gurcu | 1399d955881d9db34cbe261c117818a7933a1cc7c8cdabcff8fc22c880053801

Analysis

max time kernel
464s
max time network
463s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
17/03/2025, 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rasauq SoftWorks.exe
Size

81KB
MD5

12a225de8199d2a31f049a6f300d8cfa
SHA1

24819a452cf1db15167a52b12f258d27baacbd6e
SHA256

1399d955881d9db34cbe261c117818a7933a1cc7c8cdabcff8fc22c880053801
SHA512

3e321ac6e35b83e0645611721354a03358da7dde8bc42f761e258f87fa2ae8a33c3778aa48b10e0ead87331eded7240b7134f9c05333a823a53258f7a52cac32
SSDEEP

1536:XnWk13eNqz4VP6fwWF/38MkbzG9KfwnIO6VFdOm/AqDi8:XWk13ebiIY8MkbzYXIdOm/ni8

Score

10^/10

gurcu xworm execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

looking-brings.gl.at.ply.gg:65381

Attributes

Install_directory
%LocalAppData%
install_file
USB.exe
telegram
https://api.telegram.org/bot8074871433:AAGd-vCZQOlCC_n2SUFT-qQ6fFThcBVDd1Y

Extracted

Family

gurcu

https://api.telegram.org/bot8074871433:AAGd-vCZQOlCC_n2SUFT-qQ6fFThcBVDd1Y/sendMessage?chat_id=1002422094535

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/2612-1-0x0000000000A60000-0x0000000000A7A000-memory.dmp	family_xworm
behavioral1/files/0x000600000001e760-59.dat	family_xworm

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3980	powershell.exe
4776	powershell.exe
1112	powershell.exe
5008	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	Rasauq SoftWorks.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Service.lnk	Rasauq SoftWorks.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Service.lnk	Rasauq SoftWorks.exe

Executes dropped EXE 7 IoCs

pid	Process
868	Windows Host Service.scr
864	Windows Host Service.scr
1596	Windows Host Service.scr
3972	Windows Host Service.scr
2460	Windows Host Service.scr
5856	Windows Host Service.scr
5860	Windows Host Service.scr

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Host Service = "C:\\Users\\Admin\\AppData\\Local\\Windows Host Service.scr"	Rasauq SoftWorks.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Documents\desktop.ini	firefox.exe
File opened for modification	C:\Users\Public\desktop.ini	firefox.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 26 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1860	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3040	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3980	powershell.exe
3980	powershell.exe
4776	powershell.exe
4776	powershell.exe
1112	powershell.exe
1112	powershell.exe
5008	powershell.exe
5008	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2612	Rasauq SoftWorks.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	2612	Rasauq SoftWorks.exe
Token: SeDebugPrivilege	868	Windows Host Service.scr
Token: SeDebugPrivilege	864	Windows Host Service.scr
Token: SeDebugPrivilege	1596	Windows Host Service.scr
Token: SeDebugPrivilege	3972	Windows Host Service.scr
Token: SeDebugPrivilege	2440	firefox.exe
Token: SeDebugPrivilege	2440	firefox.exe
Token: SeDebugPrivilege	2460	Windows Host Service.scr
Token: SeDebugPrivilege	5856	Windows Host Service.scr
Token: SeDebugPrivilege	5860	Windows Host Service.scr

Suspicious use of FindShellTrayWindow 19 IoCs

pid	Process
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 3980	2612	Rasauq SoftWorks.exe	88
PID 2612 wrote to memory of 3980	2612	Rasauq SoftWorks.exe	88
PID 2612 wrote to memory of 4776	2612	Rasauq SoftWorks.exe	90
PID 2612 wrote to memory of 4776	2612	Rasauq SoftWorks.exe	90
PID 2612 wrote to memory of 1112	2612	Rasauq SoftWorks.exe	92
PID 2612 wrote to memory of 1112	2612	Rasauq SoftWorks.exe	92
PID 2612 wrote to memory of 5008	2612	Rasauq SoftWorks.exe	94
PID 2612 wrote to memory of 5008	2612	Rasauq SoftWorks.exe	94
PID 2612 wrote to memory of 3040	2612	Rasauq SoftWorks.exe	96
PID 2612 wrote to memory of 3040	2612	Rasauq SoftWorks.exe	96
PID 5864 wrote to memory of 2440	5864	firefox.exe	113
PID 5864 wrote to memory of 2440	5864	firefox.exe	113
PID 5864 wrote to memory of 2440	5864	firefox.exe	113
PID 5864 wrote to memory of 2440	5864	firefox.exe	113
PID 5864 wrote to memory of 2440	5864	firefox.exe	113
PID 5864 wrote to memory of 2440	5864	firefox.exe	113
PID 5864 wrote to memory of 2440	5864	firefox.exe	113
PID 5864 wrote to memory of 2440	5864	firefox.exe	113
PID 5864 wrote to memory of 2440	5864	firefox.exe	113
PID 5864 wrote to memory of 2440	5864	firefox.exe	113
PID 5864 wrote to memory of 2440	5864	firefox.exe	113
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114
PID 2440 wrote to memory of 5548	2440	firefox.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe
"C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Rasauq SoftWorks.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Windows Host Service.scr'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Host Service.scr'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Host Service" /tr "C:\Users\Admin\AppData\Local\Windows Host Service.scr"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3040
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /f /tn "Windows Host Service"
  2⤵
  PID:5768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp76B4.tmp.bat""
  2⤵
  PID:3836
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1860

