

Download
memory/4136-1707-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4136-1708-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/4360-6513-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4980-6604-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4980-6601-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/5052-6509-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5200-6614-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/5352-6565-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/5352-6568-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/6216-6552-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/6216-6556-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/6236-6497-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6252-6577-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/6300-6508-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6368-6611-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/6368-6608-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/6392-7062-0x0000000000A70000-0x0000000000AC2000-memory.dmp

Filesize
328KB

Download
memory/6392-7064-0x0000000005AC0000-0x0000000006064000-memory.dmp

Filesize
5.6MB

Download
memory/6392-7093-0x00000000066B0000-0x00000000066D2000-memory.dmp

Filesize
136KB

Download
memory/6392-7063-0x0000000002D90000-0x0000000002DA4000-memory.dmp

Filesize
80KB

Download
memory/6392-7074-0x0000000006700000-0x0000000006744000-memory.dmp

Filesize
272KB

Download
memory/6392-7071-0x00000000055C0000-0x00000000055C8000-memory.dmp

Filesize
32KB

Download
memory/6392-7073-0x0000000006440000-0x0000000006448000-memory.dmp

Filesize
32KB

Download
memory/6392-7072-0x0000000006210000-0x00000000062A2000-memory.dmp

Filesize
584KB

Download
memory/7192-6580-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/7304-6486-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/7412-6482-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/7412-6487-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/7468-4922-0x00000177B2B40000-0x00000177B2B62000-memory.dmp

Filesize
136KB

Download
memory/8144-6514-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download