agenttesla | 438f733d858508c39ae81b7238a7c98232dabc6d389b24e4471c4a16546428a5

Analysis

max time kernel
1790s
max time network
1530s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
08-09-2024 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Skou+Multi-Loader.exe
Size

5.4MB
MD5

5a12c9a8274bdca0b49661ca8a2d031f
SHA1

5433c508da3f3740792dab061228cfb1318d151c
SHA256

438f733d858508c39ae81b7238a7c98232dabc6d389b24e4471c4a16546428a5
SHA512

8d14a9b8e583f69cc82d04dba24bb4a3ecf0253f741cf6c3efb5c7ba5932ee160e2f3a87f43b44b1a6ff3eaac03d454703b3391ab8de294a2bc7fed203643469
SSDEEP

98304:+RHOvLqx0/O4d1f3Z53AlKAdvD7WANTprOhfEQw2uQzjU411IGUmz4k/nqoIX8NV:qHWLo2OcJr3YhdvxNTpqhMMjIGzkk/nr

Score

10^/10

agenttesla discovery evasion keylogger spyware stealer themida trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/1704-12-0x0000000006090000-0x00000000062A2000-memory.dmp	family_agenttesla

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Skou+Multi-Loader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	zem1evbx.5uo.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Skou+Multi-Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Skou+Multi-Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	zem1evbx.5uo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	zem1evbx.5uo.exe

Executes dropped EXE 2 IoCs

pid	Process
1800	zem1evbx.5uo.exe
3232	Skou+Multi-Loader.dump.exe

Loads dropped DLL 2 IoCs

pid	Process
1228	ExtremeDumper.exe
856	ExtremeDumper-x86.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1704-7-0x0000000000400000-0x0000000000F62000-memory.dmp	themida
behavioral1/memory/1704-8-0x0000000000400000-0x0000000000F62000-memory.dmp	themida
behavioral1/files/0x000100000002aad8-613.dat	themida
behavioral1/memory/1800-618-0x0000000140000000-0x00000001411B1000-memory.dmp	themida
behavioral1/memory/1800-619-0x0000000140000000-0x00000001411B1000-memory.dmp	themida
behavioral1/memory/1800-620-0x0000000140000000-0x00000001411B1000-memory.dmp	themida
behavioral1/memory/1800-621-0x0000000140000000-0x00000001411B1000-memory.dmp	themida
behavioral1/memory/1800-625-0x0000000140000000-0x00000001411B1000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Skou+Multi-Loader.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	zem1evbx.5uo.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
7	camo.githubusercontent.com
9	raw.githubusercontent.com
82	raw.githubusercontent.com
83	raw.githubusercontent.com
5	camo.githubusercontent.com
6	raw.githubusercontent.com
49	raw.githubusercontent.com
81	camo.githubusercontent.com
3	raw.githubusercontent.com
8	camo.githubusercontent.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1704	Skou+Multi-Loader.exe
1800	zem1evbx.5uo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skou+Multi-Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExtremeDumper-x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skou+Multi-Loader.dump.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Skou+Multi-Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Skou+Multi-Loader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Skou+Multi-Loader.dump.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Skou+Multi-Loader.dump.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Skou+Multi-Loader.dump.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Skou+Multi-Loader.exe

Modifies registry class 55 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	ExtremeDumper-x86.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "5"	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	ExtremeDumper-x86.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	ExtremeDumper-x86.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 0000000001000000ffffffff	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	ExtremeDumper-x86.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	ExtremeDumper-x86.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	ExtremeDumper-x86.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Documents"	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	ExtremeDumper-x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	ExtremeDumper-x86.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	ExtremeDumper-x86.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	ExtremeDumper-x86.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	ExtremeDumper-x86.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	ExtremeDumper-x86.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	ExtremeDumper-x86.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	ExtremeDumper-x86.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e80922b16d365937a46956b92703aca08af0000	ExtremeDumper-x86.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	ExtremeDumper-x86.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\ExtremeDumper.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1704	Skou+Multi-Loader.exe
1704	Skou+Multi-Loader.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe
1800	zem1evbx.5uo.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1228	ExtremeDumper.exe
856	ExtremeDumper-x86.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	firefox.exe
Token: SeDebugPrivilege	3028	firefox.exe
Token: SeDebugPrivilege	1704	Skou+Multi-Loader.exe
Token: SeDebugPrivilege	3028	firefox.exe
Token: SeDebugPrivilege	856	ExtremeDumper-x86.exe
Token: SeDebugPrivilege	3028	firefox.exe
Token: SeDebugPrivilege	3028	firefox.exe
Token: SeDebugPrivilege	3028	firefox.exe
Token: SeDebugPrivilege	3028	firefox.exe
Token: SeDebugPrivilege	3028	firefox.exe

