Resubmissions
23/03/2025, 19:10
250323-xvmsfa11gt 1023/03/2025, 18:49
250323-xglyzsvn17 823/03/2025, 18:23
250323-w1gb6str12 823/03/2025, 18:13
250323-wtvk8azwcy 823/03/2025, 18:01
250323-wlzvzatlz3 1023/03/2025, 17:38
250323-v722saywcy 1023/03/2025, 17:35
250323-v53kjayve1 1023/03/2025, 17:27
250323-v1pswasnw2 1023/03/2025, 15:05
250323-sf8n5sylt7 823/03/2025, 14:52
250323-r8x8faxrx9 8Analysis
-
max time kernel
540s -
max time network
437s -
platform
windows10-ltsc_2021_x64 -
resource
win10ltsc2021-20250314-de -
resource tags
arch:x64arch:x86image:win10ltsc2021-20250314-delocale:de-deos:windows10-ltsc_2021-x64systemwindows -
submitted
23/03/2025, 18:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
EICAR.txt
Resource
win10ltsc2021-20250314-de
windows10-ltsc_2021-x64
52 signatures
300 seconds
General
-
Target
EICAR.txt
-
Size
68B
-
MD5
44d88612fea8a8f36de82e1278abb02f
-
SHA1
3395856ce81f2b7382dee72602f798b642f14140
-
SHA256
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
-
SHA512
cc805d5fab1fd71a4ab352a9c533e65fb2d5b885518f4e565e68847223b8e6b85cb48f3afad842726d99239c9e36505c64b0dc9a061d9e507d833277ada336ab
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fagot.a.exe -
Detects MyDoom family 1 IoCs
resource yara_rule behavioral1/memory/5936-1427-0x00000000004A0000-0x00000000004AD000-memory.dmp family_mydoom -
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit32.exe" Fagot.a.exe -
Modifies firewall policy service 3 TTPs 24 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DynamicKeywords\Addresses\AutoResolve Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\TenantRestrictions Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedInterfaces Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\Mdm\DynamicKeywords\Addresses\NonAutoResolve Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\Mdm\DynamicKeywords Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedInterfaces\IfIso Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\Mdm\DynamicKeywords\Addresses\AutoResolve Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DynamicKeywords\Addresses\NonAutoResolve Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DynamicKeywords\Addresses Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DynamicKeywords Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\Mdm\DynamicKeywords\Addresses Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\Mdm Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile Fagot.a.exe -
Modifies security service 2 TTPs 12 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\PortKeywords Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\MPSSVC\PARAMETERS\ACSERVICE Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Security Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Security Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 Fagot.a.exe -
Mydoom family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 26 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{990CB269-A600-38D0-B7D1-FBD392495F13} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9} Fagot.a.exe -
Boot or Logon Autostart Execution: Port Monitors 1 TTPs 13 IoCs
Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Ports Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon\Ports Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint\OfflinePorts Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\IPP Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters Fagot.a.exe -
Downloads MZ/PE file 7 IoCs
flow pid Process 191 1928 Process not Found 191 1928 Process not Found 191 1928 Process not Found 191 1928 Process not Found 191 1928 Process not Found 191 1928 Process not Found 219 1928 firefox.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 47 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PresentationHost.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\orgchart.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngentask.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngen.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosrec.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvw.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordconv.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runtimebroker.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoadfsb.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieUnatt.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExtExport.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clview.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintDialog.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoasb.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ie4uinit.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemSettings.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msqry32.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosync.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfeedssync.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdxhelper.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieinstal.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\splwow64.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintIsolationHost.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ielowutil.exe Fagot.a.exe -
Manipulates Digital Signatures 1 TTPs 64 IoCs
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2010 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyCTLUsage Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2008 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.26 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllProtectPrompt Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2002 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{06C9E010-38CE-11D4-A2A3-00104BD35090} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.3 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2006 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps\{DE351A42-8E59-11D0-8C47-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{31D1ADC1-D329-11D1-8ED8-0080C76516C6} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2010 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.2 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{7801EBD0-CF4B-11D0-851F-0060979387EA} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\2.5.29.32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.4 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2000 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{5598CFF1-68DB-4340-B57F-1CACF88C9A51} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllLogMismatchPinRules Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{6078065b-8f22-4b13-bd9b-5b762776f386} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSealedDigest\{C689AABA-8E78-11D0-8C47-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs Fagot.a.exe -
ACProtect 1.3x - 1.4x DLL software 3 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral1/files/0x000800000002837b-1423.dat acprotect behavioral1/memory/5936-1425-0x000000007E1A0000-0x000000007E1A7000-memory.dmp acprotect behavioral1/memory/5936-1428-0x000000007E1A0000-0x000000007E1A7000-memory.dmp acprotect -
Boot or Logon Autostart Execution: Print Processors 1 TTPs 2 IoCs
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\winprint Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors Fagot.a.exe -
Executes dropped EXE 18 IoCs
pid Process 2688 Amus.exe 1912 Anti_Virus.exe 1996 Anti_Virus.exe 4812 Ankara.exe 4264 Adapazari.exe 940 KdzEregli.exe 1912 Messenger.exe 4140 Meydanbasi.exe 1948 My_Pictures.exe 3364 Pide.exe 4704 Pire.exe 4520 MeltingScreen.exe 3636 NakedWife.exe 4272 Pikachu.exe 3108 Pikachu.exe 5936 MyDoom.A.exe 5768 xpajB.exe 2512 Fagot.a.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 7 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc Fagot.a.exe -
Loads dropped DLL 1 IoCs
pid Process 5936 MyDoom.A.exe -
Modifies system executable filetype association 2 TTPs 54 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\PropertySheetHandlers Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\tabsets Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\DropHandler Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\PintoStartScreen Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\PropertySheetHandlers Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon Fagot.a.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Fagot.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microzoft_Ofiz = "C:\\Windows\\KdzEregli.exe" Amus.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dllhost32 = "C:\\Windows\\system32\\dllhost32.exe" Fagot.a.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ie4uinit.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PresentationHost.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\orgchart.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvw.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExtExport.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clview.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdxhelper.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieUnatt.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ielowutil.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintDialog.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngen.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieinstal.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintIsolationHost.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosync.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runtimebroker.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngentask.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoadfsb.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfeedssync.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\splwow64.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msqry32.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosrec.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoasb.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordconv.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemSettings.exe Fagot.a.exe -
Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} Fagot.a.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
flow ioc 190 raw.githubusercontent.com 191 raw.githubusercontent.com 192 raw.githubusercontent.com 193 raw.githubusercontent.com 218 raw.githubusercontent.com 219 raw.githubusercontent.com -
Maps connected drives based on registry 3 TTPs 3 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum Fagot.a.exe -
Modifies WinLogon 2 TTPs 13 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39} Fagot.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultUserName = "COCK_SUCKING_FAGGOT" Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions Fagot.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName = "COCK_SUCKING_FAGGOT" Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17} Fagot.a.exe -
Drops file in System32 directory 41 IoCs
description ioc Process File created C:\Windows\SysWOW64\services.exe:Zone.Identifier:$DATA Fagot.a.exe File created C:\windows\SysWOW64\progman.exe Fagot.a.exe File created C:\windows\SysWOW64\ntoskrnl.exe Fagot.a.exe File created C:\windows\SysWOW64\ctfmon.exe Fagot.a.exe File created C:\windows\SysWOW64\recover.exe Fagot.a.exe File created C:\Windows\SysWOW64\wowexec.exe:Zone.Identifier:$DATA Fagot.a.exe File created C:\windows\SysWOW64\regedit.exe Fagot.a.exe File created C:\windows\SysWOW64\ntkrnlpa.exe Fagot.a.exe File created C:\Windows\SysWOW64\bootok.exe:Zone.Identifier:$DATA Fagot.a.exe File created C:\windows\SysWOW64\chcp.exe Fagot.a.exe File created C:\Windows\SysWOW64\chcp.exe:Zone.Identifier:$DATA Fagot.a.exe File created C:\Windows\SysWOW64\wuauclt.exe:Zone.Identifier:$DATA Fagot.a.exe File created C:\windows\SysWOW64\bootok.exe Fagot.a.exe File created C:\Windows\SysWOW64\imapi.exe:Zone.Identifier:$DATA Fagot.a.exe File created C:\windows\SysWOW64\systray.exe Fagot.a.exe File created C:\Windows\SysWOW64\dllhost32.exe:Zone.Identifier:$DATA Fagot.a.exe File created C:\Windows\SysWOW64\ntoskrnl.exe:Zone.Identifier:$DATA Fagot.a.exe File created C:\windows\SysWOW64\autochk.exe Fagot.a.exe File created C:\windows\SysWOW64\imapi.exe Fagot.a.exe File created C:\windows\SysWOW64\win.exe Fagot.a.exe File created C:\Windows\SysWOW64\userinit32.exe Fagot.a.exe File created C:\windows\SysWOW64\chkntfs.exe Fagot.a.exe File created C:\Windows\SysWOW64\alg.exe:Zone.Identifier:$DATA Fagot.a.exe File created C:\windows\SysWOW64\logon.exe Fagot.a.exe File created C:\Windows\SysWOW64\MDM.exe:Zone.Identifier:$DATA Fagot.a.exe File created C:\windows\SysWOW64\services.exe Fagot.a.exe File created C:\Windows\SysWOW64\win.exe:Zone.Identifier:$DATA Fagot.a.exe File created C:\windows\SysWOW64\wuauclt.exe Fagot.a.exe File created C:\Windows\SysWOW64\dumprep.exe:Zone.Identifier:$DATA Fagot.a.exe File created C:\Windows\SysWOW64\userinit32.exe:Zone.Identifier:$DATA Fagot.a.exe File created C:\windows\SysWOW64\shutdown.exe Fagot.a.exe File created C:\windows\SysWOW64\dumprep.exe Fagot.a.exe File created C:\Windows\SysWOW64\logon.exe:Zone.Identifier:$DATA Fagot.a.exe File created C:\windows\SysWOW64\MDM.exe Fagot.a.exe File created C:\Windows\SysWOW64\shimgapi.dll MyDoom.A.exe File created C:\WINDOWS\SysWOW64\userinit.exe Fagot.a.exe File created C:\Windows\SysWOW64\progman.exe:Zone.Identifier:$DATA Fagot.a.exe File created C:\Windows\SysWOW64\ntkrnlpa.exe:Zone.Identifier:$DATA Fagot.a.exe File created C:\windows\SysWOW64\wowexec.exe Fagot.a.exe File created C:\Windows\SysWOW64\dllhost32.exe Fagot.a.exe File created C:\windows\SysWOW64\alg.exe Fagot.a.exe -
resource yara_rule behavioral1/files/0x000800000002837a-1405.dat upx behavioral1/memory/5936-1420-0x00000000004A0000-0x00000000004AD000-memory.dmp upx behavioral1/files/0x000800000002837b-1423.dat upx behavioral1/memory/5936-1425-0x000000007E1A0000-0x000000007E1A7000-memory.dmp upx behavioral1/memory/5936-1428-0x000000007E1A0000-0x000000007E1A7000-memory.dmp upx behavioral1/memory/5936-1427-0x00000000004A0000-0x00000000004AD000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\eventlog_provider.dll xpajB.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.45\msedgeupdateres_fr-CA.dll xpajB.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Linq.Resources.dll xpajB.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.WorkflowServices.dll xpajB.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll xpajB.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedge_elf.dll xpajB.exe File opened for modification C:\Program Files\VideoLAN\VLC\npvlc.dll xpajB.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOARIA.DLL xpajB.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\OMICAUT.DLL xpajB.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedge_pwa_launcher.exe xpajB.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\extensibility.dll xpajB.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\concrt140.dll xpajB.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_gu.dll xpajB.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Linq.Resources.dll xpajB.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\GKPowerPoint.dll xpajB.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\BHO\ie_to_edge_stub.exe xpajB.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.45\msedgeupdateres_lo.dll xpajB.exe File opened for modification C:\Program Files (x86)\Common Files\System\msadc\msadce.dll xpajB.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-conio-l1-1-0.dll xpajB.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll xpajB.exe File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe xpajB.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.45\msedgeupdateres_sr.dll xpajB.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-convert-l1-1-0.dll xpajB.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE xpajB.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationFramework.resources.dll xpajB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libGLESv2.dll xpajB.exe File opened for modification C:\Program Files\Mozilla Firefox\gkcodecs.dll xpajB.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000A.DLL xpajB.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE xpajB.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoia.exe xpajB.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\webview2_integration.dll xpajB.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Utilities.v3.5.dll xpajB.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll xpajB.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-string-l1-1-0.dll xpajB.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe xpajB.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\onnxruntime.dll xpajB.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\Microsoft.PackageManagement.resources.dll xpajB.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll xpajB.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7FR.DLL xpajB.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Entity.Design.Resources.dll xpajB.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationClient.resources.dll xpajB.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedge_proxy.exe xpajB.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.45\msedgeupdateres_cs.dll xpajB.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll xpajB.exe File opened for modification C:\Program Files (x86)\Windows Defender\MpOAV.dll xpajB.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl.dll xpajB.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_sq.dll xpajB.exe File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe xpajB.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_or.dll xpajB.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\penjpn.dll xpajB.exe File opened for modification C:\Program Files (x86)\Windows NT\Accessories\WordpadFilter.dll xpajB.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationBuildTasks.resources.dll xpajB.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_nb.dll xpajB.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHMAIN.DLL xpajB.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Windows.Presentation.resources.dll xpajB.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\vcruntime140_1.dll xpajB.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_hr.dll xpajB.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll xpajB.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\EBWebView\x64\EmbeddedBrowserWebView.dll xpajB.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\de\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll xpajB.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\onramp.dll xpajB.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\elevated_tracing_service.exe xpajB.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_ur.dll xpajB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroSup64.dll xpajB.exe -
