Analysis
-
max time kernel
434s -
max time network
440s -
platform
windows11-21h2_x64 -
resource
win11-20250313-en -
resource tags
arch:x64 arch:x86 image:win11-20250313-en locale:en-us os:windows11-21h2-x64 system
submitted
19/03/2025, 17:36
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Trojan
Resource
win11-20250313-en
Errors
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Trojan
Malware Config
Extracted
modiloader
https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download
Extracted
crimsonrat
185.136.161.124
Signatures
-
CrimsonRAT main payload 1 IoCs
resource | yara_rule
behavioral1/files/0x000f00000002ba50-5726.dat | family_crimsonrat
CrimsonRat
Crimson RAT is a remote-access trojan attributed to a Pakistan-linked threat actor.
-
Crimsonrat family
-
ModiLoader, DBatLoader
ModiLoader (also tracked as DBatLoader) is a Delphi-written loader that abuses legitimate cloud file-hosting services to fetch and stage other malware families; the Google Drive download URL in the extracted config above is that staging link.
-
Modiloader family
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Revengerat family
-
RevengeRat Executable 1 IoCs
resource | yara_rule
behavioral1/files/0x001700000002ba61-5913.dat | revengerat
Disables Task Manager via registry modification
-
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | RegSvcs.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:Zone.Identifier:$DATA | RegSvcs.exe
Executes dropped EXE 2 IoCs
pid | Process
6860 | dlrarhsiva.exe
696 | Server.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steals credentials from unsecured files.
-
Uses the VB.NET compiler (vbc.exe) for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\RAT\\VanToM-Rat.bat" | VanToM-Rat.bat
Set value (str) | \REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\VanToM Folder\\Server.exe" | Server.exe
Drops desktop.ini file(s) 3 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Documents\desktop.ini | firefox.exe
File opened for modification | C:\Users\Public\desktop.ini | firefox.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | firefox.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 drive roots, every letter except C, D and F) | 000.exe
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 drive roots, every letter except C, D and F) | ChilledWindows.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow | ioc
76 | drive.google.com
78 | drive.google.com
80 | 0.tcp.ngrok.io
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000\Control Panel\Desktop\Wallpaper | 000.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 5208 set thread context of 5408 | 5208 | RevengeRAT.exe | 119
PID 5408 set thread context of 1692 | 5408 | RegSvcs.exe | 120
Drops file in Program Files directory 10 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Briano\UWPHook\MaterialDesignColors.dll | AgentTesla.exe
File created | C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.dll | AgentTesla.exe
File created | C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.xml | AgentTesla.exe
File created | C:\Program Files (x86)\Briano\UWPHook\Microsoft.Management.Infrastructure.dll | AgentTesla.exe
File created | C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.xml | AgentTesla.exe
File created | C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe | AgentTesla.exe
File created | C:\Program Files (x86)\Briano\UWPHook\SharpSteam.dll | AgentTesla.exe
File created | C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.dll | AgentTesla.exe
File created | C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe.config | AgentTesla.exe
File created | C:\Program Files (x86)\Briano\UWPHook\VDFParser.dll | AgentTesla.exe
Program crash 3 IoCs
pid | pid_target | Process | procid_target
1216 | 4760 | WerFault.exe | 93
3772 | 6912 | WerFault.exe | 147
2364 | 6912 | WerFault.exe | 147
System Location Discovery: System Language Discovery 1 TTPs 33 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. In this run most hits come from Microsoft's own binaries (cvtres.exe, vbc.exe, WMIC.exe, taskkill.exe, cmd.exe) that the RATs spawned and that read this key during normal locale initialisation; the discriminating rows are the ones attributed to the sample binaries themselves.
description | ioc | Process (rows)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe (8), vbc.exe (8), NetWire.exe (2), RegSvcs.exe (2), WMIC.exe (2), taskkill.exe (2), 000.exe (1), AgentTesla.exe (1), Avoid.exe (1), Curfun.exe (1), Launcher.exe (1), WindowsUpdate.exe (1), WinNuke.98.exe (1), YouAreAnIdiot.exe (1), cmd.exe (1)
Checks processor information in registry 2 TTPs 18 IoCs
Processor information is often read in order to detect sandboxing environments. Every hit in this run comes from firefox.exe, which reads CPU identity and clock values during normal startup and telemetry, so here the signature is baseline noise rather than evidence of sandbox evasion by the samples.
description | ioc | Process (rows)
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe (7)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe (7)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe (1)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe (1)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe (1)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe (1)
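The three registry/file signatures above (drive enumeration, NLS\Language reads, CentralProcessor queries) share one flattened row layout: an action verb, an IoC path, and the process name as the last token. The following Python is an added example, not part of the sandbox report or its tooling: it parses rows in that layout, aggregates them per process, and applies the triage rules discussed above (many non-C: drive roots opened by one process; which processes read the locale key; which CPU values a process queried). The sample rows are a subset transcribed from the tables above, and the drive-count threshold is this example's own choice.

```python
import re
from collections import Counter, defaultdict

# Row shapes used by the sandbox signature tables, e.g.
#   "File opened (read-only) \??\H: 000.exe"
#   "Key opened \REGISTRY\MACHINE\...\NLS\Language vbc.exe"
#   "Key value queried \REGISTRY\MACHINE\...\CentralProcessor\0\~Mhz firefox.exe"
# The process name is the last whitespace-free token ending in .exe;
# the IoC is everything between the action verb and that token.
ROW_RE = re.compile(
    r"(File opened \(read-only\)|Key value queried|Key opened)\s+(.+?)\s+(\S+\.exe)(?=\s|$)",
    re.IGNORECASE,
)

# Subset of the report's own rows (drive enumeration, NLS\Language, CentralProcessor).
SAMPLE = " ".join([
    r"File opened (read-only) \??\H: 000.exe",
    r"File opened (read-only) \??\I: 000.exe",
    r"File opened (read-only) \??\M: 000.exe",
    r"File opened (read-only) \??\S: 000.exe",
    r"File opened (read-only) \??\T: 000.exe",
    r"File opened (read-only) \??\X: 000.exe",
    r"File opened (read-only) \??\B: ChilledWindows.exe",
    r"File opened (read-only) \??\H: ChilledWindows.exe",
    r"File opened (read-only) \??\Q: ChilledWindows.exe",
    r"File opened (read-only) \??\S: ChilledWindows.exe",
    r"File opened (read-only) \??\V: ChilledWindows.exe",
    r"File opened (read-only) \??\Y: ChilledWindows.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Launcher.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NetWire.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NetWire.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe",
])

def parse_rows(text):
    """Return (action, ioc, process) tuples from flattened report text."""
    return [(a, ioc, proc) for a, ioc, proc in ROW_RE.findall(text)]

def drive_enumeration(rows, min_drives=10):
    """Processes that opened at least min_drives distinct non-C: drive roots (threshold is ours)."""
    drives = defaultdict(set)
    for _action, ioc, proc in rows:
        m = re.fullmatch(r"\\\?\?\\([A-Z]):", ioc)
        if m and m.group(1) != "C":
            drives[proc].add(m.group(1))
    return {p: sorted(d) for p, d in drives.items() if len(d) >= min_drives}

def language_reads(rows):
    """Count NLS\\Language reads per process (locale fingerprinting, pivot on the process name)."""
    counts = Counter()
    for _action, ioc, proc in rows:
        if ioc.lower().endswith(r"\control\nls\language"):
            counts[proc] += 1
    return dict(counts)

def cpu_reads(rows):
    """CentralProcessor values queried per process; a browser querying ~Mhz is baseline, a dropper is not."""
    out = defaultdict(Counter)
    for action, ioc, proc in rows:
        if action.lower() == "key value queried" and "centralprocessor" in ioc.lower():
            out[proc][ioc.rsplit("\\", 1)[-1]] += 1
    return {p: dict(c) for p, c in out.items()}

if __name__ == "__main__":
    rows = parse_rows(SAMPLE)
    print("drive enumeration:", drive_enumeration(rows, min_drives=5))
    print("NLS\\Language reads:", language_reads(rows))
    print("CPU values queried:", cpu_reads(rows))
```

Run against the full 46-row drive table the default threshold of 10 fires for both 000.exe and ChilledWindows.exe (each touched 23 roots); on the subset embedded here it only fires when the threshold is lowered, which is the point of keeping the threshold a parameter rather than a constant.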
Kills process with taskkill 2 IoCs
pid | Process
6996 | taskkill.exe
6272 | taskkill.exe
Modifies registry class 10 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\Local Settings | firefox.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1736937623-2710279395-1526620350-1000\{E257697A-3492-4991-AC2D-C3EE83833809} | ChilledWindows.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | BackgroundTransferHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico" | 000.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | BackgroundTransferHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | BackgroundTransferHost.exe
Key created | \REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\Local Settings\MuiCache | BackgroundTransferHost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon | 000.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile | 000.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1736937623-2710279395-1526620350-1000\{49185B7A-0ACC-4F5C-92ED-AC3DF3B44494} | 000.exe
NTFS ADS 3 IoCs
description | ioc | Process
File created | C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe\:Zone.Identifier:$DATA | VanToM-Rat.bat
File created | C:\svchost\svchost.exe\:Zone.Identifier:$DATA | RegSvcs.exe
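The "Drops startup file", "Adds Run key to start application" and "NTFS ADS" signatures above are the persistence and provenance evidence in this run: a Run value pointing at a .bat in Downloads and at an .exe in AppData, a file named svchost.exe dropped in the per-user Startup folder, and Zone.Identifier streams written on dropped payloads. The following Python is an added example, not the sandbox's code: it takes those artefacts (transcribed from the rows above, plus one constructed benign control) and applies the checks an analyst applies by eye: autostart target in a user-writable path, system-binary name outside System32/SysWOW64, script launched from Run, and Mark-of-the-Web written by something other than a browser. The trusted-root, system-name and browser lists are this example's own.

```python
import ntpath  # Windows path semantics regardless of host OS

# Persistence artefacts transcribed from the report rows above as (kind, path, process).
# kind: "run_value"    target of a HKCU ...\CurrentVersion\Run value
#       "startup_file" file dropped into the per-user Startup folder
#       "ads"          named NTFS stream created on a file (report writes '\:' before the stream)
SAMPLE_ARTEFACTS = [
    ("run_value", r"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\VanToM-Rat.bat", "VanToM-Rat.bat"),
    ("run_value", r"C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe", "Server.exe"),
    ("startup_file", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe", "RegSvcs.exe"),
    ("ads", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:Zone.Identifier:$DATA", "RegSvcs.exe"),
    ("ads", r"C:\svchost\svchost.exe\:Zone.Identifier:$DATA", "RegSvcs.exe"),
    ("ads", r"C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier", "firefox.exe"),
    # constructed benign control: a vendor updater registered under Run from Program Files
    ("run_value", r"C:\Program Files\Vendor\Updater.exe", "msiexec.exe"),
]

# Example's own lists; tune them for your estate.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "wininit.exe", "services.exe", "explorer.exe"}
SCRIPT_EXT = {".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".ps1", ".hta", ".wsf"}
MOTW_WRITERS = {"firefox.exe", "chrome.exe", "msedge.exe", "explorer.exe"}  # legitimately tag downloads

def split_stream(path):
    """Split 'file:stream:$DATA' into (file, stream or None), dropping the report's '\\:' quoting."""
    p = path.replace("\\:", ":")
    drive, rest = ntpath.splitdrive(p)
    if ":" in rest:
        file_part, stream = rest.split(":", 1)
        return drive + file_part, stream.split(":")[0]
    return p, None

def assess(kind, path, process):
    """Return the list of reasons an artefact is suspicious (empty list means benign by these rules)."""
    file_path, stream = split_stream(path)
    low = file_path.lower()
    name = ntpath.basename(low)
    ext = ntpath.splitext(name)[1]
    reasons = []
    if name in SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS):
        reasons.append(f"system binary name {name} outside System32/SysWOW64")
    if kind == "ads":
        if stream and stream.lower() == "zone.identifier" and process.lower() not in MOTW_WRITERS:
            reasons.append(f"Zone.Identifier written by {process}: Mark-of-the-Web propagated onto a dropped payload")
        return reasons
    if not low.startswith(TRUSTED_ROOTS):
        reasons.append("autostart target lives in a user-writable location")
    if kind == "run_value" and ext in SCRIPT_EXT:
        reasons.append(f"Run value launches a script ({ext})")
    if kind == "startup_file":
        reasons.append("file dropped into the per-user Startup folder")
    return reasons

def classify(artefacts):
    """Keep only artefacts with at least one reason, preserving report order."""
    findings = []
    for kind, path, process in artefacts:
        reasons = assess(kind, path, process)
        if reasons:
            findings.append({"kind": kind, "path": path, "process": process, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in classify(SAMPLE_ARTEFACTS):
        print(f"{f['process']:>16}  {f['kind']:<12} {f['path']}")
        for r in f["reasons"]:
            print("                   -", r)
```

The firefox.exe row is deliberately not flagged: a browser writing Zone.Identifier on a download is how Mark-of-the-Web is supposed to work. The same stream appearing on svchost.exe written by RegSvcs.exe is the interesting case, because it says the dropped file was copied from the downloaded archive rather than generated in memory.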
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process (rows)
5792 | WindowsUpdate.exe (2)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process (aggregated from 64 rows)
Token: SeDebugPrivilege (8) | 4360 | firefox.exe
Token: SeShutdownPrivilege (3), SeCreatePagefilePrivilege (3) | 3424 | ChilledWindows.exe
Token: 33, SeIncBasePriorityPrivilege | 4228 | AUDIODG.EXE
Token: SeDebugPrivilege | 5208 | RevengeRAT.exe
Token: SeDebugPrivilege | 5408 | RegSvcs.exe
Token: SeDebugPrivilege | 6272 | taskkill.exe
Token: SeShutdownPrivilege (3), SeCreatePagefilePrivilege (3) | 6912 | 000.exe
Token: SeDebugPrivilege | 6996 | taskkill.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege (each twice); 33, 34, 35, 36 (once) | 5488 | WMIC.exe
Suspicious use of FindShellTrayWindow 33 IoCs
pid | Process (rows)
4360 | firefox.exe (26)
3424 | ChilledWindows.exe (1)
4392 | Avoid.exe (1)
5792 | WindowsUpdate.exe (3)
7056 | VanToM-Rat.bat (1)
696 | Server.exe (1)
Suspicious use of SendNotifyMessage 3 IoCs
pid | Process (rows)
5792 | WindowsUpdate.exe (3)
Suspicious use of SetWindowsHookEx 21 IoCs
pid | Process (rows)
4360 | firefox.exe (16)
5712 | AgentTesla.exe (1)
7056 | VanToM-Rat.bat (1)
696 | Server.exe (1)
6912 | 000.exe (2)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (aggregated from 64 rows)
PID 812 wrote to memory of 4360 (11 rows) | 812 | firefox.exe | 80
PID 4360 wrote to memory of 4224 (45 rows) | 4360 | firefox.exe | 82
PID 4360 wrote to memory of 576 (8 rows) | 4360 | firefox.exe | 83
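The "Suspicious use of SetThreadContext" rows above are the only real injection evidence on this page: RevengeRAT.exe sets the thread context of a RegSvcs.exe child, which then does the same to a second RegSvcs.exe, the classic suspended-child hollowing pattern on a signed .NET utility. The WriteProcessMemory rows, by contrast, are all firefox.exe writing into its own content processes, which is how the browser's multi-process model works. The following Python is an added example, not sandbox code: it parses both row shapes, de-duplicates them, resolves PIDs to image names using the process tree further down the page, and keeps only the edges that match a hollowing pattern. The pid-to-image map is transcribed from the process tree; the list of commonly hollowed host binaries is this example's own.

```python
import re

# Row shapes from the two tables above:
#   "PID 5208 set thread context of 5408 5208 RevengeRAT.exe 119"
#   "PID 812 wrote to memory of 4360 812 firefox.exe 80"
# i.e. PID <src> <verb> <dst> <src> <src image> <target procid>; \1 enforces the repeated src pid.
EDGE_RE = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \1 (\S+) (\d+)")

# pid -> image, transcribed from the process tree later on this page.
IMAGES = {812: "firefox.exe", 4360: "firefox.exe", 4224: "firefox.exe", 576: "firefox.exe",
          5208: "RevengeRAT.exe", 5408: "RegSvcs.exe", 1692: "RegSvcs.exe"}

# Signed Microsoft binaries under %WINDIR% that injectors routinely hollow (example's own list).
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe",
                "applaunch.exe", "aspnet_compiler.exe", "vbc.exe", "csc.exe"}

# Sample rows transcribed from the report (repeats kept to exercise de-duplication).
SAMPLE = " ".join(
    ["PID 5208 set thread context of 5408 5208 RevengeRAT.exe 119",
     "PID 5408 set thread context of 1692 5408 RegSvcs.exe 120"]
    + ["PID 812 wrote to memory of 4360 812 firefox.exe 80"] * 3
    + ["PID 4360 wrote to memory of 4224 4360 firefox.exe 82"] * 2
    + ["PID 4360 wrote to memory of 576 4360 firefox.exe 83"]
)

def parse_edges(text):
    """Return de-duplicated (src_pid, verb, dst_pid, src_image) edges in first-seen order."""
    seen, edges = set(), []
    for src, verb, dst, image, _target in EDGE_RE.findall(text):
        edge = (int(src), verb, int(dst), image)
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges

def flag_injection(edges, images):
    """Edges that look like hollowing/injection rather than a parent managing its own children."""
    findings = []
    for src, verb, dst, src_image in edges:
        dst_image = images.get(dst, "?")
        same_image = src_image.lower() == dst_image.lower()
        reasons = []
        if verb == "set thread context of":
            if not same_image:
                reasons.append("SetThreadContext on a child with a different image (hollowing pattern)")
            if dst_image.lower() in HOLLOW_HOSTS:
                reasons.append(f"target {dst_image} is a commonly hollowed .NET utility")
            if src_image.lower() in HOLLOW_HOSTS:
                reasons.append(f"{src_image} re-injecting into a child has no legitimate use")
        elif verb == "wrote to memory of" and not same_image:
            reasons.append("cross-image WriteProcessMemory")
        if reasons:
            findings.append({"src": src, "dst": dst, "src_image": src_image,
                             "dst_image": dst_image, "reasons": reasons})
    return findings

def injection_chain(edges, images, root):
    """Follow SetThreadContext edges from root, e.g. RevengeRAT -> RegSvcs -> RegSvcs."""
    nxt = {s: d for s, v, d, _ in edges if v == "set thread context of"}
    chain, pid, seen = [], root, set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append(f"{images.get(pid, '?')}({pid})")
        pid = nxt.get(pid)
    return chain

if __name__ == "__main__":
    edges = parse_edges(SAMPLE)
    for f in flag_injection(edges, IMAGES):
        print(f"{f['src_image']}({f['src']}) -> {f['dst_image']}({f['dst']}): {'; '.join(f['reasons'])}")
    print(" -> ".join(injection_chain(edges, IMAGES, 5208)))
```

The second hop (RegSvcs.exe 5408 into RegSvcs.exe 1692) is same-image and would slip past a rule that only compares image names; it is caught because RegSvcs.exe is itself on the hollow-host list, and the process tree confirms the hollowed 5408 then spawns vbc.exe and cvtres.exe to compile code at runtime.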
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Depth 1: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Trojan"
  - Suspicious use of WriteProcessMemory
  PID: 812
  Depth 2: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Trojan
    - Drops desktop.ini file(s)
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4360
    Depth 3: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1980 -prefsLen 27097 -prefMapHandle 1984 -prefMapSize 270279 -ipcHandle 2064 -initialChannelId {cb43919c-6d85-4016-99ab-89ed2166e396} -parentPid 4360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4360" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
      PID: 4224
    Depth 3: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2408 -prefsLen 27133 -prefMapHandle 2424 -prefMapSize 270279 -ipcHandle 2440 -initialChannelId {667f93a8-2d69-4b87-a13f-2bab6450832e} -parentPid 4360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4360" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
      PID: 576
    Depth 3: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3976 -prefsLen 25213 -prefMapHandle 3980 -prefMapSize 270279 -jsInitHandle 3984 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3992 -initialChannelId {abe5718f-1d0b-4556-ad21-daa611454f76} -parentPid 4360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4360" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
      - Checks processor information in registry
      PID: 4040
    Depth 3: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4204 -prefsLen 27323 -prefMapHandle 4208 -prefMapSize 270279 -ipcHandle 4276 -initialChannelId {4bf6dda0-d41a-4508-af3e-3f246b131c17} -parentPid 4360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4360" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
      PID: 4280
    Depth 3: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 1660 -prefsLen 34822 -prefMapHandle 1680 -prefMapSize 270279 -jsInitHandle 1336 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2644 -initialChannelId {95c3a7a9-4840-4de8-84ce-50c6e6cef06d} -parentPid 4360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4360" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
      - Checks processor information in registry
      PID: 3960
    Depth 3: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5064 -prefsLen 35010 -prefMapHandle 5068 -prefMapSize 270279 -ipcHandle 5076 -initialChannelId {becbf0d2-7b3f-46ae-8950-1349baa7ddc4} -parentPid 4360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4360" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
      - Checks processor information in registry
      PID: 5396
    Depth 3: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5724 -prefsLen 32952 -prefMapHandle 5712 -prefMapSize 270279 -jsInitHandle 2848 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2880 -initialChannelId {39c8f8b8-61ee-494a-9a8e-ea7308deecad} -parentPid 4360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4360" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
      - Checks processor information in registry
      PID: 1836
    Depth 3: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5712 -prefsLen 32952 -prefMapHandle 5844 -prefMapSize 270279 -jsInitHandle 5860 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5868 -initialChannelId {da5d7123-43e5-4dda-845b-51995bc61f7e} -parentPid 4360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4360" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
      - Checks processor information in registry
      PID: 1056
    Depth 3: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6036 -prefsLen 32952 -prefMapHandle 6040 -prefMapSize 270279 -jsInitHandle 6044 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6052 -initialChannelId {e8a0a90e-702c-4a17-8487-f7a55c643e8d} -parentPid 4360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4360" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
      - Checks processor information in registry
      PID: 4960
-
Depth 1: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 812
-
Depth 1: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe"
  - System Location Discovery: System Language Discovery
  PID: 4760
  Depth 2: C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1456
    - Program crash
    PID: 1216
-
Depth 1: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4760 -ip 4760
  PID: 1672
-
Depth 1: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\ChilledWindows.exe"
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 3424
-
Depth 1: C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004D8
  - Suspicious use of AdjustPrivilegeToken
  PID: 4228
-
Depth 1: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID: 4392
-
Depth 1: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\CookieClickerHack.exe"
  PID: 5260
-
Depth 1: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Curfun.exe"
  - System Location Discovery: System Language Discovery
  PID: 2896
-
Depth 1: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Launcher.exe"
  - System Location Discovery: System Language Discovery
  PID: 1008
-
Depth 1: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\rickroll.exe"
  PID: 200
-
Depth 1: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\WindowsUpdate.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 5792
-
Depth 1: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\AgentTesla.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID: 5712
-
Depth 1: C:\Windows\system32\BackgroundTransferHost.exe ("BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13)
  - Modifies registry class
  PID: 5720
-
Depth 1: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"
  - System Location Discovery: System Language Discovery
  PID: 5520
  Depth 2: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"
    - System Location Discovery: System Language Discovery
    PID: 5936
-
Depth 1: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"
  PID: 6604
  Depth 2: "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    - Executes dropped EXE
    PID: 6860
-
Depth 1: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\VanToM-Rat.bat"
  - Adds Run key to start application
  - NTFS ADS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID: 7056
  Depth 2: "C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID: 696
-
-
Depth 1: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID: 5208
  Depth 2: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    - Drops startup file
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    PID: 5408
    Depth 3: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      - System Location Discovery: System Language Discovery
      PID: 1692
    Depth 3: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oe8mbkdn.cmdline"
      - System Location Discovery: System Language Discovery
      PID: 5000
      Depth 4: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES96A5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc60E7E82F6B7E4017A2768DDC9EE01DDB.TMP"
        - System Location Discovery: System Language Discovery
        PID: 3772
    Depth 3: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pxldtxzk.cmdline"
      - System Location Discovery: System Language Discovery
      PID: 5756
      Depth 4: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9703.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc210751CADBB34CA6958228F6ADA0F.TMP"
        - System Location Discovery: System Language Discovery
        PID: 5832
    Depth 3: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s7sjnlhj.cmdline"
      - System Location Discovery: System Language Discovery
      PID: 2980
      Depth 4: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9751.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc240AB652445B45299112EC106BF793BD.TMP"
        - System Location Discovery: System Language Discovery
        PID: 3004
    Depth 3: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_m9wo7qw.cmdline"
- System Location Discovery: System Language Discovery
PID:3516 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES97AF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8857444119A94BBA87B8C8AA76C2AF46.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:3952
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m2xhjeet.cmdline"3⤵
- System Location Discovery: System Language Discovery
PID:2220 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES980C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5BEEEA9CD2C441D489D8679E4195656.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:1752
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7c3ubzvk.cmdline"3⤵
- System Location Discovery: System Language Discovery
PID:1632 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES985B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA1D97366D264411EB12A6CE9DB2942.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:5928
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\azjr4sqs.cmdline"3⤵
- System Location Discovery: System Language Discovery
PID:2580 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98B8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC14B7A0DE6D3498289D861C44CBEFA4.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:644
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\akehvyw4.cmdline"3⤵
- System Location Discovery: System Language Discovery
PID:3716 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9916.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF4E2016A370D4E75912197C0228E3F8.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:6240
-
-
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe"1⤵
- System Location Discovery: System Language Discovery
PID:6552
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\000.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\000.exe"1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6912 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""2⤵
- System Location Discovery: System Language Discovery
PID:7108 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6272
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6996
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic useraccount where name='Admin' set FullName='UR NEXT'3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5488
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic useraccount where name='Admin' rename 'UR NEXT'3⤵
- System Location Discovery: System Language Discovery
PID:6188
-
-
C:\Windows\SysWOW64\shutdown.exeshutdown /f /r /t 03⤵PID:3592
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6912 -s 18522⤵
- Program crash
PID:3772
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6912 -s 38642⤵
- Program crash
PID:2364
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6912 -ip 69121⤵PID:1440
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6912 -ip 69121⤵PID:3608
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39ec055 /state1:0x41c64e6d1⤵PID:5872
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (3)
  - Credentials In Files (3)
Downloads

- Filesize: 7KB
  MD5: 77508eac550eba82cdfc8fd6bf7e7880
  SHA1: 2d2a15cf7a2af768f52dafc6258d0baa351673d2
  SHA256: c9a05bf799435193bf4b80798a013f1c12edbfeb7e453bbf68a7085b569c13db
  SHA512: 7d7a220d5f1d55415a1dfa6e963829af7ca50218794957fa9454b75ef655c6bb72282520b81b9c5b101ad6fe2bb15a7a0b8d454688acbb9c906fc0361b13790e

- Filesize: 8KB
  MD5: fd09d4c2cf0bccd4a44c2cce4d0d8eae
  SHA1: 3c755be913b11f6730b0a26a8011d75946a495c7
  SHA256: 25563966bef6dd5fb677668f724b900199f9eaead98a32ee81175319a13887b5
  SHA512: 5314bc317e01f6702eef2647e37fe64d1cb648de61d7595770d1a408ef3e19aefa0f80a3e622102372e1bc1ccf44125c51f6d3de42bec4e2b5de03cbf814f76b

- Filesize: 8KB
  MD5: 19e2ffe3d3e35a370fe278b35f6caadb
  SHA1: ed2a687261b1603d9e251c7e0469b33063ca199d
  SHA256: 735ecf0874cc5ef7df6cf4d834e10c00199de15eb82d25c3e4390e5908b6f0fe
  SHA512: 5a4e1a8b1e750f6006a1d25a2832b61e14866526e6e51ba6af0fe1a138d9867a5ad8b747d3057656cf1d3da08bdf35aa8b847fc1b51d67d86572e3a15de5c479

- Filesize: 8KB
  MD5: 948c76a135ebe7bc0f7193c104501c81
  SHA1: 3838895bb9dbf8e30f1e39e710ffe941e069efca
  SHA256: b1025d5529ddfd9aa28e8241649883fce1280d07167e580fe225c6cef797fc85
  SHA512: f37bd5b21078ea6b9ea09fea04b06aa5e4197d6f19f080c699896b035b40de95d8ced6b86da839da0142e4978d427980188cff6577e33971df58c440e786f7d4

- Filesize: 7KB
  MD5: b7af64ea3df8364e2188129ae86f68cf
  SHA1: 7321af88dc5f3fb0c01ed41ed84588fdd54ae785
  SHA256: 4b21ec7b7a6ffdc6caf8211b267a5725bac70ba7e2760e5b70b575e06f93c904
  SHA512: 0840f8e5b8e799653cf05d34ec779dcae1fe30f4b2eb584d799a3e75dc582a52ee98a159d96856b20f5a4883bb734f7f44de7f68c06a5edf6710830f62306761

- Filesize: 8KB
  MD5: 8f55ef6b8395c8b14568c4805eeae2cd
  SHA1: 0880833d626aa8b55c955bb7901674bb3f2266ea
  SHA256: f092d8fdde4d6e39180f4d3937978ccc187efd507420ad1fca9c4000ad23634e
  SHA512: 763b92774d61fb3e7e350b5153c8ee2d208a47f99945d1c05597af0dd30a0cc23da6cdff38d3ec5c3a963032a61d4b88aad04dd17ef4f463c8944cc90c278ad5

- Filesize: 9.1MB
  MD5: 64261d5f3b07671f15b7f10f2f78da3f
  SHA1: d4f978177394024bb4d0e5b6b972a5f72f830181
  SHA256: 87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad
  SHA512: 3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

- Filesize: 56KB
  MD5: b635f6f767e485c7e17833411d567712
  SHA1: 5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8
  SHA256: 6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e
  SHA512: 551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

- Filesize: 1KB
  MD5: 1e6c4b32205b72a32786ffcf143ffaed
  SHA1: 7a99df34d2d7d17e2e01272cd084fdae505bc8b0
  SHA256: 84a41ba1d0f60c4097dd6921ea73781140c40c14a1872d4aa1872046203e6872
  SHA512: 49ad851721e811be4b360819eaf55b5a1f572c536fcd86692c05533fa62e91efcf218ad60fa54ce5fc5bc476b04dae78c8ce59c22c7c1448980d430e288ab7f7

- Filesize: 7KB
  MD5: 733889df6f781ffeac8ab55243d3bbe9
  SHA1: afd2c63abd2d531d41f48d63df6c3e981caf7be5
  SHA256: 3c0769191067237a7b0e445e0734c80ed52e9cbeaa0ea42caef99510a552eabe
  SHA512: 392ff8f70ef991363540a084b465f62c31b53bf72832b1d88b7160bd5b3395287e3c26fb912bcb4819024ad07b594fd3b634be6a0b57a90b303dfceebc37880c

- Filesize: 768KB
  MD5: b8b889ef3eb86299648c764b1d53edbf
  SHA1: 9c3f7acf43a5a9d2ed6da27e1d25f9d111232b50
  SHA256: 26cc4247944029e440074caa4c1aa7951359b4262fbabd2e4f612edc6de43d3b
  SHA512: ec1d5a6b130c6dba20405a719b61686035f15ae9a9f0e12a4f8d94357c11792a5774b8c9dea47b25302bf84ede7f1f8d24086ed1a9918728db2d4853c1660923

- Filesize: 1024KB
  MD5: 3bad1e9348b8dbd6f23e8f044d46f393
  SHA1: 5379950c591fd20dcdfa4e457a57568376eb5703
  SHA256: 88bfa5a1c50277d841a943ea6d9c83ffe6035dcf8f5b7a2933eca2a773f86b63
  SHA512: 564a3f2466c2a717f62b6aee65ce0322fcf325881ae0bc214d9f49689234c358f38f55d246ef39d5eea1de8933879e9b76ad78e889856f6803a8c6d10a6fd171

- Filesize: 9KB
  MD5: 7050d5ae8acfbe560fa11073fef8185d
  SHA1: 5bc38e77ff06785fe0aec5a345c4ccd15752560e
  SHA256: cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
  SHA512: a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\elm0v52z.default-release\activity-stream.contile.json
  Filesize: 4KB
  MD5: b71adc26a75e3eed85e3c5f2a6a92f32
  SHA1: b26e35878ab5cc2c8c8356febc18bf17ce39c908
  SHA256: ecc77abef22e602002c4efe80633dac6bd5acfd561a5cdb43e69ebd3bdb698c6
  SHA512: b9ca7d978a45f8ddb6b9aa32e435f97333fe4a2b5f5b19305d9f9083f4bb4250491882428ae3a8a4f8467df0a41b25cb577a467e53b96d27408c4f964110aea5

- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\elm0v52z.default-release\cache2\entries\1A2157BA1599155920C15A095C65B1B75A85E913
  Filesize: 48KB
  MD5: dec997a656de115663a9f160195c761a
  SHA1: 9f0f613a0df8db774663f427852326aba8cc53e5
  SHA256: a874939f8ad7169d5d69ebfa84cbe6d2aae0f06854940d791ceef4c322210d6b
  SHA512: 9289deb96cc2d6cc07b659f05591d51e617a6d678147e11e74d3f021f13453544729603f03370c0bcd80c80b216e8cd5e9931b298a33096357c108cd22c6da29

- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\elm0v52z.default-release\cache2\entries\553BE600135F84B60BFB5F983ECDBB2F558EBEBD
  Filesize: 32KB
  MD5: 467a97b8c66fdde2b6493498f4bfb851
  SHA1: fac77a4ff1463a4efeae59cc62c66f8556f99fd0
  SHA256: 30a2ac1b3982a0b1f3e6efa53525c81e40314ac41860d87cd7d5385180e1c3de
  SHA512: 4588e5c60fa2961b831f812ed0d2d8a33dfd501f23fc99afa6d66b25b53b04d29c7abf6529f93913fac0afce5e695cca6477f9c0e2916594bffc302a2eed8abf

- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\elm0v52z.default-release\cache2\entries\BE955B72491F2A2CD832A3B6A41DF01F42E011C4
  Filesize: 12KB
  MD5: 19198223456d714200208815f1634578
  SHA1: 38e34bcfd3f7550c7e11ee9aa748f7f8f2311da1
  SHA256: c08bf2360413e78e72f77fb0cc91fb8f188e60ebda1ae6281766740fe676a21c
  SHA512: e8ef6fd8a07a592281f4839f4c54dda6fcbf1e8cbd23c9103c0dd981aa8a04790f084ec4b5fed41bc5fadde09e873c11c4b3628710ab441cad4063cc848db356

- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\elm0v52z.default-release\cache2\entries\E19316B1CDA62317F9DA2551F9B56E711FCC77AD
  Filesize: 13KB
  MD5: d34bc4c17574ece17da79011c49f69c1
  SHA1: 6e9e499793a0e8c76fdea19a447581dc0aee8117
  SHA256: f9293887d42582d6906dcafa5cf148068dc8dce3f68893c73ebac8b101540610
  SHA512: 77a5a8e25e09852a6f55dc6b03da82fcb855e97587acc852b5a73eab7cafea79da35524036b3ea5fa2a3992154f3c3079d36f2b983cb85fd88ab53c23ee506b0

- C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\d91dac51-dbbb-423d-bf24-cfcad7a34261.down_data
  Filesize: 555KB
  MD5: 5683c0028832cae4ef93ca39c8ac5029
  SHA1: 248755e4e1db552e0b6f8651b04ca6d1b31a86fb
  SHA256: 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
  SHA512: aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
- Filesize: 3.6MB
  MD5: 0c2056e942d8aa56e7114a5e23c093cd
  SHA1: a66baa86567ea453085e35bcde945937fafcdbd6
  SHA256: 196d16674153ec9d78d103e120266e2ea2bd83c0769411e2bc5143eea8e62184
  SHA512: 5ea2ca961e2f9e21ed93b36f8656497c044c94d95db6edb71aacde7a6d867271c27a932374b55e2cf754856455a0b3d8ec4c5e459bf853a3bef295ea76b09987

- Filesize: 349B
  MD5: a983e17fe05ca4e0cb4b37cd05d31792
  SHA1: cc91ff79215a350a6a1f2bb4f039d894198e8421
  SHA256: 76bd2ec98b0d41223725675ce1c055c6f926198151d1fdbe94198ceac68f3eef
  SHA512: 37400beb6ea1f6c93b7e74124db9a26c6f8ee21d60e4830100aeeba40c7f983d16031ef0e0001935ff3cf0f3392abcf2b88da8476a3ee1c73671abfd3df79ab2

- Filesize: 205B
  MD5: 4ca441b1ed15b25c6f7339b6d43d9535
  SHA1: 5bf95bf4ef56d4ebe00f087091954705fb408838
  SHA256: 0bed190ef1764cc57ec28dd898b6963166e2f261d14595dd33db5dcdccb3b5e4
  SHA512: 4eb255ff808bbbaf8aa0a7e91ddfc11751e1d31dc182263972b7e89ded81f02187fb062be7f1204a6cef5de60abdf3edd4af5b99fb956100aafc5a3314512379

- Filesize: 2KB
  MD5: 987df8d26653ddb1f6d3c358deebd3b7
  SHA1: 0ca5d99a1c7f958336958af0bc8f045e060cbd66
  SHA256: 67ad53d48135351ea992124e0d963fc9839c9cd166b92733be17e452ec59ba3e
  SHA512: 9baa145c7f8561897b3482b82e6bc24af53dbf4dd6df5008fdce48155a990c79bb78cc44f4e55c1765079e8690b54f782b2059cb220f7a297a5c7af9a68680c5

- Filesize: 2KB
  MD5: 4546cf8efd6d0e8b28cf98614c1cd32c
  SHA1: ae58cbb977374acd8c776d64674dca833d7003c3
  SHA256: 12b2577aa01390243a66c371ad7ee51fd3bb92cd20f74d7992cf041db498489c
  SHA512: 8dafe95462c8c124b86c73599358b3169f6cedae85202b9eb9221a5d21a06eaaf07e9cfa8876a9a84bbcdcb4882399a81f13b08a546492ea95e32119cb0d9e20

- Filesize: 2KB
  MD5: 9454e932a125132567f14da23d0c106c
  SHA1: 352ddc3af488fab7f54463e86c176d8718e2075f
  SHA256: 3780218fbbd05c96e7805090e6db9995918adc9fc7166266b030927460bf5b0d
  SHA512: 0bc19e9991baaa7e2672e5258bc9507191900a0afe51c619eea919c3519d9f2281a79d15620e8781ae152340fce7134e7e09e45849f97a4a034e645e6679be84

- Filesize: 2KB
  MD5: 4a6e57f13a3c58593d1ece6c296320e5
  SHA1: 7cb996b990723c52e8d4e4d994def9b25b039dd8
  SHA256: 4a12cb642890fb79d1d03900bd50adb962f7ca824a4937cb76f1d4cde070deed
  SHA512: 299efaad8236cc4474991a9ce8fb3ee4d39e693a7f193c20b911920a8f6a2cad595516dcd49de03f9cbb0521fce7d21f14c1dbf96b886c19825903a4bf108717

- Filesize: 2KB
  MD5: ce2bf4a3c5a6c7baca8810c2f6444d1e
  SHA1: 11b4e82f58af3a331565c3fc72ecc9ec7e363cfd
  SHA256: 3329cdd9d9252b91bf2a28b1059e5148484cdf5a82c9a7faa2b0fc5fad044932
  SHA512: 56338b4163d80beb0a084a09b6b3d050b4a7470cadcf0f94039219e648424cfacdcda405dc78cf7e9423766811de1f7489928424d3dc794c2d51bfa4d76e1d03

- Filesize: 2KB
  MD5: 65ea34e4bb140973b80c449f63b97bef
  SHA1: 8007bddd43d66fdb17c17f577e0b452229c08705
  SHA256: 76ba35053bb29fac26f5b29b8693849eb149e5fdde3e5ccec2109b9603c1a693
  SHA512: b660fba783dac755cd75144816cdef5f3d049d8828ba57466586d6ee75b36289c4ea30c27c582893aed618b7d333d196f0838992de1bdc8fb46a737ba86b0404

- Filesize: 2KB
  MD5: 1dbc50fcc095bcc8dc0187f0f3fecf1a
  SHA1: 3f4916f0dd1bff7d6ee42466f595765a5ba45fca
  SHA256: 9c6eb95f7369ed00ea506f720110c59a5ab78b60338f6037e5bddb4cf17981ad
  SHA512: 2479158011ff007741e542d80f90b96ae50419aa48e1820ea7281d1da6e125ed938811674e3e79f96ecf2e2eb84709983bb5704f7f41e4d96ec470ac90a09d3e

- Filesize: 2KB
  MD5: 958bac6d1113369aeba5f9ecd3904c6b
  SHA1: 1723cb336058cfcb1b71aeceeff4848e0d7b42ab
  SHA256: 05a878f8ffa9cca81ddbdad1b104ced9bcbd1db51bc7303dddf104e7e3c930b4
  SHA512: b3e74a06b5c8c2978aa91b5949c3a84aee3b0b2dae031bb2fdb973b0cafc4c476cc8d67f6134ef000dbc80ef8a6c9febd1aa20db6e4670ca400648d8dec27b5b

- Filesize: 352B
  MD5: 1830e137566529844ec4176432dbbabd
  SHA1: 34e0949bb3b0258f4b70cf50a1d78e124e0c62d9
  SHA256: 57f9e5ea5a7f49bdabb9bc2d1b36588e6a9a004e083a3a70c753cef82d032fcf
  SHA512: 63080864b35571e333f276865b639f8af805e1d5f6077b899db55b6bcf0f8026027989350d5051523c5cb58c4358a3ce5d7c26e990b08403cca223e41ace8468

- Filesize: 208B
  MD5: 58cbb63afa8f1c9e0efc9c44a5e8f9a0
  SHA1: 973d9333ad68fe4d1c2e631d43cfd1d1f32c20da
  SHA256: 57851ae42cfd2ca63b9bcb9d15a94068b24d516811d0eef887969610bd03ccec
  SHA512: a6d4284651e9d4f17f4edeb787fb1a91eaf965ab05d55ea495d95df41c8b060c6ac5d6bb14689304aaac59e276993ab788ff1e327c65dd0e159e1f1fa8e73480

- Filesize: 342B
  MD5: b8566f5519856f80dec85a1a2729e372
  SHA1: ae442bcd0c97fed28f38b2ae224a93bfdf14dd13
  SHA256: ec9f3959285c7493041f7cd7008620ba10b6685d670b21a2c31173fe9b215cde
  SHA512: 3da5378a33b77fae8cab09d72ec4c940e20bb8d736b7a4b91ee45211270719c12afaca3bac39683919e1cd76e80c310fb179a800592807495eac5a6350777d67

- Filesize: 198B
  MD5: 552a82bb8c7d089028c2c3b301a7216c
  SHA1: 20a06f89855d245b31765f6a717bfcac327e35f6
  SHA256: a497f1fef69e5e627d6cd02d8969820750391633dde05272c757921ed9964f9c
  SHA512: 0af1ee6643d3593f59922a99d1c3508017534a879ab16a4a577126cb0ae25a74ec065a25d293053e59e23389c242cb03ee8c42416f6492bd7ac87c87889ddcc0

- Filesize: 338B
  MD5: 2de37b6c25304214817c88f9ec6e9847
  SHA1: 74f77a317b1f9822d11094eb3fe1c71797bb878a
  SHA256: a4f127dbaa96ba729d5e754624b76625e5ad68908185b2e1ffaf5c935ba7ce7a
  SHA512: a8cd8899cd8498598b992c158bb01850888d86c50fdf754f2223ee27613eda3e9a29aa7530ff60b7156da5d4ab030482aba59413cb5a842e8122c8df679bb954

- Filesize: 194B
  MD5: ccd8a28e6adec55913a7ec6837d03663
  SHA1: 9c6edeaefd7e2bd7d6741a746131383de8dd0d14
  SHA256: d93a54027d8c1939e0bd90d6641d86a122e50d2489713247f747410879bd868e
  SHA512: c731abb926b04d7b82b6e95fd48c61a916c2695298227f05ca917d9cd9d243bb67858d598cd48b63e92d790860834cdc32ea743ba0c9e4fd44ab67afa1aab614

- Filesize: 338B
  MD5: 7a354b496b9b397ebb14057eafede32f
  SHA1: 8970ca3895ca9472366e4fecc1f1d79ac1da78b8
  SHA256: c12764cfd58a8df36d22008411f5054ab82256473817260f1d55069f04a083f8
  SHA512: ccd8ebaf49e1d94610ac85571a5f3eec92eecb4e07f2138804dc4caf49137d03b30d69540c1a9ece6455539423b906a6c3c477b8496e93fbfce8c815836da5f6

- Filesize: 194B
  MD5: fe982d5d1e929cc5fb4b6d35890369dc
  SHA1: 3742ac842ed9b17ea27aa4cca83ed7074069df02
  SHA256: 470bb61f7e33acd09bae8f6372c63f8ea05332bc67a203057507e4b829dfbad8
  SHA512: 353e9d343d2028d68077f64bb4b9423638f2a7d70c840a161b7e9b9b6a6169eb8ae249a2a91d0b8ef69dcf6f822ba4db7788347265e6532fe7848d058b2594d4

- Filesize: 91B
  MD5: f169d4314eac558c126347c9c306a220
  SHA1: 03ac751a07b7347541dac5e0f254769aadbde0e4
  SHA256: ccfec9a3c2f862abed746e5c40f37985053b1ebed048ad0452eaab6143b93969
  SHA512: 2ff8ce927e41fea9de98f7fc91e2d641f6342ffe3f154258c8d9b005fa09d094cff6587def01bee1cbb43b9191db067c3174c23c5916cb422c478c9ba537fecb

- Filesize: 342B
  MD5: eb057b2b26beedef7d931bf659fb6f18
  SHA1: 3136c99b96686db9ded50aa19b55155c752551d5
  SHA256: 3066d848e6fa1f1a5041286509fe0319b7e5cf96941f2f3914af9873aaeeb414
  SHA512: 6d40f52117023ea3171c49cb544c13b703c220a49b7f251d9d4d14332ef637d14ca28e425e723d0906ef31ae77335e38a9e7ced009cde90645b31dde4cea8f32

- Filesize: 198B
  MD5: 52ece5b68cb4eb07be489a0f7462220c
  SHA1: 302bdc44d89c73a27915f317d6d552409186365d
  SHA256: d3f4d7ff47b1bef9d86ee1661cb54e0be1c29a6a887f1cf806da44067aa319e4
  SHA512: 6ac13d830a67bfd8a2b1d402059303a465b072a8b7bcedee3f3da594a662a670367d89f22e67f391a095663152b4b32fdc1ed97dd1e6745244a54049b0e40cd0

- Filesize: 403B
  MD5: 6fbd6ce25307749d6e0a66ebbc0264e7
  SHA1: faee71e2eac4c03b96aabecde91336a6510fff60
  SHA256: e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690
  SHA512: 35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

- Filesize: 348B
  MD5: 0b018b95256d4516ab1ca957c1a1710a
  SHA1: 51f98465328a99a0e19bea4fe4d379c1efeacbea
  SHA256: b687935d3a29cdcc7466dc507f8630ec0234f5ebb8bf31dbcf906f31fcbc8671
  SHA512: d7a2f499ac6c4962bb6a30ff83e7230bdf11c3dd80612b7ab949132e4d5797a0c21bb6734b5b1750def36f95e817da183706a207d63264fe4e0b5c2c85f6e362

- Filesize: 204B
  MD5: 7dc0b5fb1de6c13bf4b63f0dc0453f2e
  SHA1: 3aa730959a1a85fbec2d65dcb570f364821368f1
  SHA256: ccd09e783c0e8e93a48777523b911355dae603203ba5b39a10600db395731978
  SHA512: 0a2d12358217bd422f8d47a49ccaeea986c005d47b5e6ad961218cc319ba40657841b190454f8afc141e972efd3a3107eb3215923ed6e6a8c67de30dd249736a

- Filesize: 76KB
  MD5: 9232120b6ff11d48a90069b25aa30abc
  SHA1: 97bb45f4076083fca037eee15d001fd284e53e47
  SHA256: 70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be
  SHA512: b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

- Filesize: 350B
  MD5: fc8262c9544e892d1e9c08330412a2be
  SHA1: 5af2cb9816fa06e50a6a0705e86955ef943a8095
  SHA256: 4f4ef7658c9838625574f0538346b582e71a570d5b33ee74b3bfff0836f9d396
  SHA512: 24d6e3393ad25b00321a7a9dff4749f9067fd529ab498b5114b9b02e15b24f5cb206dede607e2324aa15620018ac3bf353f3eebdb1073dd3b29a991d3a260a8b

- Filesize: 206B
  MD5: b50429edfa3ee688fbf9855df6acd33e
  SHA1: 799177e5ef851c60756b3471af323e6ce6bba6f1
  SHA256: 65bd3cbae025aa0a78a9ff82bf29c41479138312fb1dcad057a2d22cb2f49ce2
  SHA512: b7776ef35722fc65f1e189cd3c43a4b2eeb9ac1ff29b0b665b15ad102a96003610ebaf4ae2ce1777fbfe3ef073165f5bc1109e5996eb9c9c2a8502f83ac94bd3

- Filesize: 396B
  MD5: 9037ebf0a18a1c17537832bc73739109
  SHA1: 1d951dedfa4c172a1aa1aae096cfb576c1fb1d60
  SHA256: 38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48
  SHA512: 4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

- Filesize: 479KB
  MD5: 09372174e83dbbf696ee732fd2e875bb
  SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
  SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
  SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

- Filesize: 13.8MB
  MD5: 3db950b4014a955d2142621aaeecd826
  SHA1: c2b728b05bc34b43d82379ac4ce6bdae77d27c51
  SHA256: 567f5df81ea0c9bdcfb7221f0ea091893150f8c16e3012e4f0314ba3d43f1632
  SHA512: 03105dcf804e4713b6ed7c281ad0343ac6d6eb2aed57a897c6a09515a8c7f3e06b344563e224365dc9159cfd8ed3ef665d6aec18cc07aaad66eed0dc4957dde3

- Filesize: 91B
  MD5: de97f8c7f4f066b79ad91c4883cc6716
  SHA1: 92cc8bf74888ea1151d9fd219eb8caee02978556
  SHA256: a99f5d4f9a3cff36d5fa6ce75c5aa651448860ee1b29111bd8ad96eca85b05d9
  SHA512: cfc7ab2465cce5b7bd5a8ed8ba0b632afc3f1b74f70f1d799f858d2271afbbbb3b37697e1074d6f85aabb4748745566d72ec68bfb2e90d312879875406efd0f3

- Filesize: 1KB
  MD5: a47873e1bb0e84b9841fe8e1b9e1f3ed
  SHA1: 0df553af93575f993eea932a38b116f358e8e6c5
  SHA256: d32d9bb554209e27adfed73e0f36441f0764c9e02fbadd457923ae44c5c880ac
  SHA512: 207c8739e26ac6a24dfb637ef235b12092903b223491a1e6e1157f8b38a4434c681d3477690ccb75aa23ce38469dccdd748fb92522de6d061e6c4801ac941931

- Filesize: 1KB
  MD5: 5e546d1201881afe82bfd3df17a20eff
  SHA1: 471999886af652ba8859cadf3f42c8d28129d37b
  SHA256: 6f8e8ad67781e81256ef3185f5e88822fb9c1de7f4259f18a7e29d108be934d3
  SHA512: b65a3b65e8f31bdfdeee63ac006c0645f950883c8821fb1467a67892d4d196fbbc31a3baa2babc1ce11613788aa7b9b4c632686fdc3c3d0af71f41e9d5354034

- Filesize: 1KB
  MD5: 4a2eacccdb01b01b117216dcde15c8fc
  SHA1: b72d017bfd2f6123889b336a4f8c9009efe8dd76
  SHA256: 54f012b070c3cdf483219dc21fd51fe898a47b23d1fd4a708a071f7eba3d6584
  SHA512: 520941eafb92ec62ccfb3d1b87222bbaae2b044fb6f89732b2735175f6d12ecbfad111ccf1ad9cbf639925716553129617bebce772c678d70a94dee5ef23acc9

- Filesize: 1KB
  MD5: 6afd9b01508c9c69a0de03535ad5f530
  SHA1: d727f0baf6278a5bfff339fc5b8a8ea9511f42b5
  SHA256: 6a3c72a45799088fb441484696436b87e6b923ec1a403cbbc2d6cf0273cc9c23
  SHA512: 0308b417648e44b59bbf1de84c36368d11490faa87f64557dd26189217427e4c73254f96d88ec30430112f70a8e2f3dd346ffe36fcb2d34c529e839d9264fc2c

- Filesize: 1KB
  MD5: 12056ad3066679f5dbd325572fbe2a99
  SHA1: 53cecfb6b3b612284b4d8b8a9395280d385e6f99
  SHA256: a2ceb54f07787150f648d3601443b878113c917b30de88206823c2b1ca36652b
  SHA512: f8fbf63c5646ebe7329e33138468fb2459d96cdd8415ed136870c84d6a3ac03e0f2353f359788748b6310b36d097bd4e5bdf4a0843336bce34fb3c2428cfb88a

- Filesize: 1KB
  MD5: 94452bd6f8ec255ee5d68bbdcc877e3a
  SHA1: a68eb46669df01936ec5b031c8c08f2afa86b91e
  SHA256: 011c2444d4b8696252fc3f26234ae1d3550324d1edc810f555c05b2997f37544
  SHA512: 1639308f3ccdd3f70834b451d09cc62257618ee4ae3c92ad9c992a06280880360b4b7e6ba4069e72e4847f3b6d26db97272a30236bba0be99770dadca4f8d2d8

- Filesize: 1KB
  MD5: 47ff0e089fa27d610e0b6d32697d66f7
  SHA1: aa8f8566d7180d52cabd7dc37437b9a5f093e75c
  SHA256: fc0f73bfdc1e71a2f4fba2090d060068333eb23f9fa70fa91591dc688d3b2a26
  SHA512: 74ceb9114158289ee1ad6fa31f16ebfacf24909976b5750c653446427cdf1d8cc3d88643c39b8b4082e354f86e721f6130e3d675c3cf2f69a57c5725736b22d7

- Filesize: 1KB
  MD5: 7916feed8bc0e43442862a106b433455
  SHA1: 7db8350ae1f95109c9ff8facb238fa8cb38e7401
  SHA256: e8ed1405f1038ad617655fb2b09b418fe425aa2a3592e8335afabdcad567f6ee
  SHA512: b77715558077c168c6208eb608ccaaa8755e5446e406a0032dc3ec5378fa9a067ffeaa99ab80a3d315a9699d323579b411d788044823611517db5c46f2594bb0

- Filesize: 771B
  MD5: a9401e260d9856d1134692759d636e92
  SHA1: 4141d3c60173741e14f36dfe41588bb2716d2867
  SHA256: b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7
  SHA512: 5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
  Filesize: 11KB
  MD5: fd1f61f3109c24fb8aee20ce28803d72
  SHA1: d1b130429f6cee1f88ed3009bf3d2cc0e09af5d0
  SHA256: 1bd5683558fb9accef9fad8e8293299fd6fad7dad585cb90477e965fee48cfdd
  SHA512: e36394de4e3ddb6b12a95cac985594f06f344ced1e30938f6ff332655e41374dce257335d146c43df1f0128b676f8e350b7e1dcb5edee4582bbef89a7cc848ea

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IO43JABDHS8A4MBPOL44.temp
  Filesize: 11KB
  MD5: a186783a326a96d44ac92852e4129246
  SHA1: f70269d21ae20d2572887575886c25be3617958e
  SHA256: bc77699dbbf0a1aa4492c728a0c79decfacde0a07d6b3d9dbee6b84a945f4c09
  SHA512: 1d36e955d91619e86262752a3c638ce68c1d174d06bb19b0a79f4b2ff77ac89eb9f5f102979042e0e3c732a9ad971a51cb94fb632ba8218ace78784ea8d1350a

- Filesize: 4.0MB
  MD5: 1d9045870dbd31e2e399a4e8ecd9302f
  SHA1: 7857c1ebfd1b37756d106027ed03121d8e7887cf
  SHA256: 9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885
  SHA512: 9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 5KB
  MD5: 6a9a906d357fa815baeec01343bae2bb
  SHA1: fe7c17c769a5aa8718dac5d751e6838186fbfc78
  SHA256: c39e0c249ed30e20d5da3fab37eab0ebba63dc613800725abd3362cdcd1622d1
  SHA512: 94a054dae8945e21db0f1191f316572c2923df52e0d5e695aa6789c0d5819d3bcecb2aa6615de3d1201a403245b04e1723813882dbc6b47e91cb2d2a5bfb3244

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 53KB
  MD5: c9185c513dae7afd114a09d71d04b87c
  SHA1: 947aa222b083e3d713a4940192377f7fb83f76cd
  SHA256: 9d194e4f1ffe4efda6373be5bb00257bfc1305c1dcd67e3c0d8566fa8b2fdbd7
  SHA512: 408890e9bf67e9a0fd29cdc3e17dd4ff0fc06cb1a823ec10d45c43de7b9288b57a3d7ac217a540a82767d04d2ad17ce6303faa1fc22281924e8ebea24e59a3ab

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 7KB
  MD5: 54fb79a0cc5f5db04ac7acd7e6aa3e34
  SHA1: 5f5cf7b1ed5e74333e102a3dac30dd3d2d41931e
  SHA256: a2b8b73e23ecf7e857b40979d1da3efdea949c338ebd6ae30e15ff3e71c42c63
  SHA512: c72c55321b494c62dfa9437e781c5dc57536c019eddbd321aa4e232899bfed3a0ca91cda6594b94351c272868d8483bd8e65d1f97bf6dc4a4cb44fb6db749742

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 53KB
  MD5: f1875534826190bc917a64a8511f0be4
  SHA1: cc8729f7a2db8b35d14c82f7f8d3d72e8c4ad7c6
  SHA256: 4c478b69810b4691bc57687c364e16feb08a8ab527e0488b811cd51a575acec3
  SHA512: f3b34dbb0d6a275673075767aba34e69775db6298a763b7fb2465b5cb3854bc62a47e9d0db1609547e1e44c5d86be9f51eaefa943a8ef3fe61520dd4772aa46b

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 53KB
  MD5: d08e5d740458b825a74f208b998f8b18
  SHA1: 5cb2711bc1ee65178358303b15a21b6e0ec94926
  SHA256: 1a3565486e416fa69028d25a4280d9bdf074ece8feec74d937ae29ff2909aed2
  SHA512: 4473e08937b806970888fe3b95be8fae03e6a56c2c6e222d54faa4743571457d8593722d8925c90db87e9626725c39b6c5d8f0ce665354a1f5551eb78b5e3716

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\datareporting\glean\events\events
  Filesize: 1KB
  MD5: 2d928bf925ab141d575ff87b1380ae0e
  SHA1: 691540a85984259adfcaba1b865e760b56b37c73
  SHA256: 83a120c5abddd47c5c074025c561a5e21cbacedc9d83e83b7001f5325a0a321e
  SHA512: 77de375bcce34dd3bb2f8b70b79beace2b93b2520604fdd63a21ce11ae845bf29095e2269a40f9b0d13674f761d5b196c94d28c7b7de8f62f659a81e4020877c

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\datareporting\glean\pending_pings\42be7c84-ff20-4ce2-95d6-2d75ee729580
  Filesize: 16KB
  MD5: d179d6122cb255f871f0f734fb9a1689
  SHA1: b8a46351a62d0c1b98d911dc631b68dd651d64a4
  SHA256: ab7198f5caf6eefce0eb401ef5040a3a1df0c798ac0c2dbabb73ac39e26e9f80
  SHA512: dcfaffc6d69c807e017960b6e6b45830de0a5e74e754f3f253b9d96d3bbd71370ae4068de5e244b5b55918245c770f15f4415262b33a3ecaf9b7f89d329bc19d

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\datareporting\glean\pending_pings\5e02a044-f57f-4caf-b114-54b7a4020168
  Filesize: 2KB
  MD5: 30ad8d4507f446e0774b03f1ab198c26
  SHA1: 45771c075c7cc4ffcdfce08cfe41bc28361ec0da
  SHA256: 5e4908a24b23728bca5ad57d7eb0f76fbc2abc9455a02900017645b173e9c0e9
  SHA512: 4493337ff307b24f8c181e05f32900b0020eb1ae1b67655c63214e3597f395d95b636e3fc0ccda7e22cf2f85564d904a3e8791db67220ef55c52e52b8708e231

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\datareporting\glean\pending_pings\84aa1fbb-2a03-43d2-99c1-39d7449d2902
  Filesize: 235B
  MD5: 4c7272a8fe4b5678075917cc449fe8cd
  SHA1: aaee8561f001c8514d392ff6ca610d1eb825b686
  SHA256: 431c94d8f903fb9911628ec464a4b1b5047b2dad5757be80695cf96b6daad3a5
  SHA512: 98ce2d7ce6e393595e79149b377c8274bcedba72b318a239ba6f36971948c0a7b38999a545a0ff96ec52c925c2224347e54042a9f8c232abcbd15a577a5c1dc1

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\datareporting\glean\pending_pings\96d2dcae-0b9a-49fc-9ca1-692f514dcb1f
  Filesize: 235B
  MD5: 49f367dabb7f45e42733f60175e0d5a9
  SHA1: d980efbd5003b10c79eee4d65c63ee06adb1fc75
  SHA256: d353e5916c96173c23764226322fff3564e91559bd567c27673415044ed0bc6b
  SHA512: 2d9e3a4e3e6333066df67e9c988ea903de75c85457552d9ed4dc56b1cd25629745c1ace7560ab8905446d9adecd446c909e3e8a95fee5c09852b4f1491f9a1ec

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\datareporting\glean\pending_pings\ae357df9-071b-4ae8-89d6-5dff61ea6eaf
  Filesize: 883B
  MD5: de85c96ff590ac281a7eee79c31ad998
  SHA1: c9769c6a988cf52382b86406b5f425799c43ef8a
  SHA256: 06008147c76be65fd1901a002a8ee07f85d71dd3286f680df968e195a26dc6c0
  SHA512: 36046239872346c50063788e1af33767c671e91da7d070d79effa28072d3fa11589e1c326775d7d8f9730b8a5403103861da3cd17f2b0e3e99144979c3f1204c

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\datareporting\glean\pending_pings\f0158580-e197-4979-97b1-dd58fe4f0e10
  Filesize: 886B
  MD5: a70e7c28cf0b4c85280dda87cdda9a44
  SHA1: 1e09bd3642fb6c76ea1247dd09b94d767f526f19
  SHA256: 220c2d23c03ee77bc25f104d6174bcd5f24e6f4611321d10c3242208dbb0646c
  SHA512: 5189e1fb031397a41fa633dab4fbde7a157a6cfb2276e00defa51a667a8598e45e5ad87d0ab68c87606afaa9c4c17579f00344c8340a4afe0e32af38e2ebf295

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
  Filesize: 1.1MB
  MD5: 842039753bf41fa5e11b3a1383061a87
  SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
  SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
  SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
  Filesize: 116B
  MD5: 2a461e9eb87fd1955cea740a3444ee7a
  SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
  SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
  SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\gmp-widevinecdm\4.10.2830.0\manifest.json
  Filesize: 1001B
  MD5: 2ff237adbc218a4934a8b361bcd3428e
  SHA1: efad279269d9372dcf9c65b8527792e2e9e6ca7d
  SHA256: 25a702dd5389cc7b077c6b4e06c1fad9bdea74a9c37453388986d093c277d827
  SHA512: bafd91699019ab756adf13633b825d9d9bae374ca146e8c05abc70c931d491d421268a6e6549a8d284782898bc6eb99e3017fbe3a98e09cd3dfecad19f95e542

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\gmp-widevinecdm\4.10.2830.0\widevinecdm.dll
  Filesize: 18.3MB
MD59d76604a452d6fdad3cdad64dbdd68a1
SHA1dc7e98ad3cf8d7be84f6b3074158b7196356675b
SHA256eb98fa2cfe142976b33fc3e15cf38a391f079e01cf61a82577b15107a98dea02
SHA512edd0c26c0b1323344eb89f315876e9deb460817fc7c52faedadad34732797dad0d73906f63f832e7c877a37db4b2907c071748edfad81ea4009685385e9e9137
-
Filesize: 12KB
MD5: d71099e6bdcdab38e0ad469ed518b40b
SHA1: 96520bafb33a1bf99ba98dcde738bb93616e3167
SHA256: 62681eb75ae68fdecc980577ba83ec8fef60bf172e2fdc0581974ba1cf77e4fb
SHA512: ae0111688dc10a4c5833ef13bafa9d541b4953e19b3c9a1036ccd69e069d6966ebc764859e22806adb06bfe6df3bd7d8cfb43170192ba37e0605094a1642e4cc
-
Filesize: 6KB
MD5: 986ccea083ec71ff00c3d84442483ca3
SHA1: 35e628e503efa66741e0a2a1e70aeae79b77c19d
SHA256: acb75f5e573eea05c07d4bcdea5062fec37627086270aaea89c7b92196fd6eaf
SHA512: 1cf8f2c4bb81fd299c8340fce295fce04fc347881a3944169ff786957ec0d6d53a125a144cb43d46e8245a210add6e7cfd9a53000ec166d737f0cfec31f6a138
-
Filesize: 11KB
MD5: c4cf766ddf09f66fdfcf63549499cc73
SHA1: ab9b6a8d0e63bcd001679d66cbeaf17f71858ddd
SHA256: f0da923d320920c8d74607b4c8d40c2cff5a06590ee91c6c43f048bc6735e969
SHA512: 1ec3c4d22cab7ebf60008a65a46b1318d694d34c74481eb87ec5df05a05beaa2873b3eefb674674fa7c73991316ebb7a3dcd15fd4c78d66c94d22f1c69108d58
-
Filesize: 6KB
MD5: 37d347fdc9d266cab72afaa888df0bab
SHA1: 44491a961fde4e66031b0f6f8f28527094a6b41d
SHA256: 3b84800a7ca0f55897fb083ddec89767fe84eb2fb423ebd799c4762d13c00f16
SHA512: 7158221fefdcac67ea1f68f68662ef2dbf1ba3f3dbf7fdb777fe50e8f7af72320fee45b3f6b3dd4f77c7360e00b11f6ab1eec38f782395fb23b023df1562495d
-
Filesize: 7KB
MD5: 8739d618fb3eb9d332e106245876d11f
SHA1: 4349f9e9f4f6131e233dd5bd2154e5a34ccedd0f
SHA256: d94fd945e3cb6821b248c8f338e159828c2fd7a64ee6f13f73ff391ab18b4f5a
SHA512: e73790ce0d364b7d73f59ad322a20c0c18d7eac1615dce70c3a9d294af085e8a56d48ce8e6b0ea16e9a282066613b9846df36b9f41b0084b2d7c80b95fc642e3
-
Filesize: 12KB
MD5: 20c9373c68e523b7445af40ee6468915
SHA1: e75e2597677db7441883cfbe26c9152d85cf476d
SHA256: b221cba3e1d1fbd5e21b06064a57e45167e2e94be054283ebdc45aab9e6fdc96
SHA512: 577a1ee460c22ca6153b13ee00d823aa2efe19496ea014d7c17485fc1c826d2bbd25b84b641da4f74ee1c212cb3a8683b39ed35cd82fe7e2898c4d4c83ea321c
-
Filesize: 7KB
MD5: 4a5c852c9c3bd11b1f150c2b42f99b73
SHA1: 7679cdffb77b0dbecda9454ca9d83cedfd54f2b4
SHA256: f347f753e06f1bc447e6b3d621cb9681f94ef29ff1ec906419b8dd6ba7be3f15
SHA512: fab7d2549414bb098e2668255dfd3159ff9ebc0cbe4acba1d5f80fa9b48a1d50ae0d69cf6bfa716ef5b984610c420e2012a61f7f4395ecfd18b637c1bbff03db
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\sessionstore-backups\recovery.baklz4
Filesize: 3KB
MD5: 632c61b827653fd616b8ce5292df5048
SHA1: e644317048c3c9ea5e99ad31181346fb6f8bf3bd
SHA256: 4dc759f0eb560466d76a6d89f32f102f7a4d2b73de8150cd4969095bef016daf
SHA512: a8cb0a2f0b2403c4ab60a2a57d105e4876489c3863cc87dab9e6184c2e8a494cbb4f6b2411b8750ec76174146292fd14f62413a541d2738ca449fe2d42dcf16a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 3KB
MD5: 6fa08cfa48a588aa3b2a91ecc24501fc
SHA1: 7c0d1af78ee8de0152d4050fcf7a7453805e870a
SHA256: 0bb1dff87d6a2bd4e64e5107da76c4de59fdbd13cc402f1149cb006e0934b7fe
SHA512: f1531d7da27ea7be1413aabb22e61b83631244b98846e34f0082c37b009baf545b1033fab726816a092fac897bf714cfd7247d7440e1008793d7e1ad834c967e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 3.3MB
MD5: 0c595ecb3e5c8045da09b7cd07b7120a
SHA1: a959b68d33dc11885a91d0f8b51cbc3756d3c7a1
SHA256: fbeb51fd0fe3d67225727c82fd25fc508e6f15b056f07c9bc8a157a4f3e90696
SHA512: 3fc4fa7af057a39063b989521f7d73904faaaffd196b179c12666e451a348e4f422d31b1a8fec79086d3cf497842345cbd0e0edc7914a2bb1596f711defbdb0e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 3.5MB
MD5: 9510e03e99c7ab0977e973ea8ac7081f
SHA1: 2113ab863b200fe576683e9b9b90b718a89ac865
SHA256: 6ecb9815241e08c1f88150d29f7111d31f0ad138f076959e976b0a748340c1e6
SHA512: f545e3a802100826f4fe4956b71b599b822c3ef9ae0df9e5d9ad4c3af113f0445892796b6cd8f792ca2195fb3bdd1ece0ac18aa87cdd0926fc48028aecaec1d4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\storage\permanent\indexeddb+++fx-devtools\idb\478967115deegvatroootlss--cans.sqlite
Filesize: 48KB
MD5: 32a2f09b3b1c86c0dc255a3a6c8f9e9b
SHA1: b82df608cf22642c2c8594aa674c80813534d4ec
SHA256: 140313318a44162e63056fc4b316a4be3dc4923b826ec7b794889b9bf57ff052
SHA512: 02be71def9c639b1d5936f2422ccb3221548ca4108ee6519cc209c79d6004eff71fbb1f46a1dee11a617fc8bbd18fc68fafdd544cc852a3e922f8bbf48b9783c
-
Filesize: 183KB
MD5: 3d4e3f149f3d0cdfe76bf8b235742c97
SHA1: 0e0e34b5fd8c15547ca98027e49b1dcf37146d95
SHA256: b15c7cf9097195fb5426d4028fd2f6352325400beb1e32431395393910e0b10a
SHA512: 8c9d2a506135431adcfd35446b69b20fe12f39c0694f1464c534a6bf01ebc5f815c948783508e06b14ff4cc33f44e220122bf2a42d2e97afa646b714a88addff
-
Filesize: 92B
MD5: c6c7806bab4e3c932bb5acb3280b793e
SHA1: a2a90b8008e5b27bdc53a15dc345be1d8bd5386b
SHA256: 5ba37b532dbb714d29f33e79dacb5740096fd1e89da0a07b9b8e6b803931c61a
SHA512: c648be984413fdbaeb34808c8164c48b5441a8f3f35533b189f420230e5e90605c15fde2ce0d9fe42e9755c594dd1ef32de71a24016277ad2cef2f9afcf0ad93
-
Filesize: 3.6MB
MD5: 698ddcaec1edcf1245807627884edf9c
SHA1: c7fcbeaa2aadffaf807c096c51fb14c47003ac20
SHA256: cde975f975d21edb2e5faa505205ab8a2c5a565ba1ff8585d1f0e372b2a1d78b
SHA512: a2c326f0c653edcd613a3cefc8d82006e843e69afc787c870aa1b9686a20d79e5ab4e9e60b04d1970f07d88318588c1305117810e73ac620afd1fb6511394155
-
Filesize: 7KB
MD5: 53e2d8e0b4580e41b11fe0cd015348b1
SHA1: 4692bf70f1183ef5d5a80477a4c59e4c26a7ffb0
SHA256: 93c926c4849fa0ba477b2c668378990d35c63f255f171ac52f971d6698320f27
SHA512: 04e8509569e4092e4b8d92d1c40a36f117a57e35e588387cace886b76cc35f3158b68cd220a747e0183674ecce6b3e2b6cf4b7d667e023719c6c09899f143b8e
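The dropped-file listing above is only useful to a responder once it is turned into records that can be matched against real files. The example below is added here and is not part of the sandbox report or of any tool the report names: it parses this listing format (both the fused "MD5d179..." form the page was extracted in and a "Label: value" form, including entries whose size value sits on the line after "Filesize" and entries listed without a path), validates digest lengths, and sweeps local files by digest. Matching is by digest rather than by path, because the recorded paths are sandbox-specific (user "Admin", a random Firefox profile name). Note also that the paths shown here are Firefox's own profile files (Glean telemetry pings, the OpenH264 and Widevine plugin downloads, session-store backups), which the browser writes during normal operation; their hashes record what the sandbox saw, but a file under that profile is not by itself evidence of malicious activity. The two entries in SAMPLE_LISTING are copied from the report above; the 5-byte file and its corrupted record are constructed for the demonstration.

```python
# Added example, not part of the sandbox report: parse the dropped-file listing
# into records and verify local files against it by digest.
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ALGOS = ("md5", "sha1", "sha256", "sha512")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Matches "MD5d179...", "MD5: d179..." and a bare "Filesize" label whose value
# follows on the next line. Longer labels never collide with "SHA1" because the
# fourth character differs ("SHA2", "SHA5").
_LABEL = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512):?\s*(.*)$", re.IGNORECASE)


@dataclass
class DroppedFile:
    path: Optional[str] = None   # None for entries the report lists without a path
    size: Optional[str] = None
    digests: Dict[str, str] = field(default_factory=dict)

    def is_empty(self) -> bool:
        return self.path is None and self.size is None and not self.digests


def _store(rec: DroppedFile, label: str, value: str) -> None:
    label = label.lower()
    if label == "filesize":
        rec.size = value.strip()
        return
    value = value.strip().lower()
    if not re.fullmatch(rf"[0-9a-f]{{{HEX_LEN[label]}}}", value):   # catch mis-copied hashes early
        raise ValueError(f"bad {label} digest in listing: {value!r}")
    rec.digests[label] = value


def parse_listing(text: str) -> List[DroppedFile]:
    """Split the listing on its '-' separators into DroppedFile records."""
    records: List[DroppedFile] = []
    cur, pending = DroppedFile(), None      # pending: label whose value is on the next line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            if not cur.is_empty():
                records.append(cur)
            cur, pending = DroppedFile(), None
            continue
        if pending is not None:
            _store(cur, pending, line)
            pending = None
            continue
        m = _LABEL.match(line)
        if m:
            label, value = m.group(1), m.group(2)
            if value:
                _store(cur, label, value)
            else:
                pending = label
            continue
        cur.path = line                      # any other line is the file path
    if not cur.is_empty():
        records.append(cur)
    return records


def digest_bytes(data: bytes) -> Dict[str, str]:
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def digest_file(path: str, chunk: int = 1 << 20) -> Dict[str, str]:
    hs = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def match_record(digests: Dict[str, str], rec: DroppedFile) -> Tuple[List[str], List[str]]:
    """Return (agreeing, disagreeing) algorithms. A mixed result means the listing
    was mis-copied (or a collision is being played); treat it as no match."""
    agree = [a for a in ALGOS if a in rec.digests and rec.digests[a] == digests[a]]
    disagree = [a for a in ALGOS if a in rec.digests and rec.digests[a] != digests[a]]
    return agree, disagree


def sweep(records: List[DroppedFile], paths: List[str]) -> List[Tuple[str, DroppedFile]]:
    """Hash each existing local file and report only full-agreement matches."""
    hits = []
    for p in paths:
        if not os.path.isfile(p):
            continue
        d = digest_file(p)
        for rec in records:
            agree, disagree = match_record(d, rec)
            if agree and not disagree:
                hits.append((p, rec))
    return hits


# Two entries copied from the report above: one with a path, one listed without.
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
12KB
MD5d71099e6bdcdab38e0ad469ed518b40b
SHA196520bafb33a1bf99ba98dcde738bb93616e3167
SHA25662681eb75ae68fdecc980577ba83ec8fef60bf172e2fdc0581974ba1cf77e4fb
SHA512ae0111688dc10a4c5833ef13bafa9d541b4953e19b3c9a1036ccd69e069d6966ebc764859e22806adb06bfe6df3bd7d8cfb43170192ba37e0605094a1642e4cc
-
"""


def demo() -> Tuple[List[str], List[str], List[Tuple[str, DroppedFile]]]:
    """Constructed 5-byte file; one correct record for it and one with the MD5
    corrupted. The sweep must report the correct record only."""
    records = parse_listing(SAMPLE_LISTING)
    data = b"hello"                                     # constructed sample content
    good = DroppedFile("constructed.bin", "5B", digest_bytes(data))
    tampered = DroppedFile("constructed.bin", "5B", dict(good.digests))
    tampered.digests["md5"] = "0" * 32
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "constructed.bin")
        with open(p, "wb") as f:
            f.write(data)
        agree, disagree = match_record(digest_file(p), tampered)
        hits = sweep(records + [tampered, good], [p])
    return agree, disagree, hits


if __name__ == "__main__":
    for r in parse_listing(SAMPLE_LISTING):
        print(r.path or "(no path in report)", r.size, r.digests["sha256"])
    print(demo())
```

To use it against a real listing, paste the report's dropped-file block into a file and pass `open(f).read()` to `parse_listing`, then hand `sweep` the paths you want checked (a Firefox profile directory walk, a collected triage image). A record whose digests only partly agree is worth a second look at the listing itself before it is worth a look at the host.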