Resubmissions

14-11-2024 20:52

241114-zn37ystakn 10

14-11-2024 20:36

241114-zdndrashmd 8

Analysis

  • max time kernel
    769s
  • max time network
    781s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    14-11-2024 20:36

Errors

Reason
Machine shutdown

General

  • Target

    CuteVirusCollection

  • Size

    333KB

  • MD5

    bc72b3b37984e3a5206bcfa16229ac4c

  • SHA1

    f206c68165a2188cd7515dae7a7817b396a4473c

  • SHA256

    895c9cd797e4865711752484f0c0eea949e2e7bdddc01767433869fefff894c3

  • SHA512

    24c47c5ac0a2feb895d8cbe6d273a7665013425f8cf387e8222b785bb544f4b7a2d4e7ad248e85b7f54d05f92d6e09372171f515bd582065f8f1a21d88b63e85

  • SSDEEP

    6144:VTN0zpOL/saqkPV9FemLtcsDSsmwb9TvZJT3CqbMrhryf65NRPaCieMjAkvCJv1i:lN0zpOL/saqkPV9FemLtcsDSsmwb9Tvj

Malware Config

Signatures

  • Disables Task Manager via registry modification
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Modifies WinLogon 2 TTPs 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 2 IoCs
  • Modifies registry class 5 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\CuteVirusCollection
    1⤵
      PID:3812
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4052
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Subvert Trust Controls: Mark-of-the-Web Bypass
        • Checks processor information in registry
        • Modifies registry class
        • NTFS ADS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2240
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1656 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {176d1e00-646e-4452-b1a8-943636ac21c4} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" gpu
          3⤵
            PID:4660
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2376 -parentBuildID 20240401114208 -prefsHandle 2368 -prefMapHandle 2356 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9017026f-faed-47ad-8178-2f281d9b8983} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" socket
            3⤵
              PID:2760
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3060 -childID 1 -isForBrowser -prefsHandle 2972 -prefMapHandle 3164 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a3999bd-c522-4324-9374-53727e2234fb} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" tab
              3⤵
                PID:3624
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3436 -childID 2 -isForBrowser -prefsHandle 3600 -prefMapHandle 3596 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25e3b441-8f5a-4b25-b562-301f52652930} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" tab
                3⤵
                  PID:2964
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4172 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4044 -prefMapHandle 4164 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24c5db04-44f1-44ef-b740-733353642c1b} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" utility
                  3⤵
                  • Checks processor information in registry
                  PID:2360
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5388 -childID 3 -isForBrowser -prefsHandle 5380 -prefMapHandle 5376 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d8d9bfb-6bba-4754-9777-7770913fdef7} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" tab
                  3⤵
                    PID:1236
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5612 -childID 4 -isForBrowser -prefsHandle 5532 -prefMapHandle 5536 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8479d5a-3d1c-45a2-90e9-ff323d78cbed} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" tab
                    3⤵
                      PID:880
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 5 -isForBrowser -prefsHandle 5740 -prefMapHandle 5744 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0afeb08-9a53-4705-8dd4-f902cd234ff6} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" tab
                      3⤵
                        PID:4964
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6224 -childID 6 -isForBrowser -prefsHandle 6216 -prefMapHandle 6212 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {adc4295c-adb0-46f4-aadb-c653bc916869} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" tab
                        3⤵
                          PID:2448
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6156 -childID 7 -isForBrowser -prefsHandle 3552 -prefMapHandle 3548 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee15fa4d-fae2-4f2c-b0b4-0600c8ebcbec} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" tab
                          3⤵
                            PID:3384
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2776 -childID 8 -isForBrowser -prefsHandle 2772 -prefMapHandle 6576 -prefsLen 27401 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8d9980c-240f-4dae-9abc-01bcf0423bf5} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" tab
                            3⤵
                              PID:2316
                            • C:\Users\Admin\Downloads\000.exe
                              "C:\Users\Admin\Downloads\000.exe"
                              3⤵
                              • Executes dropped EXE
                              • Enumerates connected drives
                              • Modifies WinLogon
                              • Sets desktop wallpaper using registry
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of SetWindowsHookEx
                              PID:3732
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
                                4⤵
                                • System Location Discovery: System Language Discovery
                                PID:1560
                                • C:\Windows\SysWOW64\taskkill.exe
                                  taskkill /f /im explorer.exe
                                  5⤵
                                  • System Location Discovery: System Language Discovery
                                  • Kills process with taskkill
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3600
                                • C:\Windows\SysWOW64\taskkill.exe
                                  taskkill /f /im taskmgr.exe
                                  5⤵
                                  • System Location Discovery: System Language Discovery
                                  • Kills process with taskkill
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1340
                                • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                  wmic useraccount where name='Admin' set FullName='UR NEXT'
                                  5⤵
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1936
                                • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                  wmic useraccount where name='Admin' rename 'UR NEXT'
                                  5⤵
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:988
                                • C:\Windows\SysWOW64\shutdown.exe
                                  shutdown /f /r /t 0
                                  5⤵
                                    PID:4212
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3a15855 /state1:0x41c64e6d
    1⤵
      PID:4812