Drops file in Windows directory 21 IoCs
description ioc Process File created C:\Windows\Pide.exe Amus.exe File opened for modification C:\Windows\Cekirge.exe Amus.exe File created C:\Windows\Messenger.exe Amus.exe File created C:\Windows\My_Pictures.exe Amus.exe File opened for modification C:\Windows\My_Pictures.exe Amus.exe File opened for modification C:\Windows\Pide.exe Amus.exe File opened for modification C:\Windows\Pire.exe Amus.exe File created C:\Windows\Cekirge.exe Amus.exe File opened for modification C:\Windows\Anti_Virus.exe Amus.exe File created C:\Windows\Pire.exe Amus.exe File created C:\Windows\Ankara.exe Amus.exe File opened for modification C:\Windows\Ankara.exe Amus.exe File created C:\Windows\Adapazari.exe Amus.exe File created C:\Windows\Anti_Virus.exe Amus.exe File opened for modification C:\Windows\KdzEregli.exe Amus.exe File opened for modification C:\Windows\Messenger.exe Amus.exe File created C:\Windows\Meydanbasi.exe Amus.exe File opened for modification C:\Windows\Meydanbasi.exe Amus.exe File opened for modification C:\Windows\Adapazari.exe Amus.exe File created C:\Windows\NOTEPAD.EXE Fagot.a.exe File created C:\Windows\KdzEregli.exe Amus.exe -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 7 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File created C:\Users\Admin\Downloads\MyDoom.A.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\xpajB.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\Fagot.a.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\Amus.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\MeltingScreen.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\NakedWife.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\Pikachu.exe:Zone.Identifier firefox.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh Fagot.a.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh Fagot.a.exe -
System Location Discovery: System Language Discovery 1 TTPs 21 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MeltingScreen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xpajB.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ankara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language KdzEregli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Messenger.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meydanbasi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NakedWife.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pikachu.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pide.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anti_Virus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anti_Virus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adapazari.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pire.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pikachu.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MyDoom.A.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language My_Pictures.exe -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 Fagot.a.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Fagot.a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Storport Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Storport Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties Fagot.a.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A Fagot.a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 Fagot.a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters Fagot.a.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A Fagot.a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM Fagot.a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters Fagot.a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 Fagot.a.exe -
Checks processor information in registry 2 TTPs 36 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Fagot.a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Fagot.a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 Fagot.a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Fagot.a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe -
Enumerates system info in registry 2 TTPs 64 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus Fagot.a.exe -
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{f5078f1f-c551-11d3-89b9-0000f81fe221} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D24D4453-1F01-11d1-8E63-006097D2DF48} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C46C1BE2-3C52-11D0-9200-848C1D000000} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{A2E30750-6C3D-11D3-B653-00C04F79498E} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{027713F2-5FA8-11d2-875B-00A0C93C09B3} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{777D0B4C-75C9-4874-ABFF-80B4BE8DC532} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CERTREV Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCELERATED_GRAPHICS\USESWRENDER Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{f5078f22-c551-11d3-89b9-0000f81fe221} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{ec444cb6-3e7e-4865-b1c3-0de72ef39b3f} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CC45B0B0-72D8-4652-AE5F-5E3E266BE7ED} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{939EA880-465C-4A4A-B465-B0073167902D} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_IMG Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\PrivacyAdvanced Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CHECK_SIG Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BF3FF9A2-AC03-40a1-BA0F-F31076325AA7} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B375275F-4705-4D2C-88C1-A891105B9ABA} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8DBC7A04-B478-41D5-BE05-5545D565B59C} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{687F154E-1099-11D4-91F9-005004B34F28} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4C85388F-1500-11D1-A0DF-00C04FC9E20F} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm6i.dll Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{0C1E01A6-7923-46D8-8E3D-0F62B4A0250B} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\PREFETCH_PRERENDER Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6E22710B-F799-11CF-9227-00AA00A1EB95} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2BD0D2F2-52EC-11D1-8C69-0E16BC000000} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{267DB0B3-55E3-4902-949B-DF8F5CEC0191} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\UnattendBackup\ActiveSetup\DisableFirstRunWizard Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DLCONTROL_BEHAVIORS Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{1A8AC5E1-7AAC-47E9-8D8F-1D4B499F83CE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AED6483E-3304-11D2-86F1-006008B0E5D2} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{47AF06DD-8E1B-4CA4-8F55-6B1E9FF36ACB} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\UnattendBackup\MSCompatibilityMode Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B8E73359-3422-4384-8D27-4EA1B4C01232} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9B8E377B-7291-491A-B611-BB3E1D5F99F0} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{37de7045-5056-456f-8409-c871e0f8b0e0} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm5p.dll Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SITECERT Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\BLOCKMIXEDIMAGES Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F399F5B6-3C63-4674-B0FF-E94328B1947D} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6AD28EE1-5002-4E71-AAF7-BD077907B1A4} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm6s.dll Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F0975AFE-5C7F-11D2-8B74-00104B2AFB41} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E673DCF2-C316-4C6F-AA96-4E4DC6DC291E} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3A9428A7-31A4-45E9-9EFB-E055BF7BB3DB} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C37C480-CEE3-11D1-82C3-0060089253D0} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{43F8F289-7A20-11D0-8F06-00C04FC295E1} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3f8a6c33-e0fd-11d0-8a8c-00a0c90c2bc5} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\UnattendBackup\ShowInformationBar Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\EmbedExtnToClsidMappings Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F2175210-368C-11D0-AD81-00A0C90DC8D9} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E56CCB42-598C-462D-9AD8-4FD5B4498C5D} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{69DEAF94-AF66-11D3-BEC0-00105AA9B6AE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4EA7C4C5-C5C0-4F5C-A008-8293505F71CC} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\112DBD99BB88B1ADC7241D45E67F03F0096122B5 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{22FC6CE8-7D47-479F-B74A-BFBB04ADB9AF} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\PopupBlockerAllowList Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4A5869CF-929D-4040-AE03-FCAFC5B9CD42} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{457A23DF-6F2A-4684-91D0-317FB768D87C} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\UnattendBackup\DisableDevTools Fagot.a.exe -
Modifies Internet Explorer start page 1 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "www.blacksnake.com" Fagot.a.exe -
