Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

0x00250000...88.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    1586s
  • max time network
    1539s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    09/01/2025, 14:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0x0025000000046617-2188.exe

  • Size

    915.2MB

  • MD5

    a084c1b14eefc00c8adf95faba838f71

  • SHA1

    2cc59b80e92d1e5facebbd3646b0ec2972e994d0

  • SHA256

    b0154e35bd08a554b64f0ec61cb1c2fe766c96f2ad56124851fbb46a7a4d67bf

  • SHA512

    68e4c0d09fa1fb18c6726cc1f51e37584a746543bb3498fbd6775a7e3505a6a36986c7ccfe212d40cce10588ddf76e5b707181ce545dc5e17fc37728041e395c

  • SSDEEP

    24576:2UX4dOOOjXBaykZ+1X80ikrNL2dOOONUu8T2GhOOPiE3OAHwnBqk38wAyBnaAqmX:vIdKRDXlrNadfTXPR31QnBz38wAkaAk

Score
10/10
remcosgozodiscoverypersistencerat

Malware Config

Extracted

Family

remcos

Botnet

gozo

C2

newstaticfreepoint24.ddns-ip.net:30201

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    registros.dat

  • keylog_flag

    false

  • keylog_folder

    data

  • mouse_option

    false

  • mutex

    lmajjdnchhdybagtqbsjsjdjjskshs-PPNSD0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Capturas de pantalla

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Downloads MZ/PE file
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\0x0025000000046617-2188.exe
    "C:\Users\Admin\AppData\Local\Temp\0x0025000000046617-2188.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3444
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1536
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        3⤵
          PID:1944
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          3⤵
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4032
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rgyjfefxqatva.vbs"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1368
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout 3 && taskkill /F /PID 1536 && timeout 3 && del /a /q /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5260
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3
            4⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:1084
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /PID 1536
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1968
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3
            4⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:7016
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4628
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SDRSVC
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1544
      • C:\Users\Admin\AppData\Local\Temp\0x0025000000046617-2188.exe
        "C:\Users\Admin\AppData\Local\Temp\0x0025000000046617-2188.exe"
        1⤵
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1460
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:712
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:3956
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          2⤵
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4816
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {38411126-2a2c-40f8-8661-1b0519e5f01c} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" gpu
            3⤵
              PID:3340
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86aee3c4-acca-41dd-9379-a8189f6a3a05} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" socket
              3⤵
                PID:4436
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1456 -childID 1 -isForBrowser -prefsHandle 1624 -prefMapHandle 2612 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {92bf333e-eaba-4376-ad59-bba16317950d} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" tab
                3⤵
                  PID:5220
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3912 -childID 2 -isForBrowser -prefsHandle 3904 -prefMapHandle 3900 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3741d828-9fc4-42d6-91aa-5855650d399f} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" tab
                  3⤵
                    PID:5492
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4796 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4792 -prefMapHandle 4788 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5765a8e1-8726-4c2e-adf7-d422e226df8c} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" utility
                    3⤵
                    • Checks processor information in registry
                    PID:6908
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5280 -childID 3 -isForBrowser -prefsHandle 5228 -prefMapHandle 5232 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9d8d46c-1465-4f52-9881-a001d8a6e362} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" tab
                    3⤵
                      PID:1008
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5308 -childID 4 -isForBrowser -prefsHandle 5452 -prefMapHandle 5460 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20f54241-f209-4bc5-b3fa-b154233904c4} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" tab
                      3⤵
                        PID:4316
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5624 -childID 5 -isForBrowser -prefsHandle 5632 -prefMapHandle 5636 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {923ae167-5188-4af1-bf25-1c39ab72eb54} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" tab
                        3⤵
                          PID:2692
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5976 -childID 6 -isForBrowser -prefsHandle 5952 -prefMapHandle 5956 -prefsLen 33374 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfc4926a-4cb1-4852-986a-47fdbe2a1a36} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" tab
                          3⤵
                            PID:1080
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3800 -childID 7 -isForBrowser -prefsHandle 6344 -prefMapHandle 6316 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cde0ea4f-1b6e-42ae-81fa-3c976787fd3b} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" tab
                            3⤵
                              PID:5096
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6468 -childID 8 -isForBrowser -prefsHandle 6528 -prefMapHandle 6524 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdc78815-00a8-440f-9905-80b36086acef} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" tab
                              3⤵
                                PID:6980
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6660 -childID 9 -isForBrowser -prefsHandle 6668 -prefMapHandle 6672 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ead2da4-9837-4338-8304-ea2bd6b15f0b} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" tab
                                3⤵
                                  PID:6428

