275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f

max time kernel
46s
max time network
77s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-de
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-delocale:de-deos:windows10-ltsc_2021-x64systemwindows
submitted
23/03/2025, 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EICAR.txt
Size

68B
MD5

44d88612fea8a8f36de82e1278abb02f
SHA1

3395856ce81f2b7382dee72602f798b642f14140
SHA256

275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
SHA512

cc805d5fab1fd71a4ab352a9c533e65fb2d5b885518f4e565e68847223b8e6b85cb48f3afad842726d99239c9e36505c64b0dc9a061d9e507d833277ada336ab

Score

10^/10

defense_evasion discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit32.exe"	Fagot.a.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
193	4328	firefox.exe

Manipulates Digital Signatures 1 TTPs 12 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Fagot.a.exe

Executes dropped EXE 1 IoCs

pid	Process
5868	Fagot.a.exe

Impair Defenses: Safe Mode Boot 1 TTPs 7 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	Fagot.a.exe

Modifies system executable filetype association 2 TTPs 16 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\PropertySheetHandlers	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\DropHandler	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\tabsets	Fagot.a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dllhost32 = "C:\\Windows\\system32\\dllhost32.exe"	Fagot.a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
192	raw.githubusercontent.com
193	raw.githubusercontent.com
194	raw.githubusercontent.com
195	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName = "COCK_SUCKING_FAGGOT"	Fagot.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultUserName = "COCK_SUCKING_FAGGOT"	Fagot.a.exe