Modifies registry class 64 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset\ascii Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.OpenDocumentSpreadsheet.12\shell Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{32966928-6FC2-45EC-A8AC-1BC6FD428C83} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.vlc\shell\AddToPlaylistVLC\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.avifs\Shell\print\DropTarget Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{1CB2BFD1-B2F8-3B5B-B1CC-2F7CE81A15E7} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Forms.CommandButton.1 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Template.8\shell\Open Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{162E354B-486D-4488-B052-81CE8B34FF5D}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F38D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{71A90727-588A-35A8-A30C-1675E488016D}\15.0.0.0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{206DAF34-5BA5-3504-8A19-D57699561886}\2.0.0.0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ExcelMacrosheet\Protocol\StdFileEditing\Server Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\AddToPlaylistVLC\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{64C95285-358E-47C5-8249-695F383B2BDB} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\System.Security.VerificationException Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ms-cxh-wam Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\IMEAPI.CImeRequestSenderJK Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B6AA13DE-1380-40E3-8618-73CBCA48138C}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9ED13477-E909-45BC-BADC-2106D04D6BD7}\InprocServer32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002E187-0000-0000-C000-000000000046}\InprocServer32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.ts\shell\PlayWithVLC Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\c:|Program Files (x86)|Common Files|Microsoft Shared|MSEnv|PublicAssemblies|extensibility.dll Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.wpl\OpenWithProgIds Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.aif Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0332-0000-0000-C000-000000000046}\TypeLib Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mod\DefaultIcon Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\TypeLib Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.FLAC Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\System.Runtime.Remoting.Services.TrackingServices Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{38B309AF-090C-47bb-8CFA-8CF758ECA76F}\15.0.0.0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\OrgPlusWOPX.4\shell Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.mef\ShellEx\{e357fccd-a995-4576-b01f-234630154e96} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC827C5E-99AE-4AC8-83AD-2EA5C2034333}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\DefaultIcon Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.snd\shell\Open\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Patches\2D0058F6F08A743309184BE1178C95B2\SourceList Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.vstm\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{c415ff7a-aa4e-5258-9e6d-101de46e0097} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C11ADCA6-65F5-391B-8CDD-B0DF708B7AA8}\15.0.0.0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset\unicode-1-1-utf-7 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{f3ed4299-de36-5d82-993f-35fc677d8b72} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{FCCB82A4-40EF-3DE0-B972-4A14EBDC2B08}\15.0.0.0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C00FC1FE-FA95-4D94-B79C-0C13F0A03C78}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\VersionIndependentProgID Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.wmv\shell Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B4DDD66F-48BF-33C4-B074-F0D61992E186}\15.0.0.0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.DirectSoundWave\CurVer Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DC24CDB5-15F5-5A1D-A60B-AE12F9F42F06}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0379-0000-0000-C000-000000000046} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Visio.Drawing.11\shellex Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.mp4v\shellex Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\shellex Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{EBFB6414-51CD-374A-9A96-5C2B0BB128CC}\15.0.0.0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\PBrush\shell\edit\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.spx Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D0761B5-A36D-41E0-98CF-BBB8E6253B21}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{048EB43E-2059-422F-95E0-557DA96038AF}\DataFormats Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.wmv\shell\Open Fagot.a.exe -
Modifies system certificate store 2 TTPs 60 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3B1EFD3A66EA28B16697394703A72CA340A05BD5 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates\8A334AA8052DD244A647306A76B8178FA215F344 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates\2BD63D28D7BCD0E251195AEB519243C13142EBC3 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\31F9FC8BA3805986B721EA7295C65B3A44534274 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\FlightRoot Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CRLs Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\B68D8F953E551914324E557E6164D68B9926650C Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CTLs Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\Certificates Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CRLs Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates\6CA22E5501CC80885FF281DD8B3338E89398EE18 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs\27748148BBE67A43CDBFEC6C3784862CE134E6EA Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E04DE896A3E666D00E687D33FFAD93BE83D349E Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\51501FBFCE69189D609CFAF140C576755DCC1FDF Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CTLs Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates\11194FAB14616ED8259FB94DCD17CE99DAB04CDD Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\06F1AA330B927B753A40E68CDF22E34BCBEF3352 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\Certificates Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CTLs Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates\CE97FCF4ABACBFC662AF418EA1D4862F951D3D5D Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\2C85006A1A028BCC349DF23C474724C055FDE8B6 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\92B46C76E13054E104F230517E6E504D43AB10B5 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0119E81BE9A14CD8E22F40AC118C687ECBA3F4D8 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CRLs Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates\9E78FB9F9527D859700D303DFA589B3073951DCB Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates\D73F0C22273FA4C717A3A735F7E992F31190F010 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates\A4B37F4F6DE956922273D5CB8E7E0AAFB7033B90 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates\F8DB7E1C16F1FFD4AAAD4AAD8DFF0F2445184AEB Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates Fagot.a.exe -
NTFS ADS 9 IoCs
description ioc Process File created C:\Users\Admin\Downloads\ILOVEYOU.vbs:Zone.Identifier firefox.exe File created C:\Users\Admin\AppData\Local\Temp\NakedWife.exe\:Zone.Identifier:$DATA NakedWife.exe File created C:\Users\Admin\Downloads\xpajB.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\Fagot.a.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\Amus.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\MeltingScreen.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\NakedWife.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\Pikachu.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\MyDoom.A.exe:Zone.Identifier firefox.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 6108 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 5768 xpajB.exe -
Suspicious behavior: LoadsDriver 64 IoCs
pid Process 4732 Process not Found 3272 Process not Found 5448 Process not Found 1608 Process not Found 3372 Process not Found 4020 Process not Found 900 Process not Found 1272 Process not Found 3504 Process not Found 3964 Process not Found 5848 Process not Found 5936 Process not Found 4444 Process not Found 3644 Process not Found 4276 Process not Found 5196 Process not Found 1964 Process not Found 64 Process not Found 5376 Process not Found 5352 Process not Found 2256 Process not Found 4708 Process not Found 320 Process not Found 1276 Process not Found 3228 Process not Found 4904 Process not Found 2860 Process not Found 2416 Process not Found 812 Process not Found 2880 Process not Found 2452 Process not Found 2476 Process not Found 4024 Process not Found 3600 Process not Found 3180 Process not Found 5624 Process not Found 3636 Process not Found 4448 Process not Found 5320 Process not Found 2784 Process not Found 5328 Process not Found 1588 Process not Found 5988 Process not Found 3388 Process not Found 3800 Process not Found 4860 Process not Found 6084 Process not Found 2900 Process not Found 1864 Process not Found 3676 Process not Found 5996 Process not Found 560 Process not Found 1420 Process not Found 5856 Process not Found 5716 Process not Found 888 Process not Found 1544 Process not Found 2624 Process not Found 5384 Process not Found 1548 Process not Found 4952 Process not Found 2772 Process not Found 2480 Process not Found 656 Process not Found -