Suspicious use of FindShellTrayWindow 23 IoCs

pid	Process
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3028	firefox.exe
3028	firefox.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
856	ExtremeDumper-x86.exe
856	ExtremeDumper-x86.exe
856	ExtremeDumper-x86.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 3028	2344	firefox.exe	85
PID 2344 wrote to memory of 3028	2344	firefox.exe	85
PID 2344 wrote to memory of 3028	2344	firefox.exe	85
PID 2344 wrote to memory of 3028	2344	firefox.exe	85
PID 2344 wrote to memory of 3028	2344	firefox.exe	85
PID 2344 wrote to memory of 3028	2344	firefox.exe	85
PID 2344 wrote to memory of 3028	2344	firefox.exe	85
PID 2344 wrote to memory of 3028	2344	firefox.exe	85
PID 2344 wrote to memory of 3028	2344	firefox.exe	85
PID 2344 wrote to memory of 3028	2344	firefox.exe	85
PID 2344 wrote to memory of 3028	2344	firefox.exe	85
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 3084	3028	firefox.exe	86
PID 3028 wrote to memory of 4628	3028	firefox.exe	87
PID 3028 wrote to memory of 4628	3028	firefox.exe	87
PID 3028 wrote to memory of 4628	3028	firefox.exe	87
PID 3028 wrote to memory of 4628	3028	firefox.exe	87
PID 3028 wrote to memory of 4628	3028	firefox.exe	87
PID 3028 wrote to memory of 4628	3028	firefox.exe	87
PID 3028 wrote to memory of 4628	3028	firefox.exe	87
PID 3028 wrote to memory of 4628	3028	firefox.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Skou+Multi-Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Skou+Multi-Loader.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1704
- C:\Users\Admin\AppData\Local\Temp\zem1evbx.5uo.exe
  "C:\Users\Admin\AppData\Local\Temp\zem1evbx.5uo.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1800

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3748

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1955f144-fa7a-49fc-aeb9-cc3de68760a9} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" gpu
    3⤵
    PID:3084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 23636 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05bbf48a-26de-4be7-a293-35c85dfc1e79} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" socket
    3⤵
    PID:4628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3288 -childID 1 -isForBrowser -prefsHandle 3036 -prefMapHandle 3224 -prefsLen 23777 -prefMapSize 244628 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc8ca7b7-91f9-4c62-9d31-95cb650f102c} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" tab
    3⤵
    PID:928
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3616 -childID 2 -isForBrowser -prefsHandle 3432 -prefMapHandle 2692 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {368bc8e0-0e78-4533-bfa3-48275de85a22} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" tab
    3⤵
    PID:1632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4540 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4532 -prefMapHandle 4520 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af461cd7-6c45-4504-8b10-32887b69324b} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" utility
    3⤵
    - Checks processor information in registry
    PID:2652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5412 -childID 3 -isForBrowser -prefsHandle 5404 -prefMapHandle 5380 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a9f034c-40b4-49bd-8ae9-06593067de02} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" tab
    3⤵
    PID:2620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5568 -childID 4 -isForBrowser -prefsHandle 5412 -prefMapHandle 5436 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c82eb0d5-7e63-4413-9c81-21f4a014295a} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" tab
    3⤵
    PID:4692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5808 -childID 5 -isForBrowser -prefsHandle 5716 -prefMapHandle 5720 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {702ea58c-c62c-4c15-9502-2385ff9bbe13} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" tab
    3⤵
    PID:1392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6216 -childID 6 -isForBrowser -prefsHandle 6208 -prefMapHandle 6204 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b050024d-5b09-49b4-ae02-0a9085b2911e} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" tab
    3⤵
    PID:3748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1680 -childID 7 -isForBrowser -prefsHandle 5504 -prefMapHandle 5516 -prefsLen 27068 -prefMapSize 244628 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a75e840-2c62-476c-bf4a-45041eb9b47b} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" tab
    3⤵
    PID:4624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5664 -childID 8 -isForBrowser -prefsHandle 1680 -prefMapHandle 2736 -prefsLen 27855 -prefMapSize 244628 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e94fb80-4199-47fe-a771-1251148f383c} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" tab
    3⤵
    PID:792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2716 -childID 9 -isForBrowser -prefsHandle 5600 -prefMapHandle 5704 -prefsLen 27895 -prefMapSize 244628 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de198808-b0c9-45a9-95b2-db78621a381a} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" tab
    3⤵
    PID:4552