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\ProgramData\data\registros.dat
                              Filesize

                              160B

                              MD5

                              2c09c25065fecbfcfa272dc142659c1d

                              SHA1

                              0e6d92e2d63ce6bfeb070aec18d8ad4dbcd367ed

                              SHA256

                              18a187b32e495335fafc91c7fa08f86a5c424dec388fd175b0d014aec2e932ab

                              SHA512

                              6d645fe2e40610ac227416d7d2c8ba13f4d0bb895c396e803b4809b1faaeb7854037e94a5fc834ab4c7bf10b77f47d6dedd3614d8fdce2cc816fed355b5872df

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xne5uxr5.default-release\activity-stream.discovery_stream.json.tmp
                              Filesize

                              21KB

                              MD5

                              1f1287124d38a3ecb3b0571de4370ce8

                              SHA1

                              8641a14f89c908fb56c8196ff6eb5c66f5355405

                              SHA256

                              9416159b4d57796c1771a814d9ed9e55989a8f88771406749cde39013aa77ee0

                              SHA512

                              d9fbdb91341a7cf97e73b3314ad126d4a561e023a9daa4929082d99f8a378884f7579723895019c6d31a79e6b5f992c53c68419aa23e48cb3c9d04af00601027

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xne5uxr5.default-release\cache2\entries\DBAA386F82CE562854C5581F7379CD2DA283AD50
                              Filesize

                              224KB

                              MD5

                              d1de735ea4059b3ec9a4d13ac18044a9

                              SHA1

                              cb83704ea04769f8048fc5ede1b3bb24f4419331

                              SHA256

                              9ecdf4c562c04f6fce42a90304a2cc2b0d5385d907922c7e5098cd1b1d5f05ce

                              SHA512

                              d3ee06944169bf32cac1b3e49c1087b5748cc0d75ece112b9c73196279118eec555593c4be5795fcf2ad00f26910c64f0e3d88e526c4ed600782a0722709f48b

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\rgyjfefxqatva.vbs
                              Filesize

                              374B

                              MD5

                              92323d5eafdd057f2602a2a0b5f5230e

                              SHA1

                              9498775850b22af3303ce67d042c7cf3925b396b

                              SHA256

                              52512978ad3bd19b5bbc6a332b2cc7635947c9f29979f746f406161ffb3ac34a

                              SHA512

                              268d4fe79242535278a9ca3396d1e39f9be88285a4ea01304bd39415728e07e5d9b8392a778732ab3b65ab050aa6aa6aadf6f4d1443b39605763fc380637bb5c

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                              Filesize

                              479KB

                              MD5

                              09372174e83dbbf696ee732fd2e875bb

                              SHA1

                              ba360186ba650a769f9303f48b7200fb5eaccee1

                              SHA256

                              c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                              SHA512

                              b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                              Filesize

                              13.8MB

                              MD5

                              0a8747a2ac9ac08ae9508f36c6d75692

                              SHA1

                              b287a96fd6cc12433adb42193dfe06111c38eaf0

                              SHA256

                              32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                              SHA512

                              59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\816WMSISLS6R3SRG4BU9.temp
                              Filesize