C:\Users\Admin\AppData\Local\Windows Host Service.scr
"C:\Users\Admin\AppData\Local\Windows Host Service.scr"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Users\Admin\AppData\Local\Windows Host Service.scr
"C:\Users\Admin\AppData\Local\Windows Host Service.scr"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Users\Admin\AppData\Local\Windows Host Service.scr
"C:\Users\Admin\AppData\Local\Windows Host Service.scr"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Users\Admin\AppData\Local\Windows Host Service.scr
"C:\Users\Admin\AppData\Local\Windows Host Service.scr"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5864
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2008 -prefsLen 27099 -prefMapHandle 2012 -prefMapSize 270279 -ipcHandle 2084 -initialChannelId {2f7f3844-168d-4319-bcc1-631438f11f7c} -parentPid 2440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2440" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:5548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2448 -prefsLen 27135 -prefMapHandle 2452 -prefMapSize 270279 -ipcHandle 2460 -initialChannelId {f2406f5b-6d9d-463e-a5f2-f6201e66e04f} -parentPid 2440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    - Checks processor information in registry
    PID:5680
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3792 -prefsLen 27276 -prefMapHandle 3796 -prefMapSize 270279 -jsInitHandle 3800 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3808 -initialChannelId {f622c954-1ab7-4039-ad65-b357aa89d449} -parentPid 2440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    - Checks processor information in registry
    PID:5684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3960 -prefsLen 27276 -prefMapHandle 3964 -prefMapSize 270279 -ipcHandle 4064 -initialChannelId {32f040d9-2415-41f7-9012-bd14c91bb39e} -parentPid 2440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2440" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:5076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4432 -prefsLen 34775 -prefMapHandle 4428 -prefMapSize 270279 -jsInitHandle 4436 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3764 -initialChannelId {25bd582d-9eca-4b7e-b6a3-bb6e7bb23292} -parentPid 2440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    - Checks processor information in registry
    PID:4300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5176 -prefsLen 35012 -prefMapHandle 5180 -prefMapSize 270279 -ipcHandle 5184 -initialChannelId {a5839aa4-8dfd-4e1c-b0b4-eb76c78eee47} -parentPid 2440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
    3⤵
    - Checks processor information in registry
    PID:3228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5392 -prefsLen 32900 -prefMapHandle 5396 -prefMapSize 270279 -jsInitHandle 5400 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5408 -initialChannelId {0d5eb94a-4868-4ee4-8378-ce30db367b8f} -parentPid 2440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
    3⤵
    - Checks processor information in registry
    PID:3064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5576 -prefsLen 32900 -prefMapHandle 5580 -prefMapSize 270279 -jsInitHandle 5584 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5592 -initialChannelId {f2cd687b-a170-42d2-9322-a710382410e0} -parentPid 2440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
    3⤵
    - Checks processor information in registry
    PID:4528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5796 -prefsLen 32952 -prefMapHandle 5800 -prefMapSize 270279 -jsInitHandle 5804 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5620 -initialChannelId {2644c4a4-d776-4dcf-b6c9-75313d120692} -parentPid 2440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
    3⤵
    - Checks processor information in registry
    PID:4832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 1 -prefsHandle 6544 -prefsLen 35143 -prefMapHandle 6548 -prefMapSize 270279 -ipcHandle 6408 -initialChannelId {0f3c6bef-f097-456b-8457-67cb22400ca2} -parentPid 2440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 utility
    3⤵
    - Checks processor information in registry
    PID:5624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6480 -prefsLen 33031 -prefMapHandle 6484 -prefMapSize 270279 -jsInitHandle 6488 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2748 -initialChannelId {1bd26968-211f-467a-9213-547d3a394a7d} -parentPid 2440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 11 tab
    3⤵
    - Checks processor information in registry
    PID:2932