C:\Users\Admin\AppData\Local\Temp\Temp1_ExtremeDumper.zip\ExtremeDumper.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_ExtremeDumper.zip\ExtremeDumper.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:1228

C:\Users\Admin\AppData\Local\Temp\Temp1_ExtremeDumper.zip\ExtremeDumper-x86.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_ExtremeDumper.zip\ExtremeDumper-x86.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:856

C:\Users\Admin\Documents\Skou+Multi-Loader.dump.exe
"C:\Users\Admin\Documents\Skou+Multi-Loader.dump.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\activity-stream.discovery_stream.json

Filesize
42KB

MD5
de06833b7dcaec6f0d1e238a72293c52

SHA1
e332588a184ea6d35f0f8a392bb3c523a4691e43

SHA256
56f16b2080d4dc43f13076f0b7e640653b4efffafb01269c5791388d884cc6a6

SHA512
f58a7a143d9668168ec261bf8fb025db24223bcc03f0738dbc7155b79442be65b0de993c4087299f88d2ed6dfa1fdf888248bcfd961c9a3786adce97798b4eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\CFA0B0B143E4C50194769B9A2552FFEF\32\extremedumper.loaderhook.dll

Filesize
165KB

MD5
666bb02763fe5ceb4fff36db4d5cefad

SHA1
674045a63f4e7bec9312043a77e0f47b7009acb7

SHA256
8b8c972255f75488d0b562df4df6a281d52911e39ceeb43e05801b4658ff358d

SHA512
484acddf07c4e5cca74cb728da4b34cfaa8df2b68f04880dfdef70ec708bc687976702a18703a814aa812f6e1312a45e7ee7ee7ec51dc365268208afb20f9127

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\CFA0B0B143E4C50194769B9A2552FFEF\64\extremedumper.loaderhook.dll

Filesize
211KB

MD5
2e40ed16499ba8ff681b9bfe8263cef8

SHA1
f89f7d11dc028bb3fa1437b0d0de1affec35f8a1

SHA256
3577492fff8cd1dfdfae86f74e3d77a1aa672b49d18838355ce2a5bf86363f47

SHA512
2f47d4a9f7ec6a7f7eaf605e571c85ba16b4421df9a15c801502af6488287f9ed6c5e7f3c2b29ae2b4f6169252d9ac9a7b91bc666557fa1501347b7de36493a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zem1evbx.5uo.exe

Filesize
7.2MB

MD5
f3b1ff3cf8dd2f1495a9c7b3e1990524

SHA1
4133e5f69660134d3f5cb6dce64b9b57f97c5117

SHA256
169b8c638fbaf5cbc487b3ac7556377cbaccb9bbc2a5809cff0ba276316d219f

SHA512
eda45ef97f3330eed85fd604518a08fc2a18122ae2c5438842e906001771f52a710dfbce288d94d3c87627ec719e0cc6364805482d2ee9b651403e96d20f9c2b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
b1e512959fe5ba65d8574e939168618a