Drops file in System32 directory 40 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\userinit32.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\ntoskrnl.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\autochk.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\chcp.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\services.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\dllhost32.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\WINDOWS\SysWOW64\userinit.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\progman.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\alg.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\dumprep.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\imapi.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\win.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\services.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\wowexec.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\wuauclt.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\wuauclt.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\userinit32.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\ntkrnlpa.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\recover.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\wowexec.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\dllhost32.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\ntoskrnl.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\shutdown.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\imapi.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\MDM.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\chkntfs.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\ntkrnlpa.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\bootok.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\systray.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\progman.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\chcp.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\dumprep.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\logon.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\win.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\regedit.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\alg.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\bootok.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\ctfmon.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\logon.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\MDM.exe	Fagot.a.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\NOTEPAD.EXE	Fagot.a.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\Fagot.a.exe:Zone.Identifier	firefox.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fagot.a.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 32 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Fagot.a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Fagot.a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Fagot.a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Fagot.a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	Fagot.a.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Software\Microsoft\Internet Explorer\Main	Fagot.a.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "www.blacksnake.com"	Fagot.a.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\AuxUserType\3	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F3CE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Wizard.8	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{7F3F2ED2-0B48-3FA1-8072-2F9923016ADF}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}\TypeLib	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1CFF808F-63F9-4485-BB6A-B05C2E9F9EC5}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\omicaut.MathInputControl	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\Conversion\Readable\Main	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP.Device	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4AE9135F-6029-54AF-8AE6-432C12AFCEDF}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}\ProxyStubClsid	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\Shell\Open	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B92EB61-CBC1-11D3-8C2D-00A0CC37B591}\1.2\Flags	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ee1a0675-f3c9-5c12-93e0-f2b01bdce611}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ScriptoSys.Scripto.1	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.SlideShowMacroEnabled.12\shell\Open\command	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{305104B6-98B5-11CF-BB82-00AA00BDCE0B}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000672AC-0000-0000-C000-000000000046}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.pls\shell\AddToPlaylistVLC\command	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.it\DefaultIcon	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\Extensions\.jpg	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mpe\shell\AddToPlaylistVLC	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.png\Shell\setdesktopwallpaper\Command	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8625CD1C-B19C-3ECB-8A29-2E12449FE6CA}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.TemplateMacroEnabled.12\shell\Show	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA35B84E-A623-471B-8B09-6D72DD072F25}\1.6\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0411-0000-0000-C000-000000000046}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{268CA962-2FEF-3152-BA46-E18658B7FA4F}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{41E1B99D-CF7E-4315-882B-6F1E74B0D38F}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\textfile\shell\print\command	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{417EC967-ACF1-3B68-9743-D9D104681FB3}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3BAA3119-ECA1-4A32-9A08-595E71AE9DA9}\1.0\HELPDIR	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71F96466-78F3-11D0-A18C-00A0C9118956}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B2AE522-F16F-40CE-A7CA-FF6D78AEA699}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C03E1-0000-0000-C000-000000000046}\TypeLib	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40B783AC-9C9E-4F73-A1C3-E767FC211B2C}\LocalServer32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\qedit.RenderEngine	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55F88896-7708-11D1-ACEB-006008961DA5}\TypeLib	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C18EAE4-BC25-4134-B7DF-1ECA1337DDDC}\Verb\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F26E-98B5-11CF-BB82-00AA00BDCE0B}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8351108F-34E3-3CC9-BF5A-C76C48060835}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E790E1D1-9DE8-4853-8AC6-933D4FD9C927}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C1718-0000-0000-C000-000000000046}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F276-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mka\shell\AddToPlaylistVLC	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\search-ms\shell	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E43FD401-8715-11D1-98E7-00A0C9702442}\ProxyStubClsid	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9203C2CB-1DC1-482D-967E-597AFF270F0D}\TypeLib	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{22D8B416-108C-399A-9B57-B61D3D683E14}\15.0.0.0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Theme.ThemeThumbnail	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6BE41CDF-29D7-32DB-8181-5117F580BA68}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{26E3C1D3-6937-3EFA-8859-7FFC81869CE5}\15.0.0.0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\DocObject	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\Conversion\Readable	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Windows.VhdFile	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.amv\shell\PlayWithVLC	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{739A8B0A-D71D-3C99-84FF-1E3440263312}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{24246833-61EB-329D-BDDF-0DAF3874062B}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mp2\DefaultIcon	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.System.WordWheel\DefaultIcon	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{981DC77E-CE21-3753-92DA-3C4A0CC7AA44}\2.0.0.0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8540D1F6-D74A-3FAD-8BE2-03F9CADC2B1E}\15.0.0.0	Fagot.a.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Fagot.a.exe:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
780	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe
5868	Fagot.a.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4328	firefox.exe
Token: SeDebugPrivilege	4328	firefox.exe
Token: SeDebugPrivilege	6040	taskmgr.exe
Token: SeSystemProfilePrivilege	6040	taskmgr.exe
Token: SeCreateGlobalPrivilege	6040	taskmgr.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
4328	firefox.exe
4328	firefox.exe
4328	firefox.exe
4328	firefox.exe
4328	firefox.exe
4328	firefox.exe
4328	firefox.exe
4328	firefox.exe
4328	firefox.exe
4328	firefox.exe
4328	firefox.exe
4328	firefox.exe
4328	firefox.exe
4328	firefox.exe
4328	firefox.exe
4328	firefox.exe
4328	firefox.exe
4328	firefox.exe
4328	firefox.exe
4328	firefox.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
4328	firefox.exe
4328	firefox.exe
4328	firefox.exe
4328	firefox.exe
4328	firefox.exe
4328	firefox.exe
4328	firefox.exe
4328	firefox.exe
4328	firefox.exe
4328	firefox.exe
4328	firefox.exe
4328	firefox.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe
6040	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4328	firefox.exe
4328	firefox.exe
4328	firefox.exe
4328	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 4328	1504	firefox.exe	85
PID 1504 wrote to memory of 4328	1504	firefox.exe	85
PID 1504 wrote to memory of 4328	1504	firefox.exe	85
PID 1504 wrote to memory of 4328	1504	firefox.exe	85
PID 1504 wrote to memory of 4328	1504	firefox.exe	85
PID 1504 wrote to memory of 4328	1504	firefox.exe	85
PID 1504 wrote to memory of 4328	1504	firefox.exe	85
PID 1504 wrote to memory of 4328	1504	firefox.exe	85
PID 1504 wrote to memory of 4328	1504	firefox.exe	85
PID 1504 wrote to memory of 4328	1504	firefox.exe	85
PID 1504 wrote to memory of 4328	1504	firefox.exe	85
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1536	4328	firefox.exe	86
PID 4328 wrote to memory of 1712	4328	firefox.exe	87
PID 4328 wrote to memory of 1712	4328	firefox.exe	87
PID 4328 wrote to memory of 1712	4328	firefox.exe	87
PID 4328 wrote to memory of 1712	4328	firefox.exe	87
PID 4328 wrote to memory of 1712	4328	firefox.exe	87
PID 4328 wrote to memory of 1712	4328	firefox.exe	87
PID 4328 wrote to memory of 1712	4328	firefox.exe	87
PID 4328 wrote to memory of 1712	4328	firefox.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\EICAR.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:780