                              11KB

                              MD5

                              485ae76818b90787d018a1e986af106b

                              SHA1

                              66e6f36555e2c0e60bb5be2e5128565be2f7afeb

                              SHA256

                              cf44f0c92ae2f0f44e75c2bd677c0ff19f7870093f44e25f38aa8289a53b302a

                              SHA512

                              a77f22ec986c3c7becbd8ae80e7618efa88b115bcf78d746e815a77fb2b424bd6df94f8799658954c65cdba6cbd813f63cfefa0341cc8631fd2a8a302c333dd9

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\AlternateServices.bin
                              Filesize

                              7KB

                              MD5

                              230c6d80a07b69f310f554cae08a5479

                              SHA1

                              4d35384f8e68d0f0c7eba08ead1405b2a4530961

                              SHA256

                              e3c5b1a190008dce715ce83fbdbb687bd7552683b880127c189b38ae83d7feb6

                              SHA512

                              731a9a0d4c6ed6e04f6799bc97f8e77813b02229c19615275685e8775659796f4537ee6293bc9d65cab511c71a77da18d012291e89b250e202aa903ebaad1682

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\AlternateServices.bin
                              Filesize

                              21KB

                              MD5

                              812292d15f3a77e1618fd219ae727035

                              SHA1

                              8ced969b9a76b389a4b06e4d5d43ed4a4e7ca2fc

                              SHA256

                              b062c158f28a82cc8c3fc1a85e89bf829983faa1f84ad8b01054fd36b074d83d

                              SHA512

                              c53d4dbc4b647ce2611b8212134263489a9bde8e4d86ab67e0698115f3555def337c4f5bd92da2b933663edefc4e63001f369af30bbfd004ad3539f92ec9ae10

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\bookmarkbackups\bookmarks-2025-01-09_11_bRvn+NVqCdIyNFj-V9yiHw==.jsonlz4
                              Filesize

                              996B

                              MD5

                              8b762e67dff5d78fb44f15fa5caa41e6

                              SHA1

                              0280b9be8ae7975b653ce03f6a9baac9df71d902

                              SHA256

                              6ffcf25035b82698601bf80ebca33cce19689cd102167d2f4280ba5d06990de2

                              SHA512

                              22d8ba3e8051e2a112e9b0759b915ce6942ca07f6bb51fe5e5019a5772e90d1d1243bb180c48ea87ccbf14ec125824f79be4c18abd297470e71f5b2e74365461

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\datareporting\glean\db\data.safe.tmp
                              Filesize

                              5KB

                              MD5

                              02248fe9e4b17ce5cc2e62af3e9a6cb2

                              SHA1

                              222cdd9a1b30060e97ce90d5e7c88bec04063583

                              SHA256

                              2b056a0225f54cd86db18c434e75014d370f1434ebf0c3867b2a0c6bd497084e

                              SHA512

                              b7549ffff6aa6d2438aebb1e1e9a9d00bf1fba54c32d658f83191926eb6e739c8d904ba257b8a61bf039077c0941decc8d379115d07f40e0a4a8a5748d68b019

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\datareporting\glean\db\data.safe.tmp
                              Filesize

                              6KB

                              MD5

                              1648e22878c23543fb19e3d299863597

                              SHA1

                              1ea60b1ab6ea32159780832f36b7570b6f5c7e9e

                              SHA256

                              d1b0fea3cf24f44bd5ab44d5a86fbd7c3d44db4ccc7a3878bfadddb748db681e

                              SHA512

                              be71f6a68fe144e7c42d2746f1b06fd6173e7b4566716d962f9c64bee5d6b162b25a87b15f9b8afd5579beec3674a53e47047e2410bb1968a3e3d31be61228e2

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\datareporting\glean\db\data.safe.tmp
                              Filesize