SHA1
ad0adfa2ccd0b783a76205c3bd37c586fe9351eb

SHA256
22518fb3b83e3adc4a7e8cb3f894702bf3582336dba37f3ef575af1bc36f0091

SHA512
3bf87d935679930ef91412ae8065107401b871ae3eed487d46cf409828aa2828fb0012926b9f0a95f1932601b112d8e141e63231f88b03a7828962e3be4b0f5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
2ce88abb6d321efac2226fe7f90be007

SHA1
3b51176b1a4126e30d0fec226981a095c20ddeec

SHA256
84ebceb8b4be6023f8667babac2f2cb973e2bb5a0f3d59d814bbdd2e93a7be2e

SHA512
c8d53144ba7fb1c2dd4604b7692151992361d533201015c4ad8a44c445f9d1cb2ef1fd585837a9068e446764f3c9dce244055d36602e50870fe65fc4c180995f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin

Filesize
7KB

MD5
199bafad15d533929647b7d4e6f3c505

SHA1
98c73afe4b7a67a6f525bdc82e0252dbbb3988d8

SHA256
c0e5d34141238b9aa079b2e0605cb2a2764b5a206dc06492ecddff085cf5f707

SHA512
965cd04bc5e8a313c50711542b4a755036d28ad8591a03d48bc2ceedac4ff08e5d986985a4918b2dfdcf03e1cd03063062ab2ce90dc25e0121994f99d6f0dd35

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin

Filesize
12KB

MD5
1ea13f3f84670e291d20cc4a96c54950

SHA1
4d1c39cfe43f5518b7aa6a990bfefd565cf76656

SHA256
573d4e1b0a552ae69df30f02dc42fce76cd3406324eedc8095d62e3920714426

SHA512
c973357f3886be971040fa46e55ae08773d692fd2f2d7787b17eeb63f6ad7b08417617661254d546b1760d858da9ed1daee1c2dd40886cb9a540c9788701e3bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\bookmarkbackups\bookmarks-2024-09-08_11_AxhfEr2-OFLpTzkjd981hA==.jsonlz4

Filesize
1001B

MD5
8693afadf4cc3bd876dc74648e6e4ace

SHA1
13fddc31ddf842e6c086e7e6bfb202c01ef713b2

SHA256
8050fc7748ef7604f657392e788aee4d49a112b62672d11c24ea301c7f2a30a7

SHA512
cacc0defdea88678dba4e329ca0088d027bec4c97fc763f9a6831fa5a5e5654397fe578aa59bfcb8592887b95f004a7b758569281142ab5c230824bf2fb39918

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
714eaa5a1d071fc68acdd3bed3820b81

SHA1
8f6949ea62f8bab02b4767fb0ce77a8c6705ccc3

SHA256
be959f1759580dea0709d05a0f8fcec1684dda4b1ef665450de8433a219e4c41

SHA512
7b1358e3f4b88a27950b2899a4833303244514b45b7e91fa288bcaea0d364e70a7ed0662612d9270aa4bc4669dae1e622039d4eb536b27dfdf68fcb08d543ed3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

Filesize
99KB

MD5
5de89ac79f73cb541b2a3137734b3740

SHA1
35ac5fb69c9fdb6ba7345866da261b6e2ea702a0

SHA256
a2ba1ae94269284ef3886f83c7f77d2ba9cdba876c1d6931d7654577af1f9375

SHA512
9a4f669bbaa98deb41056f81d11ec83bbc617de0e202faeb773ea8f0c79e9f3d09612d2ed440e5e6eec29157614f533c413b9550baa6f818705a0f66277b101c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
f252e27a4e31306a21f73fa67e6c487b

SHA1
3c8efbc8e8bd946a0ab06ca4f881531569b18049

SHA256
4a961fa1207e0a6e30c82f898b867236828eb71c521e802c0cc9c61ae3355a44

SHA512
31f4b092b35f1bb2e6c84a6ebd7ed87fc7adea5ef5df3ae4fcbd53d9dc07a34c0544dce3649b9b670c1834b01b8ea5fbebd919c55c23615dc72cbcf4b0c7d688