Network

MITRE ATT&CK Enterprise v15

Downloads

                            • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

                              Filesize

                              896KB

                              MD5

                              fb4e0124a703cc53581a13202b084bac

                              SHA1

                              f75755e764e47ae44140522873aab69fbbbf4033

                              SHA256

                              c16861a388687906b922152e581b4f636986958b1a64f9eb5b689bb0fe9c1148

                              SHA512

                              3bdeb9378e895ca3c95b2c5ae021ba644befd3a0e16530acbda2eae584f5cd6f21216abd8b03bac67ac9d48c7177cfaaee5df9509cb5a3f8bef1c44d5a746ab3

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

                              Filesize

                              9KB

                              MD5

                              7050d5ae8acfbe560fa11073fef8185d

                              SHA1

                              5bc38e77ff06785fe0aec5a345c4ccd15752560e

                              SHA256

                              cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

                              SHA512

                              a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\activity-stream.discovery_stream.json

                              Filesize

                              19KB

                              MD5

                              aeef4019622757b687597d717dcbe9c8

                              SHA1

                              ec6a7d84e9d68574db37049b0d73efa013d7c087

                              SHA256

                              98c9d0f1a6b7601a48cc4f19fc789ce954f0120cea2160e6ba100d742fb32fb8

                              SHA512

                              e74380b26486a4456178795771e859d7a632c210a1b9ce34db68bc3ba55c68064b5f1db4d7b22b70189a71c60e5695f52079f2a1d5fec069d84737065ba0de7e

                            • C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

                              Filesize

                              6.7MB

                              MD5

                              f2b7074e1543720a9a98fda660e02688

                              SHA1

                              1029492c1a12789d8af78d54adcb921e24b9e5ca

                              SHA256

                              4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966

                              SHA512

                              73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

                            • C:\Users\Admin\AppData\Local\Temp\one.rtf

                              Filesize

                              403B

                              MD5

                              6fbd6ce25307749d6e0a66ebbc0264e7

                              SHA1

                              faee71e2eac4c03b96aabecde91336a6510fff60

                              SHA256

                              e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690

                              SHA512

                              35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

                            • C:\Users\Admin\AppData\Local\Temp\rniw.exe

                              Filesize

                              76KB

                              MD5

                              9232120b6ff11d48a90069b25aa30abc

                              SHA1

                              97bb45f4076083fca037eee15d001fd284e53e47

                              SHA256

                              70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be

                              SHA512

                              b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

                            • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                              Filesize

                              479KB

                              MD5

                              09372174e83dbbf696ee732fd2e875bb

                              SHA1

                              ba360186ba650a769f9303f48b7200fb5eaccee1

                              SHA256

                              c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                              SHA512

                              b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                            • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                              Filesize

                              13.8MB

                              MD5

                              0a8747a2ac9ac08ae9508f36c6d75692

                              SHA1

                              b287a96fd6cc12433adb42193dfe06111c38eaf0

                              SHA256

                              32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                              SHA512