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Downloads MZ/PE file
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1996 -prefsLen 27100 -prefMapHandle 2000 -prefMapSize 270279 -ipcHandle 2076 -initialChannelId {ebc15f0e-7df2-4da9-80b6-2f2a3a8b780e} -parentPid 4328 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4328" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:1536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2448 -prefsLen 27136 -prefMapHandle 2452 -prefMapSize 270279 -ipcHandle 2460 -initialChannelId {2ab09a7e-fcc2-46b1-bcc6-ded1383be750} -parentPid 4328 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4328" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    PID:1712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3892 -prefsLen 27277 -prefMapHandle 3896 -prefMapSize 270279 -jsInitHandle 3900 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3928 -initialChannelId {83771546-b540-48e4-92c1-80ee4923d6c6} -parentPid 4328 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4328" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    - Checks processor information in registry
    PID:2180
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3896 -prefsLen 27277 -prefMapHandle 3892 -prefMapSize 270279 -ipcHandle 4180 -initialChannelId {fea98633-b6a6-49c7-ac29-5697408d3ee4} -parentPid 4328 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4328" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:4580
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2640 -prefsLen 34776 -prefMapHandle 3204 -prefMapSize 270279 -jsInitHandle 2636 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4488 -initialChannelId {75012ac2-4976-4840-a8fc-8d2b4b5ff7fc} -parentPid 4328 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4328" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    - Checks processor information in registry
    PID:2824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5276 -prefsLen 35092 -prefMapHandle 5280 -prefMapSize 270279 -ipcHandle 5292 -initialChannelId {28160ee4-0a04-434e-a08a-0d1f788b539c} -parentPid 4328 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4328" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
    3⤵
    - Checks processor information in registry
    PID:2952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5496 -prefsLen 32979 -prefMapHandle 5500 -prefMapSize 270279 -jsInitHandle 5504 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5512 -initialChannelId {9c517a89-d987-4949-b47d-a70b2407e79f} -parentPid 4328 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4328" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
    3⤵
    - Checks processor information in registry
    PID:1756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5668 -prefsLen 33031 -prefMapHandle 4996 -prefMapSize 270279 -jsInitHandle 5660 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5708 -initialChannelId {0beddcc3-3010-4254-ad60-a09db90e6efe} -parentPid 4328 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4328" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
    3⤵
    - Checks processor information in registry
    PID:2124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5888 -prefsLen 33031 -prefMapHandle 5884 -prefMapSize 270279 -jsInitHandle 5916 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5928 -initialChannelId {764f20eb-dd3b-4b9a-b412-110f1568d2e7} -parentPid 4328 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4328" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
    3⤵
    - Checks processor information in registry
    PID:892
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5512 -prefsLen 33071 -prefMapHandle 3280 -prefMapSize 270279 -jsInitHandle 6272 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6328 -initialChannelId {4c002e3f-1bb6-44bc-a009-6d6712c2076d} -parentPid 4328 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4328" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab
    3⤵
    - Checks processor information in registry
    PID:3012
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5616 -prefsLen 33071 -prefMapHandle 5600 -prefMapSize 270279 -jsInitHandle 5604 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5592 -initialChannelId {47c09baf-c186-4a5c-9132-d05968ecde2f} -parentPid 4328 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4328" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 11 tab
    3⤵
    - Checks processor information in registry
    PID:5288
- - C:\Users\Admin\Downloads\Fagot.a.exe
    "C:\Users\Admin\Downloads\Fagot.a.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Manipulates Digital Signatures
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:5868