C:\Users\Admin\AppData\Local\Windows Host Service.scr
"C:\Users\Admin\AppData\Local\Windows Host Service.scr"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Users\Admin\AppData\Local\Windows Host Service.scr
"C:\Users\Admin\AppData\Local\Windows Host Service.scr"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5856

C:\Users\Admin\AppData\Local\Windows Host Service.scr
"C:\Users\Admin\AppData\Local\Windows Host Service.scr"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Windows Host Service.scr.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3332c2f747b79a54dc9f4867423e31c3

SHA1
de8440945ab0c382b6657dd2e6f50bbc2a4b73bd

SHA256
f8ddc8eddb53247304e5463829cbf8d1a420a77781237820efa0c94ab18612cd

SHA512
96fcc7c39335ce60da1f8db2ff9b62324d60080fb1a5a81262a26c311b78117bf85b481113800f88ac6a37b7ba26a7be510f3c098b26828c751974339a1e8835

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c28937317ffaecb0023533dc0069808d

SHA1
9f5175aeaf73db5ab967b57bd896a982a9c6e906

SHA256
f6cb138382b9333938304b47ca2fcab5d9fa5c3fa63665020872c49a5d7bd7a9

SHA512
2de2e86570c35021f4fecd1e9fec285d410d8e36fce3ef4d782ff8c7d43242f10de123dac7e1c0609c27f33e6b88c46d83bc47948ca0b0329ca0ba70a5105ce4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e70d51b7df8fa37bc73c0e70b4e82d34

SHA1
b342ac333afab91ec92ce0ab690f17e43d87d661

SHA256
1bd613817d479000e6e248c022b3521a8d64484b0e755ded0a2d043c32945730

SHA512
6cd05079ba29b479347cac367987c12e97cdb78f547ac3f95f5e84575e7df2bbe4f721fa3c9cda48fb7194f7f765cdbd3898b4c3b9fe646d90549ec726f1cff8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hvtnam9x.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
a2f0b17a2e69456465cace5ff07e90c1

SHA1
302fd03f9f964e37b925b512d13d38243e4eeb46

SHA256
35e67d420a3a3004fb29907830a08fe8ab77404c5532ad35a4399ffebf53ecdd

SHA512
82271b4e453b890576757043cc2201bef845ebed6932433747f65a1835b50108a63902704c259efd6a0fb3751415179276e2215613fa689aed59c9cabbe92fb1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hvtnam9x.default-release\cache2\entries\E19316B1CDA62317F9DA2551F9B56E711FCC77AD

Filesize
13KB

MD5
861feec03d102e44e668f81900faaf50

SHA1
ed5b0c0c607c49b5a7af578e79851c7b92b750de

SHA256
d7a071b073aff4fa8c3712c472c9bd44312d82fbf0e04ce5a5d74e2e855ae3dc

SHA512
2860213d7262425d4f30f10f0319eb5c9acb665218146cc47efd92370b758b52da08a5e23b438c992f75e60c2667a23d03db31f56f865d0fb8c9cff155e7aa41

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ee393d5-8197-4960-94ca-0112c9d2aef2.zip

Filesize
3.6MB

MD5
8f0ac7253f77aa16992f71633fd14a81

SHA1
1d52e3fbcdeb0f224cf2d3f0713803dc31486ee2

SHA256
fe3b34e1b42d481a880f114fc6abdb6bf7bf19020f3d41bf1125ae6deb69bcf6

SHA512
426a1c0c4e4a8f4c4040af099563c369230a25325383c2a62bbe5b8598e580d05d71b29684ffce954d17c93049226ac64f077b349e12372b1815ecef1bbd3bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xrbxkyfy.caq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp76B4.tmp.bat

Filesize
168B

MD5
5442b89f5a1343a7dd559750fc3d904d

SHA1
d33de14f4ef4df840f0c93c01b972ab62aec5b77

SHA256
304becedba40d3cf44a1cd2c9a6973870bcdf7f3a46aaa8a5d3119496906a802

SHA512
b552b7bb1573f8a6363f2481e501faeb36afdaedb21aafe1b211ce565a07a0a9c496cbdc7eba51dcc4bdf8b678f447255006133a0456f3106bb87638570249b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
13.8MB

MD5
3db950b4014a955d2142621aaeecd826

SHA1
c2b728b05bc34b43d82379ac4ce6bdae77d27c51

SHA256
567f5df81ea0c9bdcfb7221f0ea091893150f8c16e3012e4f0314ba3d43f1632

SHA512
03105dcf804e4713b6ed7c281ad0343ac6d6eb2aed57a897c6a09515a8c7f3e06b344563e224365dc9159cfd8ed3ef665d6aec18cc07aaad66eed0dc4957dde3