Suspicious use of AdjustPrivilegeToken 40 IoCs
description pid Process Token: SeDebugPrivilege 1928 firefox.exe Token: SeDebugPrivilege 1928 firefox.exe Token: 33 2784 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2784 AUDIODG.EXE Token: SeDebugPrivilege 504 taskmgr.exe Token: SeSystemProfilePrivilege 504 taskmgr.exe Token: SeCreateGlobalPrivilege 504 taskmgr.exe Token: SeDebugPrivilege 1928 firefox.exe Token: SeDebugPrivilege 1928 firefox.exe Token: SeDebugPrivilege 1928 firefox.exe Token: 33 504 taskmgr.exe Token: SeIncBasePriorityPrivilege 504 taskmgr.exe Token: SeDebugPrivilege 1928 firefox.exe Token: SeDebugPrivilege 6100 taskmgr.exe Token: SeSystemProfilePrivilege 6100 taskmgr.exe Token: SeCreateGlobalPrivilege 6100 taskmgr.exe Token: 33 6100 taskmgr.exe Token: SeIncBasePriorityPrivilege 6100 taskmgr.exe Token: SeDebugPrivilege 4620 taskmgr.exe Token: SeSystemProfilePrivilege 4620 taskmgr.exe Token: SeCreateGlobalPrivilege 4620 taskmgr.exe Token: 33 4620 taskmgr.exe Token: SeIncBasePriorityPrivilege 4620 taskmgr.exe Token: SeDebugPrivilege 1928 firefox.exe Token: SeDebugPrivilege 1068 taskmgr.exe Token: SeSystemProfilePrivilege 1068 taskmgr.exe Token: SeCreateGlobalPrivilege 1068 taskmgr.exe Token: 33 1068 taskmgr.exe Token: SeIncBasePriorityPrivilege 1068 taskmgr.exe Token: SeDebugPrivilege 5128 taskmgr.exe Token: SeSystemProfilePrivilege 5128 taskmgr.exe Token: SeCreateGlobalPrivilege 5128 taskmgr.exe Token: 33 5128 taskmgr.exe Token: SeIncBasePriorityPrivilege 5128 taskmgr.exe Token: SeDebugPrivilege 1928 firefox.exe Token: SeDebugPrivilege 2956 taskmgr.exe Token: SeSystemProfilePrivilege 2956 taskmgr.exe Token: SeCreateGlobalPrivilege 2956 taskmgr.exe Token: 33 2956 taskmgr.exe Token: SeIncBasePriorityPrivilege 2956 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe 504 taskmgr.exe -
Suspicious use of SetWindowsHookEx 46 IoCs
pid Process 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 2688 Amus.exe 1912 Anti_Virus.exe 5052 SecHealthUI.exe 1996 Anti_Virus.exe 4812 Ankara.exe 4264 Adapazari.exe 940 KdzEregli.exe 1912 Messenger.exe 4140 Meydanbasi.exe 1948 My_Pictures.exe 3364 Pide.exe 4704 Pire.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 3636 NakedWife.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 4272 Pikachu.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 3108 Pikachu.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe 1928 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 6012 wrote to memory of 1928 6012 firefox.exe 86 PID 6012 wrote to memory of 1928 6012 firefox.exe 86 PID 6012 wrote to memory of 1928 6012 firefox.exe 86 PID 6012 wrote to memory of 1928 6012 firefox.exe 86 PID 6012 wrote to memory of 1928 6012 firefox.exe 86 PID 6012 wrote to memory of 1928 6012 firefox.exe 86 PID 6012 wrote to memory of 1928 6012 firefox.exe 86 PID 6012 wrote to memory of 1928 6012 firefox.exe 86 PID 6012 wrote to memory of 1928 6012 firefox.exe 86 PID 6012 wrote to memory of 1928 6012 firefox.exe 86 PID 6012 wrote to memory of 1928 6012 firefox.exe 86 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 6096 1928 firefox.exe 87 PID 1928 wrote to memory of 4728 1928 firefox.exe 90 PID 1928 wrote to memory of 4728 1928 firefox.exe 90 PID 1928 wrote to memory of 4728 1928 firefox.exe 90 PID 1928 wrote to memory of 4728 1928 firefox.exe 90 PID 1928 wrote to memory of 4728 1928 firefox.exe 90 PID 1928 wrote to memory of 4728 1928 firefox.exe 90 PID 1928 wrote to memory of 4728 1928 firefox.exe 90 PID 1928 wrote to memory of 4728 1928 firefox.exe 90 -
System policy modification 1 TTPs 13 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard\ExceptionFormats Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\Users Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI Fagot.a.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\NOTEPAD.EXEC:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\EICAR.txt1⤵
- Opens file in notepad (likely ransom note)
PID:6108
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:6012 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Downloads MZ/PE file
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2016 -prefsLen 27101 -prefMapHandle 2020 -prefMapSize 270279 -ipcHandle 2108 -initialChannelId {82810cea-2d99-4b57-b9ff-d10a3cfa2d86} -parentPid 1928 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1928" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu3⤵PID:6096
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2480 -prefsLen 27137 -prefMapHandle 2484 -prefMapSize 270279 -ipcHandle 2492 -initialChannelId {a0b69670-59e3-473d-a27b-d9c61827f692} -parentPid 1928 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1928" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket3⤵PID:4728
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3832 -prefsLen 27277 -prefMapHandle 3836 -prefMapSize 270279 -jsInitHandle 3840 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3848 -initialChannelId {5135c337-cf3a-46ac-8758-95b00210b9a1} -parentPid 1928 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1928" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab3⤵
- Checks processor information in registry
PID:5000
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4000 -prefsLen 27277 -prefMapHandle 4004 -prefMapSize 270279 -ipcHandle 4100 -initialChannelId {6ffd4dbe-df7a-40fb-a354-e60c87acecc6} -parentPid 1928 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1928" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd3⤵PID:4548
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2736 -prefsLen 34776 -prefMapHandle 2864 -prefMapSize 270279 -jsInitHandle 2804 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2744 -initialChannelId {5ca26dd5-181d-4013-b94a-9f9a1bcc8ddd} -parentPid 1928 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1928" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab3⤵
- Checks processor information in registry
PID:5072
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5144 -prefsLen 35013 -prefMapHandle 5140 -prefMapSize 270279 -ipcHandle 5104 -initialChannelId {68c73b75-45f8-4e6b-8699-bf83f9f224c7} -parentPid 1928 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1928" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility3⤵
- Checks processor information in registry
PID:1708
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5320 -prefsLen 32900 -prefMapHandle 5324 -prefMapSize 270279 -jsInitHandle 5328 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5336 -initialChannelId {ba607fbf-db4f-4aa2-9688-df2bfdbc1462} -parentPid 1928 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1928" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab3⤵
- Checks processor information in registry
PID:2576
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5548 -prefsLen 32900 -prefMapHandle 5552 -prefMapSize 270279 -jsInitHandle 5556 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5376 -initialChannelId {322f4101-6e54-4622-93c4-7753aecd78f6} -parentPid 1928 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1928" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab3⤵
- Checks processor information in registry
PID:956
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5724 -prefsLen 32900 -prefMapHandle 5728 -prefMapSize 270279 -jsInitHandle 5732 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5740 -initialChannelId {8e6cd4f4-76cf-4fdf-8dcc-1e90d27c4b7e} -parentPid 1928 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1928" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab3⤵
- Checks processor information in registry
PID:5940
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6748 -prefsLen 33071 -prefMapHandle 6752 -prefMapSize 270279 -jsInitHandle 6756 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6232 -initialChannelId {af616040-cadb-4618-9d5c-44f09a46459d} -parentPid 1928 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1928" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab3⤵
- Checks processor information in registry
PID:3680
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5768 -prefsLen 36502 -prefMapHandle 7132 -prefMapSize 270279 -jsInitHandle 7156 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7152 -initialChannelId {ecc9e6a9-258c-4e6d-b82a-3f93b890af72} -parentPid 1928 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1928" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 11 tab3⤵
- Checks processor information in registry
PID:3144
-
-
C:\Users\Admin\Downloads\Amus.exe"C:\Users\Admin\Downloads\Amus.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2688
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4824 -prefsLen 36598 -prefMapHandle 6972 -prefMapSize 270279 -jsInitHandle 5304 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6304 -initialChannelId {3a3ee8dd-a4b1-4029-bd39-37750d487c8c} -parentPid 1928 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1928" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 12 tab3⤵
- Checks processor information in registry
PID:4232
-
-
C:\Users\Admin\Downloads\MeltingScreen.exe"C:\Users\Admin\Downloads\MeltingScreen.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4520
-
-
C:\Users\Admin\Downloads\NakedWife.exe"C:\Users\Admin\Downloads\NakedWife.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:3636
-
-
C:\Users\Admin\Downloads\Pikachu.exe"C:\Users\Admin\Downloads\Pikachu.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4272
-
-
