Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    13-06-2024 23:02

General

  • Target

    Vega X Windows_31929942.exe

  • Size

    9.5MB

  • MD5

    3d50042e3e3991be509f56a2951a2183

  • SHA1

    f027790afe9d7ce2ddf17973f0778fb9e983ded1

  • SHA256

    76eee256f1223082e8396611baca498542c656edd0fac5fe903e06e6cb5677e2

  • SHA512

    120c6a7778bd9f65f469d3335987b780e736bd895ed944d0988372f891b48f9ba09b50ed9dcffd0bf1fa23a12e215ed1f1ffe75d11c925ff4c08d3e48259a873

  • SSDEEP

    196608:xoEToOU9+86NdnrqNnHmQ3bKfIiaNPFHNRsiK:xLTtU/QxrqNHL3bIIiEHMn

Score
6/10

Malware Config

Signatures

  • Checks for any installed AV software in registry 1 TTPs 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 4 IoCs
  • Enumerates processes with tasklist 1 TTPs 4 IoCs
  • Modifies registry class 4 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • NTFS ADS 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 63 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Vega X Windows_31929942.exe
    "C:\Users\Admin\AppData\Local\Temp\Vega X Windows_31929942.exe"
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4604
    • C:\Users\Admin\AppData\Local\setup31929942.exe
      C:\Users\Admin\AppData\Local\setup31929942.exe hhwnd=786550 hreturntoinstaller hextras=id:d8d090d10951db6-AU-gr7xh
      2⤵
      • Checks for any installed AV software in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2092
      • C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe
        "C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4452
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:896
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /FI "PID eq 4452" /fo csv
            5⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:428
          • C:\Windows\SysWOW64\find.exe
            find /I "4452"
            5⤵
            PID:324
          • C:\Windows\SysWOW64\timeout.exe
            timeout 1
            5⤵
            • Delays execution with timeout.exe
            PID:2544
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /FI "PID eq 4452" /fo csv
            5⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:4424
          • C:\Windows\SysWOW64\find.exe
            find /I "4452"
            5⤵
            PID:2212
          • C:\Windows\SysWOW64\timeout.exe
            timeout 1
            5⤵
            • Delays execution with timeout.exe
            PID:2184
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /FI "PID eq 4452" /fo csv
            5⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:4240
          • C:\Windows\SysWOW64\find.exe
            find /I "4452"
            5⤵
            PID:4272
          • C:\Windows\SysWOW64\timeout.exe
            timeout 5
            5⤵
            • Delays execution with timeout.exe
            PID:4928
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4516
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist /FI "PID eq 2092" /fo csv
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2136
        • C:\Windows\SysWOW64\find.exe
          find /I "2092"
          4⤵
          PID:992
        • C:\Windows\SysWOW64\timeout.exe
          timeout 5
          4⤵
          • Delays execution with timeout.exe
          PID:4048
    • C:\Users\Admin\AppData\Local\setup31929942.exe
      C:\Users\Admin\AppData\Local\setup31929942.exe hready
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:4124
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\link.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:5112
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4140
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2196
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2196.0.995220071\1936159598" -parentBuildID 20221007134813 -prefsHandle 1720 -prefMapHandle 1712 -prefsLen 20845 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d17951b5-3ecf-4ce6-8ebb-b5092bf83f74} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" 1796 1c30c8d9a58 gpu
        3⤵
        PID:4576
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2196.1.1845226701\1046414856" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20926 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46e5e456-bd65-4632-a952-dffea765b622} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" 2152 1c30156b858 socket
        3⤵
        PID:1428
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2196.2.898989352\2010817861" -childID 1 -isForBrowser -prefsHandle 2712 -prefMapHandle 2740 -prefsLen 21029 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa206c80-ffec-4b7a-941a-91e34bb29ca5} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" 2768 1c30c85a358 tab
        3⤵
        PID:3404
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2196.3.1546994663\1897173822" -childID 2 -isForBrowser -prefsHandle 3476 -prefMapHandle 3468 -prefsLen 26214 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9117d78-37ea-4f10-a404-ed98eeecc509} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" 3484 1c30f121158 tab
        3⤵
        PID:4264
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2196.4.1879912621\390224184" -childID 3 -isForBrowser -prefsHandle 3800 -prefMapHandle 3796 -prefsLen 26349 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a9d36eb-ab54-4bae-a467-d8b2c4670804} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" 3808 1c311dcb258 tab
        3⤵
        PID:2548
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2196.5.1172377067\2057117567" -childID 4 -isForBrowser -prefsHandle 4956 -prefMapHandle 4952 -prefsLen 26433 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de655a1a-c86f-433c-81ef-f66a1ccfda6f} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" 4968 1c3109dab58 tab
        3⤵
        PID:824
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2196.6.1873200668\1538495021" -childID 5 -isForBrowser -prefsHandle 4988 -prefMapHandle 4984 -prefsLen 26433 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fc36436-53a2-46fd-b022-1af898dd0e9e} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" 5112 1c312e78258 tab
        3⤵
        PID:4688
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2196.7.1373939822\1176576150" -childID 6 -isForBrowser -prefsHandle 5300 -prefMapHandle 5304 -prefsLen 26433 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {72061f33-5621-4490-b2e6-8443b1b1dade} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" 5292 1c312e75558 tab
        3⤵
        PID:4276
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2196.8.1512390733\555791121" -childID 7 -isForBrowser -prefsHandle 3524 -prefMapHandle 4408 -prefsLen 26913 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {83fb9f95-cdb1-4be9-8eed-ab7c31338b76} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" 2644 1c314ba0958 tab
        3⤵
        PID:3808
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Vega X Windows.txt
    1⤵
    PID:4548

