Resubmissions
submitted | analysis ID | score
23/03/2025, 19:10 | 250323-xvmsfa11gt | 10
23/03/2025, 18:49 | 250323-xglyzsvn17 | 8
23/03/2025, 18:23 | 250323-w1gb6str12 | 8
23/03/2025, 18:13 | 250323-wtvk8azwcy | 8
23/03/2025, 18:01 | 250323-wlzvzatlz3 | 10
23/03/2025, 17:38 | 250323-v722saywcy | 10
23/03/2025, 17:35 | 250323-v53kjayve1 | 10
23/03/2025, 17:27 | 250323-v1pswasnw2 | 10
23/03/2025, 15:05 | 250323-sf8n5sylt7 | 8
23/03/2025, 14:52 | 250323-r8x8faxrx9 | 8

Analysis
max time kernel: 333s
max time network: 346s
platform: windows10-ltsc_2021_x64
resource: win10ltsc2021-20250314-de
resource tags: arch:x64 arch:x86 image:win10ltsc2021-20250314-de locale:de-de os:windows10-ltsc_2021-x64 system:windows
submitted: 23/03/2025, 17:27

Static task: static1
Behavioral task: behavioral1
Sample: EICAR.txt
Resource: win10ltsc2021-20250314-de

General
Target: EICAR.txt
Size: 68B
MD5: 44d88612fea8a8f36de82e1278abb02f
SHA1: 3395856ce81f2b7382dee72602f798b642f14140
SHA256: 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
SHA512: cc805d5fab1fd71a4ab352a9c533e65fb2d5b885518f4e565e68847223b8e6b85cb48f3afad842726d99239c9e36505c64b0dc9a061d9e507d833277ada336ab
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 1 IoC)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fagot.a.exe
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit32.exe" | Fagot.a.exe
Suspicious use of NtCreateProcessExOtherParentProcess (6 IoCs)
description | pid | Process | procid_target
PID 1420 created 4072 | 1420 | taskmgr.exe | 108
PID 1420 created 4072 | 1420 | taskmgr.exe | 108
PID 440 created 4292 | 440 | taskmgr.exe | 113
PID 440 created 4292 | 440 | taskmgr.exe | 113
PID 440 created 2832 | 440 | taskmgr.exe | 112
PID 440 created 2832 | 440 | taskmgr.exe | 112
Downloads MZ/PE file (2 IoCs)
flow | pid | Process
209 | 4420 | firefox.exe
278 | 4420 | firefox.exe
Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 47 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemSettings.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosync.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintIsolationHost.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintDialog.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosrec.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordconv.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runtimebroker.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\orgchart.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msqry32.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvw.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\splwow64.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngentask.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngen.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoadfsb.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfeedssync.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clview.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdxhelper.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieUnatt.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ie4uinit.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PresentationHost.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoasb.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieinstal.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExtExport.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ielowutil.exe | Fagot.a.exe
Manipulates Digital Signatures (1 TTPs, 33 IoCs)
Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CRLs | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CTLs | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates\11194FAB14616ED8259FB94DCD17CE99DAB04CDD | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\Certificates | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CTLs | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\Certificates | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CRLs | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople | Fagot.a.exe
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation | FreeYoutubeDownloader.exe
Key value queried | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation | Free YouTube Downloader.exe
Key value queried | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation | Free YouTube Downloader.exe
Key value queried | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation | Free YouTube Downloader.exe
Executes dropped EXE (8 IoCs)
pid | Process
5760 | FreeYoutubeDownloader.exe
4072 | Free YouTube Downloader.exe
2832 | Free YouTube Downloader.exe
4292 | Free YouTube Downloader.exe
456 | Box.exe
3228 | Box.exe
2192 | Box.exe
2436 | Fagot.a.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 7 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | Fagot.a.exe
Modifies system executable filetype association (2 TTPs, 54 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\PintoStartScreen | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\PropertySheetHandlers | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\DropHandler | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\tabsets | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\PropertySheetHandlers | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell | Fagot.a.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe" | FreeYoutubeDownloader.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dllhost32 = "C:\\Windows\\system32\\dllhost32.exe" | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | Fagot.a.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | Fagot.a.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 5 IoCs)
flow | ioc
210 | raw.githubusercontent.com
211 | raw.githubusercontent.com
278 | raw.githubusercontent.com
208 | raw.githubusercontent.com
209 | raw.githubusercontent.com
Modifies WinLogon (2 TTPs, 13 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultUserName = "COCK_SUCKING_FAGGOT" | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66} | Fagot.a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName = "COCK_SUCKING_FAGGOT" | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions | Fagot.a.exe
Drops file in System32 directory (40 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\MDM.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\Windows\SysWOW64\dllhost32.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\imapi.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\windows\SysWOW64\recover.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\wowexec.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\Windows\SysWOW64\userinit32.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\autochk.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\bootok.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\imapi.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\progman.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\alg.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\logon.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\MDM.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\services.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\systray.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\wuauclt.exe | Fagot.a.exe
File created | C:\WINDOWS\SysWOW64\userinit.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\progman.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\windows\SysWOW64\shutdown.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\ntkrnlpa.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\wowexec.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\regedit.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\ntoskrnl.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\ntoskrnl.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\Windows\SysWOW64\bootok.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\Windows\SysWOW64\dumprep.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\Windows\SysWOW64\services.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\Windows\SysWOW64\wuauclt.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\Windows\SysWOW64\dllhost32.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\windows\SysWOW64\ctfmon.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\win.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\win.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\Windows\SysWOW64\logon.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\Windows\SysWOW64\userinit32.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\windows\SysWOW64\chkntfs.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\alg.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\windows\SysWOW64\chcp.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\chcp.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\Windows\SysWOW64\ntkrnlpa.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\windows\SysWOW64\dumprep.exe | Fagot.a.exe
Drops file in Windows directory (5 IoCs)
description | ioc | Process
File created | C:\Windows\NOTEPAD.EXE | Fagot.a.exe
File opened for modification | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe | FreeYoutubeDownloader.exe
File opened for modification | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe | FreeYoutubeDownloader.exe
File opened for modification | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe | FreeYoutubeDownloader.exe
File created | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini | FreeYoutubeDownloader.exe
Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTPs, 2 IoCs)
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description | ioc | Process
File created | C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\Fagot.a.exe:Zone.Identifier | firefox.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh Fagot.a.exe
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh Fagot.a.exe
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FreeYoutubeDownloader.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Box.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Box.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Box.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fagot.a.exe
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe
-
Checks processor information in registry 2 TTPs 32 IoCs
Processor information is often read in order to detect sandboxing environments.