C:\Users\Admin\Downloads\Pikachu.exe"C:\Users\Admin\Downloads\Pikachu.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3108
-
-
C:\Users\Admin\Downloads\MyDoom.A.exe"C:\Users\Admin\Downloads\MyDoom.A.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5936 -
C:\Windows\SysWOW64\notepad.exenotepad C:\Users\Admin\AppData\Local\Temp\Message4⤵PID:1960
-
-
-
C:\Users\Admin\Downloads\xpajB.exe"C:\Users\Admin\Downloads\xpajB.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:5768
-
-
C:\Users\Admin\Downloads\Fagot.a.exe"C:\Users\Admin\Downloads\Fagot.a.exe"3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- Boot or Logon Autostart Execution: Active Setup
- Boot or Logon Autostart Execution: Port Monitors
- Event Triggered Execution: Image File Execution Options Injection
- Manipulates Digital Signatures
- Boot or Logon Autostart Execution: Print Processors
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Modifies system executable filetype association
- Adds Run key to start application
- Indicator Removal: Clear Persistence
- Installs/modifies Browser Helper Object
- Maps connected drives based on registry
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Modifies system certificate store
- System policy modification
PID:2512
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x514 0x5101⤵
- Suspicious use of AdjustPrivilegeToken
PID:2784
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:504
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4884
-
C:\Windows\Anti_Virus.exe"C:\Windows\Anti_Virus.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1912
-
C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:5052
-
C:\Windows\System32\SecurityHealthHost.exeC:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding1⤵PID:1652
-
C:\Windows\System32\SecurityHealthHost.exeC:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding1⤵PID:4336
-
C:\Windows\System32\SecurityHealthHost.exeC:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding1⤵PID:808
-
C:\Windows\System32\SecurityHealthHost.exeC:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding1⤵PID:3080
-
C:\Windows\Anti_Virus.exe"C:\Windows\Anti_Virus.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1996
-
C:\Windows\Ankara.exe"C:\Windows\Ankara.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4812
-
C:\Windows\Adapazari.exe"C:\Windows\Adapazari.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4264
-
C:\Windows\KdzEregli.exe"C:\Windows\KdzEregli.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:940
-
C:\Windows\Messenger.exe"C:\Windows\Messenger.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1912
-
C:\Windows\Meydanbasi.exe"C:\Windows\Meydanbasi.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4140
-
C:\Windows\My_Pictures.exe"C:\Windows\My_Pictures.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1948
-
C:\Windows\Pide.exe"C:\Windows\Pide.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3364
-
C:\Windows\Pire.exe"C:\Windows\Pire.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4704
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\ILOVEYOU.vbs"1⤵PID:4928
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:6100
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4620
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1068
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:5128
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2956
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
7Active Setup
1Port Monitors
1Print Processors
1Registry Run Keys / Startup Folder
2Winlogon Helper DLL
2Browser Extensions
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
3Change Default File Association
1Image File Execution Options Injection
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
7Active Setup
1Port Monitors
1Print Processors
1Registry Run Keys / Startup Folder
2Winlogon Helper DLL
2Create or Modify System Process
2Windows Service
2Event Triggered Execution
3Change Default File Association
1Image File Execution Options Injection
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Safe Mode Boot
1Indicator Removal
1Clear Persistence
1Modify Registry
13Subvert Trust Controls
3Install Root Certificate
1SIP and Trust Provider Hijacking
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h550saij.default-release\activity-stream.contile.json
Filesize4KB
MD5fd83cec12358cca410ecc5e014b2d53b
SHA16b799ba6842fc8e3e609a7cd795372bb0d097d85
SHA256d4241e494363931c3dc9ffbdd23e5257fd9ecdb3e20d5e06f07c79e9e038284e
SHA51215e162d18522a3db23af4c2f83cfae935bb84694dfb5b70da794f42f0861f262d4761a0452322ce4f3d21f24ff6cb874c7cb1f4380a6e0adafc6c9798254c0ac
-
Filesize
56KB
MD5efbf300d55fa5a5eefab41e1eb391eda
SHA17940761f654262abb958ad09e56a6f9339f2c8d9
SHA2567034266a9abb98b652f22d6da5c10a239207675cf607768994f8df7bbc1c5107
SHA512c8fc1aba05078644505d54a0d1d971917d6c5f1c23bc58eacd85a0f54164472aa56d93adf076266bf1c9a4ecb7ab0c448baf8d606bdafb8c498359bbcbe71c80
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h550saij.default-release\cache2\entries\1A5996C16946393FC0B184220943714409DE2FE0
Filesize43KB
MD5094a5780ad793e9dd76e7a9315a3ca8e
SHA143725bd382fe5fff011acd27542ca405ddee14e6
SHA256c758c43ba91c100b2102f235b78c181dfff2920fadd286a8bf67500d0df02020
SHA512c8091f9d6d3542569970e1c346b5035eb7f191979957ed449e03ea17dc097de97032fca53f509197b9ab21f4ab7b6de5a296bf40b504fa6944616eebb2c371e5
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h550saij.default-release\cache2\entries\2F879E430745EC79E1888DA9C3EA593AA94D739F
Filesize25KB
MD58f3d9a1368bfcf5a400d7e1422a04c4c
SHA169e85dfc9ac74a88d5305bd2bb6fb182129d25e7
SHA256bf45b4f32901d3d17cbc6245b027b800102bee2293cb084c6612936fe881293c
SHA512da7091a5521af23f77ae5146ce1cb885bd9aa7ddf6af5041ce2fed76d409457173c09bf9d705c8da5df53f68ef8c020f34098158f5700c0699bb5ec0c39ffc3d
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h550saij.default-release\cache2\entries\311589B5F7E27FD8DAEE1AEB3F2A1C1A3FFED5A9
Filesize16KB
MD5c1ffc99034a4ccd9c0a6e897b828ef7f
SHA17caae9d271e64be0fca7fb238f19d562291b31f4
SHA2569ea763638eb0719c306f5b6617c19b3228ed1c25986588052fbc4b9b2ec9c611
SHA512a15f8aad3a1e74f1beb8d7aae669475b48bebc43f32433a3dfd1c3fe4e15589ad8a15fa51ad46cd8829b5a8fdfdc6bb7a036d7f43ad1bd1a68efb12bb6d8db78
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h550saij.default-release\cache2\entries\33809CDBDD69269236BB05F66DFF2693F384205C
Filesize60KB
MD545fe4e00a251bd105775f211f6638742
SHA13b61c38ccf6e3329df834e433849183683f0fc3e
SHA256593550482b78ebab051b429aa5eba6142d589c43cfb06f625f07fc5ae94d4f53
SHA51255302e7017344f90dac1328fa20b270e7f94506a9a77756339142f38058a0b67c1cb12681ae22f95dd1c4c9cae9d864a50e3a97d0dd1035fe2795ae0d696ed9d
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h550saij.default-release\cache2\entries\35547F305B43F28C7F3664D49C1AD32A7112A1A4
Filesize34KB
MD5c68d24fd73fa3e077be69e33a0e1cfbf
SHA128c3cbfbde7c4a8f3a3bfb0aaf5acba261a8a458
SHA25676ce473f18fbc77a6440e46cda5f733b5af1eda762228b1630f76961ffbf1934
SHA512bf735348f93d2187f594fb3fbf30df1ed7285b86acf0585538699f874a59953991e451c2031f5f7960b2ee2b611ca90af519a377965aa3cd4c4a6f9785ac9af8
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h550saij.default-release\cache2\entries\3A1FDC6B34A57BABDC117F984BC456C512AF3C8A
Filesize95KB
MD5282068460e481be01beb97b83742989b
SHA1a17510cc5c139a3b04677dcc2bcdb04c01dfc647
SHA256d3713059be420cfbe0d09a977d7eed505f085f0dce42c51e874e05b305a7f27b
SHA512d7cacbf09ecc5fee67dae0057ef0a350661ca214430453585c027b13463e8b135bc9b3672545de517d2dce8de7c2407aa7e3f890d482b14f53dd94a7a2ed5ed2
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h550saij.default-release\cache2\entries\5ACB46A5A72DCA2C675A19F9DCC5C68E4EEE16B7
Filesize34KB
MD55f7cfbf275f436fc447b77e7484220b3
SHA1c091543a737b57bbbdd0d236e23ad78d07244c62
SHA256f0ddd9e97d65a3eeb2dd977d7b3304a0e8d7ae2d9e3688012eb23bbda017319b
SHA51202894c609dde24a7bca9e1325ef8bcfbc92b86905bc567241eb5d1ad9b2e91efa0e15b2d9b056feadc1f43017fa55ea4550c9eca00096e869b475b4307968594
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h550saij.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F
Filesize13KB
MD56e7691411606700a82f24a0992195eb9
SHA17ae084918f2de77d277e086bf5196b36d5b74a78
SHA2568e5c9482aa10836002fd43dfa8390ad56c05c07c3623ba796ad8e35ebaca991e
SHA512d324b1f1bcde9aa33630c3d207076f63b4429b9a73900d25e6ce6edc91fa5c07feade5b2530a9c5f79ab1988a48423b24c2173e4d17b5625ecab83f9702e39c0
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h550saij.default-release\cache2\entries\8D11864F69B6D9276086D87F1C72386DC26A1DF7
Filesize17KB
MD52452594c82b75b7b2b816046718581a4
SHA16ce76183a4f84b0c347aa3399b57843b41071f7d
SHA256125d9eb73ce5ed59a39a10b8161e3357eb23d0a9339123b84b7af140b064c51c
SHA5126e7702c63c1bb4186079d53e75c38455d974f971c04e977caf5b2721587f49dd36dd95fffc3f4db5f4b70eceab4c0cbd0e60fd9a0bafc5a86400bbe4a491aa86
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h550saij.default-release\cache2\entries\956C138E7E189A8F1B675B499ED2D87604EE6E73
Filesize16KB
MD5dd5e4d8a70ce53f1256c0e72c0ea8cf5
SHA11f48038cd28e8ff9eb33fbed8e7cf41d77dea1a3
SHA256fc75843b48d923fe79fe64b35e16c6191337f412e14c6c83515cf9f15574a13f
SHA51231f214211041e5df9119ac742c68749d073fd6e5af92336a681ff979799189980036490724f1240b7deb29edd8f69a1eddeff8c7b19eb3f6c283c56cc8b7ae88
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h550saij.default-release\cache2\entries\97AFFA25C9ED84269BA5F8059413E057B9831B3A
Filesize41KB
MD589f81a0ab06e4a68693024532206ebe8
SHA10807c340f453817ee89f6c5cb8e49a2059d80933