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\activity-stream.discovery_stream.json.tmp
    Filesize
    23KB
    MD5
    044da838ea63fa10d563fca03fcbc22c
    SHA1
    c5e51b8d3a04981678ebf0c985ceda144134c8b9
    SHA256
    141e9abfc419e69f5fb4b51e7ebcf79b9e0c8dfe269d421f7361fc874414a525
    SHA512
    2cc7aa3db412bf2d560a4a776f2d71e26f77a84e0503c5ddb71a6024e6b0dac78948fa08968d479b3f500adde8bc39c820f8f79c6c132b63642daddd7a2a3b32
  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\activity-stream.discovery_stream.json.tmp
    Filesize
    23KB
    MD5
    81c48a03b269e87392a324cec9035712
    SHA1
    fbe397ba52babd61a52bcaa9982dccec2f68676a
    SHA256
    4454733f5e2db78f4ff4b703e88448f218a57a0d7bd77a077f8b732bb8f502c5
    SHA512
    488afb403e118120ba26d20ff467cf6486599f21636b9d794d59833d735b1e3c8b252b48615dfc46df7c10c5742d8c0e7a656db329033519336039650159918e
  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\doomed\7411
    Filesize
    9KB
    MD5
    f3e87db5035b3241df62f180ed3f19a6
    SHA1
    fa2d7c2077cf1be7c5365040598d401d4db12c72
    SHA256
    b4f1e06c7393723aea1c3c700f027d86b6f69173f0838ec1b85cf69cf7e3a8a8
    SHA512
    48280ee5881eb1098cbcc9e6e2bb509132b49d026736336a1695e54603c7ef283c881c4cfa14bc6cb63881516b832d55ebe7c9c91106096b84d3efd970455085
  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
    Filesize
    7KB
    MD5
    c460716b62456449360b23cf5663f275
    SHA1
    06573a83d88286153066bae7062cc9300e567d92
    SHA256
    0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0
    SHA512
    476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30
  • C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OCommonResources.dll
    Filesize
    5.7MB
    MD5
    38cc1b5c2a4c510b8d4930a3821d7e0b
    SHA1
    f06d1d695012ace0aef7a45e340b70981ca023ba
    SHA256
    c2ba8645c5c9507d422961ceaeaf422adf6d378c2a7c02199ed760fb37a727f2
    SHA512
    99170f8094f61109d08a6e7cf25e7fba49160b0009277d10e9f0b9dac6f022e7a52e3d822e9aee3f736c2d285c4c3f62a2e6eb3e70f827ac6e8b867eea77f298
  • C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2ODAL.dll
    Filesize
    15KB
    MD5
    422be1a0c08185b107050fcf32f8fa40
    SHA1
    c8746a8dad7b4bf18380207b0c7c848362567a92
    SHA256
    723aea78755292d2f4f87ad100a99b37bef951b6b40b62e2e2bbd4df3346d528
    SHA512
    dff51c890cb395665839070d37170d321dc0800981a42f173c6ea570684460146b4936af9d8567a6089bef3a7802ac4931c14031827689ef345ea384ceb47599
  • C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OModels.dll
    Filesize
    75KB
    MD5
    c06ac6dcfa7780cd781fc9af269e33c0
    SHA1
    f6b69337b369df50427f6d5968eb75b6283c199d
    SHA256
    b23b8310265c14d7e530b80defc6d39cdc638c07d07cd2668e387863c463741d
    SHA512
    ad167ad62913243e97efaeaa7bad38714aba7fc11f48001974d4f9c68615e9bdfb83bf623388008e77d61cee0eaba55ce47ebbb1f378d89067e74a05a11d9fe3