Enumerates system info in registry 2 TTPs 64 IoCs
Modifies Internet Explorer start page 1 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "www.blacksnake.com" Fagot.a.exe
-
Modifies registry class 64 IoCs
Modifies system certificate store 2 TTPs 60 IoCs
NTFS ADS 3 IoCs
description ioc Process
File created C:\Users\Admin\Downloads\001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\Fagot.a.exe:Zone.Identifier firefox.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 3472 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 1420 taskmgr.exe 1420 taskmgr.exe 1420 taskmgr.exe 1420 taskmgr.exe 1420 taskmgr.exe 1420 taskmgr.exe 1420 taskmgr.exe 1420 taskmgr.exe 1420 taskmgr.exe 1420 taskmgr.exe 1420 taskmgr.exe 1420 taskmgr.exe 1420 taskmgr.exe 1420 taskmgr.exe 1420 taskmgr.exe 1420 taskmgr.exe 1420 taskmgr.exe 1420 taskmgr.exe 1420 taskmgr.exe 1420 taskmgr.exe 1420 taskmgr.exe 1420 taskmgr.exe 1420 taskmgr.exe 1420 taskmgr.exe 1420 taskmgr.exe 1420 taskmgr.exe 1420 taskmgr.exe 1420 taskmgr.exe 440 taskmgr.exe 440 taskmgr.exe 440 taskmgr.exe 440 taskmgr.exe 440 taskmgr.exe 440 taskmgr.exe 440 taskmgr.exe 440 taskmgr.exe 440 taskmgr.exe 440 taskmgr.exe 440 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 26 IoCs
description pid Process
Token: SeDebugPrivilege 4420 firefox.exe
Token: SeDebugPrivilege 4420 firefox.exe
Token: SeDebugPrivilege 4420 firefox.exe
Token: SeDebugPrivilege 5760 FreeYoutubeDownloader.exe
Token: SeDebugPrivilege 5760 FreeYoutubeDownloader.exe
Token: SeDebugPrivilege 5760 FreeYoutubeDownloader.exe
Token: SeDebugPrivilege 5760 FreeYoutubeDownloader.exe
Token: SeDebugPrivilege 4420 firefox.exe
Token: SeDebugPrivilege 4420 firefox.exe
Token: SeDebugPrivilege 4420 firefox.exe
Token: SeDebugPrivilege 4440 taskmgr.exe
Token: SeSystemProfilePrivilege 4440 taskmgr.exe
Token: SeCreateGlobalPrivilege 4440 taskmgr.exe
Token: 33 4440 taskmgr.exe
Token: SeIncBasePriorityPrivilege 4440 taskmgr.exe
Token: SeDebugPrivilege 4420 firefox.exe
Token: SeDebugPrivilege 1420 taskmgr.exe
Token: SeSystemProfilePrivilege 1420 taskmgr.exe
Token: SeCreateGlobalPrivilege 1420 taskmgr.exe
Token: 33 1420 taskmgr.exe
Token: SeIncBasePriorityPrivilege 1420 taskmgr.exe
Token: SeDebugPrivilege 440 taskmgr.exe
Token: SeSystemProfilePrivilege 440 taskmgr.exe
Token: SeCreateGlobalPrivilege 440 taskmgr.exe
Token: 33 440 taskmgr.exe
Token: SeIncBasePriorityPrivilege 440 taskmgr.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3472 NOTEPAD.EXE 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4072 Free YouTube Downloader.exe 2832 Free YouTube Downloader.exe 4072 Free YouTube Downloader.exe 2832 Free YouTube Downloader.exe 4292 Free YouTube Downloader.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4072 Free YouTube Downloader.exe 2832 Free YouTube Downloader.exe 4072 Free YouTube Downloader.exe 2832 Free YouTube Downloader.exe 4292 Free YouTube Downloader.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe 4440 taskmgr.exe -
Suspicious use of SetWindowsHookEx 33 IoCs
pid Process 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 2576 OpenWith.exe 2576 OpenWith.exe 2576 OpenWith.exe 2576 OpenWith.exe 2576 OpenWith.exe 2576 OpenWith.exe 2576 OpenWith.exe 2576 OpenWith.exe 2576 OpenWith.exe 2576 OpenWith.exe 2576 OpenWith.exe 2576 OpenWith.exe 2576 OpenWith.exe 2576 OpenWith.exe 2576 OpenWith.exe 2576 OpenWith.exe 2576 OpenWith.exe 2576 OpenWith.exe 2576 OpenWith.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 5760 FreeYoutubeDownloader.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe 4420 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 544 wrote to memory of 4420 544 firefox.exe 90 PID 544 wrote to memory of 4420 544 firefox.exe 90 PID 544 wrote to memory of 4420 544 firefox.exe 90 PID 544 wrote to memory of 4420 544 firefox.exe 90 PID 544 wrote to memory of 4420 544 firefox.exe 90 PID 544 wrote to memory of 4420 544 firefox.exe 90 PID 544 wrote to memory of 4420 544 firefox.exe 90 PID 544 wrote to memory of 4420 544 firefox.exe 90 PID 544 wrote to memory of 4420 544 firefox.exe 90 PID 544 wrote to memory of 4420 544 firefox.exe 90 PID 544 wrote to memory of 4420 544 firefox.exe 90 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 4924 4420 firefox.exe 91 PID 4420 wrote to memory of 2280 4420 firefox.exe 92 PID 4420 wrote to memory of 2280 4420 firefox.exe 92 PID 4420 wrote to memory of 2280 4420 firefox.exe 92 PID 4420 wrote to memory of 2280 4420 firefox.exe 92 PID 4420 wrote to memory of 2280 4420 firefox.exe 92 PID 4420 wrote to memory of 2280 4420 firefox.exe 92 PID 4420 wrote to memory of 2280 4420 firefox.exe 92 PID 4420 wrote to memory of 2280 4420 firefox.exe 92 -
System policy modification 1 TTPs 13 IoCs
description ioc Process
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard\ExceptionFormats Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\Users Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop Fagot.a.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process (depth 1): C:\Windows\system32\NOTEPAD.EXE