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
71cedf632d47b045c5afb5f865f65f40

SHA1
2ca02f5fdd76a6cad59c5c85daf2c07e62298fbe

SHA256
2a592bb3ee2b473db11e5a6791644da8ebf3ed3e067c15640ffb5f6c75a1857c

SHA512
52b127d5ee80175383b33f811423d09aed210295a5ccce85996a4323c1a17be1a67cfdcaa9e8e80cedb9ac9cfe2138c1ebae77a3391eceff0139f9e04c347799

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\cache2\entries\E19316B1CDA62317F9DA2551F9B56E711FCC77AD

Filesize
13KB

MD5
f08ac39c309dc7e9f0c84787bdc8f7dd

SHA1
d07111f25e5f37587436127bd05149dab7477d31

SHA256
dc59d101ba0e989792d114891f167a54465e9d73c1814d77b93e29bc8329f648

SHA512
343ee6c97d03e74a7793a92a0e3e1583bfd5ff245bf5c845ab6f97b102191c356615cde2ecf4eca23c24b2dfe7d4b145d2a97de9d53bdf5aef4bad1b0a7d7d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
502KB

MD5
e690f995973164fe425f76589b1be2d9

SHA1
e947c4dad203aab37a003194dddc7980c74fa712

SHA256
87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

SHA512
77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
14.0MB

MD5
bcceccab13375513a6e8ab48e7b63496

SHA1
63d8a68cf562424d3fc3be1297d83f8247e24142

SHA256
a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9

SHA512
d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\AlternateServices.bin

Filesize
7KB

MD5
39a84d81826041174cda058b26b752e2

SHA1
9e8c9c478cc9b57a6ac9c5024af3fad4a99b5d2f

SHA256
b52da9089b9775ce2921f1f6a79dab9c7337abd2bbdc5787aca5e3d896e4816f

SHA512
98791296b835a75fc36b822086acf5a74c9676c33db6b9766f5732c0e839c29de459faf3d954104366565748a68c9ac788e164f812abceb94fca864f1b506838

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
f72e07467b035a32adb24d4ec695a075

SHA1
3b996c3e2be076262c3f1a4b285e8dcb8c9db466

SHA256
52ac829b6dc8f6de1f32f71ac10282c9b168850e24a16f18a2c0a0a2b0701c36

SHA512
e57435f1cdc74655d61c77004611ffac8923cbb8577202f2e47691789282e42ad9edfd54b4b7d7d7d88910171fd181c85c94a2964257d5627253c43acb7183a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
8637bc1bccbbc09892bc47cd35a0b484

SHA1
9b9c081a0623b1a1d01a2b267894ce81e44676d8

SHA256
0f5f4eb0faceb2d27cd771871a536be0c0925e074bfa48f080ada65108d1dcec

SHA512
c8e0e1c79b65ec3d01bb878f6bf0c12e012b4b60e44bc99f734176a6e82ca470429a6b10640021c18e8ffe985c8911d18b614e4758b361321c2e3ff440676b41

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
0d672101ca015039215615dcf72fc7be

SHA1
c4d7e671316552fd037a4c75bdf9a90c9f70f7e1

SHA256
2b34c28fae6acb7b6eb9305d4bf7d08c438a5358ae044054fdba299b5eef86df

SHA512
c2d20440c1609a240ab605649ef24ee12f4d91c61f7b466abd83a65773a259ebc9a8750311f79933d456339ce1f5930d97b35568bbeec91166c73a87d3078f7d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
c8dc85d90f09ae236d7aa16fea2d88df