  • C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OServices.dll
    Filesize
    160KB
    MD5
    6df226bda27d26ce4523b80dbf57a9ea
    SHA1
    615f9aba84856026460dc54b581711dad63da469
    SHA256
    17d737175d50eee97ac1c77db415fe25cc3c7a3871b65b93cc3fad63808a9abc
    SHA512
    988961d7a95c9883a9a1732d0b5d4443c790c38e342a9e996b072b41d2e8686389f36a249f2232cb58d72f8396c849e9cc52285f35071942bec5c3754b213dd5
  • C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OUtilities.dll
    Filesize
    119KB
    MD5
    9d2c520bfa294a6aa0c5cbc6d87caeec
    SHA1
    20b390db533153e4bf84f3d17225384b924b391f
    SHA256
    669c812cb8f09799083014a199b0deee10237c95fb49ee107376b952fee5bd89
    SHA512
    7e2e569549edb6ddd2b0cb0012386aed1f069e35d1f3045bb57704ef17b97129deb7cde8e23bc49980e908e1a5a90b739f68f36a1d231b1302a5d29b722e7c15
  • C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OViewModels.dll
    Filesize
    8KB
    MD5
    be4c2b0862d2fc399c393fca163094df
    SHA1
    7c03c84b2871c27fa0f1914825e504a090c2a550
    SHA256
    c202e4f92b792d34cb6859361aebdbfc8c61cf9e735edfd95e825839920fb88a
    SHA512
    d9c531687a5051bbfe5050c5088623b3fd5f20b1e53dd4d3ed281c8769c15f45da36620231f6d0d76f8e2aa7de00c2324a4bf35a815cefc70ca97bc4ab253799
  • C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Extension.dll
    Filesize
    168KB
    MD5
    28f1996059e79df241388bd9f89cf0b1
    SHA1
    6ad6f7cde374686a42d9c0fcebadaf00adf21c76
    SHA256
    c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce
    SHA512
    9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29
  • C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Resources\OfferPage.html
    Filesize
    1KB
    MD5
    9ba0a91b564e22c876e58a8a5921b528
    SHA1
    8eb23cab5effc0d0df63120a4dbad3cffcac6f1e
    SHA256
    2ad742b544e72c245f4e9c2e69f989486222477c7eb06e85d28492bd93040941
    SHA512
    38b5fb0f12887a619facce82779cb66e2592e5922d883b9dc4d5f9d2cb12e0f84324422cd881c948f430575febd510e948a22cd291595e3a0ba0307fce73bec9
  • C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Resources\tis\Config.tis
    Filesize
    291B
    MD5
    bf5328e51e8ab1211c509b5a65ab9972
    SHA1
    480dfb920e926d81bce67113576781815fbd1ea4
    SHA256
    98f22fb45530506548ae320c32ee4939d27017481d2ad0d784aa5516f939545b
    SHA512
    92bd7895c5ff8c40eecfdc2325ee5d1fb7ed86ce0ef04e8e4a65714fcf5603ea0c87b71afadb473433abb24f040ccabd960fa847b885322ad9771e304b661928
  • C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\app.ico
    Filesize
    766B
    MD5
    4003efa6e7d44e2cbd3d7486e2e0451a
    SHA1
    a2a9ab4a88cd4732647faa37bbdf726fd885ea1e
    SHA256
    effd42c5e471ea3792f12538bf7c982a5cda4d25bfbffaf51eed7e09035f4508
    SHA512
    86e71ca8ca3e62949b44cfbc7ffa61d97b6d709fc38216f937a026fb668fbb1f515bac2f25629181a82e3521dafa576cac959d2b527d9cc9eb395e50d64c1198
