phobos | ccfaba472d2e6d1ee23eee843782da4982246bf2b7582a39937ce846818c8036

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
16-10-2024 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
Size

55KB
MD5

ea6d3083f8c1c506fbff457bf09a7ed8
SHA1

f159c4fc7d13571e725f0ae9e0749c77cf859b4e
SHA256

000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46
SHA512

1167b9ebe03c399c5915394592f97ce60bd07e92f589a4a0d794255c7a9c46423dd28efbf96b45aab6a67763a20676627f35683cc6790bf1383c7f07b6e28405
SSDEEP

1536:ENeRBl5PT/rx1mzwRMSTdLpJVIVAxN/0nVS12:EQRrmzwR5JiWxNIJ

Score

10^/10

phobos credential_access defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer

Malware Config

Extracted

Path

C:\info.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>5578A767-2803</span></div> <div class='bold'>In case of no answer in 24 hours write us to this e-mail:<span class='mark'>[email protected]</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

5904 bcdedit.exe
5404 bcdedit.exe
6472 bcdedit.exe
6448 bcdedit.exe
Renames multiple (550) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

4580 wbadmin.exe
6616 wbadmin.exe
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

3916 netsh.exe
1080 netsh.exe
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

pid	process
5904	bcdedit.exe
5404	bcdedit.exe
6472	bcdedit.exe
6448	bcdedit.exe

pid	process
4580	wbadmin.exe
6616	wbadmin.exe

pid	process
3916	netsh.exe
1080	netsh.exe

Drops startup file 3 IoCs

Processes:

000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[5578A767-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46 = "C:\\Users\\Admin\\AppData\\Local\\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe"	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46 = "C:\\Users\\Admin\\AppData\\Local\\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe"	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3870231897-2573482396-1083937135-1000\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Public\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

Drops file in Program Files directory 64 IoCs

Processes:

000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-200_contrast-white.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\FetchingMail.scale-400.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\DetailsList\DetailsRow.base.js	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\dom.js	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.122.manifest.id[5578A767-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\LinkedInboxBadge.scale-150.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\ui-strings.js	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-string-l1-1-0.dll	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleBadgeLogo.scale-200.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\css\main.css	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Input.Manipulations.resources.dll	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\root\ui-strings.js	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Locales\sl.pak.id[5578A767-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PaintAppList.targetsize-30_altform-lightunplated.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons2x.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\Locales\ca.pak.id[5578A767-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-white\PowerAutomateAppIcon.scale-200.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.id[5578A767-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CASHREG.WAV.id[5578A767-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\Microsoft Office\root\rsod\powerpivot.x-none.msi.16.x-none.boot.tree.dat.id[5578A767-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\NewsAppList.targetsize-30_altform-lightunplated_contrast-black.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOIDRES.DLL	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymxb.ttf	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_gridview_selected.svg	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msvcp140.dll	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-math-l1-1-0.dll	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-ppd.xrm-ms.id[5578A767-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-white\PowerAutomateSquare150x150Logo.scale-125.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\OrientationControlConeHover.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\DetailsList\DetailsList.types.js	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ul-oob.xrm-ms.id[5578A767-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Resources\pl-pl\Resources.resw	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-200_contrast-black.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sl-si\ui-strings.js.id[5578A767-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\Locales\sv.pak	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h.id[5578A767-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-pl.xrm-ms.id[5578A767-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-phn.xrm-ms	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\THMBNAIL.PNG.id[5578A767-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\it-it\ui-strings.js	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationClientSideProviders.resources.dll	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\PeopleAppList.targetsize-24_altform-unplated.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Buffers.dll.id[5578A767-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ppd.xrm-ms.id[5578A767-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PaintAppList.targetsize-20_altform-lightunplated.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_close_h.png.id[5578A767-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Controls.Ribbon.resources.dll	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Web.Entity.Design.Resources.dll	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\vlc.mo.id[5578A767-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-30_altform-unplated.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\createpdf.svg.id[5578A767-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.UnmanagedMemoryStream.dll.id[5578A767-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\merge-styles\lib-commonjs\StyleOptionsState.js	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.db6743b9.pri	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-30_contrast-black.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarBadge.scale-150.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\fr-FR\MSFT_PackageManagementSource.strings.psd1	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-pl.xrm-ms.id[5578A767-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuvp_plugin.dll	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Xbox_LargeTile.scale-100_contrast-white.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exemshta.exemshta.exemshta.exemshta.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exevssadmin.exe

pid process

3696 vssadmin.exe
2680 vssadmin.exe

pid	process
3696	vssadmin.exe
2680	vssadmin.exe

Modifies registry class 2 IoCs

Processes:

firefox.exe000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4328 NOTEPAD.EXE