  Command line: C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\EICAR.txt
  - Opens file in notepad (likely ransom note)
  - Suspicious use of FindShellTrayWindow
  PID: 3472
Process (depth 1): C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Suspicious use of WriteProcessMemory
  PID: 544
  Process (depth 2): C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Downloads MZ/PE file
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - Checks processor information in registry
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4420
    Process (depth 3): C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1996 -prefsLen 27100 -prefMapHandle 2000 -prefMapSize 270279 -ipcHandle 2088 -initialChannelId {223f4c56-3930-4ea2-bafb-1027a3bfa89e} -parentPid 4420 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4420" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
      PID: 4924
    Process (depth 3): C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2464 -prefsLen 27136 -prefMapHandle 2468 -prefMapSize 270279 -ipcHandle 2476 -initialChannelId {3e23d811-ad3e-4a04-b22f-b255b8bb4b38} -parentPid 4420 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4420" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
      PID: 2280
    Process (depth 3): C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3832 -prefsLen 27277 -prefMapHandle 3836 -prefMapSize 270279 -jsInitHandle 3840 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3848 -initialChannelId {4657a500-7b85-491e-a3c8-c091ff5f9542} -parentPid 4420 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4420" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
      - Checks processor information in registry
      PID: 1576
    Process (depth 3): C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4000 -prefsLen 27277 -prefMapHandle 4004 -prefMapSize 270279 -ipcHandle 4100 -initialChannelId {ea8e7145-57bc-4910-aa3c-8935e18d1786} -parentPid 4420 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4420" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
      PID: 564
    Process (depth 3): C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3128 -prefsLen 34776 -prefMapHandle 3132 -prefMapSize 270279 -jsInitHandle 3152 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2656 -initialChannelId {5e5425a2-e5b4-472f-a9f4-069479b68ee8} -parentPid 4420 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4420" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
      - Checks processor information in registry
      PID: 4948
    Process (depth 3): C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5040 -prefsLen 35013 -prefMapHandle 5044 -prefMapSize 270279 -ipcHandle 5048 -initialChannelId {faf6beca-eaa8-4b2e-a7e5-51c03db43c89} -parentPid 4420 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4420" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
      - Checks processor information in registry
      PID: 2340
    Process (depth 3): C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5304 -prefsLen 32952 -prefMapHandle 5308 -prefMapSize 270279 -jsInitHandle 5312 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5320 -initialChannelId {a2e56a88-b073-41f6-9a71-2ea542fed6f8} -parentPid 4420 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4420" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
      - Checks processor information in registry
      PID: 2108
    Process (depth 3): C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5524 -prefsLen 32952 -prefMapHandle 5528 -prefMapSize 270279 -jsInitHandle 5532 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5540 -initialChannelId {c660de91-2df9-4679-bd7e-8c80e9132c96} -parentPid 4420 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4420" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
      - Checks processor information in registry
      PID: 1952
    Process (depth 3): C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5700 -prefsLen 32952 -prefMapHandle 5704 -prefMapSize 270279 -jsInitHandle 5708 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5716 -initialChannelId {b7b283ed-16d5-4311-8725-44abf06f34e8} -parentPid 4420 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4420" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
      - Checks processor information in registry
      PID: 4432
    Process (depth 3): C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6328 -prefsLen 33071 -prefMapHandle 6332 -prefMapSize 270279 -jsInitHandle 6336 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6300 -initialChannelId {5a178a54-66cd-461f-a66f-65caa48c35d8} -parentPid 4420 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4420" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab
      - Checks processor information in registry
      PID: 4848