  • C:\Users\Admin\AppData\Local\setup31929942.exe
    Filesize
    3.8MB
    MD5
    29d3a70cec060614e1691e64162a6c1e
    SHA1
    ce4daf2b1d39a1a881635b393450e435bfb7f7d1
    SHA256
    cc70b093a19610e9752794d757aec9ef07ca862ea9267ec6f9cc92b2aa882c72
    SHA512
    69d07437714259536373872e8b086fc4548f586e389f67e50f56d343e980546f92b8a13f28c853fc1daf187261087a9dceb33769ba2031c42382742d86c60e4b
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\db\data.safe.bin
    Filesize
    2KB
    MD5
    b4465c24a48c093f50e17b011a8ff5e6
    SHA1
    6871cde78ba283c74161259a87c9e0be12735730
    SHA256
    f4e985e2e50bfdb41d8be6d378c7f26f00e0b8a01959110b9699ddc49a2011e0
    SHA512
    782dca434334d1aa0b58f34b8494bbcd3792b23b980e14762ef45946e253c16183d09b364adb66d8b97985f4bc16117b461cb5ae9123bbd87e6ab7e01eb98a8a
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\ca53487b-e95c-4db3-9422-bdd0f54de90d
    Filesize
    10KB
    MD5
    c7fdf22980600b5072152892fc12092c
    SHA1
    e6fc1ecae2648bf0370811c45a5df14e2424cc7b
    SHA256
    df7cd416a39e5c1e3e7032aaca54786529a327b209a62d7e850206787588ae3d
    SHA512
    b757b5377b6f52f06f258f42e64a68f07f6c3761e508e1c4893f9f9ded9ffae0711f9e12acde1564353dbd8dbd170df0fed57268f272bc0263f1bdea07bd5cef
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\f1ff019a-161c-4336-a90f-2caa8cc9ab47
    Filesize
    746B
    MD5
    d7094ab8e0df392efe373f1b143b1fd6
    SHA1
    cea9e494e4c89cd2524821b41777db2f12686062
    SHA256
    e5478679724354c99a82b3c0e492e22df4cb49736ac45a39ceadd4457cfce043
    SHA512
    9b62880b2e814158a110f3c21fdb6d85a51d707e40f71153c0c87c22dacf47ee6d250719b8537f782e563602a80afea850afd5c2261a489bef6838f2437b279a
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js
    Filesize
    6KB
    MD5
    ae3ea18265b14c56164a364c5c711746
    SHA1
    a837414cd82563b65ff3aed1f72b1f60261111bd
    SHA256
    1c2404d899870a6e966de0211e356d20bbda45955ad2e054a2e546bc0b856875
    SHA512
    cb80f4a0b10e348d20e856c486fc04c72ebeb5b3d60b251d4cc7d2b3b33e0219ebe341d5cefcceb7aaf2f8a4f6b79e130a7a30a221873547078b5a495ae8334d
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js
    Filesize
    6KB
    MD5
    e77a7fbc489fbee48af42f060213fe7b
    SHA1
    d1189b2ef8da10ed4afe728631b97b232f0dfeb5
    SHA256
    b06e9b4a536d65da8db0cbff9d51859fd44bb43e55b7c50f5b26bb1716fad9d0
    SHA512
    cdcb7c15b2173a9b85cf27ee0f7a416a8b598bfaa455a471a456763ac0108286372ae55319f744ae428b5c1a20d43cf3b74b3c5fb0793c607592204a15e13f12
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    3KB
    MD5
    cef0b048f96867afc99fbd9260c7ed79
    SHA1
    64584c5cb88c3a56c993b41dc074c058cfb11887
    SHA256
    73f12f9d38ae77b05c0927ea6819e750714486e34e40934ed749d835accd4112
    SHA512
    6bc39ec0b1e57c90a1d9b9ec55be86b8e389b37604c6b8e08383ab1c86eb1dee5d0a2bb4f680beaa643191c0240e6899a2a7797d523007a4248f9499b37e3329