                              59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                            • C:\Users\Admin\AppData\Local\Temp\windl.bat

                              Filesize

                              771B

                              MD5

                              a9401e260d9856d1134692759d636e92

                              SHA1

                              4141d3c60173741e14f36dfe41588bb2716d2867

                              SHA256

                              b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

                              SHA512

                              5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\AlternateServices.bin

                              Filesize

                              6KB

                              MD5

                              c63f00986f29ec79040a1e5fc98d130f

                              SHA1

                              261bc9cf14f2eedbcc34372140d78f72f449bad7

                              SHA256

                              1e4246bae8cdab5080eb5c708a116fb8b59167fbd7aa5391dc38139ae27b4ce1

                              SHA512

                              df2f0343e911eb7c14e15ae1279f1ac03cc8c967ee2fbc43cb38234871f052fce015d24d805c6e96001193419ac4a7bd81d23117496e4bb1ffc95a4cfe6a7c65

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\AlternateServices.bin

                              Filesize

                              12KB

                              MD5

                              f85bc47c4e58791fef218e283290c4cb

                              SHA1

                              0fe0958cc5088cb40328fe6f1096f087101ce09e

                              SHA256

                              d732020a8333651127eaf0032beca3b66f51f7549fa903a88d889526ea56f870

                              SHA512

                              6b29636f6a4cc04eb482279b7e61cae34395efeb325769fb334825e622a1f91371a07c45a4e804844e8049557b40b9c00fb86d4405b6da9d8253434bd88a7140

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

                              Filesize

                              6KB

                              MD5

                              f81d32891d00c2c86d7c497c9533f444

                              SHA1

                              05f82382560e778a5b451047aba0208f19c45aa9

                              SHA256

                              f5013ca5d0c46c4408e240810945377674feb5c3af3e8ccaf60592958b49cae7

                              SHA512

                              f17b602bc369b5ea884febc3d1342c25378a78595b213a92fde73b19c7dc6f82d5c5df374cbfd9d8aed3e00563028f865d3a13165354474802cf8bcfc33c6600

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

                              Filesize

                              6KB

                              MD5

                              f18013a32e540122abca322bad127080

                              SHA1

                              ab7cb17284a896e20a8067285eb389d2a9736627

                              SHA256

                              60824381ef22049603494182f8e07f5ade7c9e45f9ac381f9ae487da0d073bd0

                              SHA512

                              19fca2b5a9d6cf6947446d9e7432a45336b4cab08700cdbc4ea1b1bafd720fdc83376781ac2a60c03a90993a95cb42b106f80ca5db6ccd89784e7c5eae4833de

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

                              Filesize

                              6KB

                              MD5

                              ec3da449089ba2d690ef3933ad560dcb

                              SHA1

                              f069911ec35c5479ab04eeb75bd79ab7c393091b

                              SHA256

                              0bc3a2248755077e90a2b470589f339ace3e0a48aab7c422345e1e1ff0a264ea

                              SHA512

                              f43ada4ded7105c977a19ce71646464836ca4bebcdad49afbfe8fe9da604f8ad9e445b3554c52ed14f0a524ee7d6caab96eca4ae8a28f57dcb95005a787c656f

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

                              Filesize

                              5KB

                              MD5

                              7834ba671a9224a6cdd98c675f4c57ad

                              SHA1

                              19c847df051953b583d8638aa297ff6636197b9c

                              SHA256

                              2f86474b4a0eda89fdc2abc429b37f5715cd652adc1a65178fb9761339ceee91

                              SHA512

                              4a578f5b824de7da65b7b3b52dcbe427634cd3feee151726c6ccb2e0766e013c137dad09cb9a6837b1eceab8475b28a1072f4c3e23845a7ae9bf722175bf5268