SHA1
7e3e5c178684a77de69a13b6d02eaae8314b65ca

SHA256
acb65658eceb41b68b8366702eb0fa2f76bdeeeb0b9e19793935e6e6162d2fe7

SHA512
c6c3cb304b0a4d00dcc5737b4a68f2b4fc3955268a70959b300fca7c3a49057afa6fe5c975b9c56736f940dcdc17e678ea75b68ba7da99a92023ef781002386a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
d9d67b26a2d5c3ba3e9943704a8ceac9

SHA1
48c9a81021aab0f43d1d3970b32f6d70ecb236c5

SHA256
3557ccd03c808c219dc4413a7a302c9557294eac54301215e3bd32c98644b500

SHA512
f97a260a0881801650caeacc5ea205f37acb7e31b80795987628709cca322bc111ea5ff09a629394cdc9ff01430d20b827cee5c2e5420ecdd8b91515a88848e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\datareporting\glean\events\events

Filesize
4KB

MD5
1a4b168dbd79a1dc9e52bcd4965b86b6

SHA1
2566edae26808eb829020abcfe95902278ecd767

SHA256
4cb2a89c9bfbbd54c590934d1163e9ab4e5b76dff193d940f6ed4b72ba5cf4b3

SHA512
05d327eadcd9e26be25262c602fa50264f8b7c5dddb156f29c86c562bdc957ded53b22b687a31715c8686d21844f4656075ffa631ab9f98546aa6ecce064eedd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\datareporting\glean\pending_pings\3ae7c471-64a2-4d81-be1b-acc93c96ddb4

Filesize
16KB

MD5
940afd9eba988141227897c65e2268d0

SHA1
f454864e503b83222f21ce65e9e00f4a442aa8a9

SHA256
814a5db495ad0dac16ba38eb05d25e42ed1bb9b01949b56695229c8c10872c45

SHA512
b16f9124f524f6bd5994b8d2876ceaa11c223f097435d41399d11b0bb8b6236fdb62a48aac607a6daa88f62aeeacfa9cdfb7d193bbf61370cd2867c91bcf67e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\datareporting\glean\pending_pings\55a544a0-9ad7-42a1-b2ed-fbb9c78aa130

Filesize
235B

MD5
117df7794b4756414aa80ce1736b9200

SHA1
600b7223fbe4838b2479c3aa384f467e53f94437

SHA256
536ebff663c22fc4f4a434f69834f3c16047f578d75082441ef911008d269f73

SHA512
5a6ac6cb4c403bb301483ce0acb33a4c52e0a7785c14c3e57fe12b8882efc1198ed1af8368f4e8a3e8f74cced529f31b9efa197f516773d76f6303bd649db14a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\datareporting\glean\pending_pings\5c54c640-9cf8-4f4e-87de-6bf9e0ab4528

Filesize
2KB

MD5
fa457d0eb508f541ea5acad5f7e45770

SHA1
052f36fc3e94057e1217d321fb8d047c4970c7ff

SHA256
81bcc6ee2a3bccc6471ba4be937b7c0440c5278f0b6c76d59d09e369deef3da4

SHA512
67c58011268f72b333b8300acc6ecf9097d1620dd799e4f7d31ff9edab3f17a8872f40ff3053e1a8a44424684308f08a1619adbe3bc14def7b1091c3d61c0433

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\datareporting\glean\pending_pings\63148347-5feb-4c7d-a3d0-00dc5f76ce7f