    Process (depth 3): C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5896 -prefsLen 33071 -prefMapHandle 3308 -prefMapSize 270279 -jsInitHandle 6492 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6876 -initialChannelId {8615a9d2-fcf5-4b2c-bb33-5217c5e3191e} -parentPid 4420 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4420" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 11 tab
      - Checks processor information in registry
      PID: 4480
    Process (depth 3): C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe
      Command line: "C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 5760
      Process (depth 4): C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
        Command line: "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID: 4072
        Process (depth 5): C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
          Command line: "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 456
    Process (depth 3): C:\Users\Admin\Downloads\Fagot.a.exe
      Command line: "C:\Users\Admin\Downloads\Fagot.a.exe"
      - Adds autorun key to be loaded by Explorer.exe on startup
      - Modifies WinLogon for persistence
      - Event Triggered Execution: Image File Execution Options Injection
      - Manipulates Digital Signatures
      - Executes dropped EXE
      - Impair Defenses: Safe Mode Boot
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Indicator Removal: Clear Persistence
      - Installs/modifies Browser Helper Object
      - Modifies WinLogon
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Enumerates system info in registry
      - Modifies Internet Explorer settings
      - Modifies Internet Explorer start page
      - Modifies registry class
      - Modifies system certificate store
      - System policy modification
      PID: 2436
Process (depth 1): C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2348
Process (depth 1): C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious use of SetWindowsHookEx
  PID: 2576
  Process (depth 2): C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859
    PID: 5624
Process (depth 1): C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
  Command line: "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2832
  Process (depth 2): C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
    Command line: "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 3228
Process (depth 1): C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
  Command line: "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 4292
  Process (depth 2): C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
    Command line: "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2192
Process (depth 1): C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 4440
Process (depth 1): C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1420
Process (depth 1): C:\Windows\system32\werfault.exe
  Command line: werfault.exe /h /shared Global\ab596e9e69de4ffca782cd8f3b39c5d5 /t 3024 /p 4072
  PID: 4036
Process (depth 1): C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 440
Process (depth 1): C:\Windows\system32\werfault.exe
  Command line: werfault.exe /h /shared Global\acfc75a71d4342b498c31980799d00bf /t 5200 /p 4292
  PID: 2488
Process (depth 1): C:\Windows\system32\werfault.exe
  Command line: werfault.exe /h /shared Global\fe3274821b89487a81763d32482d77d2 /t 1880 /p 2832
  PID: 5856
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (4)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (2)
- Browser Extensions (1)
- Event Triggered Execution (3)
  - Change Default File Association (1)
  - Image File Execution Options Injection (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (4)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (3)
  - Change Default File Association (1)
  - Image File Execution Options Injection (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Impair Defenses (1)
  - Safe Mode Boot (1)
- Indicator Removal (1)
  - Clear Persistence (1)
- Modify Registry (10)
- Subvert Trust Controls (3)
  - Install Root Certificate (1)
  - SIP and Trust Provider Hijacking (2)
Downloads
-
Filesize 64KB
MD5 d2fb266b97caff2086bf0fa74eddb6b2
SHA1 2f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256 b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512 c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
Filesize 4B
MD5 f49655f856acb8884cc0ace29216f511
SHA1 cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA256 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize 944B
MD5 6bd369f7c74a28194c991ed1404da30f
SHA1 0f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256 878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA512 8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\activity-stream.contile.json
Filesize 4KB
MD5 24dcf307cfc12a4a2a432f228db63621
SHA1 6b02466bbf27606a3eaee8296e708f5c191ff378
SHA256 1126fb44f4ddf01b6ea193061ea298b183e276810e9ca83fd47c9d4b56dc3c84
SHA512 f6d4377a381cb0796a7d7dcb231f9c59153886d4297c6991514b3ee785ac6b2c9794f408b930bddfa07b03321038f40034285ec2ae5e93da992b3accc2ed6fc9