pid	process
4328	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

pid	process
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exevssvc.exefirefox.exeWMIC.exewbengine.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
Token: SeBackupPrivilege	2440	vssvc.exe
Token: SeRestorePrivilege	2440	vssvc.exe
Token: SeAuditPrivilege	2440	vssvc.exe
Token: SeDebugPrivilege	4296	firefox.exe
Token: SeDebugPrivilege	4296	firefox.exe
Token: SeIncreaseQuotaPrivilege	3360	WMIC.exe
Token: SeSecurityPrivilege	3360	WMIC.exe
Token: SeTakeOwnershipPrivilege	3360	WMIC.exe
Token: SeLoadDriverPrivilege	3360	WMIC.exe
Token: SeSystemProfilePrivilege	3360	WMIC.exe
Token: SeSystemtimePrivilege	3360	WMIC.exe
Token: SeProfSingleProcessPrivilege	3360	WMIC.exe
Token: SeIncBasePriorityPrivilege	3360	WMIC.exe
Token: SeCreatePagefilePrivilege	3360	WMIC.exe
Token: SeBackupPrivilege	3360	WMIC.exe
Token: SeRestorePrivilege	3360	WMIC.exe
Token: SeShutdownPrivilege	3360	WMIC.exe
Token: SeDebugPrivilege	3360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3360	WMIC.exe
Token: SeRemoteShutdownPrivilege	3360	WMIC.exe
Token: SeUndockPrivilege	3360	WMIC.exe
Token: SeManageVolumePrivilege	3360	WMIC.exe
Token: 33	3360	WMIC.exe
Token: 34	3360	WMIC.exe
Token: 35	3360	WMIC.exe
Token: 36	3360	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3360	WMIC.exe
Token: SeSecurityPrivilege	3360	WMIC.exe
Token: SeTakeOwnershipPrivilege	3360	WMIC.exe
Token: SeLoadDriverPrivilege	3360	WMIC.exe
Token: SeSystemProfilePrivilege	3360	WMIC.exe
Token: SeSystemtimePrivilege	3360	WMIC.exe
Token: SeProfSingleProcessPrivilege	3360	WMIC.exe
Token: SeIncBasePriorityPrivilege	3360	WMIC.exe
Token: SeCreatePagefilePrivilege	3360	WMIC.exe
Token: SeBackupPrivilege	3360	WMIC.exe
Token: SeRestorePrivilege	3360	WMIC.exe
Token: SeShutdownPrivilege	3360	WMIC.exe
Token: SeDebugPrivilege	3360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3360	WMIC.exe
Token: SeRemoteShutdownPrivilege	3360	WMIC.exe
Token: SeUndockPrivilege	3360	WMIC.exe
Token: SeManageVolumePrivilege	3360	WMIC.exe
Token: 33	3360	WMIC.exe
Token: 34	3360	WMIC.exe
Token: 35	3360	WMIC.exe
Token: 36	3360	WMIC.exe
Token: SeBackupPrivilege	5736	wbengine.exe
Token: SeRestorePrivilege	5736	wbengine.exe
Token: SeSecurityPrivilege	5736	wbengine.exe
Token: SeIncreaseQuotaPrivilege	6556	WMIC.exe
Token: SeSecurityPrivilege	6556	WMIC.exe
Token: SeTakeOwnershipPrivilege	6556	WMIC.exe
Token: SeLoadDriverPrivilege	6556	WMIC.exe
Token: SeSystemProfilePrivilege	6556	WMIC.exe
Token: SeSystemtimePrivilege	6556	WMIC.exe
Token: SeProfSingleProcessPrivilege	6556	WMIC.exe
Token: SeIncBasePriorityPrivilege	6556	WMIC.exe
Token: SeCreatePagefilePrivilege	6556	WMIC.exe
Token: SeBackupPrivilege	6556	WMIC.exe
Token: SeRestorePrivilege	6556	WMIC.exe
Token: SeShutdownPrivilege	6556	WMIC.exe
Token: SeDebugPrivilege	6556	WMIC.exe

Suspicious use of FindShellTrayWindow 21 IoCs

Processes:

firefox.exe

pid	process
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe
4296	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

4296 firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.execmd.exefirefox.execmd.exefirefox.exe

description	pid	process	target process
PID 3928 wrote to memory of 5100	3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	cmd.exe
PID 3928 wrote to memory of 5100	3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	cmd.exe
PID 3928 wrote to memory of 2736	3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	cmd.exe
PID 3928 wrote to memory of 2736	3928	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	cmd.exe
PID 2736 wrote to memory of 3916	2736	cmd.exe	netsh.exe
PID 2736 wrote to memory of 3916	2736	cmd.exe	netsh.exe
PID 2256 wrote to memory of 4296	2256	firefox.exe	firefox.exe
PID 2256 wrote to memory of 4296	2256	firefox.exe	firefox.exe
PID 2256 wrote to memory of 4296	2256	firefox.exe	firefox.exe
PID 2256 wrote to memory of 4296	2256	firefox.exe	firefox.exe
PID 2256 wrote to memory of 4296	2256	firefox.exe	firefox.exe
PID 2256 wrote to memory of 4296	2256	firefox.exe	firefox.exe
PID 2256 wrote to memory of 4296	2256	firefox.exe	firefox.exe
PID 2256 wrote to memory of 4296	2256	firefox.exe	firefox.exe
PID 2256 wrote to memory of 4296	2256	firefox.exe	firefox.exe
PID 2256 wrote to memory of 4296	2256	firefox.exe	firefox.exe
PID 2256 wrote to memory of 4296	2256	firefox.exe	firefox.exe
PID 5100 wrote to memory of 3696	5100	cmd.exe	vssadmin.exe
PID 5100 wrote to memory of 3696	5100	cmd.exe	vssadmin.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe
PID 4296 wrote to memory of 3736	4296	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
"C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3928

C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
"C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe"
2⤵
PID:4360

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3696

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:5904

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:5404

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:4580

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3916

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1080

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
- System Location Discovery: System Language Discovery
PID:6408

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
- System Location Discovery: System Language Discovery
PID:2052

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
- System Location Discovery: System Language Discovery
PID:1444

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
- System Location Discovery: System Language Discovery
PID:304

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:6200

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2680

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6556

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:6472

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:6448

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:6616

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2256

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4296

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1908 -parentBuildID 20240401114208 -prefsHandle 1848 -prefMapHandle 1840 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef32374d-bf9d-4f67-a9b4-489f9a3280fc} 4296 "\\.\pipe\gecko-crash-server-pipe.4296" gpu
3⤵
PID:3736

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2376 -parentBuildID 20240401114208 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {195329f9-3f6f-4fdb-a42e-6f0ba2eb4500} 4296 "\\.\pipe\gecko-crash-server-pipe.4296" socket
3⤵
PID:4880

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3316 -childID 1 -isForBrowser -prefsHandle 3284 -prefMapHandle 3280 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 940 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c89ba17c-4d5e-4bdf-a143-5722ab4700ea} 4296 "\\.\pipe\gecko-crash-server-pipe.4296" tab
3⤵
PID:1552

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3864 -childID 2 -isForBrowser -prefsHandle 2712 -prefMapHandle 3880 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 940 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10ebbe14-d29f-424a-ac7c-b164baa6266b} 4296 "\\.\pipe\gecko-crash-server-pipe.4296" tab
3⤵
PID:3496

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2508 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 1756 -prefMapHandle 4816 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1656a63-3197-475d-93bb-f750db27d7f1} 4296 "\\.\pipe\gecko-crash-server-pipe.4296" utility
3⤵
- Checks processor information in registry
PID:2096

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5204 -childID 3 -isForBrowser -prefsHandle 5196 -prefMapHandle 5192 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 940 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e2d3f14-793f-44c0-9967-bcdda57b38fa} 4296 "\\.\pipe\gecko-crash-server-pipe.4296" tab
3⤵
PID:5608

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5360 -childID 4 -isForBrowser -prefsHandle 5436 -prefMapHandle 5432 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 940 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c408b8d8-0981-4ccb-9b3f-41045f7cb462} 4296 "\\.\pipe\gecko-crash-server-pipe.4296" tab
3⤵
PID:5652

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5576 -childID 5 -isForBrowser -prefsHandle 5340 -prefMapHandle 5344 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 940 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebb2acc7-4173-4c24-a003-463bce9e537b} 4296 "\\.\pipe\gecko-crash-server-pipe.4296" tab
3⤵
PID:5664