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    1KB
    MD5
    6465124d63d494c68110a82bd932d874
    SHA1
    1e0604c001cc65834dde2797dcf46d8bfdbb06e8
    SHA256
    125fb4cb4995570c6ab94a23c7b79afc6b75034480aefe0b699125525739bc2b
    SHA512
    bfd9914c9ab7576e58b5373ae27869081df23cf9916040bcc991e5ae14bc68bbecfea2ec2df808966a592955112db7e95ffb5b8c0455cac89fb6fcf25afdd8d1
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    4KB
    MD5
    ace219a58ea2a0169b0f43df80f7c493
    SHA1
    5fbb1cb30650e83d28372be4c705e2cea2159ead
    SHA256
    56757c4b3f8264346827666adf6ad1387c2fd3a826fd0bc6e99d2581e589ebdd
    SHA512
    7edb857c86be58c9b74b8f3bc66418536a7069ab88c2630ac5680d0014ee2065d68b8b0aef018356853e11e46c489615ddd61c8073e5d199ffae87ccd9db9ff7
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    4KB
    MD5
    736d36f7180e2cf9b4e9e6f0cd62766f
    SHA1
    ed2d5da45157aabffe406d5c483e8de9bc81a8cb
    SHA256
    fbc64c41dcf6d2e1b3c256b4e4977c4bb788eb6aa9af864f5c1c9de0084ac962
    SHA512
    3938ae5b063da1267028df1ac9000eb834163bb65f9f2bb6dc9189ed72699c19a240b5ce7d6569bc7b552774dd1be27cdc170006716fe3c1db1117b3ea8fcc7a
  • C:\Users\Admin\Downloads\bwVOoMj1.txt.part
    Filesize
    986B
    MD5
    9942d886ee589cada7de535150367f8c
    SHA1
    ea27feaf844d6af9a85891aff1cfa0a6ba1c4ceb
    SHA256
    82dc56b42658cb082d489d758447d17df53796cbcfea7ba0578ac575fa69f102
    SHA512
    d7e6cd017e648ccda2bb0d52216333b11d1a54c624c9d4d61131fd46fb469e0907b382260921846af4fb4f436febab62f579b1a381e42bdbdd5a3feb89a2a598
  • \Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.LastScreen.dll
    Filesize
    57KB
    MD5
    6e001f8d0ee4f09a6673a9e8168836b6
    SHA1
    334ad3cf0e4e3c03415a4907b2d6cf7ba4cbcd38
    SHA256
    6a30f9c604c4012d1d2e1ba075213c378afb1bfcb94276de7995ed7bbf492859
    SHA512
    0eff2e6d3ad75abf801c2ab48b62bc93ebc5a128d2e03e507e6e5665ff9a2ab58a9d82ca71195073b971f8c473f339baffdd23694084eaaff321331b5faaecf6
  • \Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.dll
    Filesize
    117KB
    MD5
    08112f27dcd8f1d779231a7a3e944cb1
    SHA1
    39a98a95feb1b6295ad762e22aa47854f57c226f
    SHA256
    11c6a8470a3f2b2be9b8cafe5f9a0afce7303bfd02ab783a0f0ee09a184649fa
    SHA512
    afd0c7df58b63c7cfdbedea7169a1617f2ac4bad07347f8ed7757a25ab0719489d93272109b73a1b53e9c5997dedad8da89da7b339d30fc2573ca2f76c630ddb
  • \Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OResources.dll
    Filesize
    19KB
    MD5
    554c3e1d68c8b5d04ca7a2264ca44e71
    SHA1
    ef749e325f52179e6875e9b2dd397bee2ca41bb4
    SHA256
    1eb0795b1928f6b0459199dace5affdc0842b6fba87be53ca108661275df2f3e
    SHA512
    58ce13c47e0daf99d66af1ea35984344c0bb11ba70fe92bc4ffa4cd6799d6f13bcad652b6883c0e32c6e155e9c1b020319c90da87cb0830f963639d53a51f9c6

