Analysis
max time kernel: 409s
max time network: 416s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-08-2024 09:39
Static task: static1
URLScan task: urlscan1

Signatures
UAC bypass
Sets ConsentPromptBehaviorAdmin to 0, which makes UAC elevate members of the Administrators group without showing a consent prompt. The process tree below attributes this signature to wscript.exe (PID 2616).
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, likely a geofence check.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | MEMZ.exe
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | eulascr.exe
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | wscript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | MEMZ.exe
Executes dropped EXE 8 IoCs
Processes:
pid | process
1680 | MEMZ.exe
3552 | eulascr.exe
4504 | MEMZ.exe
5748 | MEMZ.exe
5756 | MEMZ.exe
5332 | MEMZ.exe
2172 | MEMZ.exe
2444 | MEMZ.exe
Loads dropped DLL 1 IoCs
Processes:
pid | process
3552 | eulascr.exe
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\87A6.tmp\eulascr.exe | agile_net
behavioral1/memory/3552-1234-0x0000000000300000-0x000000000032A000-memory.dmp | agile_net
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | MEMZ.exe
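The signature above fires because MEMZ.exe opened \??\PhysicalDrive0 for modification, the raw-disk handle through which an MBR overwrite is carried out. The Python below is an added example, not code from this report or from the sample: it parses a 512-byte MBR (boot code, disk signature, partition table, 0x55AA boot signature), hashes the boot-code region and compares it with a trusted baseline, so an overwrite of the kind this signature flags shows up as a changed hash while a partition-table edit is reported separately. The two sectors embedded are constructed for the example, not taken from the analysed machine; read_live_mbr() only shows the Windows device path, which needs Administrator rights to open.

```python
"""Parse a 512-byte MBR and detect boot-code tampering.

Classic MBR layout:
  0..439   boot code (440 bytes)
  440..443 disk signature (little-endian DWORD)
  444..445 reserved
  446..509 four 16-byte partition entries
  510..511 boot signature 0x55 0xAA
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_SIG = b"\x55\xaa"


def parse_partition(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (CHS fields are skipped)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(sector: bytes) -> dict:
    """Return the security-relevant fields of a raw first sector."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        entry = sector[off:off + PART_ENTRY_LEN]
        if entry[4] != 0:  # partition type 0 marks an empty slot
            parts.append(parse_partition(entry))
    return {
        "signature_ok": sector[510:512] == BOOT_SIG,
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def mbr_tampered(current: bytes, baseline: bytes) -> list:
    """List the ways `current` differs from a trusted `baseline` sector."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    reasons = []
    if not cur["signature_ok"]:
        reasons.append("boot signature 0x55AA missing")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        reasons.append("boot code changed")
    if cur["partitions"] != base["partitions"]:
        reasons.append("partition table changed")
    return reasons


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: synthetic MBR with one bootable NTFS partition (not a real disk)."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[440:444] = struct.pack("<I", 0xDEADBEEF)
    # status 0x80 (bootable), type 0x07 (NTFS/exFAT), start LBA 2048, 204800 sectors
    sector[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                                  b"\xfe\xff\xff", 2048, 204800)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Baseline: a plausible-looking boot stub padded with NOPs (constructed).
BASELINE_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 432)
# Tampered: boot code replaced, partition table untouched (what an MBR overwriter does).
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x00" * 438)


def read_live_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a physical drive on Windows (requires Administrator)."""
    with open(device, "rb") as dev:
        return dev.read(MBR_SIZE)


if __name__ == "__main__":
    print(parse_mbr(BASELINE_MBR))
    print(mbr_tampered(TAMPERED_MBR, BASELINE_MBR))
```

In practice the baseline hash is taken from a known-good image of the same machine; comparing against a generic hash fails because OEM boot code differs between installs.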
Command and Scripting Interpreter: JavaScript 1 TTPs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MEMZ.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Install.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MEMZ.exe
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments. In this run every hit comes from firefox.exe, the browser the analyst used to fetch the archive; browsers read these keys routinely, so these rows are baseline rather than sample behaviour.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings | firefox.exe
NTFS ADS 1 IoCs
firefox.exe writing a Zone.Identifier stream on the downloaded archive is the browser applying Mark-of-the-Web; it records where the file came from and is expected download behaviour, not sample activity.
Processes:
description | ioc | process
File created | C:\Users\Admin\Downloads\windows-malware-master.zip:Zone.Identifier | firefox.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process | rows
4504 | MEMZ.exe | 14
5748 | MEMZ.exe | 14
5756 | MEMZ.exe | 14
5332 | MEMZ.exe | 10
2172 | MEMZ.exe | 12
(64 rows in the original table, one per call; collapsed here by PID)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
Processes:
pid | process | rows
4020 | msedge.exe | 8
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
description | pid | process | rows
Token: SeDebugPrivilege | 2188 | firefox.exe | 8
Token: SeDebugPrivilege | 3552 | eulascr.exe | 1
Suspicious use of FindShellTrayWindow 53 IoCs
Processes:
pid | process
2188 | firefox.exe (repeated rows)
3552 | eulascr.exe (one row)
4020 | msedge.exe (repeated rows)
(53 rows in the original table, one per call)
Suspicious use of SendNotifyMessage 50 IoCs
Processes:
pid | process
2188 | firefox.exe (repeated rows)
4020 | msedge.exe (repeated rows)
(50 rows in the original table, one per call)
Suspicious use of SetWindowsHookEx 9 IoCs
Processes:
pid | process | rows
2188 | firefox.exe | 7
5956 | MrsMajor3.0.exe | 1
2444 | MEMZ.exe | 1
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target pid | target process | rows
wrote to memory of | 2456 | firefox.exe | 2188 | firefox.exe | 11
wrote to memory of | 2188 | firefox.exe | 1036 | firefox.exe | 45
wrote to memory of | 2188 | firefox.exe | 3000 | firefox.exe | 8
(64 rows in the original table; every row is the Firefox parent writing into one of its own child processes)
System policy modification 1 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
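The signatures above are individual events (a registry value set, a key queried, a file opened) that an analyst still has to rank, and several of them (the processor, BIOS and Zone.Identifier hits) belong to the browsers that fetched the archive rather than to the sample. The Python below is an added example, not tooling from this report or its sandbox: it classifies (operation, target, process) events of the kind listed above, normalises HKU paths so the rule does not depend on the sandbox account's SID, maps each hit to an ATT&CK technique, and downgrades hits from the browser processes present in this tree. The event tuples are constructed from rows in this report; the technique mapping, the severity levels and the browser baseline set are the editor's choices.

```python
"""Rank sandbox registry/file events from a report like the one above.

Added example: the event tuples are constructed from rows in this report
(operation, target, process); the classification rules, ATT&CK mapping and
severities are the editor's, not the sandbox's.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Processes the analyst started to fetch the archive. Their own registry reads
# and the Zone.Identifier stream they write are browser baseline, not sample behaviour.
BROWSER_BASELINE = {"firefox.exe", "msedge.exe", "identity_helper.exe"}

# HKU\S-1-5-21-...-1000\... -> HKU\<SID>\..., so rules do not depend on the sandbox account.
_SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")
_SEVERITY_ORDER = ("high", "medium", "low", "info")


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK ID, or "n/a" for expected OS/browser behaviour
    title: str
    process: str
    severity: str    # one of _SEVERITY_ORDER


def normalize(target: str) -> str:
    """Map NT registry paths to HKLM/HKU, mask the user SID, lower-case."""
    t = target.replace("\\REGISTRY\\MACHINE\\", "HKLM\\").replace("\\REGISTRY\\USER\\", "HKU\\")
    return _SID_RE.sub("<SID>", t).lower()


def classify(op: str, target: str, process: str) -> Optional[Finding]:
    """Turn one sandbox event into a Finding, or None if no rule applies."""
    t = normalize(target)
    proc = process.lower()
    if op.startswith("Set value") and "policies\\system\\consentpromptbehavioradmin" in t:
        # ConsentPromptBehaviorAdmin = 0 makes administrators elevate without any prompt.
        m = re.search(r'=\s*"?(\d+)"?\s*$', t)
        if m and m.group(1) == "0":
            return Finding("T1548.002", "UAC elevation prompt disabled (ConsentPromptBehaviorAdmin=0)", proc, "high")
        return Finding("T1112", "UAC policy value modified", proc, "medium")
    if op == "File opened for modification" and "physicaldrive" in t:
        # Raw write handle to the disk: the MBR is sector 0 of this device.
        return Finding("T1542.003", "Physical drive opened for writing (MBR overwrite possible)", proc, "high")
    if "control panel\\international\\geo\\nation" in t:
        return Finding("T1614", "Geo\\Nation lookup (possible geofence)", proc, "medium")
    if t.endswith("control\\nls\\language"):
        return Finding("T1614.001", "System language key opened", proc, "low")
    if op == "File created" and t.endswith(":zone.identifier"):
        # Browsers write Mark-of-the-Web on download; a non-browser doing it is unusual.
        sev = "info" if proc in BROWSER_BASELINE else "medium"
        return Finding("n/a", "Zone.Identifier ADS written (Mark-of-the-Web)", proc, sev)
    if "centralprocessor" in t or "description\\system\\bios" in t:
        sev = "info" if proc in BROWSER_BASELINE else "low"
        return Finding("T1082", "Hardware identity read (possible sandbox check)", proc, sev)
    return None


def triage(events):
    """Classify every event and return findings ordered by severity, highest first."""
    findings = [f for f in (classify(*e) for e in events) if f is not None]
    findings.sort(key=lambda f: _SEVERITY_ORDER.index(f.severity))
    return findings


# Constructed from rows in this report (one per signature of interest).
EVENTS = [
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"', "wscript.exe"),
    ("Key value queried", r"\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation", "MEMZ.exe"),
    ("File opened for modification", r"\??\PhysicalDrive0", "MEMZ.exe"),
    ("File created", r"C:\Users\Admin\Downloads\windows-malware-master.zip:Zone.Identifier", "firefox.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString", "firefox.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", "notepad.exe"),
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f.severity:6} {f.technique:10} {f.process:12} {f.title}")
```

Run against the rows above, the two high findings are the wscript.exe UAC policy change and the MEMZ.exe raw-disk handle; the firefox.exe hits drop to informational because the browser is in the baseline set. The baseline set is deliberately narrow: a sample that injects into a browser would inherit that process name, so the downgrade is a triage aid, not a filter to drop events before storage.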
Processes (indented by parent/child depth; PID in brackets; the bullets under each process are the signatures it triggered)

[PID 2456] C:\Program Files\Mozilla Firefox\firefox.exe
  cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/TheDarkMythos/windows-malware"
  - Suspicious use of WriteProcessMemory
  [PID 2188] C:\Program Files\Mozilla Firefox\firefox.exe
    cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/TheDarkMythos/windows-malware
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [PID 1036] C:\Program Files\Mozilla Firefox\firefox.exe
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {636ea9d1-9cd4-4397-9d83-a8df1484c0d2} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" gpu
    [PID 3000] C:\Program Files\Mozilla Firefox\firefox.exe
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {029e9776-92fe-4144-85b5-94d2588cb343} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" socket
    [PID 1408] C:\Program Files\Mozilla Firefox\firefox.exe
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3228 -childID 1 -isForBrowser -prefsHandle 3232 -prefMapHandle 3400 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9f05a6f-94af-4757-9d92-f3fa5e8c30d5} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" tab
    [PID 4300] C:\Program Files\Mozilla Firefox\firefox.exe
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3672 -childID 2 -isForBrowser -prefsHandle 3664 -prefMapHandle 2956 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8baf124-ea09-4436-88bb-9968e9648611} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" tab
    [PID 3952] C:\Program Files\Mozilla Firefox\firefox.exe
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4656 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4668 -prefMapHandle 4664 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e07a1537-2a43-4820-bbcf-b2526584e07e} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" utility
      - Checks processor information in registry
    [PID 3244] C:\Program Files\Mozilla Firefox\firefox.exe
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5292 -childID 3 -isForBrowser -prefsHandle 5312 -prefMapHandle 5268 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d0b7828-c002-4e02-ae5b-af54ba487abb} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" tab
    [PID 1584] C:\Program Files\Mozilla Firefox\firefox.exe
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5396 -childID 4 -isForBrowser -prefsHandle 5404 -prefMapHandle 5388 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a925573-d18b-40c8-ac0b-6ac02bf19470} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" tab
    [PID 1052] C:\Program Files\Mozilla Firefox\firefox.exe
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5736 -childID 5 -isForBrowser -prefsHandle 5656 -prefMapHandle 5664 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2bc317c-ad0f-48dd-a52e-fd1ffadccc31} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" tab
    [PID 5396] C:\Program Files\Mozilla Firefox\firefox.exe
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6132 -childID 6 -isForBrowser -prefsHandle 6136 -prefMapHandle 6112 -prefsLen 29159 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28343d21-1020-430c-8ffc-8d6852264c99} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" tab
    [PID 6020] C:\Program Files\Mozilla Firefox\firefox.exe
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6792 -childID 7 -isForBrowser -prefsHandle 3612 -prefMapHandle 3080 -prefsLen 27108 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a48f6f3-0935-40b0-8d12-6a07d577a879} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" tab

[PID 5748] C:\Windows\System32\rundll32.exe
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[PID 3744] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\windows-malware-master\MEMZ\Geometry dash auto speedhack.bat" "
  [PID 5908] C:\Windows\system32\cscript.exe
    cmdline: cscript x.js
  [PID 1680] C:\Users\Admin\AppData\Roaming\MEMZ.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    [PID 4504] C:\Users\Admin\AppData\Roaming\MEMZ.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    [PID 5748] C:\Users\Admin\AppData\Roaming\MEMZ.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    [PID 5756] C:\Users\Admin\AppData\Roaming\MEMZ.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    [PID 5332] C:\Users\Admin\AppData\Roaming\MEMZ.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    [PID 2172] C:\Users\Admin\AppData\Roaming\MEMZ.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    [PID 2444] C:\Users\Admin\AppData\Roaming\MEMZ.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
      - Checks computer location settings
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      [PID 3264] C:\Windows\SysWOW64\notepad.exe
        cmdline: "C:\Windows\System32\notepad.exe" \note.txt
        - System Location Discovery: System Language Discovery
      [PID 4020] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=my+computer+is+doing+weird+things+wtf+is+happenin+plz+halp
        - Enumerates system info in registry
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        [PID 3508] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9d0d846f8,0x7ff9d0d84708,0x7ff9d0d84718
        [PID 3284] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,16433196871063836933,8280336076445260780,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
        [PID 3316] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,16433196871063836933,8280336076445260780,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
        [PID 4444] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,16433196871063836933,8280336076445260780,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
        [PID 4448] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16433196871063836933,8280336076445260780,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
        [PID 5212] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16433196871063836933,8280336076445260780,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
        [PID 5512] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16433196871063836933,8280336076445260780,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
        [PID 3640] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16433196871063836933,8280336076445260780,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2496 /prefetch:1
        [PID 2036] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,16433196871063836933,8280336076445260780,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
        [PID 5124] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,16433196871063836933,8280336076445260780,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
        [PID 2216] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16433196871063836933,8280336076445260780,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
        [PID 5776] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16433196871063836933,8280336076445260780,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
        [PID 2368] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16433196871063836933,8280336076445260780,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
        [PID 3372] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16433196871063836933,8280336076445260780,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
      [PID 5912] C:\Windows\SysWOW64\notepad.exe
        cmdline: "C:\Windows\System32\notepad.exe"
        - System Location Discovery: System Language Discovery

[PID 5956] C:\Users\Admin\Desktop\windows-malware-master\MrsMajor 3.0\MrsMajor3.0.exe
  cmdline: "C:\Users\Admin\Desktop\windows-malware-master\MrsMajor 3.0\MrsMajor3.0.exe"
  - Suspicious use of SetWindowsHookEx
  [PID 2616] C:\Windows\system32\wscript.exe
    cmdline: "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\87A6.tmp\87A7.tmp\87A8.vbs //Nologo
    - UAC bypass
    - Checks computer location settings
    - System policy modification
    [PID 3552] C:\Users\Admin\AppData\Local\Temp\87A6.tmp\eulascr.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\87A6.tmp\eulascr.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow

[PID 5240] C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

[PID 3956] C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

[PID 5248] C:\Windows\System32\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\windows-malware-master\ILOVEYOU\LOVE-LETTER-FOR-YOU.TXT.vbs"

[PID 5212] C:\Users\Admin\Desktop\windows-malware-master\SpySheriff\Install.exe
  cmdline: "C:\Users\Admin\Desktop\windows-malware-master\SpySheriff\Install.exe"
  - System Location Discovery: System Language Discovery

Notes on the tree: PIDs 5748 (rundll32.exe, then a MEMZ.exe watchdog) and 5212 (an Edge renderer, then Install.exe) each appear twice because Windows reuses a PID once the earlier process has exited; correlate by PID and start time, not PID alone. notepad.exe is started as C:\Windows\System32\notepad.exe but runs from C:\Windows\SysWOW64, which is WOW64 file-system redirection and shows that the launching MEMZ.exe is a 32-bit process.
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (2)
  Pre-OS Boot (1)
    Bootkit (1)
Downloads

Filesize: 152B
MD5: 719923124ee00fb57378e0ebcbe894f7
SHA1: cc356a7d27b8b27dc33f21bd4990f286ee13a9f9
SHA256: aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808
SHA512: a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Filesize: 152B
MD5: d7114a6cd851f9bf56cf771c37d664a2
SHA1: 769c5d04fd83e583f15ab1ef659de8f883ecab8a
SHA256: d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e
SHA512: 33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 144B
MD5: 004672e2ec1c05cdfe76955a436487a4
SHA1: e45d60502635f4da2d4b639799f4c9c9b2745046
SHA256: 295976749f8a9811c4cf4a678d9375d7824836066fab537fbc780b6fd5c78756
SHA512: bec6a31c7a159e51b3e2cab77fbe403463915f9b5000a53b1acf181553b0e11864f554191dec490b8547540e0d3661a5d77b9b2cd73e71605c081a134ffe3644

Filesize: 5KB
MD5: b728e017c1df69a262a4ddc78e037697
SHA1: d3456c91b162b838fc6295af63b93bcf1d485997
SHA256: 9b40094219860781518f0a023314efa25ed7e7fbcc3c203c183184c36b6b2a59
SHA512: 932be42a3f884d1d3e9ec517d9674c62177ab582ccf4c56ec22f7c477f4385933003be24c8dbb15b5b875538404bb8765b2b7c42a36831ec307cea8a8f151eb5

Filesize: 6KB
MD5: 649b8dac1ebfceeb17a0f2016e43e300
SHA1: 4725ccbf22b352c2a6b1001bf6eca426282f9882
SHA256: 8d204fc15dfd9999606694e40d5e31eade37646ef8c1113d5c2210195264904d
SHA512: af1e663c577aec1d060fd2ef477f77af0dad96355b4316a2c201adffb1a56e0fdcde7826d1e07c330461c0a67dc27212e05c5ecff13a680ffef21770bb1ba2fa

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
MD5: 9fd436ddf6f7ffdc89d9b1477cb7e031
SHA1: bd37792f42512179a885c40d1bcedbd0f6330568
SHA256: cb589c6a62d0dec617bfc01d316af5c28d4b9ce19ba9b84ad8801be75b5eb790
SHA512: 348981bd3e91ff28c4e771a9960d56fdd9331d51ae2af682fdafea07f632224c2b10304f653c7dd4a48bb42aa9db71132cab0bb349b14acd76cb331962baafd1

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\activity-stream.discovery_stream.json
Filesize: 42KB
MD5: 7f7425c66b00a058fa2e0f2f3882981e
SHA1: 370db5d115747470ef24eba4783c153c6457b338
SHA256: f34622140535691018256a81b34fea7a07fe073f056b97e75a062d488dd666fc
SHA512: 328b089190a6a2b770f076067660079698661d11f0f561fb76626f18c3b5260c3af75dbc7b8b4d6d345a3de79a567ea33469831a4245f7dac2a4d404ed080af0

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\cache2\entries\04AF3DF2C0644295C5AA12083A3265F4C82831A0
Filesize: 60KB
MD5: 6aeda9eac502a9e2a7b272791e48be64
SHA1: 9c96d44296ae1539877f9cfb8d2f47d0d160c820
SHA256: ed4bd62c3ddf875938ccca1b70301cb5938c6be6c8a42b05c014bb24c6872435
SHA512: ca736c322fecb3f874c3f3c4450630f7c932f6fd90025f40a0dc78fa2827bec4faeb011e87f1b469a66686be733970c2b2b1bcc18a4970f9ba72a08adf13cd1d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\cache2\entries\80E40493E66F98650D12C73CDEFE29BBACA89328
Filesize: 221KB
MD5: ef8cca55b40b9d8a14e8018c50e2f7bf
SHA1: 16847c2a515f874dd265339cca18c5052a916a94
SHA256: 053fc2d241d3393a72cc08df8ecdda781f4b6f84f59b49a666816e6d9fe23906
SHA512: b19a51fb3e2c055eb6fb1b51bda130c51c89171011a8dd73c630b7ab3ee553ca0c0fd8990390039e5cd73ee92cc19951f2ea41dc0f92d7bde68d034075182397

Filesize: 75KB
MD5: 42b2c266e49a3acd346b91e3b0e638c0
SHA1: 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
SHA256: adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
SHA512: 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Filesize: 352B
MD5: 3b8696ecbb737aad2a763c4eaf62c247
SHA1: 4a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5
SHA256: ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569
SHA512: 713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb

Filesize: 143KB
MD5: 8b1c352450e480d9320fce5e6f2c8713
SHA1: d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a
SHA256: 2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e
SHA512: 2d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc

Filesize: 1KB
MD5: 0ec335d4024b8bce257fe324b2897212
SHA1: 2065f4c48dbf38685cfb5696cd3d631c89144ec0
SHA256: 1d979a5e213a301d157e4b93efe520552c7112d87549e0f02f79c080d38b4189
SHA512: ad9f16fb795c9d5d004639ba9c5c0d0f264232d596d1101b1182e8ef9408b05447bac27968f9bc0ebc57f9a765f45ba51bb06a0945b6b93483eef1919c7efd57

Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
14KB
MD519dbec50735b5f2a72d4199c4e184960
SHA16fed7732f7cb6f59743795b2ab154a3676f4c822
SHA256a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
SHA512aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H0WQJ3E979V8TTH418VQ.temp
Filesize12KB
MD5a98ab9185fd95389bec8397fbb8274d2
SHA14f59dbdda346d7d1c22fd975c7458461b33bf76c
SHA2568426b9f2687f2450656e4f8e0e92ac6349e2a9016a062f623a08d015a76b53da
SHA512d91b6ea4b18d31168c0a2eec2c560c66d53f0a6723c4d820fa63c02fa60d2c05d2d631bb2fec68822fc4696eae247227b6884fc359cdd1b7e2d1b12b1aa80995
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin
Filesize7KB
MD5fd7fed7b9e2d45a9f9fe93e8c345700c
SHA1aab5a7fed0ce77340ac991dc0b53a6753ca3d640
SHA256611a70c73a738760ca00d07deb053c55354fc1ff4a8132a512ea2f9a8e9e7db0
SHA5120571f982573288960b495be70ea650f3effa0866e76a87337e0ff9043a3e9c4f460092457f209121ddd51297fbfc3384ce69478a31edf8bba548002b80b13167
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin
Filesize12KB
MD5e38b939d60ae8ebc4e0fbaaa835c54eb
SHA10e9ffc29b879817fea60980910335fb8e056d9aa
SHA2565b774d5e7eff0d1936b933d4e9f3f8812281c892c77ee9f31b94565b3ab32c8c
SHA512f7ec750ddb937c53b0d62f3ad775ee71028d31dc99bd9569211d910ae9e2b0f36e1ed12d2d2ee5a67112d6685787e22d88a5c522fe9eb3c8974e9c98d3f2785b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD5fe8c20ffea2025758a38ee83a3251f0c
SHA169f0c1259e3742ee74b1fd9c62e0564d5958adda
SHA256b667844e0da3eb8395e4182188afbc09020c191d71a624b69ef262bc2ed97c2f
SHA51224e2eb21b0422378a9eced8f3dc721eebe9f9e8e66ea7e89a3fd653a49f45ff25fef72d6a870da73595fea877a12015bb9cfd9a4425a0cd5c6bc70ec965bac39
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD50b755d0cef0796ba0cb6f016f2620388
SHA1cbe11f52fe9b4d9feca5c1e264838ef84e47dd0d
SHA2567d623a09f51c8fab7d70752a82cae6a497160a4e936f3a83b34d37d937a8d7ed
SHA512154b1d86be7be363df7f87ef615d8b7cfc237204d25399a78e655a5726c78e2c87e2a9ddefd21d4fb959d363d9ba4abf7502b466643df4385cff9ee9c0b3b411
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp
Filesize17KB
MD5749103d23e23565ac73d972cc72e5d4b
SHA1f4675259fb2428fec060e4ba00e8bae69cf736a3
SHA2563c7bed3dcf25f25bc59406fcb85f37ea306e1be401761b499b7db8865ebcaf35
SHA512ebf1d7ddb7df7444a6b53a5b75a523b010deca86b60d2965bbe31181f60feaf9369fbcea1b409f026ce6d709a80b07ac8116b03d34174e7021452d8ea714330e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp
Filesize49KB
MD5cdab6a57529d3a18dacb273e82af52c9
SHA136c9a03039e9ae6c9f82e93ced6ee9899e583d96
SHA256a8bf3d527b8f29de9dae5c6af540fe23704e48e35f9738bcab843b8426ead1e8
SHA512e8254a9d37f6c2fdaeb6beb810e24c0517f16399c39b16c52645646b865112855282d6f5b14bfdc9f9826b21899ded7e2e9fe03a744b7d61dec4cbf5720a49a8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp
Filesize49KB
MD59e42eddbbdcd9331365e3d2fa2c8d524
SHA1ddfe82d5702ccb9650595c70f6283deed6e5976b
SHA2565fae68f16718f11b70612177f6da303aa73f40379eea245cd7256a21bae20fa3
SHA5124eae74ec867a7d630adbd7a8322ea4a59d3ee6e4453aa48ec7b0730c52f699fc62a7487eb013fcdd78257ec7db9e60daf22d84a511e8460beef51305b8ce4e61
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\28820b2f-3a97-4e40-b954-2ac024f4e9e8
Filesize846B
MD57957f3a1e7d93628c1179088f91301f5
SHA116dd86f309322fee4011d3c1a3fa94eb997c288a
SHA256d384b657d283366751471efa49561bcd980e915304752c2b2f93c2823c79cb67
SHA5128fce14118259290c7ee9820693e70ab5c16d606c6741d27fcc8882f2451586dfd559464c0374534b334639a7830cf2d90541a0009e7f6c5c98dbccd3628adebd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\2ceb333c-c767-421a-a834-7468b06cfcdf
Filesize671B
MD53c4e7b4cb9a93c579ff423e96d3801f3
SHA10af47ec2d469b3ee0ae14da707989fe5d777eb09
SHA2565ae315acdd299f4e38b4d5b4fa26bc8bccdaadbb62e4e715377539ced8740334
SHA512d91caacb8f5126b7e3304210b81bf0701a7463ee1473d4af3baad469afa5c99e557c08b94af0db5b51559a0c1e4a6b609ab62988be8047fc2d7f0f741a542198
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\901c4869-1995-42ae-be2e-9bb6c165c06e
Filesize26KB
MD5c728c6da2b4d525302741750925a967e
SHA1ad97656387c7cf5337272dbff7bbcf4e31e39b75
SHA256530e05aaf09a62cdb9cd9a4f5f14aa0a6cd00b4ccfa27ced6d17ea2ff60ea34b
SHA512bb800e4119e67de53b9fe5472a2c22d1b277735a1fb7761fa266a8c784748321688c7f8df9a5a96e5ec019812e950f3d0c0c1f2119b6086ece5d36bbbc21e5da
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\9b1e58d0-1894-499b-996d-5ea571cd1e6f
Filesize982B
MD5c2b912382b41bcac5c8052773d02ddc4
SHA148b880b5e288973a62c37019275596c814699195
SHA2561c07a70aaf34f33f508d8a0c4f94d082135f2471b5b91695a0a9bcfd02918f6d
SHA5129400847e038b6b1241ee7661b6313b257ae4c962e013b9dcb4489103edcb1d09e6c2f592966d770ff8cdc5b377c4a6c7f8dae56bad99f864d60f71a49fa5380a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\fcc65fd8-32f9-4a1b-a4ae-ede72ec36927
Filesize2KB
MD529892f088ebc825e200a6d5a09dd8057
SHA1b4470c1bb6c913bf1ca3bc286c7124de81bf4b55
SHA25627fefeea9425c644beb89aaa702624042199c04c8e943cda25bd3569f3377bf6
SHA5124fafe2d4a6f4bda82dcc0ce657d140fbef1fffe5f1f38f765d82576c1585d3d5e63c5d017863be7e203e7ff7166ab92ef84dc0c0361fcf948db247e4bf041b38
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD5731e74f1c24ead5ac4f1bfd911876594
SHA18e43e8a6d958ca9b8f70132a6d525f8eb1b7632e
SHA2563ddeeef54e19a2078a1b2f995d4b01513552c9604b23a971f1c5237710197755
SHA51276abb2f28000e75f761309714e1e836845745561da1404e3cf56c04f290c1c048f7a53f669a5b54b0add20700f88ca3e0fc572a18c2ce6f0ab8f0692b3ea8ab2
-
Filesize
11KB
MD57b51391cac7a35c95bb1fe95d36b4775
SHA1e3aac91152db6ae6b28ecbc793c9d3e4c74d9c95
SHA256a61678e8ad3513635d602b4cf3bf29e25f85464598ae745dd7c49804e6904070
SHA512559ea562a63eabca05f0c19449c06248a8a8a873bfa03c38bb87a70b60fc3a0a625de05b8c92f42bb81b007dd315f0ed64fe0aabcbd38dc19edb90df8dad528a
-
Filesize
11KB
MD50d10621b83a1c8aef7d5b5ed3da43bbb
SHA179524dec52e1c54b531a128f0f94a87b07fa26a8
SHA256cf3838d4330749f4bb967bf8abb91409290b2ceb764c0060e9283946d328a11c
SHA512040448c4006ecc3e6828ee85aa39be025bdf0d0727cfcf9595a2455dd5f24cfae41426c0cda64d760a0e45da66a212517d9621d3b957671fd3f494fb88090e13
-
Filesize
11KB
MD5ad5f865cd819b8731ed5afafcc6d51a4
SHA1378c0eefc5c5824b12d313cce0b27468eb310690
SHA256b0737a781d8acb6227da1991092d258a8d16ac97a54b9b18480e0285ebdce339
SHA512f74cd57153c60fb3de3971d2b6806740b9bcf609f7711f95380f2d1016c2111b9530dd2d9519fac7df60ee6f89168ecc9868987ee0941aa62cbd1295041f82cf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4
Filesize3KB
MD510a5e93e07683aadfb6fb9f5dfc832b3
SHA1b0b38c2424b514d30b8ab3294ff488b9caf79f7d
SHA256b43c99e7d956a26162ccec65fccf6fb2d60bbd81fa23c210fe1e726d1648ed88
SHA512705821604910291b015e069056a9ce6ce6549cdd6fd7c3d9f156f737975b814d32d60bc9d601a03e0e09663236711576818391efa5c79acc8a52716ba6f82484
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD540580ea55471cda75bbcd4852ed670c5
SHA1e456ed0e84db2442c033e8d9945b577f4dc4099b
SHA2565c2d18928dc469713e7c3d8862ce3336dc510ba84a92a27313e1d4d56c9a2462
SHA512c66cfd65ae1607cffc3ce90dd13a9d0762fb69fd2c99e8f13beecd72bf333329768f9d32c8839aa6891d0e81fe6df2f49ed102b68e6ed59f3f4d714469e557d0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD5095587fe7a2071181ffc511cf883447a
SHA1da3f34d924ad9892c0318d858e0d45139d668ecf
SHA256822b2052688ca6485bd040ea4da3a8b8ccf1f18f756c64f0623670a8618a9acf
SHA5129bd3e7f7e9340cad25454bf499cf1f6e7319d0ef963faed3d6f09c6ae819f7210e06af6f2fcc9e57fa38fa508e28a60739deba5ab04120d57e459ec5b123d100
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD5a2fe57c867223e65e770a0e56c9fe6db
SHA196734daa658d7e84e7c37d174f6ca3103410ef89
SHA2568d486b0c0203288866c40d6383a47c58fc16b9e183ccfb20e3cb48f29e5fdb5c
SHA512aafa436b5d45516913e7a39e292f79a60a412cb627387bc7b23eb45a83aa7cf2f58582a3aaab4f7fc29561260dd2b0075b643b0702580c3a16f6fe7abb422a84
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD5ebe6a66d79444551607cb3a499bed1e5
SHA162b6897ebc79569829ab417cd986065f6ef9172e
SHA256e702002db9f8dacb61f70b43a7f30e959aa87f3da34e097eec70287736a1e2e8
SHA51214dee0747d09af7ba977228fdbdb6bed3da76fed7f5b701bcd56df0d1b3740516319a50254db1306a2b38c062bf7fb885617325e04375660128b8c3354e492fb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD5500ab457a8e35cb07bfa6ef5eb387df4
SHA1a1bf6973668b762a53f664888b8af681d5bd86dd
SHA256812799769090a9e763c798678638af529ddd7fdf9b233f399b0f3d95eb665c54
SHA512fadd8e9830646e49a2ec8d1c4d082258bffd2794adb0be49c1fa867f4aeb699d8d220a37d40e8238bf14a66809690e5732532c910bc3f3fe32159dfec881770a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD548007286e668e907b0c18df6b1c2ca99
SHA1100243aa2a18e14fc2b57206cd6f6b571fcc011c
SHA25624b70e5fa2518dbd891017db886ab3392c5493ab95f57ffd56584a32c345334d
SHA512131ee5249357b507e09472a7eb58094652fe363fa05737a360c20cc1b232cbbb57013e720b4262926b8897cc71b528d6d8ccc238c75bbbcb7cd081b80a461aec
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD58988c2a0b6b954067b905ed3bd2ef8d4
SHA1841a32c2bd943fa7fbc8a73cb694202eb3040aab
SHA2561d34e989d1420c6bc5ed9cc234188cabdbc27dbbf26bd56d08f8c21735a25197
SHA51209fb6ce0038c7c7b495361f78df8e744862f5b51a69fad793a48cab4a2c12986d131e0fba4cb5a4730a27d4100d0a41909106d108c7ab5e75b352fa308c06c0e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD5296cbd6988f5335a84d51dc203a79c6c
SHA1b973ecd66c456aa18b950ccd38aa8c00471b848a
SHA25641ca7a8b5324e4d9d937309f368afa83bb9af99c351d3afc0e0705eb76143960
SHA5125c4e82a9c92120c627326893a4825de7b147c32fa6b17322ebda7536d0766d3839856393c84635ea89eaba796b5e47a3aeb72e9d4167e5dd096cfacb35cfeec1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD55865564e77009f7bb52499ce5b175cae
SHA1f14ac419802d508d1da9605906d8134197eb3d5e
SHA256f7a1bc64070f4fc1754d50673dad3ab23ca1561e3383deefce12e7c0aea0fb6b
SHA51213fd6c3bbb00b1dedc66a143143f73c4076915581f64f81d2843f0ebae35224c2b0c5e0320d8a98ee4c916d83ff518855b99851e80b5f492261d8695c1634ac2
-
Filesize
4KB
MD51c604b4fef887029e9a3fa342fa908fa
SHA127bd3753c25ea4ea49c7c7b564a1fd641bd0eb23
SHA256d6a4b048b5f28963aeac2e56db9ceeb4607c068cbe06c041631b9c878964330e
SHA512ff804c5b76e5aeb6efbd6a7650d5614e922ab605a45873aaeec0ae898e1a7275dc4ec862cd0bef20998e1b741b2add2846e4cfa9c0fcaaf197c4c50aa934cdf8
-
Filesize
11KB
MD51882f3dd051e401349f1af58d55b0a37
SHA16b0875f9e3164f3a9f21c1ec36748a7243515b47
SHA2563c8cea1a86f07b018e637a1ea2649d907573f78c7e4025ef7e514362d09ff6c0
SHA512fec96d873997b5c6c82a94f8796c88fc2dd38739277c517b8129277dcbda02576851f1e27bdb2fbb7255281077d5b9ba867f6dfe66bedfc859c59fdd3bbffacf
-
Filesize
448B
MD58eec8704d2a7bc80b95b7460c06f4854
SHA11b34585c1fa7ec0bd0505478ac9dbb8b8d19f326
SHA256aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596
SHA512e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210
-
Filesize
8KB
MD563ee4412b95d7ad64c54b4ba673470a7
SHA11cf423c6c2c6299e68e1927305a3057af9b3ce06
SHA25644c1857b1c4894b3dfbaccbe04905652e634283dcf6b06c25a74b17021e2a268
SHA5127ff153826bd5fed0a410f6d15a54787b79eba927d5b573c8a7f23f4ecef7bb223d79fd29fe8c2754fbf5b4c77ab7c41598f2989b6f4c7b2aa2f579ef4af06ee7
-
Filesize
218B
MD5afa6955439b8d516721231029fb9ca1b
SHA1087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
SHA2568e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
SHA5125da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e