                              6KB

                              MD5

                              43449f5fcec8d9309b94e1b8678cda5a

                              SHA1

                              c6bf1b361b172fdf458b358fe7a0cba677a3520c

                              SHA256

                              d960d48af128f54b7efa4e326c6ad1d24c6ff430f00d41dbd24a835ea54dddcc

                              SHA512

                              df0aeeb18ae4dc565b22ad28a17fc4714c5016dd98d3b45cdb5219c9aa45e58d0f0dd2e672b6dd7b30ce27415fb26190c272e30a56371a6da49ad06a678f55f6

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\datareporting\glean\pending_pings\8227783f-8ab0-4869-bf55-41abfe29af6e
                              Filesize

                              27KB

                              MD5

                              de9c22782d27f59c2883b9807d525001

                              SHA1

                              9df9eb729d093bd622314068f7b4b1885ed1323b

                              SHA256

                              fb503aee5c5284735e2f969fea15ec428b4666df82408e53f59bbd3cc6ef5f45

                              SHA512

                              5e5936f4c280df9eedebc2aad990e88e46ad184acbdedd3512af0369f8e9ca0b13ce7109522d54072abfc2fac82b388a36f69acb7f1f0824dee6bb0535d2a772

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\datareporting\glean\pending_pings\a8b7069e-2d4b-487d-af2a-64e83bc4a60e
                              Filesize

                              982B

                              MD5

                              13fe81b3f2fa78ebfa6e29d223a4c3c4

                              SHA1

                              c2916c97b294ad4f0c06d8bf5ad0e2318c3936da

                              SHA256

                              be96067e0df7552624422cadbd18a25493f8f8eb7362a730004599168f20187d

                              SHA512

                              4d7a9cd0d7976709526a9cff897342e3482d591521ffcff562bb2bc96ad9e062fdd85577b091d3d6fe98ccaa0e71b8390cadeb29647670d633a6313b17176611

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\datareporting\glean\pending_pings\d5b0e801-db4a-4ecb-b968-4bb54624cf21
                              Filesize

                              671B

                              MD5

                              10f57ad4099d27b09a216c6785a7d9e6

                              SHA1

                              1be5f9e2bff2528ce2d1f6e38463af1a5fb790e4

                              SHA256

                              b865fb284689b15a6095648a4937583c14a4a4c44f196457a9bc026e01720f0a

                              SHA512

                              3fb84a24523b45dadefc77601af5c9066eac41f671da2ff14914e6ceaa2852f419f850b625ffda30682ca5bb91785c8ea81f73fa1ddc99e471ba14226fc7a82b

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                              Filesize

                              1.1MB

                              MD5

                              842039753bf41fa5e11b3a1383061a87

                              SHA1

                              3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                              SHA256

                              d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                              SHA512

                              d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                              Filesize

                              116B

                              MD5

                              2a461e9eb87fd1955cea740a3444ee7a

                              SHA1

                              b10755914c713f5a4677494dbe8a686ed458c3c5

                              SHA256

                              4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                              SHA512

                              34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                              Filesize

                              372B

                              MD5

                              bf957ad58b55f64219ab3f793e374316

                              SHA1

                              a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                              SHA256

                              bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                              SHA512

                              79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                              Filesize

                              17.8MB

                              MD5

                              daf7ef3acccab478aaa7d6dc1c60f865

                              SHA1

                              f8246162b97ce4a945feced27b6ea114366ff2ad

                              SHA256

                              bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                              SHA512

                              5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\prefs-1.js
                              Filesize

                              12KB

                              MD5

                              e2a6ad9a4bd8b44b44d6f24b39da7193

                              SHA1

                              427b6b17062923ca06793862d52afeb32f750329

                              SHA256

                              02178ef8288c44aa64d2110c24c2d7f7c9250506da0da1bf8ae9045f8f5f4452

                              SHA512

                              a0f4c33f0be77ef7bca5d47be0bad9361507009ea3860c9e7d7a3715dae6381dae4c623bb249b4488921880437e54c9366e958ef9af6e482c7a63d97faa5c5b6

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\prefs-1.js
                              Filesize