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

                              Filesize

                              6KB

                              MD5

                              3529f09411ceed10b216a8284ca0f336

                              SHA1

                              ab61764fc41c441dfbfdac1802bc60106358c7b3

                              SHA256

                              7fbcb05f88b18c95123bc95b1c4dbaff5bc48d9728e42cb60daf93a72e8d96cd

                              SHA512

                              3f926dddc4164fe967a21dc729c358b1bcca4918ad4dfc7cff6a36bedf26db9d623a797a4a50dc373b9ff356a4973ce0f02f6acf8923d1e1d5d08d5e235a08e7

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

                              Filesize

                              43KB

                              MD5

                              eb63c896f53d813b2c4b4e982a358732

                              SHA1

                              02938a7f1c95a03df1901bfa55d3e56219c92e38

                              SHA256

                              93708c180f7c091587a78a76b964e759977108d939a010db70b4c353a169bfe5

                              SHA512

                              22c1b3af03fa7260c60a2673dd8cd35d5a70afe0c8b879e04485d6108631c677035731a5289958ee10a8acf1e68cc18c4dc5c0152c314d2bb8702ca628a7d06c

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\450abaf6-3091-400f-ac18-f01d6093a6a9

                              Filesize

                              671B

                              MD5

                              ef351fd3d5531dc9c8faf2b8425460b6

                              SHA1

                              35df6f56af2c187bf9a29a05bd6f7ede5159ce9e

                              SHA256

                              3d7c7e390ceb2ac26888e1c009d6c58515b3529171d141f0d60e2e82a9048b4d

                              SHA512

                              9b67d461bf90dcdd4c36c11d5798e0b5d9e96fb200ee003f7f951b4ce39d187e361825e91b4bfab67fef5abb04490477edafb383e29250596e0288131a390104

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\7fad0d7a-3739-4d0a-8bec-2e83238fc3a4

                              Filesize

                              982B

                              MD5

                              d0144b08648a0c0e4e52c2660c41a351

                              SHA1

                              5dd35233e1c3e2c46c5768f54c87c860fc2bf15a

                              SHA256

                              91860300927d459186f53f763c4dd4a26fee09501f4fc01d51f5e8863aeaf699

                              SHA512

                              c90c16c47183bd551e63a12bf896f0173e3b9cc1d7798798b9aee130bcb083d3c920849801b3b8a3af48d6dbd06b835bdf9b55c88a1a759c7ce6bd057a0b2bed

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\c33ffdd2-4c79-4101-abd5-33c6362541d1

                              Filesize

                              23KB

                              MD5

                              1bcc0822b3c4ab66eac80cb9462436ed

                              SHA1

                              c6bdb4d540ea531e74cb1dde31c535d61d4a9258

                              SHA256

                              02cf68e83929ecd49a9df50b951a8930ce46a81823eadc69730601e2d7bca99a

                              SHA512

                              4f8f2a82e9beb9ab9de5ba88b8897a839a37092881e1b5227f7ed145392f4c8785990b39f960cdd1db78548796893c1cce31f9b62d9da32af578c92a23d107e0

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

                              Filesize

                              1.1MB

                              MD5

                              842039753bf41fa5e11b3a1383061a87

                              SHA1

                              3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                              SHA256

                              d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                              SHA512

                              d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

                              Filesize

                              116B

                              MD5

                              2a461e9eb87fd1955cea740a3444ee7a

                              SHA1

                              b10755914c713f5a4677494dbe8a686ed458c3c5

                              SHA256

                              4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                              SHA512

                              34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

                              Filesize

                              372B

                              MD5

                              bf957ad58b55f64219ab3f793e374316

                              SHA1

                              a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                              SHA256

                              bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                              SHA512

                              79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

                              Filesize

                              17.8MB

                              MD5

                              daf7ef3acccab478aaa7d6dc1c60f865

                              SHA1

                              f8246162b97ce4a945feced27b6ea114366ff2ad

                              SHA256

                              bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                              SHA512