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\1A5996C16946393FC0B184220943714409DE2FE0
Filesize 43KB
MD5 7009cbb2c436152e47612dd4e88d1c42
SHA1 4252b0b2fe29c3ac8a0969768f24e6c4c53b8218
SHA256 615d54666bbffc6dba5475ea44c1f8f6b2a2264cfea3fda2635cad70f4fb389b
SHA512 cb667e1b66fbd6983dbc6065839a76c200eb63b2b898a201a300d1ce1b9758d28eb7b4e324eb10d2d4d05757c274ac8f3d48420c90fe25c86e04f5f2a3114a1f
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\2F879E430745EC79E1888DA9C3EA593AA94D739F
Filesize 96KB
MD5 01a6efbf7f0d142d1febb62f2344d325
SHA1 297008763f858b0d8df7c8bb6d98d4caec48d86e
SHA256 fdb8694be852a4ef39f577b2674f4e015ed751089ddce48d3674d715d8daac88
SHA512 e430b65e7b02f8cc8411075cd1ba69bd9db0ae98e9fc8083bdcfddc7b5e6da2b470d428af10518be24681101be1131176648676669475722f869576c4a85b45f
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\311589B5F7E27FD8DAEE1AEB3F2A1C1A3FFED5A9
Filesize 43KB
MD5 055247580f0a5d6bde3c800bbc382896
SHA1 7876aac8f33b57d4c336ba4fe58212cccfc2b27a
SHA256 8ff5499766a8776f27db0ba25bb9d2d9db1b35563362a21d79d60f897afa5c60
SHA512 78f0c76cc9c8d9b3e0734bb88aafd6fa1fac5508365a4c367e3f11421f2ababa60ba925f8da4a79771faf52601c1e1a57095b2d0dd854d76c61c6ffa9610c7c1
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\33809CDBDD69269236BB05F66DFF2693F384205C
Filesize 60KB
MD5 44bea3d8853a38617580e7d6037bc907
SHA1 53f5f55292be1cbf36ac60551761ded65ae4f237
SHA256 cc99d8ef35634c93553187b575a4213e75d6f3b700fc0385abe8c83dca7b5202
SHA512 21b47f8ed7aed6243fded3380cf62078bb6fe854868fc777a9d93a0dd840472b1a71caaa6d8623f9bb6321fce8dd94d8d2118d4f0d16cd113597df6cfdded472
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\35547F305B43F28C7F3664D49C1AD32A7112A1A4
Filesize 141KB
MD5 029efc8d62c16b1480f6bb168363dcdc
SHA1 f857bd2100f7ae41a2383e9b3adc1290c34b3ce9
SHA256 c84b2172cafc972ccafe71e2eeb46fe4ad268d46f70d566c973b0d7911b14a7b
SHA512 e0ee8cc6e5c054cab784117f17020ec5902f582c890cac1f11b553deeeb6976a6e337de04729aec812e23ed91903707ee5b626ed6f17bf6528389a6267e802fd
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\3A1FDC6B34A57BABDC117F984BC456C512AF3C8A
Filesize 95KB
MD5 ed4feb76223005ccaee3dd17fd15bb96
SHA1 666a29d8becd69b7cb01df408836e3d3c767f622
SHA256 85a6bfe9e58baa5f037cc905d84cf3f081b286e2559bccd08a3263622d643b69
SHA512 d7cda1415a5029c7e7f0abf1e59d7e34c0047a3ae0363f8be79eb74547ab20916e3be6352b504d60ed60376275fe66df191a43fdcb8a7c4bb12f650c6d9df60d
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\5ACB46A5A72DCA2C675A19F9DCC5C68E4EEE16B7
Filesize 34KB
MD5 38e2ba13101873f2bc77ae5e7aa41d38
SHA1 4b8cc69de3f70526da8b674f605d296119e91469
SHA256 435561adfe794645628cf114168f5c5942ab9de13dc48f04e2e33d060832d91f
SHA512 b194153ee26fde33a0a98560375262e79ee75b36026c92ee5a7e26b0f5e658ecdfb0cba89c0d09dc089000a40f0c8e148fa797ad9d8001d246354ec1db2af938
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\8D11864F69B6D9276086D87F1C72386DC26A1DF7
Filesize 47KB
MD5 2edca67bd3c725e0471cb72c8c42ff65
SHA1 43baf582dd9541211e13e6731e51432c4570d991
SHA256 f697eddee295f431450b2e3063b78e03c7f8ef8767b1a8a72ada77bd3b2a644f
SHA512 c84a4feacb1d04cf5c308fe17921162c79c3000807f3df722a8d8c2dbc6a5777316fe1d2428e4cf78a421299c6e8a64e3849a7ec7ec4497b442fe5b189422e7b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\956C138E7E189A8F1B675B499ED2D87604EE6E73
Filesize 47KB
MD5 039b16363af57b2d8713d5356fe62b2f
SHA1 d33db961029b42857bc890c6cd9624f83ce57014
SHA256 d8e027204d0815b1cd91bc748e2f3f721d67af8eebbf2dd7d9d4c2e375cadbdb
SHA512 47d0315b080e47d43cda5446008f39a299f4ed2aa3e411f3a30509e1fbf33905e80bc6f8f72de8c6a491a02426a3e6eaadbb298272861e934b17b300a52205ca
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\97AFFA25C9ED84269BA5F8059413E057B9831B3A
Filesize 41KB
MD5 77d5afd9ffcdabce852a1b58b45af3db
SHA1 20f247c29b1331116f801697c9f972fb8dab8d52
SHA256 f70e5e636f917129b5d9aa50789782629c00a63ccec0e0209306f6d5844939e9
SHA512 21c13f1a5484eb0775d1bc5b75f5dc79171b0494ff85a638e9ef02490ba7247d19466753696210f3673b1c19bf3d20bc919eec852e88ee2092e50185bbae90ad
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\A6C74BC2260EAFF823C7AED38BBA607C962CCB55
Filesize 39KB
MD5 db28e228610731da38e6a43c35421246
SHA1 3c35af55ae6db9ccac225c2476dd57c31aec2b7b
SHA256 e19cd8155432f3861f3a1d817f250d7230c18aa25101b058dd1206c8bd060f6a
SHA512 a5e2e54320eb5ab80979bfde94b727d156b388130e004a08c3d5894cfc5e16b3923c5d2ac1986743bbfedf03ef910f115e4e254f2cfb6a73c7bd76d88be3f348
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\BC02779E4549B742F87E407101403B7CA65078CE
Filesize 45KB
MD5 508912b5c45b3fabd5840c2d27c6432a
SHA1 507d817dc792474880fd41bcbb9598ebb3cb5fbb
SHA256 4fa776130b8d2a226319cb7125416904ba221e1c1a7d530df38a8c836466c436
SHA512 2a81f2d560f5cf5f6ccd4ff91beb55ca06e15d1cc558eb04833f054f9d5c90abf79ac9bb3a271807cef56e4f0c18b293eef3d4eda84f6e53039e008f58da2ff8
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\E19316B1CDA62317F9DA2551F9B56E711FCC77AD
Filesize 13KB
MD5 a834d79ccd36f501e43d32e8d17b7926
SHA1 4c485626072b19f7e568cff2c368044a63b82b6f
SHA256 ff16b0dffdb7834ed7132b26d6f0fc392acd6936b980d1a1bbbc67737cb9fdb3