                              11KB

                              MD5

                              090af1b15f1a08c084858949b01a53c3

                              SHA1

                              aa80ece456e02353a8488b6e44749cbfa5cf8d7f

                              SHA256

                              7094d5d7ecff1fd876d29c894b6a9b7c9af76f4ca4d52e38a768765eaaefbbb0

                              SHA512

                              99eb7a8590e9902c2bf1f3f11f2b236dc4796b65937f50de8f04551a47ed519ebe653eb650063cf6c41c1bfa01109ddbdd00ec6e7218d07b207f17b43add249c

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\prefs-1.js
                              Filesize

                              10KB

                              MD5

                              59e402dfc576042d242c8b94b87ff7a1

                              SHA1

                              e66e8421eca5047cb52ab20166956be6d163683e

                              SHA256

                              afde163c036c62ae67d3a691487e1446fd2a9223544ff34eee5421fa5ff5cdd7

                              SHA512

                              d0107d7bd6e91cbd608220b7e58966661c9346a2ebeed33b907b8afb10076b6e744fac941c6fa21a2ba7a71d3ea9c87388a55a39c9d8ec43c27e9d5b5d91b691

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\prefs.js
                              Filesize

                              10KB

                              MD5

                              0e81e03595961b0296c550f41b7ef4dc

                              SHA1

                              127acc21f66455b8e623ec049e0eb7094a5c458f

                              SHA256

                              8085589164741a4b191452dff8d6105a113ba578e5c378e21ca8bc5e39ecba66

                              SHA512

                              44459a8685b2aac01ec309e26e8e81b330c27ad4bf1739bbab10d609f8266da8afd9b02b0e20f5c1574b8aa7ebb03e66ca20d2ee65df4b7e7a5b29e6d8fbc34e

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\sessionstore-backups\recovery.baklz4
                              Filesize

                              15KB

                              MD5

                              b71ee9791d91d249e5f8ae2d71221aea

                              SHA1

                              e856e9ae3e8524d149f68bb9296a2d75219a48c2

                              SHA256

                              4dd9cecf28be3a2bbb748024216734a0910d429968d5e1f72cbda168ff156111

                              SHA512

                              711f8b382d7418af35b7071ca9ae5c81d5e61e3e68c9103d0045c3b75ef4a9b5f30b9517627dfca17e0c6838a61ae2a2ba1f7d3310ebaad8bcc6680a64b732d6

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\sessionstore-backups\recovery.baklz4
                              Filesize

                              1KB

                              MD5

                              9f059904a732d42b657dded6cfd06625

                              SHA1

                              3571e23538738653cecbdeea32b7e62d178d2ba3

                              SHA256

                              726215936f5cb711ecd5d6f36af5a6d17fbee84ec1e364f8b480c357559cd0a1

                              SHA512

                              20d2eebaaf2fb0db3b67989608d72aa11f88a387ea7e15778a25bb65351406862db5b435a767daf8be4ff5df3749f5bf6b22bff687d89446f82e06481743efd7

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\sessionstore-backups\recovery.baklz4
                              Filesize

                              15KB

                              MD5

                              e424193fff7eaf39dcdf782f62873cfc

                              SHA1

                              b11fd5729241f1393d9c2b39d0faf4e8528ae9ef

                              SHA256

                              3a56869f2cde7f33ba38507ea22ef73a804f9d848f0245799da8c4e07be34168

                              SHA512

                              2be60c143fe7727f7f880a0a11ce2f110aa9fd96d0de19f4385aa8c82a1478436dcbf76e3e5d7599e1a4b3493c0e6f9e55072bcedcc979409795010c51898a34

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\sessionstore-backups\recovery.baklz4
                              Filesize