Download Submit
C:\Users\Admin\AppData\Local\Windows Host Service.scr

Filesize
81KB

MD5
12a225de8199d2a31f049a6f300d8cfa

SHA1
24819a452cf1db15167a52b12f258d27baacbd6e

SHA256
1399d955881d9db34cbe261c117818a7933a1cc7c8cdabcff8fc22c880053801

SHA512
3e321ac6e35b83e0645611721354a03358da7dde8bc42f761e258f87fa2ae8a33c3778aa48b10e0ead87331eded7240b7134f9c05333a823a53258f7a52cac32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Service.lnk

Filesize
1KB

MD5
fb040f21142a7c82413d940d9e9d4327

SHA1
ef96f42edbbcef96c1ddd9d27aeb2f6f2131fd2b

SHA256
d38c47b4c8bca65399e2d612069eb66b400ea48d2a56c5d04608ffbb0a922658

SHA512
8bfdf89295a8f4a9a9bb935beedaff9cd3b090e04319e9da91cd084ea9e8e9b664fd11a2e081457dd8a2d3291d842ceda7fc106464e42a6d2bb531c745450554

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\AlternateServices.bin

Filesize
7KB

MD5
7752d7c67ddc08371263d1154359beac

SHA1
6cf5e26b257080262d65ef0842f6f11948895ffb

SHA256
fd82008595bbc4623608b0919d4723384a1ec66bdf7e1329c2b242b630fad80b

SHA512
43b26fd26004c3799dceec907f1d69d7eeef5336d976071b8d60778cbddb35be4761f9c571d9414e64d017aa15871e844f8c04498a6430e52bbd249f8ae72bb2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\db\data.safe.tmp

Filesize
38KB

MD5
fed168c6641e01190cd7addc160b5a10

SHA1
2c1c25ee98f0338c2605d03fe83d61e8436d66a4

SHA256
52389d5a0c6a4f4d72bff0f0b0723e7fb49e3ef5b87fcd124527ee34dc7e61d8

SHA512
d5fd5169f9661a3531e97ed54ae95f10cbaa2c14d19f457b0add1ded01f3f3ce57630bc72ad691636086d94acb69f626ecf117c9b4414dae0e2f0354310797c4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\db\data.safe.tmp

Filesize
39KB

MD5
e849d75390e6e05acd3fd299efaef00c

SHA1
d647a68cf96b012746f118645e8f1ce140c6c778

SHA256
b80e54b9732cebe986960772932360f57e7d1a64bda976ba654b01d86e551f40

SHA512
1a29ff222af06d8fd0d17d659611e23d884a72a8f67bf7d3f66f524ff1a7884b123039c6068dc142889b51f8c7c1119dfbb391c421506a7fdc8b22d54be1d15e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
64fb7ee953842e6f78c1a838ffb9d99b

SHA1
af496e2f38e2ef9782df420ade4ed4373be5ef57

SHA256
72eba69ae45bb11a82874b78886bf95b26c54cf42e4a51167c361b36be314485

SHA512
4ca3c66bda99ae0bd5d27e1611bff40d9da738521d0fd8815153afa9338de74d00f738d0d1417a6922940392d88569d95bb43f5396e35c79dc244d525e51fbec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\db\data.safe.tmp

Filesize
3KB

MD5
b8ea7f2af3a203a497adf94059dd603b

SHA1
b05593da9f52d8f16634c0591ecbfa2de8cd4180

SHA256
b6097638e0033a6674c1eb0e2fe4db922530f4a3ca6c192d355691120d6e8841

SHA512
5e256761a8eb2230b313d0b7461577d5a7f5dae2c32e8cc9ecffae87136fc4bbe3f84bb1714fdc5035881ad9b0f8b4561c97aedb33eec51f97a4af8c79cab6d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
7daeb268cb4e7950183bd1d17f81f831

SHA1
b27723459c39afa21506cb09115d773db3769fd2

SHA256
ca746a0257ffa771ba061e329f9b04c6454bc306b75cf71fded3b7851b8823b0

SHA512
9913e3ad839db2207e9c54630c7f0c46e8d6474c9dbd2af47724bab0b25b9e0f240bc61358efcf3b1e49277401e5c8a75dfd5f312105a21389bcb2cce543237d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
154eb9a00cda15e616d9669e50fab8a2