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5912 -childID 6 -isForBrowser -prefsHandle 6004 -prefMapHandle 6000 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 940 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddbbbffd-767d-45e2-ac49-3c0830411fdf} 4296 "\\.\pipe\gecko-crash-server-pipe.4296" tab
3⤵
PID:5352

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5736

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:792

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:2492

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\d01af9824efc4799866ad90cdb5723d4 /t 6048 /p 304
1⤵
PID:5716

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\info.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[5578A767-2803].[[email protected]].eight

Filesize
2.7MB

MD5
92ac565697e62e0abc738d645b08e8d2

SHA1
7839ae9ff5caa32ca95f77437eab34f2cd6246cf

SHA256
ecf9f2c9f70a308f0cbb8e6c98463e27b66d81206d146f86cfd722acd8a4ebf8

SHA512
88b2404ef0fc0a92b1abd7e35fc1c5514aa59c1c6ed61151b53896a83d7438d40379c54b1f49851ef16b139f7c061d595599e32f93de4397545e74b36f207c21

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
99fbb41b941136d14b733f42d44a04c1

SHA1
8ef9c1ee3d874992efcc5909051d46ee90cf7d02

SHA256
3548643e271178c72ebceb29d2f49562058066bfea8cf78db9ebc5e4c25da379

SHA512
b04b67a0e704ac0289e0de6e4bacb7938aac35625e0bab2ed00327981d5b8ca223a04f03fce086b0d689aed113144870617456531595019a4292b26f662f4180

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\0305BF7FE660AF5F32B4319E4C7EF7A7B70257A3

Filesize
13KB

MD5
879701c017c0aa58a1819d7ceb00e097

SHA1
3c69c776fd52978533224df295079cb1ef262a90

SHA256
880cdfccbc240a5e089c0516fd9e38b8f255e9d66232c518efcc018289f6ca27

SHA512
e4e6f30ad3c1d559f2928c40290cbfde318d7ca2a3c927e925bd3f61eb9cdd2dd86ca9e027e1895c2b1d839fd8920d2c6abbc60354e1bf80a969e1c461d536ec

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\0305BF7FE660AF5F32B4319E4C7EF7A7B70257A3.id[5578A767-2803].[[email protected]].eight

Filesize
14KB

MD5
7fb170a470687b97db3dc5f5f63f0455

SHA1
d0309ba6dc246fa56b936a0424214690404e8c71

SHA256
0db27eb4a928e2685dbb74ab0369a465b688e9cf0f65232ce869cdcaf18049b8

SHA512
a47822f71cbcb5e550ca315806b99f21002ee22b0d5f6b7cb4c4dc2cdbcae596c0582e037e946045916432a78983dd3bee9b6e87ed8898fa5a38c6ee7678c6e2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\037778A55E1B7E9BED3390289866D09402D6C913.id[5578A767-2803].[[email protected]].eight

Filesize
9KB

MD5
1182b2f34e13f0ee192edd98fb850684

SHA1
918f9f6f6baf0cfde2ecd7d8a68739e933edc325

SHA256
0d3d9ae748f8f8bc85834a6bd5cf35320377e7615b58caa11c4c264ad4c7fada

SHA512
39ba99569d1b4722fcf0ae458d379aaa2c0c72135a28c01c85ee19aa5e6f5b461e07d6a5f1da8b1c58ffdfada43766cc705b84028e300fa372e9e9f1044ec23e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\07B2F04F8B3262F56BABFBE5233B149E2A2D3DDC

Filesize
12KB

MD5
066e50a7678beec96eb25644ab397a43

SHA1
7db9d4a1a7f813508dbbc4f0b56a511fd6f69f0e

SHA256
8852e5cd4f8156c5bdc66891cdbd691954ccfff8c10fde8094954ddf561bffd5

SHA512
17c72d3c2e59b610d31cc4f7460af6f84ea68a5cc930891676204268ca42219bcb9c9b7b42033de6aaf40f912b28f491c2f38d51f96ee8f1a1f15015bbbdf864

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\07B2F04F8B3262F56BABFBE5233B149E2A2D3DDC.id[5578A767-2803].[[email protected]].eight

Filesize
12KB

MD5
da9f38d59ee0c45636d23d05867e19f3

SHA1
24cafc3ca96bd2d564e8b032db29998297b6417e

SHA256
54791a229d7e2b900e8399e9cffe72901cdb87a57a8c366ecac997e15ce9f83f

SHA512
d28a2047320a08c1e6a904fc8c7aaf2e16185991cdf1f7da1db88a23667a08949a297527937a7195ca65126971bf0d37786b511385fe36f24b5f8c2d4a46ec98

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\099EB2BF8827A4F91EAB3E38B14650D0205226F2.id[5578A767-2803].[[email protected]].eight

Filesize
16KB

MD5
fe4d125c04e4738cf30f5608fad8e71d

SHA1
5b84ad6c547e2c8c0ae43f8d531c51304b4449ec

SHA256
e9c7d9425349861bb7c996338cd6139930d395a42614e7bfd48c04b5cc9d00fc

SHA512
b638f450815d75835d70a554814d72b66cfadcd7492dd1b07a361b68693a706399bd4c607ea03805c8345c7c5ecccf5da62d9563f8cfd98f3b4b8d25d5ee69e2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\157186CDA05735F1848CFDE89C891C7827C2B448

Filesize
224KB

MD5
fa3f9b414de84eddaae30c618041d307

SHA1
df71d1d2c3827c4defddea5e4f98dfe9fd19f7b4

SHA256
1bae6a26cd5a400e507817c4cb14568e6137e7c5f42970dbb72f97fc3630e496

SHA512
d612d9b83b9a6e873478014905d111de22cbe6bc95da8c950031524557c68eb676120b67d2269386eaa6cdd9276a35baad3f76d9fd8d7c9b77ab5a3eb4d8d1d2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\157186CDA05735F1848CFDE89C891C7827C2B448.id[5578A767-2803].[[email protected]].eight

Filesize
224KB

MD5
d9cf63c60bddb0236312c9662b55c3d4

SHA1
063b15ec8db6aac1187931f0093206d3213ca504

SHA256
7691edb7e61faee37fff23bc3ca1026e8eb489e8f0fe9c129a267c6436433224

SHA512
957847d6fef0609d3d4565285da292efef86ddce580d782bf2b03513df767d4792ad31cfd1a3f5554428b3ea9a53a6ec85ac28c69223739e7d212e6bfb4165f1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\1611007487CDFCDB9FE43793C68D8984CF7DD7AA.id[5578A767-2803].[[email protected]].eight