                              5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs-1.js

                              Filesize

                              11KB

                              MD5

                              af46171c7a325e24b3abea517068155f

                              SHA1

                              7188f2c982dff650737129f3177c409187058ea8

                              SHA256

                              603534cc030af5df68f156cfca981a907d13cfef77e1aea3e4edc3732851152f

                              SHA512

                              c9c8c48e034b02f5088b39e2152617c9b6b9acbda502f99c60c445803f86d8808c3c6cb7b11b208f56bc6ab1827a55795f6c30d6f97fb8d6a01339b8ce59eb6f

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs-1.js

                              Filesize

                              12KB

                              MD5

                              bc423f273ca1c1ceb5d79a75fd2b0a17

                              SHA1

                              ca81e0ac1c3995d1ea540addda3fdb30827e48ec

                              SHA256

                              bb46ebb57d7588008b6b86029d3e5ee44c800d512677d15f7aed307d42ca05e4

                              SHA512

                              d1c45bfcc4e54eb70b14a0f91a0a51f77efc2d1692fa518ba0c6e91ee41ad4c22af4668f9192c435109cd644e517891e3c099f2d1aa63478c28440a6bc546cbb

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs.js

                              Filesize

                              11KB

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs.js

                              Filesize

                              10KB

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs.js

                              Filesize

                              12KB

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionCheckpoints.json.tmp

                              Filesize

                              259B

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

                              Filesize

                              9KB

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

                              Filesize

                              3KB

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

                              Filesize

                              9KB

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

                              Filesize

                              9KB

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

                              Filesize

                              7KB

                            • C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt

                              Filesize

                              396B

                            • C:\Users\Admin\Downloads\000.exe:Zone.Identifier

                              Filesize

                              50B

                            • memory/3732-811-0x0000000000530000-0x0000000000BDE000-memory.dmp

                              Filesize

                              6.7MB

                            • memory/3732-839-0x000000000BBB0000-0x000000000BBC0000-memory.dmp

                              Filesize

                              64KB

                            • memory/3732-838-0x000000000BBB0000-0x000000000BBC0000-memory.dmp

                              Filesize

                              64KB

                            • memory/3732-836-0x000000000BBB0000-0x000000000BBC0000-memory.dmp

                              Filesize

                              64KB

                            • memory/3732-843-0x000000000BB70000-0x000000000BB80000-memory.dmp

                              Filesize

                              64KB

                            • memory/3732-844-0x000000000BB70000-0x000000000BB80000-memory.dmp

                              Filesize

                              64KB

                            • memory/3732-846-0x000000000BBB0000-0x000000000BBC0000-memory.dmp

                              Filesize

                              64KB

                            • memory/3732-847-0x000000000BB70000-0x000000000BB80000-memory.dmp

                              Filesize

                              64KB

                            • memory/3732-845-0x000000000BBB0000-0x000000000BBC0000-memory.dmp

                              Filesize

                              64KB

                            • memory/3732-837-0x000000000BBB0000-0x000000000BBC0000-memory.dmp

                              Filesize

                              64KB

                            • memory/3732-832-0x000000000B960000-0x000000000B998000-memory.dmp

                              Filesize

                              224KB

                            • memory/3732-833-0x000000000B920000-0x000000000B92E000-memory.dmp

                              Filesize

                              56KB

                            • memory/3732-1666-0x00000000746EE000-0x00000000746EF000-memory.dmp

                              Filesize

                              4KB

                            • memory/3732-1667-0x00000000746E0000-0x0000000074E91000-memory.dmp

                              Filesize

                              7.7MB

                            • memory/3732-821-0x00000000746E0000-0x0000000074E91000-memory.dmp

                              Filesize

                              7.7MB

                            • memory/3732-813-0x0000000005E10000-0x00000000063B6000-memory.dmp

                              Filesize

                              5.6MB

                            • memory/3732-1705-0x00000000746E0000-0x0000000074E91000-memory.dmp

                              Filesize

                              7.7MB

                            • memory/3732-812-0x00000000746E0000-0x0000000074E91000-memory.dmp

                              Filesize

                              7.7MB

                            • memory/3732-810-0x00000000746EE000-0x00000000746EF000-memory.dmp

                              Filesize

                              4KB