                              15KB

                              MD5

                              46553e84a8c99b176a872909355377f7

                              SHA1

                              da70b54bed9d7646dd3257c2097b24d5ecddddc8

                              SHA256

                              8d2cecb619a81679f903964ed26c87edbfa5e6ef6d6bc4b0b934b19ff6deb1f8

                              SHA512

                              35f19dc0ce02ba94468180048c44db2409cafb74314b9664652bd65a0503e18cb8bd4c0e605841f28f2840f0801e9876ed8318c36e9f6bba8d511afeb23df1de

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\sessionstore-backups\recovery.baklz4
                              Filesize

                              15KB

                              MD5

                              856c1f5c27cf1a6b832e250a622b0652

                              SHA1

                              9778e587111b2dd5fe99168130b7803ddd8a24b8

                              SHA256

                              2929313abefec6992329f95500de2a613de4b95326e389869a77b64ecacfc644

                              SHA512

                              19bbd17d04706b48eb7fcc6ccc914c6e7f9070a0f644107fcadc32bea9be7ad5c2cd6a6628fbfa3c8c6c9c03f2f1bda0ef22109a342387f4997d56556733f844

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\sessionstore-backups\recovery.baklz4
                              Filesize

                              15KB

                              MD5

                              d6115cac8f671c3173af7d492f1edd68

                              SHA1

                              b1f9c18b78b3956b33536fe4465e27af075d9f66

                              SHA256

                              ca604ae7abe0695fb4622faa9cb7ec3b44dcde567eca533ee81de1d9fc6c6294

                              SHA512

                              f970c8ecdc956a0eef673c09ea302dee254c5845a9f2f69cc4efda63abd725299cbe38f5b0e30bd33365583808e481e7169a2ad04346d995256c8ff113aa94ad

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\sessionstore-backups\recovery.baklz4
                              Filesize

                              15KB

                              MD5

                              b4ac98a06495f105f32ecbe4f9ceaddf

                              SHA1

                              ec95df376e4e48e23acb6fb11a57e35b6a0246ed

                              SHA256

                              a3704aa63a2b3e78113117fc5e856874846560094ec77b72dae1358e0b26b6c7

                              SHA512

                              ada92ab719dac9a87d9964db6ee36af1ceb9b1f2a63267b528f33daaca1496abc2b8c337c9d695cfea3e1ae84a66f373a733e9cd0447a63dadaafc9fa9c0864d

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\sessionstore-backups\recovery.baklz4
                              Filesize

                              15KB

                              MD5

                              66cf2781fe8e956e4a6a0d6a3c4c25a2

                              SHA1

                              7a470bb7f6fec4d2c1318cc694c6469ff1c1c8d9

                              SHA256

                              d54fb46d0e1775782fa0a3d033089b2b780775b7683a42b3dafa9ccede9ba809

                              SHA512

                              edbef539088044e968e82e74b3bfa33628e49e67431b76caef4e421980762504a4b92617e503795ccec9774224095e55478f6f60e95cf5218a7717450bed3113

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\sessionstore-backups\recovery.baklz4
                              Filesize

                              15KB

                              MD5

                              c04d8cd5d7a1532fc233b3919f5ea94c

                              SHA1

                              72379bb28894d7ec87f3fb71becfe51c8b108235

                              SHA256

                              617648052575a392ffeb0b3a33c24b0d80093812797606b2c7b84020aa269c1e

                              SHA512

                              7ebd6f9740e8cb0120a66f54487e258c2318d684369e99840641f7c75e9b4d09546309403f53d658e9db490914bd6cdeeb32d16591d0217036228cb920703f0e

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\sessionstore-backups\recovery.baklz4
                              Filesize

                              15KB

                              MD5

                              793bf78573adb15c06b457dec2446193

                              SHA1

                              40aacd4a833429d81409f0f6d8971d118a974c63

                              SHA256

                              6fb40540dbaf6143420a3780ec8ea23fffee1bcc24c09049148cf0e25605cb58

                              SHA512

                              c71449bf44478f92ec12d043a655c02d35bc5f832ea7ce4c289c7ec3e7535af38b2d2ff2dff99ef1b52e8ff24e4be77d723551793ab41b02b9016d5a4597e0bc