                              • \Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\HtmlAgilityPack.dll
                                Filesize

                                154KB

                                MD5

                                17220f65bd242b6a491423d5bb7940c1

                                SHA1

                                a33fabf2b788e80f0f7f84524fe3ed9b797be7ad

                                SHA256

                                23056f14edb6e0afc70224d65de272a710b5d26e6c3b9fe2dfd022073050c59f

                                SHA512

                                bfbe284a2ee7361ada9a9cb192580fd64476e70bc78d14e80ad1266f7722a244d890600cf24bfb83d4914e2434272679ba177ee5f98c709950e43192f05e215e

                              • \Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Core.dll
                                Filesize

                                56KB

                                MD5

                                f931e960cc4ed0d2f392376525ff44db

                                SHA1

                                1895aaa8f5b8314d8a4c5938d1405775d3837109

                                SHA256

                                1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870

                                SHA512

                                7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0

                              • \Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Newtonsoft.Json.dll
                                Filesize

                                541KB

                                MD5

                                9de86cdf74a30602d6baa7affc8c4a0f

                                SHA1

                                9c79b6fbf85b8b87dd781b20fc38ba2ac0664143

                                SHA256

                                56032ade45ccf8f4c259a2e57487124cf448a90bca2eeb430da2722d9e109583

                                SHA512

                                dca0f6078df789bb8c61ffb095d78f564bfc3223c6795ec88aeb5f132c014c5e3cb1bd8268f1e5dc96d7302c7f3de97e73807f3583cb4a320d7adbe93f432641

                              • \Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Ninject.dll
                                Filesize

                                133KB

                                MD5

                                8db691813a26e7d0f1db5e2f4d0d05e3

                                SHA1

                                7c7a33553dd0b50b78bf0ca6974c77088da253eb

                                SHA256

                                3043a65f11ac204e65bca142ff4166d85f1b22078b126b806f1fecb2a315c701

                                SHA512

                                d02458180ec6e6eda89b5b0e387510ab2fad80f9ce57b8da548aaf85c34a59c39afaeacd1947bd5eb81bee1f6d612ca57d0b2b756d64098dfc96ca0bf2d9f62f

                              • \Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferSDK.dll
                                Filesize

                                172KB

                                MD5

                                b199dcd6824a02522a4d29a69ab65058

                                SHA1

                                f9c7f8c5c6543b80fa6f1940402430b37fa8dce4

                                SHA256

                                9310a58f26be8bd453cde5ca6aa05042942832711fbdeb5430a2840232bfa5e4

                                SHA512

                                1d3e85e13ff24640c76848981ca84bafb32f819a082e390cb06fe13445814f50f8e3fc3a8a8e962aae8867e199c1517d570c07f28d5f7e5f007b2bb6e664ddb1

                              • \Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\SciterWrapper.dll
                                Filesize

                                134KB

                                MD5

                                105a9e404f7ac841c46380063cc27f50

                                SHA1

                                ec27d9e1c3b546848324096283797a8644516ee3

                                SHA256

                                69fe749457218ec9a765f9aac74caf6d4f73084cf5175d3fd1e4f345af8b3b8b

                                SHA512

                                6990cbfc90c63962abde4fdaae321386f768be9fcf4d08bccd760d55aba85199f7a3e18bd7abe23c3a8d20ea9807cecaffb4e83237633663a8bb63dd9292d940

                              • \Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.Net.dll
                                Filesize

                                101KB

                                MD5

                                83d37fb4f754c7f4e41605ec3c8608ea

                                SHA1

                                70401de8ce89f809c6e601834d48768c0d65159f

                                SHA256

                                56db33c0962b3c34cba5279d2441bc4c12f28b569eadc1b3885dd0951b2c4020

                                SHA512

                                f5f3479f485b1829bbfb7eb8087353aee569184f9c506af15c4e28bfe4f73bf2cc220d817f6dfc34b2a7a6f69453f0b71e64b79c4d500ff9a243799f68e88b9f

                              • \Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.dll
                                Filesize

                                151KB

                                MD5

                                72990c7e32ee6c811ea3d2ea64523234

                                SHA1

                                a7fcbf83ec6eefb2235d40f51d0d6172d364b822

                                SHA256

                                e77e0b4f2762f76a3eaaadf5a3138a35ec06ece80edc4b3396de7a601f8da1b3

                                SHA512

                                2908b8c387d46b6329f027bc1e21a230e5b5c32460f8667db32746bc5f12f86927faa10866961cb2c45f6d594941f6828f9078ae7209a27053f6d11586fd2682