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

Filesize
99KB

MD5
b7fe9108ac4cc63bb5ea24ffeade57b8

SHA1
b6d6daacd55765a018610ffb0caa209787883f53

SHA256
39d90620463b92187d6f0c5a7f24a5be0dd22187eec797456c4de8b4d106eb6e

SHA512
69ac4f68371fc40f3796a8616b206a15307c0f7b972e48feef4a86f7b29e40e0d3ac2dc92b6c7c2c292e5b9ccd01a1823080297a2f95c9322cfafef2ce7f1ce9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\7b86f7a7-c6f1-480d-b996-653ef7cb5837

Filesize
982B

MD5
feccde00a5149d5f90508fe5e9c197a0

SHA1
4a61a269eac04671e9e116157cd61ec15f710a10

SHA256
f4b539fe5588e3e7ca4c04527abd4a41e574c65781eb27bac2cc5529d3c13898

SHA512
ae0911b6e6c3946dee8715092ca8a728985a9bff42e1cf144dec2932ea7a45c9f388cd175af6587c8f4b4da1b43ea54e1ca3c23516a3ef3a96d3f7c6aa8c6d0b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\d7a5ec5b-fbe8-49fa-a922-b5f6e520cae4

Filesize
659B

MD5
21cccc961c03153c9b316fec97106cac

SHA1
535455ff942b7d80e24ef957ab5806cc94df3e7e

SHA256
bea2fdbac91733d9e1bb570f6acfc2f7160c3a1b867701e483c2f74316a43a5c

SHA512
63f5b9a019f9282f47fb9907888639c85bff79aa0764194374363285514f1c4f46a450b258416da980ded2419aa90e199ee8032f0c5258b9fd79f6d17205c236

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs-1.js

Filesize
12KB

MD5
cbaac17e40d5471691534e612d895ddd

SHA1
3b78f7aa6b69baff403b6fa4799a937663d769d6

SHA256
2763687d721815ed781485faed09ebc48e3354a42ccc9b467705016d2c2e8b9e

SHA512
71cd2857f0e79d8081752ae51892772cf02acc7f210e48f41dbe2365d98450dcb8c313dceb2355e03c3bfadcc6a5b4fdcfa38e67b746184e4455660a0521291e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs-1.js

Filesize
10KB

MD5
8085c2fa1bf5ddfcdd270103f3398777

SHA1
f9e8eae70d478d58845316fa848efa277bf149dc

SHA256
52c53c90f8acb0f060f7b9b344d54bb7301be67920c5a8cb43eaf600a3b9e54d

SHA512
f93b467613f2a08ccb2f45bc4bcf2d7915e05add8bafcf312a59de854493256920c065bb5f47af659daecb8d63069f8815ee64a8b8af65a997d455fcf2b4faae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs-1.js

Filesize
11KB

MD5
913c8094fcbc331c51eb4491cd9b1fbd

SHA1
a258ccb032f536acd39a7e2aa9edfcd01023d120

SHA256
7d131897164570293b5ee6b1417f59800b1f0eefe807362409ece1b3e9e5c195

SHA512
aebd5d56cc4fbf9a71d740bed4f9b7cb090afa2397c0858970eabd3b7ef17cab126862a3e21882d8f822310368f4d921743e6d4e18b4ebdd457be56ca5b74fa7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs.js

Filesize
12KB

MD5
90ca8f1035a8330572b9fef66ab57c7e

SHA1
6aa10c1d2c405f77190807bdb654fd5f42fdd65c

SHA256
6f6cb876888d18fac824a85b5fa5cf574489f03a5c0bfc1e3fe2818278364662

SHA512
0bc8b17676a353266e9ef3b3f4bfd3bbc5606e3f68103ca6cd20dd67bb44664f7418aed8fd0216b0255dffe3d176fbf066fd1162e64a95a6a6391b7e563d03e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
41eadc42e1d98d841aac75dbb8808489

SHA1
db119a02943af2b9e4f7aa1b7ba0ed7624310d74

SHA256
b2f23dffe5aeded1b6345e5310175a3fa1ebcff2ac2bb811bdd60b3f133f5e0f

SHA512
bca01bbf00b17c9e58ed82214d4a7f277edc88d0b4116a0f540bc697e8f0c7b4c92108044f327b15c4bef2d9cad7b6caa7b16c3996bf13cfe4a300c869e15ee6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
51b7edfac3eb865f5f4ca1e867d8a60c