Filesize
9KB

MD5
654cf36efad5039396b2910c520d4b75

SHA1
9f6c9d044f696e15b10ca8d83b19a5843cdee086

SHA256
5364e23f19b1729f026ebf22f9874dcc61e0043efd410c5d2f9ba6249b9d0120

SHA512
da8e07bf84c4943a60842c999138bd0e2086537dedafb22919930f300f8ce03752cee85e163cde6c9c9a2c3839f481084fb171a6a9b16869a6183f3f511ff3ba

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\236F1F65D686BE46DC2953555D6006AECABE3BFC.id[5578A767-2803].[[email protected]].eight

Filesize
11KB

MD5
940db3de8c84384c4fb391319d0c631f

SHA1
5de6439a58ae85c7e90a330c1ec5e3d3499f5a3a

SHA256
596939ed4f6a0d4c2d22c57d8bdd6557e6024ce99a5dcea2f84059176496b829

SHA512
1cbbe83222d208510713456771af9b5fd329f2115a9d377ec543ababf22cb7000367d36ff83f2922a43a2eae70ea14c38019f03ece7bc91eac50e6f3a34e2aae

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495

Filesize
9KB

MD5
1554b537162f7ed63195ee8492f52b2b

SHA1
23fb023b7d293b151a460fe5398cd9b3053a078e

SHA256
7dba0916fbac505e67a884d73a7f187ae9dc730e84e2b760d97ff5928f03327a

SHA512
af72547c41269b611a5ee2f3ed39bfd6a126152a574e89f335130f7f8c249a100d2fea50e38ae6ec590582adbfddfbd9b482c7d49e3766a709d1b2eee002b252

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495.id[5578A767-2803].[[email protected]].eight

Filesize
9KB

MD5
02c5a83df35ee028b963b4e16e937928

SHA1
75b1df581f2ce045537214b3cfd086385f00a71d

SHA256
a326840055413faad881cb16b4659b276407d9d7f34701b10f9ebf41da957441

SHA512
96d5296a9c50241a0d39c83c6c59298c8c218fb8589487ee860b0f32e789f42db03f55a4424548ddc4ef63cc298997b44c14f22548f791062c10dc02b08c709c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\2AEE44BE24F6B18A87E52B6F4D53AF773FFA2EB2

Filesize
15KB

MD5
e06282eff5401a16e26b6fd0373f2ba1

SHA1
ee9beb264aa418e5a35bebf80679a0ad6a0ca6e7

SHA256
0af287870596908146431aeaffe58eacb45c5b858f1165e260ecd33505e90379

SHA512
fc01f80207f20de7d748926950d7e610d136c3853ac0e3db32febdce421bc8184a75cb9610d2fa6a254144265859127eeaed401e2af736cd50c9be907116c80a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\2AEE44BE24F6B18A87E52B6F4D53AF773FFA2EB2.id[5578A767-2803].[[email protected]].eight

Filesize
15KB

MD5
8215ecff38f5febc80adab1695ef8c5f

SHA1
d3caa130a3afc11851b23b0407955551bdf4ed13

SHA256
075eb90769e828a95dcd7c7c5efc14ad08ff26687b7e9d0ceba78ebb70e961e1

SHA512
e923a93f25bf1ab6fe9637d513899639472ea0137b2fa2b662c37b1ea4563cd0b2d4a82ee94799bccb6977a3263ae0b23572eb4659e7c5ba1424211db974a425

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\38FF788A718C79DDC3D1E23EAA975517D9BA3BB0.id[5578A767-2803].[[email protected]].eight

Filesize
10KB

MD5
291bcd2055b2fb118ae8f256ad38fc00

SHA1
a525a05d7ae1285d2d03d4e7fd76697bd7687edc

SHA256
ef1fd28464e4d5951cf7ef8f9bc8d1bb79a32b922157543756caf75f50498258

SHA512
eb944326220ccb9d793e05810dac4d68061199bbde1e41dc8454fabb07846e74eed44ef505651769ca7c3ab026cdf892bec62fea050a27caf4963a024ad509e2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
15KB

MD5
c41cdeea4c16768d4954a61210ab2473

SHA1
19581059b7ffc877426e7168abcf4a0495e88cde

SHA256
8f3d7b81020ba0dfdf5371028b63a67095002865714f15707371ab7f63b6447a

SHA512
56953a913c6b7db9c5aab462405e5bc27b1c17c1a7440db4e5cac425cbaf47bbf7a74b97aa681d57ba9256b11e51fe405f1c16e50f364c0148e1edcd3f1c98b6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F.id[5578A767-2803].[[email protected]].eight

Filesize
16KB

MD5
3a3579cc0a6b94053f3ba00e526968af

SHA1
d6a17c4d7abe2402012c0b8defb7fb7e852242c7

SHA256
c52829e27040e68d3f37ccfdc524382b18b3af55aac24329c4830d95ad5eb3f9

SHA512
67d47db9888bf934a113f470ecf691d08474b6d97649f92c8b7cbf152f855a6ad1c230bc9b33660600e03a512a152a92332f8d6798bbd9f56b4b8943a41909d6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\7688BDE11BD653890A1D1E73ED2FA10A03316894

Filesize
49KB

MD5
ce059f5eb8df2a214be39dd1da9f98bb

SHA1
ac5a285e270b3a59349b29c20981b59889efae24

SHA256
72a0065d79d942092a7c1cccf36ab61d9497f814d51cb5b832326ee420db0235

SHA512
b33a99ea71c61b8a359fc31da45c591d0bf65375b9fc1fdb33dd73bf43719fd5e11ece86a8b4c7a6690a58df51f60d228d2662f7debbdc27d1fd78d2d352a7b0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\7688BDE11BD653890A1D1E73ED2FA10A03316894.id[5578A767-2803].[[email protected]].eight

Filesize
50KB

MD5
3376897f4b54a787603561a2f2eb6b54

SHA1
857a1f359810af4d620d9d595ca6e0966c2ec3ac

SHA256
12abe78159c03f839d3af4f26cbae2cffb5fcd9b102566aeec93f029963058a6

SHA512
3b9589fe62041fda756f2a4208702086739addc70d07ad51f7c16fbe565116df0acafc4aa69ca386384b0918b1c753a16faeb9509517fcf25638d7764c61967b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\7BFCF32544F467F973AF267DF4EB4842EDED0C1F