SHA256d8ca0c581c9386fffbb892d2422cb9392fbe1ae6a5a33ebe4f5cdfe6c3a254d3
SHA512f6d49cadb0cb42be280151afc357adbe5a2a729c187b3d0803b0ed8a8d3274d614b899d14a38f322c3ae00bfb02bb157111dc6bbc2cbea4e23f4e304fb340fc1
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h550saij.default-release\cache2\entries\A6C74BC2260EAFF823C7AED38BBA607C962CCB55
Filesize39KB
MD5fa3376ced554f66cbb19af1c08a46fd6
SHA1aa7543debf8eb45a47c6f53438038de69b0ce5e9
SHA25608a47db6dd089936a812982aa5fb77230b2c788f1a4559b98674b94f02589df1
SHA512428f07a68e40eac6596ab6dcd30d62a773c5210683c92249099f73b5244d0f82bb9103bf80c79573d3387ac89d61fe312390221b7040b3633b20462021e72042
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h550saij.default-release\cache2\entries\BC02779E4549B742F87E407101403B7CA65078CE
Filesize45KB
MD553317437523498525ed306c89d34688f
SHA1af1cc1da0460c7624138220f2a14947caba17623
SHA256ccae5fc12ebef77be559c2e88496173ccfcd8db078ac679f360d13904c7b6fc0
SHA512c6341bedf21b62bd3ca6bf75ef6971081a47b1bbc268448927bbcedc46d72cad587d724fe7507d3b5eca4bd8f542fe19a4491c6ed7ac4b567885da08ebe8e2ee
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h550saij.default-release\cache2\entries\E19316B1CDA62317F9DA2551F9B56E711FCC77AD
Filesize13KB
MD5385a2b5199c8cea260cf1a73d4b377ff
SHA166c0bb339cc83c1e88ccd50da7c43f9ebd8b4221
SHA256b670350c0f3fd3ce3372a13f71ba299a3e4210000a7b7723b44f49007ba58d1a
SHA512cb34932bf11b7eb350588cf4636754bf4dbac6b7348d1dd54e0cdd4276cdae9133c78473be787e81675130bf52a2d1360b5617190cbd97e2b0663eedeadd94ce
-
Filesize
502KB
MD5e690f995973164fe425f76589b1be2d9
SHA1e947c4dad203aab37a003194dddc7980c74fa712
SHA25687862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171
SHA51277991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2
-
Filesize
14.0MB
MD5bcceccab13375513a6e8ab48e7b63496
SHA163d8a68cf562424d3fc3be1297d83f8247e24142
SHA256a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9
SHA512d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize18KB
MD529f3e5f986302e5526a5ea6648917817
SHA11626afb283b560e3e2494b3ab6ea10fc1124156e
SHA256c82bbda2473ddef47fb32781291d5b09251be969d780a7e0e6f11a2600a13f14
SHA512630ba39cef45586c0367b8a65824760b6177d50d7ad5c6f7966ddf72eb79cc29db00dbfb2cc1dcf252c3b606705c36f2ba188d43b6a2799c652babad4fedbc90
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize20KB
MD5b7825792e9244c662560a076b41d72bd
SHA1a46c938ca6501e7c8061cbb1e78f0e281ae61548
SHA256eae574c8e2360a40ccfe7889d7801fcf1bc286bf4b513fa12525064d4757bcac
SHA512f5479060b50c26cf761d42aa7f7658d7a3bf3478498f6f6b93d311e10209383ba230e237f0059308e3771b4f660cd13ab0db519826ddec2a63f34562ea4ad7dc
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize20KB
MD53cc63c22ea75abca352e2a41536e03ee
SHA1c9f1ec3e26b8f947f8a35daa5fe6d7028b3172be
SHA2561e95e9fcb5c04933948734408f684ab798d0b1ddea0799b91d5e8c217bc8fe90
SHA5122c423a131f5b77f71d0f467aeaed4976e969c0c7d42f75bfdff25289cf40a9efbbdc96a7c12b824890d5044a94e91d32c90b477e0d05bd5b4d112a37ce5a0805
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\AlternateServices.bin
Filesize7KB
MD56a0427affe6aabdc34413334b4361348
SHA104e9a6bf382f4cca7cb8cf9d3c9ccd9f1dc4ff39
SHA25622e972ccafc3c0824325eeb6a266ddfa2915700823c0d57fb226df7a2faff764
SHA5123be3d72a5dd8d453dceb4d813f7ebac84575e10425fcad44043869c09559769487ae7fcfd724250e79ee817a9a1decf0a18febe6e5a109bdb0dcd5db17597323
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\AlternateServices.bin
Filesize11KB
MD5d4817cf49fc670aa15cedb6df0a1fe58
SHA163493b0b20f68299fe1c8a15a49d5249bf2e700c
SHA2562461001cef5e3490f0ef147dc0988672882ad6bd3b43461f19cdc111b39c0812
SHA512db30211f057373eacf081bdaf09c18fc37d77c67d002bfdd854f1a48bd628e888e4f8077523b865412c3430262013f192b770b7675dd7850289bc4a2cc24fc1a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\datareporting\glean\db\data.safe.tmp
Filesize7KB
MD5d6963270c1abf5e3e3ec80a4b3ce5629
SHA1fdd9e62eb83fdb7883f022887227d25d98000193
SHA2568bc11fa2c0f300b779736d1c800ebe75dd696287e02374d949d066b70632dc43
SHA5120406a228f55c2593f452b380c6a677124492218275cc0b06a29fef1686a9cd393f6a4434578cac331ec914d7fcc364b8b8388953f8dad2238b518c892139c2ed
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD57a2e89761234f7336b411fea7b3f178c
SHA14eeee45d3e17eead28fbfe0a5d21ce45b2dd19ed
SHA256c705fb711aa8a16cc8f8a07e19a26f5bb1e7ab03717d65a9a2d2ae27355dbb7c
SHA51244dee199632a6da44fdec245f160db5923d08573e1a2ebf7e8d773b3435a404afc67d1027d962e1872af31d2b93b078c353c953cc8c79a6187e7775507b10215
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD5efd0af4488eee89e43fa07309b377b6c
SHA1c45c8025cdb98a6ed7854cf28034ad04daf33223
SHA256d258e04bf9a76944a4604c5d6ec7ffd10110deb6fe753edabf18cdacb7724f5e
SHA512322929d947456a64bed84bc80454d6d6b8e933940a9f890e03e8c26a53ba9fd1d3727d02cb86e5086b97fd8f0388491457fe6c0293d5ee6528744ea8c6d18e49
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD5ca56f787a8611b4ddc465472ec9e169e
SHA1238a748190b08e63deed8b5011f92098ce953d1a
SHA256448c32f8fae48053cf21a0d1aefbbee176389241bcb5518d1d04b3218dbf1f45
SHA512ce3577f9ce78e68439f6db42241937ada233d1933ed1f9df2cc6763d6556e896591b0cb8d2637ff2ef71bd258d2ee119affd3c14cf5f67e5eb9da04347309299
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\datareporting\glean\events\events
Filesize4KB
MD559999ae9af46660f862df7ee62200fe9
SHA1e7699f2a0d0edf3089abf81903c841165b94de34
SHA256c220818cfa8c39b25ef5add5af7cfba40b3a51b42811d52e61a6cc98e2f93efd
SHA51257c692050bbdd2777e9f31b271e646a8287e5b7207384b8299d697d7087030dbdbb1672680b98763019ece5bef1e6028ee3b25322443c0d222fedeffe08fda6b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\datareporting\glean\events\events
Filesize1KB
MD502592a453b0c3706831111bf9e755620
SHA1fcdbc90f411b4a78f93089b89651adc1620fd5cc
SHA256d9a71f122b4d971e54c2eb08429a44bf6350cb47ab35cb729468f3cd2d38e47b
SHA51282a29d705dd3f48f94193bb0bcb0bfb9e26b7f6b079aa681c04c5a16ed457d541ba9c2cc50c653dc3080c61787a721701343a31ab1a31822dd1705abf432e619
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\datareporting\glean\pending_pings\003430b2-0b0e-4f3d-9557-b8b27a91dee4
Filesize883B
MD57974c8f0217bd55bdfcb3f8753d22996
SHA1e3a8b0a99e02a1c2647f7b6586039e42f873dcd2
SHA2562496f11d8cbde828c3e83be65f3945d60d3098890412b39c8eec0c0dd4868fb6
SHA51282b8cc9be25d395269ddec2d0167e746117a016d9071e2aaf1963b127f5c7908d59c88019d741548e1b4c2d244c7aead3c9f436735c753c5a59ae14fac4de0b9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\datareporting\glean\pending_pings\2cbcfe21-634c-435b-a3a1-e6c201d293b6
Filesize2KB
MD5b68f6356a637bc99d612bcd31058d8e9
SHA14322fdf6aa34fa8ecd2624d016d96a184c714aad
SHA256d053638adfdcccbe9d16b9b5b6808ed313510245b6301a5b10ae685558e9d149
SHA512584c14df7b1287b647b40294293c24431ee0a6a429dbfdb4e46b68f0df91999417ebf3feeb4c98761f24af1221c2edaa22e11f3999c47f7c4374b6b75b61bf6b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\datareporting\glean\pending_pings\36d3a202-ecdb-4d22-a8fe-e18675e3ce7d
Filesize235B
MD53814fceed00242c501ecc41e07f42aad
SHA1fad7bc074c923b68ba5504f9686403eda41a6a64
SHA25601a139f96d83ade10e254fe30692c94c12e61ecf7c19c915c442f386e246efa7
SHA512525543d85a5e01ab80afc712e823f090d2a6e56a32a99733fd154e5f6058fb67bc787398028ffb79d74d740d7c4c2ae4ea68e06456e551e44451d473a040837c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\datareporting\glean\pending_pings\64c30c6c-eda5-4410-8fc9-43f8f254b799
Filesize235B
MD5c47c720a8995e2c6ad2ef0a87a926191
SHA13e6c06dfd9188ab0ff315cd693372fc0d818de61
SHA256e131dba63db2a8993940d5083d1426d05cac17dca7e75899dedf4059affb86fb
SHA51264ff40484e149d0a533efd65c12ae2879260c712dd212962621a5e26b55e49869443be60e2faeb8491edb11a29f303a16f90c4e9a9e2f6467089ff008f9c571b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\datareporting\glean\pending_pings\a22694af-461f-47ac-9c26-769d06f1a4be
Filesize15KB
MD58e4c0979fc57f34abb0316d3efa927d7
SHA19e2c85dff243cd4aad9d34cdfc19050738f2e784
SHA2561ae2b3354277e677e756a5017b5fe0efc54a32746419999854dc8ea4671b4f74
SHA512242f79b4476388f0571956bbf4ca84400e88b2f83206752ca1b3aa42ef321cf5578520b70a277817411de2e684fdc2ef4935c693a4f9fe3a3898e0a4ac3c4d0e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\datareporting\glean\pending_pings\b4bcbb58-e4d5-4947-86d8-cf3bd6f7f333
Filesize886B
MD52df7140f5cccb5c3c2ff058beea8e08a
SHA10cf9196b6fd72e4bd4976e5c9f7da3f1eb645555
SHA256acf0e621c7c4d9fa466f80a8c40a2a1e8ea513f57e71e160fd4448671a5d2d1a
SHA512a126ca7946dee585e05618887391966331f0ed82c6b8b54559c359b931a6bfe53f92ba239362d40fb835754eaebfcbca8fe1e35b84ea5a18568d862f17cb3806
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll
Filesize1.1MB
MD5626073e8dcf656ac4130e3283c51cbba
SHA17e3197e5792e34a67bfef9727ce1dd7dc151284c
SHA25637c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651
SHA512eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info
Filesize116B
MD5ae29912407dfadf0d683982d4fb57293
SHA10542053f5a6ce07dc206f69230109be4a5e25775
SHA256fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6
SHA5126f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json
Filesize1001B
MD532aeacedce82bafbcba8d1ade9e88d5a
SHA1a9b4858d2ae0b6595705634fd024f7e076426a24
SHA2564ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce
SHA51267dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll
Filesize18.5MB
MD51b32d1ec35a7ead1671efc0782b7edf0
SHA18e3274b9f2938ff2252ed74779dd6322c601a0c8
SHA2563ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648
SHA512ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499
-
Filesize
8KB
MD524247863b0825f3de9d7351c475dce00
SHA12df56b5532c66a4a86c96ac0f27ed84a02bc78b1
SHA2566735ded5b02b514fbd95cf6f69caf8082f859e2c6c100ddf6438b91a1071f33c