SHA1
a28b4922fb2c6f25eb36e425fcdfa49cfd75c077

SHA256
c57bed1e3898a675161f869293b82f9e111cb5ae190297a00e528a3e87d98e3b

SHA512
f97b56f61aa2f6a564e8591a93f83ddd813e127c2b3a42a2f3c48ed349788330a7283b36aeb41a9a0e3ee33e1f30e1da369cd37985b8536581a7d739c690b4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
4412f1e9802645a678b6412dfbb48e12

SHA1
7ecaa56837d90f84ae73799f3cf6947a90a9a733

SHA256
7bd40ea966b40d9e61442e0c8e842616246376cf869f5142094a82703bf7578e

SHA512
552ed18ca94e8d80672f25f932a3a72a89876254a78779bef409fa685e89cb78a2f6ba8ebd1ab67c66cb1a05f2acc3a74e66f77ccd75153ef1e058d6fbd27dcd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
df315b90787a2f36e755323be95b1999

SHA1
7b12f5379741b2eb2b14ceaba0104548f83386aa

SHA256
1d728965e4626e2bca40ef7dddf922f67fcaae242a38851351e770354423d8ea

SHA512
1e6cccd8d78fd0d7c611e8e1b7a32bf30e3fc74fbcffda67a35effec1558a050ffc982852a2ccd72d4edd54da641075f7758b63355b9ec16b467d028659809c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
1486458d3af423761d961502b009143d

SHA1
6ea930a6d969650c6fae3e3486c62ae863f39af8

SHA256
d8a7cded1d03c79b62dbf616f536b891388758bb734f0d7c9c38e44b7162f663

SHA512
b7f1ddd536de4a28f439736bcfddcb22f194baec6741283dbbd98aca06f4833f80918f4b153ce8f1bb3bed2cc91a1e98490605e76711f1844b76205e27fa9236

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
c6f534d2f4ef42e7f9cbdb5cc466ddc3

SHA1
27a0cf9b6a4d098d33ce962e5fe5a9057ed0cc10

SHA256
270d748504dfff659787f734344530c48bc8c65fd1d0f45fe3a821cac3a7e4bf

SHA512
3bab67c87eab0c7ebc20ceef59735fe8b7682502924b7b9dc17287647899cb429d0da383756e1091de7d29cf55d09835393e3e5f78bd8159c3ba3ac624e2cb7a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
568KB

MD5
6c04cc2f4697e666610b66d38d03204f

SHA1
341e03ba6960f60171bcd0aa1946019347b5021f

SHA256
8aa22a0ddd51c9984c4e235409f4dfe1039b1bf0cb7c432bd64b0951d0fda7be

SHA512
d5c252a13671a106e7eea42751376067236dc8616bd4603a122025b48ec0f1809417d5462d5c58200938a402088d93021ccfd30e1f1ab72381aaaf640a860ccb

Download Submit
C:\Users\Admin\Documents\Skou+Multi-Loader.dump.exe

Filesize
2.1MB

MD5
73c2aa24dfad6ac31f097aefd1cc0893

SHA1
36b57aa4a6141bbb1528dc9c054fc7f56dcff2d3

SHA256
ed6a99567429e17eb80b4d1a7d598bc9911830419a99847674235953890a3fcd

SHA512
16955af58cceb3d28f24e13a2bc84e03c39efb1b77091f2565c9deb3851e94a254d3f76ade059987fa1809dc07863a1edcab3928288574ae99c0525b65301fba

Download Submit
C:\Users\Admin\Downloads\ExtremeDumper.s-7RhqHZ.zip.part

Filesize
2.3MB

MD5
5a175dbbdd3ef221fc1cc8cda9988c33

SHA1
5cc3f21a81438d8d24a82e3218541a00e51c6978

SHA256
fbffedf2a9420be03538f04bd80a69e35503f8d8395da76a9ac2518a65e1facc

SHA512
b6cf84830ff72a84d333850b88e981d4e7f7a68334546978169aec992ea7fa13f4a1839039aea2d18a7c8ff9164bf174719184a92ad5567cff048c2fbf2f8367