SHA512 151e5f939ef2ce1556473dd8d14cd4909dcbf4e32672ff67b4a3e4d21e38b942fb2af9e6e85a7c8c1f69a9891736de22bc5117f018785666bd5e2d1cb78d7d21
-
Filesize 502KB
MD5 e690f995973164fe425f76589b1be2d9
SHA1 e947c4dad203aab37a003194dddc7980c74fa712
SHA256 87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171
SHA512 77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2
-
Filesize 14.0MB
MD5 bcceccab13375513a6e8ab48e7b63496
SHA1 63d8a68cf562424d3fc3be1297d83f8247e24142
SHA256 a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9
SHA512 d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize20KB
MD546a1c27cb81205be9ba62a1fa7016665
SHA1370462b63573aaef0627921832ae5d92f9ac630a
SHA256c0e688af56ff842ab44976a0c459f22dc2decddd65bcee108fd43125b24399c2
SHA512a63f00e4dad8ae5de6d97b39b1624accf80b0e8913122691d78b207f49651137c9961cb54343078d14a733a80ed6fc678254314006b9047681b47126aed528fc
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize20KB
MD5e5ce82908a42354daee9c5abe317bc7e
SHA1ff8037562432a725e98fe2883d6826c7c4f8f276
SHA256f22b336d5c77955a182f5707c28c3dc0a641e22259ed1467f882ede816907c83
SHA5126da7da6245963ccebf3c129e4f2ab9cbdeec2dead09f3d1dcb15e32c6d7a3efb78da94e6afec6814256875abea1482d9019765744a224a242e2b363aabeae405
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\AlternateServices.bin
Filesize6KB
MD5ac9d04477379b4d67ad7073a81413163
SHA14a5b660679cf82261a13128cbae599cfcb047083
SHA256be6e6de1f09d424e6fe6161d9566479a0715ed698e7d97433114b17773102d06
SHA512d71227bfb3ccdefab9d8c929cf3c38faf1f9beac56e74576d749cbc1199df119af088327cebfca0f9e30b5d13ee31c9b9781e78067b5d64ac34fad7380218480
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD568f0211d6f04941f35451cd4905a20d8
SHA13d042c1f6b5b0f715f075e4cca1ede2db3c7668b
SHA2567f040d2ee87cfc5d26c303d773aa4bf4708cbb7b12442708952a91887e056b90
SHA5121850861523eb0abd34486e419a492b1bf103f9ca8b759e9b29ad75f83b4b31bd4c02b425004f0d847cb95a0c7dfdcf989d5263af05e3168e5fb10795c5ef9703
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\db\data.safe.tmp
Filesize3KB
MD5012f4b4505259c2a13d1419ee2b027e3
SHA10b5bbde3e8e4b9802657a698759ea5dff2cf98f8
SHA256e9ecef163900b577a2220c385f5c4ae47e569e0dd2631968d2f3c5832cd48c0a
SHA512650bcf1737040019eaadb005e4a2405537ab2e9ca966f674822d6d1889777af2571a102a5aec36a5aa25add46af0baf56028b0ade0b49feff37d2f9c230ddb7d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\db\data.safe.tmp
Filesize91KB
MD511bdf78f30085e13423e2abf4f748abb
SHA15c6a4798afd786c66da7fa4e661fed56b4b40205
SHA256d21b67f4c5eea5b611d595d9559643485d5af95fa9d27f5dd4b45124cb6c0b44
SHA512c50c0cb6dd2e5ae9f17b9526009b2887eaafe2036ece9213b2ed122a2e94624936058bec685b75f656218a2596f4886b3c6affe65adbeb196b0d5298cff6918f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\db\data.safe.tmp
Filesize91KB
MD5b775d9b39acbcc2b0600758e751bdd7f
SHA11deac954c3fa2560939bcf23c042923784be6886
SHA256596c89389581139bf99b00e7a0837cc57bc235a2c7d71901ac5e962aeccd617f
SHA5124e1830a7f7ba73fe746f2753507a48d6990cd5dd42d89a2781a744418078bc68290d7724acdf82c35a8b3b62d2776df5e1a6b888bee495f5e6c8547c6a47d84f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\events\events
Filesize1KB
MD528df813ae9b10920bda95a210476a9c1
SHA1cfd994ddd94a6a3fce61df049dd21d5e25185df4
SHA256befe10088752a51fc44003bc30eba9abf9163e2c35d50cdd8b153d05757aa08f
SHA512c8cf77f9bfeb3c6d69a13529a65085e2bee1fbeb3a9b4c09dc533b9460e77dc3e3872e1e05059085b32085b7569aa3f8dd37ea20148559d066e6b522b8f40df5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\events\events
Filesize4KB
MD53c04f9e92b32965bf730c41bcc73ca8a
SHA1e2abb08f3b7b355640bd4ff25097758e0c696354
SHA25605dbf87bcce39c8cd4ec7385bc10f9a3bf9ca93a9786042ce490bdf2b41e4847
SHA512196707a0ac78d0617ac46704c674733cf748e33197dd962c49d9daa95c3f844e1d2bd756b499a0e5373ea3c1635060564d321e7ae113670d051b51723c1e6ba6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\561ded5a-0dd6-486f-b0c6-933e7703f75d
Filesize235B
MD55c9545ec85336d735bc345b01f4446d5
SHA1046268c444f65a1eae7bb6ee88e6e851feb71cb2
SHA256518f26a1faa45c831b34e1cd3f495eac46a0608a946d19d022ee5471d80d61d7
SHA512e4be05f9bda915595a72387fee8fd46a75eabe20c4a6b403f9228475fd1ccf6255046eab2bc09dcad6164eed20bd37a670f0ed418d23490abd0ede2fd68dbf76
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\7509f4ee-c2ee-4b25-a52c-0d91be77e3d7
Filesize16KB
MD565ac1109aacc014a8350f89b6f7d03d2
SHA1d897163c1ad078105e97996cf5f6f4fd75a3fc74
SHA256fc9f2e7410f311014c8485c696e175a221fc3036506e84eb1dbbf97406bb96cf
SHA5127d44216a9ced32e3cd6bd1551f6a7a50f784051f2810ea175d2c09edb934fcd6d6dd8c375dea65282825d12c8b3a67772cdcccd7c478d548467088a036030097
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\8e1a1c20-c657-436c-ac5c-81cf1fed4fa3
Filesize883B
MD550a35a0d8ea665082f5f82a192b4754b
SHA13963f69b54fb398bb62b1431433d1ee836f379e6
SHA25634cf9341196cc1d243bef26afd0318a99f3efe073cc443a21839a2ae7d792410
SHA5126d062df320855e8b77d5cc2b20e5d6a543c02b225cd141215d1f64df666ea5cde03e8a33f9f351f63b69a9ffdde4a499daa2393a35f943cd80d92b695bf05fd7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\9ec93c3e-0cf3-4e51-b8c9-6ee85d8c9d73