Filesize
16KB

MD5
84dff198b81147b9999b9432a3bd9d1c

SHA1
3b015945b2c2e281c714d13b2f12c499a6709b22

SHA256
c67211c43e9d14903f0f343bdb0d5fef876cf15e81efa2f868eb93874fe25d91

SHA512
205d91f639f2758bcc8319ac77a934fbb7a050fc75b1650a59fa9d3c0edca944fc00753014bd346682675bffd89574da8d08438d1afb5f68ea49281af3d63664

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\7BFCF32544F467F973AF267DF4EB4842EDED0C1F.id[5578A767-2803].[[email protected]].eight

Filesize
16KB

MD5
e4c4bc0e03ed91123cc76ce03a152403

SHA1
fc112bb753a6ed176ab22a0d5b7eb02bd393abc6

SHA256
02a0e197d5390c97b6a8549c73b937d33b053e30626787bb92ba7aca45eb6b80

SHA512
2475d529e6fde1690b80655cc842a8a60b16d0d0e601ab825e0117e5f3dda5c894cf1dd29cd16ac7dd146886d2638b6662808b67e3e82e59a72c2b229593e3ac

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\89C9B59023C6004C5FCA8E641B2BD533BAA7F06E.id[5578A767-2803].[[email protected]].eight

Filesize
9KB

MD5
df3ad09b9126629ac4579a6fab6173da

SHA1
3f25ad0ea17b1ec318f913bc23208ce13e8232b2

SHA256
5045d78bac745ed99a9028969c452ddc438569b30a899c371c61178d9d6a75a8

SHA512
e3cb58c86a3bca807469479988f4ba27021fe65cd94220cefe1c4083635470fbffa18a1ca0f0bc13720ec13c78a9b138c05d423464834e81ca886edacda18f69

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\8AF5D98EA49BFC5F75DBBB8CBE9CADF11B63E0F4.id[5578A767-2803].[[email protected]].eight

Filesize
11KB

MD5
afd9854d26d9ae1b72154b87b3723f6d

SHA1
e88bc4041fb78d7f0e9182cffd418604839f33ac

SHA256
9c0b9c6a3478678a89162e274c84ebd437344e7422f5ee310e393a5c96b9000b

SHA512
13526e0704f43ec9ae70dd990c636102388ddcf8118201311ae5d52800ad24b385f91ce1ec4ec9d3a31ab645811de9d7474e11332d2e62d022b29a92f92db0a1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\90E321EE94230DCDBDCD2EC0B77C695A4FC21F78.id[5578A767-2803].[[email protected]].eight

Filesize
9KB

MD5
b8c5a24ecf1003901f596713100f95fd

SHA1
bf89f937dc72189e11faee4d142e39802764103c

SHA256
034ef4b24602760cdb4f35f1c110373fb9ec4284faf339f8269f4ae56657487f

SHA512
32fe75d7d2bda8fe2a1c7fbc43769d9934952ae43a4a5f01c3b7403937963ca82da3871a7942c24443ec279ca84641f78d07dd0716d318d78ce36376886bb992

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\9648808B6C63CD1AAD97A7B68F84F35C95682143.id[5578A767-2803].[[email protected]].eight

Filesize
9KB

MD5
36be519bff5ff9826bcd7784edb06e97

SHA1
e8d3edd9f8794065fa0ee27ca1cd46561362ff89

SHA256
1f2ab5277e5b2eaeb792e9ef708c05b9aa420c56170bff2825e954880c8f0ed9

SHA512
9a313e222877eb5ee81bb772aedb0e746d64fb66d9606ee181d2df638c07e084f408606f87107a17d1469df5a955c202e7e4e6f65fd6399a1f59e7e43d587fcf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\9C8ECD974D1429314EB373378B9605809BD5D61A.id[5578A767-2803].[[email protected]].eight

Filesize
41KB

MD5
c1509e349382b4b5e296fb25f49849a9

SHA1
19e4e6287aedeb3a1240182bc5bb6d177bbaa8dd

SHA256
cc2ba48c2f113fcd203c5b4192c7249ffb695ff31f1a0bc54d4e6dc397605751

SHA512
76fe657855e1b934df88b813508111241c9fcdb63cd9c3e095c441710f2b7c2cfecdd859009cd14bc08c60739a73c06f83049ed4e218565fa1655a9f061ffd9e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\9FC8C85689D31525EACE26158B83B464F43A027B

Filesize
23KB

MD5
6b9baac34e71d213876eb865d125a49a

SHA1
5d63e4711d879f14d2ce27b4c091c77e5374cc24

SHA256
861e8712ae187ed83246b63c2c6a734b1c391bb47245cba4a16d3dc273a6cc7d

SHA512
e04403ae60a4fff7c91dc7c8351c70c037c960d65f28358919243902c5ec0ca0f307411e8b9d650eea5cfa9c4531b66e9a4a46f69e41a87548b972bb8b6d6357

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\9FC8C85689D31525EACE26158B83B464F43A027B.id[5578A767-2803].[[email protected]].eight

Filesize
24KB

MD5
3bc5a924cd64c87a97895567302c5f4c

SHA1
0306ed59d2ed72b6f0d76beb14922009f64845de

SHA256
fd150768f5243d7b54ddae507fc5047c8a67ede68153779c625e53a2c6c7af77

SHA512
94ce5919a07e93f11fc7cd106578e0eef4cb5b2a1ed387f773de5f75f4f62b0bb0729709f7b79ff11b8916f87ffecbf464376955f3df1436597ee3c70de5af96

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\A165C64EADF0B57058507E7227EA872C97928C85.id[5578A767-2803].[[email protected]].eight

Filesize
9KB

MD5
1aec8179fb6031a1eaf9dcbe86362b55

SHA1
442624dac98d988e42b4a0c7d6e2d597f937d90e

SHA256
ff00ed3b85bac707cae651b61654c8fb1fbc0fc9c62b80f55f9691e511e2a471

SHA512
cc5c6fbcbe83b787c3a569531bc1296a7de37effd5043f873dd16635744241c96afef2ffac13a5916d81fa64b600d7ffa517637c43c2be0cbf1decc7b425c963

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\A275306CF9BE2E63E485B50AD964B293F184533A

Filesize
224KB

MD5
88bed963a9aad8683a7c367a01f00527

SHA1
764e83fce6b3ef8e662eecf15bc8471a5eca0312

SHA256
ca427fcca99cca4ed566671e26d06f63671f313aa4ca09df91524b1eb38b39e5

SHA512
f0b9caa09c797625bc024487ee824bec2e2519f775f2a85758220864525e4cc54218585024b1b2e54cde99f1eef9080f190f5a304245317fb04ab4d212495b5c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\A275306CF9BE2E63E485B50AD964B293F184533A.id[5578A767-2803].[[email protected]].eight