Download Submit
memory/856-1009-0x0000000005D30000-0x0000000005EDE000-memory.dmp

Filesize
1.7MB

Download
memory/856-1008-0x0000000000FA0000-0x00000000010E6000-memory.dmp

Filesize
1.3MB

Download
memory/1228-1001-0x0000027FE86D0000-0x0000027FE86E0000-memory.dmp

Filesize
64KB

Download
memory/1228-1000-0x0000027FCFDF0000-0x0000027FCFE16000-memory.dmp

Filesize
152KB

Download
memory/1228-1003-0x0000027FED240000-0x0000027FED256000-memory.dmp

Filesize
88KB

Download
memory/1228-994-0x0000027FCDFE0000-0x0000027FCE18E000-memory.dmp

Filesize
1.7MB

Download
memory/1228-1004-0x0000027FED250000-0x0000027FED318000-memory.dmp

Filesize
800KB

Download
memory/1228-1002-0x0000027FED120000-0x0000027FED242000-memory.dmp

Filesize
1.1MB

Download
memory/1704-19-0x0000000076120000-0x0000000076210000-memory.dmp

Filesize
960KB

Download
memory/1704-14-0x0000000000400000-0x0000000000F62000-memory.dmp

Filesize
11.4MB

Download
memory/1704-1-0x0000000076136000-0x0000000076137000-memory.dmp

Filesize
4KB

Download
memory/1704-2-0x0000000076120000-0x0000000076210000-memory.dmp

Filesize
960KB

Download
memory/1704-3-0x0000000076120000-0x0000000076210000-memory.dmp

Filesize
960KB

Download
memory/1704-4-0x0000000076120000-0x0000000076210000-memory.dmp

Filesize
960KB

Download
memory/1704-20-0x0000000076120000-0x0000000076210000-memory.dmp

Filesize
960KB

Download
memory/1704-0-0x0000000000400000-0x0000000000F62000-memory.dmp

Filesize
11.4MB

Download
memory/1704-17-0x0000000076120000-0x0000000076210000-memory.dmp

Filesize
960KB

Download
memory/1704-16-0x0000000076120000-0x0000000076210000-memory.dmp

Filesize
960KB

Download
memory/1704-15-0x0000000076136000-0x0000000076137000-memory.dmp

Filesize
4KB

Download
memory/1704-7-0x0000000000400000-0x0000000000F62000-memory.dmp

Filesize
11.4MB

Download
memory/1704-13-0x0000000076120000-0x0000000076210000-memory.dmp

Filesize
960KB

Download
memory/1704-8-0x0000000000400000-0x0000000000F62000-memory.dmp

Filesize
11.4MB

Download
memory/1704-12-0x0000000006090000-0x00000000062A2000-memory.dmp

Filesize
2.1MB

Download
memory/1704-11-0x00000000057B0000-0x00000000057BA000-memory.dmp

Filesize
40KB

Download
memory/1704-10-0x0000000005680000-0x0000000005712000-memory.dmp

Filesize
584KB

Download
memory/1704-9-0x00000000059E0000-0x0000000005F86000-memory.dmp

Filesize
5.6MB

Download
memory/1800-625-0x0000000140000000-0x00000001411B1000-memory.dmp

Filesize
17.7MB

Download
memory/1800-618-0x0000000140000000-0x00000001411B1000-memory.dmp

Filesize
17.7MB

Download
memory/1800-619-0x0000000140000000-0x00000001411B1000-memory.dmp

Filesize
17.7MB

Download
memory/1800-620-0x0000000140000000-0x00000001411B1000-memory.dmp

Filesize
17.7MB

Download
memory/1800-621-0x0000000140000000-0x00000001411B1000-memory.dmp

Filesize
17.7MB

Download
memory/3232-1029-0x0000000000920000-0x0000000001482000-memory.dmp

Filesize
11.4MB

Download