Filesize
886B

MD5
f58665093b0bc5a961a897b80067a09d

SHA1
08c0705d6a269226afcad925bc537c8db75dd179

SHA256
270179ed2a87b5a159b8a329cbc474cab3c50c7f16b280659ec432668e2913e9

SHA512
9f34447c397f1388fec850c67ec76e1936a1f27682eb20c8705f58fb4de594278384b3f2ea83bf075611f59ecc1ea87261c001c5c5f681bc45d3186fc5ee375b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\datareporting\glean\pending_pings\b58d4408-fc40-46cc-9cd8-e8c85a846dd6

Filesize
883B

MD5
80a37ed2921ff5a71430913a4e799118

SHA1
e1f583d3199edea25a042a3b30fd3bbdfa1d8f80

SHA256
aa6079b9611ae85131a899389546dc50c8cd16b41f94bd2166e0956765ef0911

SHA512
8fe2e4a232aab14e4544f7a3a3e297c43698c8252a98cf29cc7886e0a073e84ab61ca8e4f7b8b8d039088d79d2946e0cb49da7e4f8890ae7b5dc2e398eb2f0b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\datareporting\glean\pending_pings\b7f6b5d0-8ff7-4b60-822f-257ff3737723

Filesize
235B

MD5
3c635ee43c1a3caef54f78832710d0ae

SHA1
1e173e77478f70a4f7169b480ab84a3dbaaee941

SHA256
127cde681de5c507c6003515e0f62c24d091a007e751ec7427c1abfdbe436f5b

SHA512
7cbe0fd0e9cc516d0bd6b22a7899d81a5941511df1959ec02367e7390ffd8b76327ecc84edb08da80883a70c63791f59ea9f3dc449d1fb90dab2e1df4d460179

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll

Filesize
1.1MB

MD5
626073e8dcf656ac4130e3283c51cbba

SHA1
7e3197e5792e34a67bfef9727ce1dd7dc151284c

SHA256
37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

SHA512
eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info

Filesize
116B

MD5
ae29912407dfadf0d683982d4fb57293

SHA1
0542053f5a6ce07dc206f69230109be4a5e25775

SHA256
fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

SHA512
6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json

Filesize
1001B

MD5
32aeacedce82bafbcba8d1ade9e88d5a

SHA1
a9b4858d2ae0b6595705634fd024f7e076426a24

SHA256
4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

SHA512
67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll

Filesize
18.5MB

MD5
1b32d1ec35a7ead1671efc0782b7edf0

SHA1
8e3274b9f2938ff2252ed74779dd6322c601a0c8

SHA256
3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648

SHA512
ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\prefs-1.js

Filesize
8KB

MD5
29a31b61890e2b161eb45586ad2162a9

SHA1
bcbcdbd191de1a99d3c8c40f7e8a5b89282193a6

SHA256
877dc10efa5fbbaffe688cfafc2b1420859f444450d06e58337875c892f8907e

SHA512
9f9ae9636ec0d03112ca93a2b3621d6dc075ebcebb3e876e3fed5a9d6c3e52875780c9e89b450c9326ed8e445f7dcfcef70ce97cca5db3be8232b11fe21f3496

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\prefs-1.js

Filesize
11KB

MD5
558df10f24e81f8c135be91c54d4c583

SHA1
9b44b5d691cc6e52e2f2fb0d94bb35574d1a992e

SHA256
a0488abca8f5661229e1b22239d953b87f4c308cc7eae83bb6477c4f5be9b424

SHA512
246a7cba331708a24d33aa7efa83e3bd5562b1625a5196e5a999254d88e80fd2fac58ed83dadd403a1967f472a836be39073d7df9fd6aefbadb8c5fc490056a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\prefs-1.js

Filesize
6KB

MD5
bf35c3c7fd8cbf594c004e465d259c43

SHA1
5bad5f32031c6fa132463a80b174aa34affaf2f8

SHA256
eb5b05beda6de531bed789451ed6934369e108c1afafa9fb7a384bd352449dbd

SHA512
a07d59de0aecbee7448fb3280cab6f6772bd34f8a32963888a1f8eb6c71eeccc5266d0ff61f7c6fa4dcaeee2b2df393c99543f2f62de17e19d391cfce7dcbc20