Filesize235B
MD5ceea0548417ebf5ef7e452388932f41c
SHA130cc9af8651d61c21de82887c7ec9c5eaddaea80
SHA2560eeddd721b2cf04d02371f15b050f6e98a77075922b4129d7e8a806e4bcc7073
SHA5120337497f0de9d84949ee58daed0202b1f0a1bb32a18b4a87cb9616418610f4796d6209c14d3b58683d1c3255f040d45cec57afd236645af2962912e8a4020463
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\acee4229-97d4-46df-8c19-1796124e01b1
Filesize886B
MD517de4c35a331a8ff67566aeea4e68ed7
SHA1e515b3760e80d0d6c05f426ff3a9604ea8b680c6
SHA256be6c67416cb3488126397e5dad9d84f3b1dd68e927ee83ce8c24a09634dbe107
SHA512861ffea578a84f77492818a17f1c7455c6c4bbf655a97b44e386e3a63acd5319c0fbcb8a0a594573edd44a20854518f1663f966c947d9e7a5dcc815278b15c9b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\c1d879b0-5d69-4950-8098-399b1844e301
Filesize2KB
MD568bd4476df23ff13dd88f406451b6326
SHA1973ab8f6b3bf1d6befdb277b63f6b6035a0fc7f1
SHA256504fda5c9b024fe6a78adde5887e1a19e3f091bcc272d25f9f7b7c1a5bd4b0fd
SHA512ce38767edbf10bd87a69b8f1dc81a0b4f17b44eeafe5781471dfa9cafc80d18784690891190631f9db7764ef15727e6c5e5cfd64fb1c84bbd392d365a18b403e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll
Filesize1.1MB
MD5626073e8dcf656ac4130e3283c51cbba
SHA17e3197e5792e34a67bfef9727ce1dd7dc151284c
SHA25637c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651
SHA512eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info
Filesize116B
MD5ae29912407dfadf0d683982d4fb57293
SHA10542053f5a6ce07dc206f69230109be4a5e25775
SHA256fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6
SHA5126f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json
Filesize1001B
MD532aeacedce82bafbcba8d1ade9e88d5a
SHA1a9b4858d2ae0b6595705634fd024f7e076426a24
SHA2564ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce
SHA51267dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll
Filesize18.5MB
MD51b32d1ec35a7ead1671efc0782b7edf0
SHA18e3274b9f2938ff2252ed74779dd6322c601a0c8
SHA2563ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648
SHA512ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499
-
Filesize
8KB
MD5ad4861cc3570860354fa23b040a8c34f
SHA1321b23cd7c0d6bcd2758662f9859d152c5f70d95
SHA256ba0b52e376583c1d4a8b6b2087304423baa498d96b1a3ad9be6c75cac10a3109
SHA512ae334221af72af96cab84c3b8972b726c6592213bd3238ae9758894c67b666978029252f0fac8ff0ef5711cd16065ba95ed5cdd8e5759a54a714b41b34fb6dcf
-
Filesize
6KB
MD5857d16dd5e5a7929fd98af3d265414de
SHA11df0c0bd244efdb7e859fdde4ba68e9b5c33ea27
SHA25614d7598c10ff623a5787e741fea1182d2ba1ea50067533fd3978c618cf565b5e
SHA512d785ae37220f351cff03207320bdf7059cb4a9aba0dbc628eeabc8469b48b2c45d7f56ea3ca7e701a4be57e3815a234941bba7915d2481a46267daf9b9f3a37e
-
Filesize
6KB
MD5c8b5642cb403e53337436d19a34ada30
SHA1728044eb09974fabfd63f4434939909e8cd71f0a
SHA2561e07ab8152c5257c7638510c9ed7629b2aa58c50b37dde8bf1314cf3999f5afc
SHA5127a69269d7fc39f1b50a2f18987d77ffe37a5015914c8909f8cf695f4b746ed38fecf6a707c13259e7d3fba979267b315fd7c3ce6509cafd408bc8f3802d221ce
-
Filesize
6KB
MD5e50bfb7ecf546dc0ea2e2103b8e96d50
SHA1d8c3312dd9c7c84d678a973a84e776489c33e132
SHA256f94e058e26576d9f7fe773741ec4787e7b59c8b0fd4e1143959a284bd351cfe1
SHA51251a2026b5dba63387a374ae761d5759c43d5fb7d7e163246d290d1e81b9465a91eaaced633d6b3a704d60ab125d1c5f366cff7db059c85059c8118508cd4e6de
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4
Filesize3KB
MD55fe85b0044e2b9c6717b275e21a4df33
SHA139e04f4beacdf1704666c0a38dc9527ef148c9a2
SHA256993aa66b64525b8ab50dc2e58bb401a608fe04bc1d9dde26a38783a4d39ee56b
SHA5125bbda790e935301676db4ead4b415cd0d15db4762e261b94134d0a766a9653ce90348da593d8b5fff182308ca974081e1fdde9e1f319152d405379b2636c2781
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4
Filesize3KB
MD587d82057f3c581775a0405c8dbcef4ff
SHA1a7e71b6c8e65cfaa0db944dba39f83e779f730f2
SHA256988543cb3fa41218aa7a0542f2f2a5f35c1930433e0e580f42b8f4ef913b75c2
SHA5122b13762d016ad4aa0d39a5c3389d4836df2850c467acdf4d0c78df7ada65b7962ebe2440bef1bb474a2bfadf1bdde6a3fde7b8fd4ba6976a86a21c475022acc8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD50e62d98953db69f96cf5d6526d720182
SHA1e819bb73186037246bcbfcb560cfea383c5c47b5
SHA2560d9fa7c5d966d460f81f091b3d63ecda54ebfe5cf610d059c94e0e26cb4406ae
SHA512ea14a5e0771b001840ffd6a89c68b96184e729d87fcd7dee3822f5746c5afed63e73f74e2385b5457339cdc1055d6a9015f46f9e27470fa14b81736202f3834e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD52ca4cedc950d04cf30398b49abb1d1a7
SHA1219d069275b9c1aca6c005869eeabb6065e16012
SHA2565dd97cfc83ef2cba5d5780cb78610c410478037d56741dc18b177863e881f0a6
SHA512c6bd7cc17111c9f04090447b15d31fd0f6c78f55bb26df81ed47c7e84c4014da3f7ae765eaef69d9c1e7dd766cc87af454d009b2675a9b8fe4b40eb4e8c336c5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD5cd4e4af3f9c7bc165595904665e11f72
SHA11a6ba22d02756a2d005e1d6f96425a4b1f0df1f8
SHA256969ef39bb63aa33fed001073aba98da8a3e0af984d95c80c555cf062c57325b0
SHA51252a04be39fb6ce934830d86cc52638dcf0f5bbeef87072e680902294b8f13d240651e66cd8687685412e0f1dcd60893c731f4e3d07ca771f5d7e825c08740652