SHA512398ac1f13f27d0955ae983b1aed287892310a27df6e626af663e2c19f033b5a11bafa8d4a93cc041def8faee6a7fd2535fcf183b553d8652aecab6afc5833b32
-
Filesize
6KB
MD55137cd7011378a5c3246d494e47c93e1
SHA18dd0f611c121a9899f0767591433f65e4fdcff3c
SHA256999a0e8aa74844db4ae8fb622606a985b7f57d496fd21ae307607d8aa52716e9
SHA512a0241d2e0b72a01eea5e5358201f845ebcde474b9d23262559db8b0ce2274e411d437324206dac2bf3e29dca4c32f4a08c7cfa3bf5b799b433a8f792827da22b
-
Filesize
7KB
MD540a1c684886f2decd1d5784b84ac0091
SHA1063bca84dabff8fdd888dd6cda8b7d3019473105
SHA25689f8c54856725b400c4f8b69f090bd6ed67014f3aa7bc5c7419d6c27e4660b76
SHA51233951a0856571ffd7d24fabfed6ab3b90232f58cb026f655ac558cdfe80f7f6b86ece16b4f7ac489f56b6c074a20453639198e989f28d9959907015296ccfaa1
-
Filesize
6KB
MD56675375ded2cc208f8e6f592aed8fd2f
SHA119a97b58e0f1f380363df17667fa74eab203c5ba
SHA256f08172928b9dc70a5ea8b085d6ae4b58c4e663a0482ec037bbd51c8c1a9030c8
SHA512447746c85b662de8abed0de65a715498a833a31f7bd6ee33632fb90726c29a135e2d1bcd6822c4f0acd1afb680ae6369621745d2324e6fc090250a56899389a4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD572cae5ffbcbb804c39ad7fd9db047ffb
SHA12e3d57ac85efa7be360e95900b9d81165036c85b
SHA25695e0046c5b2f0b445a7ef0124f7140fd96981cfc758562bf059db6a2c43c1980
SHA512d355c95be7e243ee7dd5446216de4863ba439c3605cf1fa06db8c664b4e71f9b012e34068a7e66ba62e56a1158766ee33d2b227656080ff0e5b8057e2bd38ddb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD5a323a81b16adb95441a575c54150ec67
SHA1d72aec1566c38763afdf907837e70383baf91c3d
SHA2560d82d91791cc3bc0859716d1f6a1d631c8813f4ba449899b4ae1934d39d6717e
SHA512b500fbd6cdde1bbdc44e74df9522a158306715368385cca7604319fee74d5ae1e328f2f22653d28d8a41517c3ffb9b951d19736895b084cccb97060c5686db7a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD574258d76c82d73da95c763b229d86c07
SHA132d5c2e599c9395919dc6b92534870e3019eb682
SHA2566f1a13ec84cbae14c8180208b999fcbc697b0425d737abc981ab4b2f8fa62b7b
SHA512536eb39501529bece2d37a85a6b3347a2cf3e7db7577a77eb0fb9147f4422cdd15322768144883652e13d297d568ec8cc2e97bef08cc66878c6f0a70e463a559
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\sessionstore-backups\recovery.baklz4
Filesize5KB
MD53da4da399f0ec43470509426522e9a9a
SHA122737469b0be27a89a0339fa47bb4bd727781ed2
SHA256a70818d6f9ebaad4fa2acb1c2f01c480f27f3786fa70384029ccaa14cf30f83c
SHA51224469a2481c31f67b235d1204f016420a7d9df39309b9ed7eeafba88b6ac593caa54636257dab5e745352b01d4fd79473fca248a52be097924709b4f92e60ea8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD519d471eec5e708ac6fe582f0c5e2e327
SHA1263c5f08f0b6a7e2023b067b87478316d91648f5
SHA256e74eb23b285aafabfc4b2486983571ae1400baedeec42b1b60dc92eefc1ec3de
SHA512eefb979b88eebe3eaf4f3365d6f1d151aca58ea1ee72840616d3641822e9dabecb303a0cb7ee6c19d79214fc5f2b709b7abf7b344db9bb854cf7a65cb16f1ecd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\sessionstore-backups\recovery.baklz4
Filesize3KB
MD57d950b55c1476cabfb37a92e43f9a917
SHA17d4bdf1b2f30c9081cb06ff7f1c0ea3e3520ff5b
SHA2566dc28d9b7ea2e609ffcc590b8c4bb4d5c560a5efb7b81648533d39fa82eabc38
SHA512620f52ad10a5b629225991616ec705a2b4d39810e9f1405c4abc715589759fd0412179fbcc6f8c9765804c75d14e0903ecbd9c7c058a87b3d638dcfcaf3060dd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\sessionstore-backups\recovery.baklz4
Filesize4KB
MD54761f2fa4212e517cf1e9774246984d2
SHA1e98c48dded29f6cb802ba2631779e0e7fbbf85e9
SHA2568789e8e5fc76c06cd15e161aa14f2941b5390657cee32cebd38010ce7aa72da8
SHA51254cf51d042427c8401d91c0592708b0323e4b32e191a1cb3fdb03c443bb96366f9e40122cb99c40ad883afe55ea4370eca4ed6cea5d7e8644969fd20ec8ecdfe
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD5533cbacaaecf593078f765504c9845fa
SHA14f140ac4288adce72e78a0726a707f1546487a62
SHA2562e8a20d9bad07ec5052dbddc0ae26404fff8b06dd7e0b520f9467584ec2c1596
SHA5120a3126bf115874e75b5bc073be2b4360571480eac138cb700dfb08006dc9c23f45dd5a6f8f223aa8867664e951b251180c39a80d24dcb5722e5bb3cf5d488676
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD5d897dad8bee688a9aa06af160d8fb876
SHA1618ff0fa8a76cd2a56b87fc49d217643e211f3d2
SHA256f3ec51c849c7b7afc37bcb223bc65f5c2774c9fc0032b3369cbd5c964c40803a
SHA5129720ff06784c4caf54d66efa1bfdaede6f7ffc81acda4b496b7beaf3a079f9d9329800e2d1f7a6a8f99e440119983bd7be704cb593c7e1a372ffa42372223b01
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\sessionstore-backups\recovery.baklz4
Filesize9KB
MD58344d824a18bbdc9f55ba9591e72e8ac
SHA16cbeaca65a8765a01b60d4e4dcfd909312ca2f57
SHA2563d8205350335cd716d61c9faeb35972fb4278eb280330952d25f27ef5cd7448d
SHA512c16f9698fb4c2c89eaa4f2b9f197fcd958e7a56c28a529ac30dce763dc3534224f0e8e67d32dac54a53dd2a997d02b076b6fd3b6f25492fb5cb1e4360a8153a3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD515224eb597bc16afc8c20ea69a9ac05a
SHA1e4f2a74a3884d6c7680d0b40ef7488affb5f1616
SHA256f30d0b1e68f63af83e04b5189014bca842d88fea3fe901de09a72439505abb67
SHA5123711acac4f396b06eb60638a52789a76ea101493aa9acdbd8d4768bc6d6cb1671573da0208199c3a6e9c958e5a348c2a1d47bb2111be242e23747cee8363c773
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD531803227634c1947517e8a32a00f1b83
SHA12017e66895d991e9b30ebe9b128728db16d50597
SHA2569c9d9746cbedadbc51b78993d19bcf07632ef3633f7161028e81de5e086ce40a
SHA5129c21255b4aa795ac3864a58a921db6bde532b1b29b001f5d51997dda238685e0699a21164e7338360b4350154a4f041dc635420e3286f00fd95301e7fa275329
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD525a49acf3063822c3a532ea366b6ec48
SHA1e751d9c920f12636d6408a8d013249a7d570d4d0
SHA25649cd725ec292f917f6e86261140f46f85d6f0cf8758afc5df92fab28e2253f12
SHA5126480b7eecc6b783ebdd337708e08cb014f9230cbdd0da5f1c31fcb0e0882332596f7860798b8f521be755c5bcea1c0aac65a1b1b5ae53c0f4c34d04ffe449dc5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\sessionstore-backups\recovery.baklz4
Filesize5KB
MD5f9daac4dd2d49e0f981e21a21c016b96
SHA187bef88cda355f61e26b7d75b68fd59fb089641f
SHA25680d336ca122e75e9bbea1d8f44af9fc535651fe73613e99742ae3f8dc1bbf69d
SHA5127f8d9ea1773a33949d1a5a8029350f65f91541ff00569c27b4805cd0ffe89215459cc4f250b5594e099c8be74235fc13e6129643a1cb54e6569ee52a94aed6e5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\sessionstore-backups\recovery.baklz4
Filesize5KB
MD59cd8f228724c64843337b6badbf0ab1e
SHA1045c966f9bc47742bad720efe5d4356f28b946c2
SHA256f2e410e5c9b8180c1df3115ebb041db196d1ba990dd4094e66f3cf1fd2a30741
SHA51230e92e53c95f3d98f362f0e681b5a249d0c702c26aa876abdbb8b89e03dfa0cb2a8de8753908a95560ef0faaeb8c6967c949c17213d63d83957694458fe6c1f1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\storage\default\https+++github.com\ls\usage
Filesize12B
MD52702cf2c596653e7f819ef8043199bb4
SHA1b618a3a9dc7ca128c3758fb6679268aa2544ffb6
SHA2569bc44582e16d35b2afa3d21dc832f961f8de3a0507f4c3039df5053abd56fae6
SHA512948b978f1025ed8e5494ee708a31fad9ba2c3c186c7f64f0a29c0fbe502ae9536bbb3c731cbc50b95992c8045dc8a8f3d65a90012bf7d75bb323dfe950758fd9
-
Filesize
50KB
MD547abd68080eee0ea1b95ae31968a3069
SHA1ffbdf4b2224b92bd78779a7c5ac366ccb007c14d
SHA256b5fc4fd50e4ba69f0c8c8e5c402813c107c605cab659960ac31b3c8356c4e0ec
SHA512c9dfabffe582b29e810db8866f8997af1bd3339fa30e79575377bde970fcad3e3b6e9036b3a88d0c5f4fa3545eea8904d9faabf00142d5775ea5508adcd4dc0a
-
Filesize
373KB
MD530cdab5cf1d607ee7b34f44ab38e9190
SHA1d4823f90d14eba0801653e8c970f47d54f655d36
SHA2561517527c1d705a6ebc6ec9194aa95459e875ac3902a9f4aab3bf24b6a6f8407f
SHA512b465f3b734beaea3951ff57759f13971649b549fafca71342b52d7e74949e152c0fbafe2df40354fc00b5dc8c767f3f5c6940e4ba308888e4395d8fd21e402b3
-
Filesize
10KB
MD58e2c097ca623ca32723d57968b9d2525
SHA1dccfb092fa979fb51c8c8ca64368a6f43349e41d
SHA256556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1
SHA512a468476a8463c36c2db914e3fe4dc7aee67ac35e5e39292107431d68ab1553ca3c74255a741432ba71e8a650cf19eb55d43983363bfc9710e65b212fba37bbde
-
Filesize
17KB
MD54784e42c3b15d1a141a5e0c8abc1205c
SHA148c958deba25a4763ef244ac87e87983c6534179
SHA2569d355e4f9a51536b05269f696b304859155985957ba95eb575f3f38c599d913c
SHA512d63d20a38602d4d228367b6596454a0f5b2884c831e3a95237d23b882abd624de59ea47835636b06a96e216f1decf8c468caacd45e5d3b16a5eb9e87bc69eb97
-
Filesize
22KB
MD553df39092394741514bc050f3d6a06a9
SHA1f91a4d7ac276b8e8b7ae41c22587c89a39ddcea5
SHA256fff0ccf5feaf5d46b295f770ad398b6d572909b00e2b8bcd1b1c286c70cd9151
SHA5129792017109cf6ffc783e67be2a4361aa2c0792a359718434fec53e83feed6a9a2f0f331e9951f798e7fb89421fdc1ac0e083527c3d3b6dd71b7fdd90836023a0
-
Filesize
72KB
MD5da9dba70de70dc43d6535f2975cec68d
SHA1f8deb4673dff2a825932d24451cc0a385328b7a4
SHA25629ceeb3d763d307a0dd7068fa1b2009f2b0d85ca6d2aa5867b12c595ba96762a
SHA51248bbacb953f0ffbe498767593599285ea27205a21f6ec810437952b0e8d4007a71693d34c8fc803950a5454738bea3b0bafa9ff08cd752bf57e14fedf4efb518
-
Filesize
32KB
MD5715614e09261b39dfa439fa1326c0cec
SHA152d118a34da7f5037cde04c31ff491eb25933b18
SHA256e1dfc005d5403fb2f356276f0abe19df68249ce10e5035450926d56c2f8d3652
SHA512fe905c388b0711f54941076a29b11f2b605655b4a3f409d9f0f077f2fe91f241401035310daa490afb6df50a6deff5456be5ee86984e7b9069506efa07af51ae
-
Filesize
520KB
MD5bd76fc01deed43cd6e368a1f860d44ed
SHA1a2e241e9af346714e93c0600f160d05c95839768
SHA256e04c85cd4bffa1f5465ff62c9baf0b29b7b2faddf7362789013fbac8c90268bf
SHA512d0ebe108f5baf156ecd9e1bf41e23a76b043fcaac78ff5761fdca2740b71241bd827e861ada957891fbc426b3d7baa87d10724765c45e25f25aa7bd6d31ab4ec
-
Filesize
4KB
MD58750df7c3d110ebc870f7afe319426e6
SHA1a770fff05a829f666517a5f42e44785d6f0b4ae7
SHA256fa3f934083746a702de18b927284f0145d4b82a92f2111693e93a4f762b50c00
SHA512dfcbc2ba358ec40143e842d5242781a59943e646f50c41010a8cc4e2c5a15d5b19dcd2ee9556a0317ca73283e84d1f9d1b0b8b7470b493fe38e4e027336b8a2a