                              • \Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\msvcp140.dll
                                Filesize

                                426KB

                                MD5

                                8ff1898897f3f4391803c7253366a87b

                                SHA1

                                9bdbeed8f75a892b6b630ef9e634667f4c620fa0

                                SHA256

                                51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad

                                SHA512

                                cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03

                              • \Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\vcruntime140.dll
                                Filesize

                                74KB

                                MD5

                                1a84957b6e681fca057160cd04e26b27

                                SHA1

                                8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

                                SHA256

                                9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

                                SHA512

                                5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

                              • memory/2092-86-0x0000000005420000-0x000000000543A000-memory.dmp
                                Filesize

                                104KB

                              • memory/2092-118-0x0000000005550000-0x000000000557C000-memory.dmp
                                Filesize

                                176KB

                              • memory/2092-196-0x00000000070A0000-0x000000000759E000-memory.dmp
                                Filesize

                                5.0MB

                              • memory/2092-110-0x0000000005500000-0x0000000005508000-memory.dmp
                                Filesize

                                32KB

                              • memory/2092-232-0x0000000006DC0000-0x0000000006E52000-memory.dmp
                                Filesize

                                584KB

                              • memory/2092-221-0x0000000007B60000-0x0000000008114000-memory.dmp
                                Filesize

                                5.7MB

                              • memory/2092-246-0x00000000092D0000-0x00000000092FE000-memory.dmp
                                Filesize

                                184KB

                              • memory/2092-102-0x00000000053E0000-0x00000000053EA000-memory.dmp
                                Filesize

                                40KB

                              • memory/2092-94-0x00000000054D0000-0x00000000054F4000-memory.dmp
                                Filesize

                                144KB

                              • memory/2092-147-0x0000000005BC0000-0x0000000005BD2000-memory.dmp
                                Filesize

                                72KB

                              • memory/2092-78-0x0000000005460000-0x0000000005492000-memory.dmp
                                Filesize

                                200KB

                              • memory/2092-17-0x0000000071ACE000-0x0000000071ACF000-memory.dmp
                                Filesize

                                4KB

                              • memory/2092-288-0x0000000071AC0000-0x00000000721AE000-memory.dmp
                                Filesize

                                6.9MB

                              • memory/2092-187-0x0000000006B80000-0x0000000006B8C000-memory.dmp
                                Filesize

                                48KB

                              • memory/2092-70-0x00000000053F0000-0x0000000005418000-memory.dmp
                                Filesize

                                160KB

                              • memory/2092-180-0x00000000064B0000-0x0000000006800000-memory.dmp
                                Filesize

                                3.3MB

                              • memory/2092-62-0x0000000005390000-0x00000000053BE000-memory.dmp
                                Filesize

                                184KB

                              • memory/2092-54-0x0000000005360000-0x0000000005388000-memory.dmp
                                Filesize

                                160KB

                              • memory/2092-179-0x0000000006480000-0x00000000064A2000-memory.dmp
                                Filesize

                                136KB

                              • memory/2092-46-0x0000000005210000-0x0000000005234000-memory.dmp
                                Filesize

                                144KB

                              • memory/2092-40-0x0000000071AC0000-0x00000000721AE000-memory.dmp
                                Filesize

                                6.9MB

                              • memory/2092-37-0x00000000051C0000-0x00000000051D4000-memory.dmp
                                Filesize

                                80KB

                              • memory/2092-178-0x0000000006370000-0x000000000637A000-memory.dmp
                                Filesize

                                40KB

                              • memory/2092-173-0x00000000063F0000-0x000000000647C000-memory.dmp
                                Filesize

                                560KB

                              • memory/2092-128-0x00000000054B0000-0x00000000054CD000-memory.dmp
                                Filesize

                                116KB

                              • memory/2092-18-0x00000000005E0000-0x00000000009B8000-memory.dmp
                                Filesize

                                3.8MB

                              • memory/4452-285-0x0000000000650000-0x000000000065C000-memory.dmp
                                Filesize

                                48KB