Filesize
225KB

MD5
e5cc23647bb37be0afad3448b37ebe96

SHA1
2e51c3bea48d1ea02ee2759d43610470fd05ef4f

SHA256
71d10b3b116ee6bc893424eb071b7659388be7fbcbd9e3ea14283e411ccf3297

SHA512
0f4e03b4879a1afe819a4b938b40889e235b02bafb2e1b12ef8f65011f6eb4580a88fd220f8ff9a96360c6a6e0061a48ce7b2f6b4a26f050b68b11e563f1b350

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\B479E5A0938B54A5CE8A0887A51524FD1DFE6753

Filesize
9KB

MD5
2dd0746c75b121235b97c34ef39a1351

SHA1
29b79a0a971d8b05a5727b0aa8e0fdd8c9c02ebb

SHA256
d4ca20be01a099b9ef9f6e213fc87a9a96cef441871cc98f1dc566c6c2f8b1b7

SHA512
bb6cb5ff9a96ec27c086d894ecafb4abc3b60092bfd737610ef03561024b73bc29a5121b6cfd41feff3017d8ad276a47e2a4cc3a59e123a38d8b88423bf1011d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\B479E5A0938B54A5CE8A0887A51524FD1DFE6753.id[5578A767-2803].[[email protected]].eight

Filesize
9KB

MD5
d9709d0533dad8b427e53e24bf77fd11

SHA1
e4c908a3a177e5a6a5972fe3aa51dcbb4e1e83bd

SHA256
7fe179ec82135e56da79f8ae27a3aacf2f200223298fe7b1be7ef4959cc70b06

SHA512
7baf65c607ac07a334a40e76679e04fcc818650c43fa343b780000e1b3ec1928f8aa425e5b5a9976846551c9cafeec547431ad45232069767e910d5b746c2d96

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\B5828FB7F4A1E55AB23A7BD2583B87AC746240E0

Filesize
22KB

MD5
403d2afd5445413b5bf8534a04116925

SHA1
c869ad83452ff3c292f2a35273e9d7ad155b04ad

SHA256
24dcd7452296c41ea7412420d43228118cc116167f0d50ec7ccc88477d7d8dd9

SHA512
b49bb36e20eb2dcd062ce5cb27e9d58646cdac43dd3d62d0648f6d0c3caafb509241a05680bfa161988f362641a5ab437985a06612bc761a0aa5541e5bb6bdb8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\B5828FB7F4A1E55AB23A7BD2583B87AC746240E0

Filesize
22KB

MD5
eb07a034acd09b4f1625b54bd8bc5c3d

SHA1
695688b3bd298ab6b7fea26b2c65400b612a3ab1

SHA256
e34d7f4c94d065f0c666aaf2db4ff6e76ad1d7502dfe937b7ccbe6780a0e7516

SHA512
e3b60a56f5264d5f58f80543f2540ecfa0e6788adc8ed03a75bc91b06b90ca1525a68406e50cec49b566eac828c027b142404d969aa89bddbe23f9aeafea88c0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\CE30F9E7CB4E0D8AEB054228E581960CC2812E48

Filesize
15KB

MD5
1ba51a14683ae67f8a9c336bca243482

SHA1
fa537f7ab312189a4ea838dc5b1602a20f99651c

SHA256
142b2e61ed5d68db0bc7e4878554027c9fdc6c4248f596437f26ea7f71a1e972

SHA512
2e19430ef2541d9918a7b9d9c7bede2960f4f34ed83a940fa8b6dedec7d3f9c2e1b42824de4f7a25c6e361a17738702cf47c1f9adf39e30d03af5a3aeb55d875

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\D0F48A0632B6C451791F4257697E861961F06A6F

Filesize
131KB

MD5
c75bb221f6fd30d12b893e8edd0cffec

SHA1
893c9ee6cd2fe0244c36a3eceb898606777430df

SHA256
a943c4eb03b405a87a9acc395562d486c496cdc5de4ea16f7d82c7ba3138ba3b

SHA512
107b0dd3ec9b0da0ef6a7380dfaab2312fd1d17c3a892caaba7229ad57ce86bc6d59ae418b71553854c40ef35e097b28e6e4c60d93413545da97260dc4270188

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\F18D85F52EBBBA2AB081EF739ED0D6E8A76D497C

Filesize
298B

MD5
b53fb876825e0ca9abdf15e19bebc4ed

SHA1
236ff107342920638e32d1487e3975a3864ce522

SHA256
38cb18c4a9d446db1b876e8e9f729be4e6bea532e01fac895be68905f5e071ff

SHA512
57272e5e440d4f6e15a2d62d38e8a01b3f8f80912a9cdfe191116978f864ea4e1c21073ba1012e316cdf0e6f13cf4db5ace7ce2410d718b4b434050ef09b1ab9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\FD3C8B7B2C5FC530AE8D3FC8050677579C3D2E17

Filesize
10KB

MD5
86c551d93eb6b0d7c41a897127965373

SHA1
54310ddcf12f60f8bb1707163c3ca60e13499639

SHA256
784bbfa931fd2a50ba8854150b07cdece50754fc25830bc761ee54b641ab185f

SHA512
f0d0a7624525fd389ec360ec5839381e39bec210f9337b2f9262858ee72cb8e4b24f038741d3c25b260c6fdcc3e5aa38de7f9b0438f0a94ed0bcd719e9484967

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\startupCache\scriptCache-child.bin

Filesize
705KB

MD5
8ec6f0cbfe5f9d87f944115fdcc66df8

SHA1
add1b91725be116115d558103d1fe8f0b216981e

SHA256
86040760ef773fbd5412389adb2477a078c31a32d2189038d620410e62d331df

SHA512
60c5008c66f31313cb5642bdbbfe332ef70402e300a3dc101ca21a7ab0e3a36b60d153c40784cd55493a5047d0d5497c2197b6502776a475721090953fe440e6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\startupCache\scriptCache.bin

Filesize
9.4MB

MD5
bddb00c6caaf40e59aa2ed36b599ef41

SHA1
d8376993245156be77a6a6a599c0103d83e96e00

SHA256
f7d5f217d307c34ca2c87c3bcdee78a9f9aa780b4923c6c61f5011d41593819f

SHA512
3be1b52b815d515275fbb5ee52c85720181ac64610179b5072ff43b2c45cefb57c63e9f120d71db7c47764dc6289d7fbc011e6fad576158ef71cf4e54544dcbe