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD5fab1e50e7436fe80bea347396e0613b6
SHA1dade7041997701cf9a870077332f7e0d18b681d3
SHA256adf7838a4720b96218d82370971a632bae3ed632d48699e933746ff0ac4d6571
SHA512a4b4fdb0e5c49d8c4b10df5dc72dde04903fef9d732f72fe4bddec85c0fd84769a0e932ddfa8211ed5702d0e911ce5facdb6f4d56ff39eee0602108fd781ad7d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD586253a8ac939aa7468c0e7d565eb37ea
SHA1777811d1a803dc83448faae984efe1f593b8c4cf
SHA2569c60d91fd1f6c1c339f7b2c3810c7cee17803bb3315e9381c9a27b5444330255
SHA512b97b67093e4bd33b5f33590277d320f9f7a990129f77458db45488f6979c31e8aae4b761bb34b31a6703dfc1d040327247e8d66494ad6a6ec477929d3330227e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD5297657070cf745f9d0974e70fc8cc6d3
SHA13c6d3f4bd0d64743e7fe8f958394c02f30b390b0
SHA256fe7fa13bdab2676a9b29b18f9a42d28478cdae8b826206860aac6b7884eaac56
SHA512ae04d641457baadc0ab2f0cb084e521d2679a1c58ff9b219daa91ecac02eb06c4787c86cc22183adf2c1992f2b26020c55bc77709ccbdec1cbe023546125a3a9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD5f385d1a8221a2c204dc3ae25950c24d7
SHA149dcc0a700ba2e7a00bbf226b8e85239bfa5f200
SHA2561092a724903d5e2412a9fdb7be3df798a960e2e32c568cefa43be575c5c2748b
SHA512bdb94a38327319d2db79b2239c8cfba1dfe57d575a13bb8cac8732759c0c7c9cac2797d3d2052c6f97bf0277c9785da204b986195de162754336077824860933
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD559b8385bd45d358110f4e5677587e810
SHA16c18b67e44bb7887cb314e78fc0e5ca7144ed08a
SHA25612c71785f8e6bd3eda95583693f155a85964f61da6876406709e29b0873c89c2
SHA5126dbe0f4d2e8d69d081e10c00f9bd843d484eebbee152f057d78ec796482140c7291fcb4a79bf18e76cad944a5f11275982de9f7d0545f56960210c206a629466
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD5e12045d529da71b2c181c770b74557c2
SHA1faa7815049dc07584e57311deb143a9784908f0c
SHA2563af5ff61e8b5380052375b99aeff8e35d5fe91baec8a0e7b07803bc3a1c5950f
SHA51232a06aefb3548ec5b52cf2d6df249ceeef7fea7e38a10ac99c3ca23b99f80357dded49c789fc9995aafc6a12c3c177f7813c35fa0d704356418d52543f714ac8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD56b2d2f604aff26d3879a3b25f9135d2e
SHA1b385c3642111af943de9534697650da0e12a4aff
SHA256bc3e63c622eeeab0d2aea3208421a7b72764f12ad6759870282a7f5748ad216c
SHA5126efbf0095d7ed1fb560f4c32176a3d2b74fdd4bab351c87881f916d3bf8341f35ce5c8320e0c15b1cf8004191b94b3eeab4d443b1f9866e7387aa0a2e81b45ab
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD5074dba6fed316a56767fe444d45ae0a5
SHA11a2ea79da3d6e2a1aa01c54cac99b25d0ee82907
SHA2568f5610d8524e2d8c84f9deb3f397b0ba536a1f73960a2348b205cfd106ff04fc
SHA5127ad8dc589ae17659ef93b893efd4c5b11bf4cd54d606995cac2b0be95d011cae7742d039da6190cba7235cc48c23256bbdc81461659040233d7778f644df327b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\storage\default\https+++github.com\ls\usage
Filesize12B
MD59e89f8d581f7c22679122e5e61ada809
SHA119667207e15b1d36dc50c4a72ce3163342b7862f
SHA256421d4cbb4c59f5e94dcb376548fca28bde43197ecbae6fa1887b512b498919da
SHA51214f5611a9a0f9c5060377765c08c205f63b06a06bcc36ea4d1e837734906a56ed887a1efa9101b0b168ff9d22a16583f02393841ad26c090f2a0e57c9ce0f899
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize3.5MB
MD5de3249013705ed8ec571efe560bdcd30
SHA1b911b31387da25dc17802ebce53ad337c238818d
SHA256b2e981776376102609cd030b32f61456da7c957c4ce33395727c4af298630bcb
SHA51223b16c6fb50984996a0e72246d443b6c772a08a3fba1d6c80f85b731dc50ae5ad33a0345fda53952ecb1cb8f0486ab043dea349014680c353168ed509e5e927c
-
C:\Users\Admin\Downloads\001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859.beJ4lAfH.part
Filesize8.7MB
MD5799c965e0a5a132ec2263d5fea0b0e1c
SHA1a15c5a706122fabdef1989c893c72c6530fedcb4
SHA256001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859
SHA5126c481a855ee6f81dd388c8a4623e519bfbb9f496dada93672360f0a7476fb2b32fd261324156fd4729cef3cbe13f0a8b5862fe47b6db1860d0d67a77283b5ad8
-
Filesize
373KB
MD530cdab5cf1d607ee7b34f44ab38e9190
SHA1d4823f90d14eba0801653e8c970f47d54f655d36
SHA2561517527c1d705a6ebc6ec9194aa95459e875ac3902a9f4aab3bf24b6a6f8407f
SHA512b465f3b734beaea3951ff57759f13971649b549fafca71342b52d7e74949e152c0fbafe2df40354fc00b5dc8c767f3f5c6940e4ba308888e4395d8fd21e402b3
-
Filesize
396KB
MD513f4b868603cf0dd6c32702d1bd858c9
SHA1a595ab75e134f5616679be5f11deefdfaae1de15
SHA256cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7
SHA512e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24
-
Filesize
438KB
MD51bb4dd43a8aebc8f3b53acd05e31d5b5
SHA154cd1a4a505b301df636903b2293d995d560887e
SHA256a2380a5f503bc6f5fcfd4c72e5b807df0740a60a298e8686bf6454f92e5d3c02
SHA51294c70d592e806bb426760f61122b8321e8dc5cff7f793d51f9d5650821c502c43096f41d3e61207ca6989df5bfdbff57bc23328de16e99dd56e85efc90affdce
-
Filesize
153KB
MD5f33a4e991a11baf336a2324f700d874d
SHA19da1891a164f2fc0a88d0de1ba397585b455b0f4
SHA256a87524035509ff7aa277788e1a9485618665b7da35044d70c41ec0f118f3dfd7
SHA512edf066968f31451e21c7c21d3f54b03fd5827a8526940c1e449aad7f99624577cbc6432deba49bb86e96ac275f5900dcef8d7623855eb3c808e084601ee1df20