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\prefs.js

Filesize
6KB

MD5
135112ebf199098ed1dd4c98b65bfc1a

SHA1
1c3e409bfd28e0f3fb33944cc2110ea7910b5648

SHA256
5d1e1e4ca93773876a32c0082c872f81e707ebcbbfebea21b24c86605e1c3046

SHA512
3b731368dea4747e4a8612aada6b9de5fd7c3d6b2f9bed4f592f1ed523447387b6c5b63e4d9135b65bdc753d746d14aa69942ae96c7ff7f0940509667180657a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
22f459e0d46eb8ce5692b700489c4681

SHA1
6029d1922e9ff52f8ef284eb6b1bd663333d66f3

SHA256
2acfae9145ad444fe058f5af53d485c0a7495b53034013a8155e2eda37e5b8bc

SHA512
712fa943840657af86ee67c3fe98d4a9be8abc861c1391c6b2838527dd14ca25d531bd2192fe477b566f456b23b52506a80d8b844347fe9d8162f9399cb23b20

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
494098201f3c0b3eeca3f812a6aba3d3

SHA1
531992907e735ffe4eeaf57634eedb878803486f

SHA256
f0999fc13752c23da8496b725cafd412d5523257ab0e947db2ee37cd8ec5208b

SHA512
60ca5c641bff191753663829ac1c789b5bba9ed9866d0c1bf3e4d84da29090cfa800b57a6a7b14b57ce94d037c49aff0a264e58fd03bd6c7fd427dd74122c925

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.8MB

MD5
a849c72ecef0978b91d5de8340d3c966

SHA1
192ce3ce2035b3f264854f84a9191d066b1423ed

SHA256
dbbee46824ca879a74b320ae70ead8ef246b69fef6ef051b48b21d6f4d6b5103

SHA512
13dab1fdf109cefeca1e8734a08364e085d7d861585980df79a9fad7fcb784ff53cbc7b31f6889e1fdaa582957ce49b1f1bccd63b44508d3847d042f51cb9d51

Download Submit
C:\Users\Admin\Downloads\Fagot.a.exe

Filesize
373KB

MD5
30cdab5cf1d607ee7b34f44ab38e9190

SHA1
d4823f90d14eba0801653e8c970f47d54f655d36

SHA256
1517527c1d705a6ebc6ec9194aa95459e875ac3902a9f4aab3bf24b6a6f8407f

SHA512
b465f3b734beaea3951ff57759f13971649b549fafca71342b52d7e74949e152c0fbafe2df40354fc00b5dc8c767f3f5c6940e4ba308888e4395d8fd21e402b3

Download Submit
memory/5868-1008-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/5868-986-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/5868-1030-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/5868-1009-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/6040-1002-0x0000026964150000-0x0000026964151000-memory.dmp

Filesize
4KB

Download
memory/6040-1004-0x0000026964150000-0x0000026964151000-memory.dmp

Filesize
4KB

Download
memory/6040-1003-0x0000026964150000-0x0000026964151000-memory.dmp

Filesize
4KB

Download
memory/6040-1001-0x0000026964150000-0x0000026964151000-memory.dmp

Filesize
4KB

Download
memory/6040-1000-0x0000026964150000-0x0000026964151000-memory.dmp

Filesize
4KB

Download
memory/6040-999-0x0000026964150000-0x0000026964151000-memory.dmp

Filesize
4KB

Download
memory/6040-1005-0x0000026964150000-0x0000026964151000-memory.dmp

Filesize
4KB

Download
memory/6040-993-0x0000026964150000-0x0000026964151000-memory.dmp

Filesize
4KB

Download
memory/6040-994-0x0000026964150000-0x0000026964151000-memory.dmp

Filesize
4KB

Download
memory/6040-995-0x0000026964150000-0x0000026964151000-memory.dmp

Filesize
4KB

Download