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\startupCache\urlCache.bin

Filesize
3KB

MD5
380b1d0df7d494253a5e7eae49a367c5

SHA1
aa9de670b89a861abaf099665e9554927e74a6ae

SHA256
d1f74e6123fb6fdc99ecb3dc52da87eb8668fccd0cb69ed387a32b02b261e977

SHA512
c3c6f9a605d441894175ff5327f33748973c24f113a8e33f9ff10f0493065a20efc6b3bd3ee841a142b16faba359ffe6fc759686cd4105bf60cf5115530617a7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\startupCache\webext.sc.lz4

Filesize
107KB

MD5
d831fb2769179996904df7678f89cbc5

SHA1
23932eefc617d028b8deb18c0e83d14f4ae5cbe4

SHA256
3207780e48852ee1ac5146359a4d01e856bc3abc33622d619fefed6c31d60764

SHA512
4cd5c9578e93bfe6757708393ce03037644e641b1a5f1177940465a2b98b4e54d497d0b33cb56d50072675e3a69240c48f8f9e13c8e689d8a5adaa2d687e21cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\AlternateServices.bin

Filesize
10KB

MD5
4084b18586cafb76bcb69324325c8841

SHA1
3deecb76e749ba3af3497e1006ed53422130409b

SHA256
9141efb4f87d8f2b1a68e9a4993631cabb9a1c329b0b9e791706f34bc7168b4f

SHA512
6b29b96f9ec8dce5ff834c34db1c1cbd228f42b06e27699cb1e54b2286a0d057d8650246681a5bf7f6da2f5adf1a9f90c90f18a2ef92461be0d7ce98dd7ee308

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\AlternateServices.bin

Filesize
8KB

MD5
c22457b60a367f6a06cbd75810edaa86

SHA1
4273e93ec94401edbd604aa68eaea2e20b835f41

SHA256
671b510f6a2299e643585ba72a6cfbe5477f80668920ae31da15f0d167a61183

SHA512
7d2a0852d4e8f4e3bfc7f67a8723e6a379e5a1a2907447dc1378a6fa41fe73525cce767ff775b395ca83b96546337d86dec235ce7f2f981babbb52e0a481df72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\AlternateServices.bin

Filesize
10KB

MD5
119c182ab7f69e028537e99bf7ccaa10

SHA1
1df1e3280b7c4139808842b85dcbb7c00f2bbd92

SHA256
ae898d6d39480994d0efbc71011a8db38cc80fadf4d102ff2bb8dfc9404027d8

SHA512
71b308d82bacae5da4076757134cf748c30fa5a4138fa4b448dd3a11b0d56dbd6dbd3ff422f56f7fcd574f87909a0a5f37d5f28a52c15b4357d71af8b9f9940c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\SiteSecurityServiceState.bin

Filesize
1KB

MD5
35204849bb3b7e0dc5e4368b36797427

SHA1
9067060c352fd837e3e8ad34e7b7ff5e903f2079

SHA256
07f0a820915eb4558a50574f400e635260d8c9d61855cdce6ae441ee54fb67dd

SHA512
db8f38d10068ed0966d616fc167adebda1d083bb12575580a434a59af8ac176053fa1ab5becbcfcfdda49b4a17625d1d5c396a35f535fe53abed8c599b9eac0a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cookies.sqlite-wal

Filesize
128KB

MD5
4b3a8a6efdc82cb59b8e0fe797a53ca7

SHA1
f4ca05546396879b596fbb2286b488f649c8821c

SHA256
0c63045549078d63582742c56f6b805b3ca621c3e9bdfb2cc1bba171fea828f9

SHA512
e4419fac9dd535835befc9c088730e3bbc887d3f6c0c9c4b18c15267883a31905cfd4c3893e9a82bd41eadf3b717dc8526a0721365f58ee86e06a815848c2f57

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\db\data.safe.bin

Filesize
6KB

MD5
ca4f958ac6515212e946f8e0f67c8c12

SHA1
e232b3d534eeb77ea247575acead66c85c5fa38c

SHA256
484003fe05685c792193e85c68d029f1d3a695af9de83f6ad387ec524b276d6e

SHA512
866813c65ede9346d91791052c3bd538a10ddfdd09a9c399458e370efcde1404ffa43fd2ec45a3cce118a48c0eec08ad7458894d31d9bde76540ffbd2b7f5096

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
a31425ecce99aee447c2d3702a5dd63d

SHA1
82445448691c0ced24cbbe609cc2c05f260d3954

SHA256
1c00e8f60803be8e7e212a29cf06d8afd9ecbfd0c04701c3edcb7be25067ac27

SHA512
472a93a1450a301c476b41737c6c145c734eb5d19d562be77c43263e096a67ed8736afbcf28935ea737a9463c685776e0b53b45722a2f36410185afec723ccc8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
d1f52ce7b008ac45f80d17442f472816

SHA1
ea8a5d3cfdac6f685d2c7f1d5044143957200b3b

SHA256
089875bcde2e387bf5a91bee50661f728f3b45b68f3933dc8ec1c5829b1bacd4

SHA512
fe65fc1a009c63098bfbd3677892950794489652e2025f6b9904382ff7810391616bc1361d83926f03269dd73b2109b13881e6c322a75d53831224f585d1fc35

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\db\data.safe.tmp

Filesize
3KB

MD5
79a00d6d3fc5deb79c527f2c56394556

SHA1
78b01d6c17db25a074a34d0b9034d661a6065baa

SHA256
1904f25fbd2cc67eeb8d0ea23632be3a08ce46fd7b590f40efc69f5d01afed86

SHA512
daf7378ebb227bc03a05308e67b9c503892a052d761b675aa28e80631e46d4787c67f392b0d84bbff660a08f154ec1082ca2d8966d5c9044ae55e842dac7f334

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\events\events

Filesize
787B

MD5
b462e881575bc3f4ccd085a4dd309e89

SHA1
da0787c7cb5ae436c1502db2ff2fe49fed9116c2

SHA256
3441c4c90c738059104b7fb1c9188e2a6cc7b746bfb980fc667329ea10181ed0

SHA512
78b451e76e5bd779e8ed440167503e01ab793c5989b6357d6b9406b70c29bf3ff690ab65041909c9c823e2ffdb2b9528c0449f72a0ae515e581929b231e2e718