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\storage\default\https+++www.virustotal.com\cache\morgue\67\{07968269-a816-48c5-a6b0-ffe84cf0f643}.final
                              Filesize

                              50KB

                              MD5

                              3d9810708b3fcf94fbbb6596bcb715ca

                              SHA1

                              4ee140b7743bbd3647eb465fa7a0dc1c4bc5a7a6

                              SHA256

                              4cea4a312009e813fce48af9f87d0863245c929ce316eae0ea6251d61eaba5e3

                              SHA512

                              d635bd3dc9a7256ee475ca954a06251550cbd1c29f74f67be3c2d12d9a04e3215bc68f77a7c3c40d52fbf51e8cee04f3728ab1227939518986fe1da13c839060

                              Download Submit

                            • C:\Users\Admin\Documents\NordVPNnetworkTAP\Lang\RemotePCPrinter.exe
                              Filesize

                              915.2MB

                              MD5

                              a084c1b14eefc00c8adf95faba838f71

                              SHA1

                              2cc59b80e92d1e5facebbd3646b0ec2972e994d0

                              SHA256

                              b0154e35bd08a554b64f0ec61cb1c2fe766c96f2ad56124851fbb46a7a4d67bf

                              SHA512

                              68e4c0d09fa1fb18c6726cc1f51e37584a746543bb3498fbd6775a7e3505a6a36986c7ccfe212d40cce10588ddf76e5b707181ce545dc5e17fc37728041e395c

                              Download Submit

                            • memory/712-1946-0x0000000001110000-0x000000000119E000-memory.dmp

                              Filesize

                              568KB

                              Download

                            • memory/1536-46-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-40-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-1888-0x00000000060F0000-0x000000000613C000-memory.dmp

                              Filesize

                              304KB

                              Download

                            • memory/1536-1889-0x00000000061C0000-0x0000000006226000-memory.dmp

                              Filesize

                              408KB

                              Download

                            • memory/1536-1890-0x0000000006880000-0x00000000068D4000-memory.dmp

                              Filesize

                              336KB

                              Download

                            • memory/1536-1891-0x000000007491E000-0x000000007491F000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1536-2-0x000000007491E000-0x000000007491F000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1536-3-0x0000000001600000-0x000000000168E000-memory.dmp

                              Filesize

                              568KB

                              Download

                            • memory/1536-7-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-8-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-5-0x0000000005EB0000-0x0000000005EC0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/1536-10-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-13-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-14-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-20-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-22-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-24-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-26-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-28-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-30-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-34-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-36-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-38-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-1887-0x0000000006090000-0x00000000060E6000-memory.dmp

                              Filesize

                              344KB

                              Download

                            • memory/1536-42-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-44-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-6-0x0000000005FC0000-0x0000000006088000-memory.dmp

                              Filesize

                              800KB

                              Download

                            • memory/1536-48-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-50-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-56-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-58-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-60-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-62-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-64-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-66-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-68-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-52-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-54-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-32-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-18-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/1536-16-0x0000000005FC0000-0x0000000006082000-memory.dmp

                              Filesize

                              776KB

                              Download

                            • memory/3444-1-0x0000000000750000-0x0000000000779000-memory.dmp

                              Filesize

                              164KB

                              Download

                            • memory/3444-4-0x0000000002680000-0x00000000026D8000-memory.dmp

                              Filesize

                              352KB

                              Download

                            • memory/4032-1943-0x0000000000400000-0x000000000047F000-memory.dmp

                              Filesize

                              508KB

                              Download

                            • memory/4032-1910-0x0000000000400000-0x000000000047F000-memory.dmp

                              Filesize

                              508KB

                              Download

                            • memory/4032-1898-0x0000000000400000-0x000000000047F000-memory.dmp

                              Filesize

                              508KB

                              Download