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\events\pageload

Filesize
219B

MD5
2dd10977a33133e58dac5f365c9416a5

SHA1
efbbedf17fec3539afe5b3bf72b6440e148ed119

SHA256
42460a2b04714cc89e79c3a2585d846553e3a48318ab43f9ace6250959e87018

SHA512
6eb6a7140aa80e71fce13b4e98b6836f08cc31c7fe5520e6b03700268ef32a9dc610d1d7adf953b56bac9a3d1cccaa37a053eaf98364892f9726db57c3c06ceb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\pending_pings\41dbaf85-e8c9-4d15-8c87-28c1d6500fe8

Filesize
982B

MD5
4de198cd3238dea5ccd84a68e0e4da57

SHA1
47969c7a4104f63e262b77c9beff3f4041142f10

SHA256
02adaa2034d49d66e043fed1aba0904e7b57e7994d12aa1d567057a86e85364c

SHA512
c65a82053dfa5664acc13010cfc2ece158cb2455101fffe36eb0b54527bc8d70e7c2ba60c9c14dea315ebc032ff43fdbe7f651187bb13e311cadc40ea9f63a00

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\pending_pings\728aaa95-097e-4e48-ae74-c06b5c0dcad5

Filesize
24KB

MD5
d2b713abd46882935b22b34c20734c69

SHA1
6bbda3be3974661953f0d4e2beac63affb27ef92

SHA256
b9481c50f36899ddddfb046938e80acbe0ba423cf04018056c555170b26e05f0

SHA512
fdcaaa6d1150b412a33c553e1611bf111e37265d099fea6e4d2e0273757acc55a2d56e0646cb2377ff546533b5dabb6a3e98aa26dad073c2f423d37ef2f11259

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\pending_pings\c8fa544b-d559-4557-bda6-35e4c6bb16ac

Filesize
671B

MD5
a178b5d0c50f6e3a4bf2f7f65fea0188

SHA1
3495e9a88468f375a70181ae1ccb640c1c27312d

SHA256
64311b1f007ce1b4fff1e6ecd3fb14b84114e04f284ce8368dfcb59eca762b6d

SHA512
fc31e97a553b5741d0e09cf564a2f5921129c9a5732bb2b2e20fe2da14dda2d3cbc6b82007eea291e2208e1982552ff5d4e1a61c84067f0ccad26f9c4b47231c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\favicons.sqlite-wal

Filesize
800KB

MD5
e8332bb78ffe80b7cdbbfb274d586609

SHA1
04d66fead83dc3be2ff0f8cb66d2e898d8abdbee

SHA256
764e1e619188f1417c808d049d851f07ed2eb19e6e9229a785554aaddac99fbe

SHA512
03be0bd4f045c4c43758366ea2237ea5ec9baf8b399186dc6c7662e9535c0ebf58c26db6ed506223cccc3a9ec4096a6244e9631b187c21cacbee6c4e3bc38587

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\key4.db

Filesize
288KB

MD5
b0a719bade2bd95da9cd0b8fc56fe728

SHA1
1bc39437911f071117bd1a6b3961e70f06e55989

SHA256
857dd538ab8a4511df1dcab4ec15b21d109240498c9c67ee7b1b72a1b3e362e6

SHA512
bf41673090d904e3f1c94f3413f3e62222d614003a785caebd00dd58265c07470c3b07380318d35059cc315779697a4fb1a9d078f718c14535311338ed9d3e21

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\places.sqlite-wal

Filesize
2.1MB

MD5
6109ef6f536be1af7eb9b851f0e3a104

SHA1
18b0417e3625464211400733528b3b87f0a0f2f0

SHA256
ad0dd7e714be5a91878565a6e82cd62c0284c0145bd0f63aa8d37bd47c4b0463

SHA512
29d07b6a00fd1451a1a9af4155d5984af2db063c6e3c3a5058bb2490e689e544658cd88f712bfe5beb93fa5a015bd1f7d58984ad26a8a204fab3e5c01b011433

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\prefs-1.js

Filesize
11KB

MD5
8f42292dea604249d4b37042dccc547b

SHA1
fd7c27de2d26fb5315357d5c267b44b57c9d3e9b

SHA256
3fa4711ccaa72e507175fa7eadea4379ab81468f020ec08d28dc0cc2c8d87c2a

SHA512
2271fb38fa7e78514aeafaee19f187e54a73ec4062df057a4213b63baad9ecdcaa4fef9095ea256d004fb642b354b8917f6da1a7a2460779d1e8e0d6d6ad773e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\prefs.js

Filesize
11KB

MD5
fbbc53e2408e263c99ce7dab6cbe58e8

SHA1
1d5e5df18b465fb89d5c8781db67638bee85e866

SHA256
ff0be7e9da3bf599e33f9cfe8c247f2cc57c4e3349081aee7b45818b5000040a

SHA512
32343c57880293761fdc5b792806a7b7a4ea62180388eb279999abfb213b68f3c1a3df6f0f441a7b47b3418260bc31d0cda05a82744217f77818d980619d4a75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite

Filesize
48KB

MD5
8d8ce10212e3042062b9cff815c38c40

SHA1
6114348f5737a69fdd4cd4702cd469ead3924375

SHA256
e1a7aab94d86c8a3ed2bc6e461528d12f4a7e8916c5708e047a17cdd3f3e77be

SHA512
d0d84b8212f65f83612961ac97b11c16b46bf9d9a9a587a793a7bd6dc27c34639095179904824ff14aaa9f08a4d56e815f55cdca05f0da773116fccd71b9572e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\targeting.snapshot.json

Filesize
4KB

MD5
dabaf3e8ae02526b729a8259570add34

SHA1
c908d230dce5a628e06eb34b10a1dbff09fcf0a0

SHA256
a705dcd0462ff020b1bec281cee6b1a79d7fc9c17bc6104345fd9b82f6784272

SHA512
92c1b10b35ae76a4bedca078503eb5f0b14317b9db3a3eaaf187db3b2691c354bb574032d7fec9e8a8ec9786934298b705ead2c8bddb66dda66683b51c639f03

Download Submit
C:\info.hta

Filesize
5KB

MD5
c22718da431bffb4aafbac59e6e6de8b

SHA1
29a251a18496d9ccecce1cc06663373f9ceca8b3

SHA256
8f560d32cb98c76800244b0c3a010c9be7d96823461e58488534a2b4ff3f957f

SHA512
38f73681d68ed838d5ee4985580f7a247ed76c5725361d46986932f7c3b9a306398337229af1d05e50feb5ef176a742fcd76c1ae37c848d623bf781814e98302

Download Submit