SHA1
7a1777cb77ec2bf1ca8e9eaf297afc64cda94808

SHA256
c949a6653a39933522d2336613a40624a5b4b841a9ac83cad3da02cf2d0051fe

SHA512
c472918542e2f4904464c13e8a2d05c5157c9529e1fde51de4cc9c69564cb04612cd089503659d0cf312eff798b4e9d297010e33aa5f116c31bc5856bf25c3b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\pending_pings\0b0cb65e-377a-48a8-84bc-59f2c6c716c3

Filesize
235B

MD5
b72eebada2b4191435e237585a9373ec

SHA1
65ea5816f5d5d05c477c9a447e7b3a5cabb61550

SHA256
8a12686cd0d0a1e8896aa9ed615e07691ebd15c6fd87cc8cb661677109bcd866

SHA512
aa979c446fa094600f8af5db89bbd8295b96cc5dd5d241e1ced99969585eace19d524daebf448f94092c6873dd972051df48fac012bb09a39eb6f290201694c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\pending_pings\14f2900a-63b5-4df7-8626-b759c317ff81

Filesize
883B

MD5
6cb8e8f9b7d02cc5b27a6fdb30dcfad7

SHA1
990671eccd860f3164cb021914af786904e3d87c

SHA256
119b585bf58c279cf732701b5521064b4fa9f895b966ab74ded8dba9ec6ce0d8

SHA512
66241f0d9d58a0f89d41ef422762b2b05d4f9d7a183e2882d85d11868ae4a8cd9f90afbd15a310cc8fef1646f12f515ab5323091bed830986cfcb2bb43cffca8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\pending_pings\1ae30d66-a3f8-4123-b087-59016fbffe5e

Filesize
16KB

MD5
504fce01335dd74f38e814927b185a39

SHA1
fe19f7038a130e9c700ec1c759146a18816885a3

SHA256
1113e283d360e82b2197ed343d559b89e291c58fc2e9880ae5ebdebb162e8960

SHA512
654f6cc052db3eccbfd7f99424643636e4f82f491195cdef3256179596ad18ae983fe5b04039ec8d6831ace5f36a53027907058aed9eeecfb3ff885104fb0e68

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\pending_pings\8a524c3b-aea8-457d-96a5-8b27ffb48029

Filesize
886B

MD5
27697ec022e4c8b110044b084dfbbbfe

SHA1
620a145a1815fc17cacda40b8a612bef818d6093

SHA256
8d9a4fd37fd6da54412fef76ed21d44ef24adf9859f485e13789ea3d56d12aaf

SHA512
a72d7d5d62b915fde1169684ef043d7c5995157baa5b52940fb8d7e88c4d72c3d11e680cad62c7106e12cb29bba952f680a086a2b3e07ca3b1c1646f0a9d792f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\pending_pings\916729f4-4f8d-4126-886f-02de60e45cb0

Filesize
2KB

MD5
08f12754359e30654417d8bc473c8d62

SHA1
e2aa2502b903890f5fec4332b6ea92cfbae6b397

SHA256
10687ccda61bd622d96efc2c8993edf468533bbc6c3c6f308f96475ce0c70d69

SHA512
9e1c72a83c4a5a0135032457ea8a8bc628f542f1c0a721f2d45756243e0e0d0629602e4ec0e7471b761f12d638f13f11e5e1013cf01fc287e1415eddcc5bae45

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\pending_pings\a76ed572-f955-4fe3-86d4-dbfbb42ae027

Filesize
235B

MD5
7980d6f9b82c4907a8582d421a43020c

SHA1
030eb725a5d7328d1ec0b9a8c061d9c2d894622c

SHA256
28ed3e404b77be6291ece99ff960bbc67fa5737a328b0e8b276f3f8d19246767

SHA512
2d59960910609628a9f2b0e3ba9144d0fccf7f151fa094e0df06aba4e73bfa67745d8b89cb26ae1fc0d945c94768ce91abc64591d91a08e0c36477ea2cadc9e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\pending_pings\fb08cd80-7817-463b-bac1-42a19eda2f50

Filesize
1KB

MD5
71092d18f0c5743e2eb6e8ec40ac3529

SHA1
7b9c41ed9b76db803e4459fad498b330907c21f9

SHA256
c677025c7179bcf5dc9e3741e04b2277f9bf13b85982f72f7752e26f99980ae7

SHA512
3c6933255aa32b9a31e93e1cb5a8c5d997aea98577b6d7257e4ffcf9c4fee45e0d6234aa04e0ed1c35ce1de1ccf9e6bbc7d5929b6d6e6ffaafc8b692283dcbd4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\gmp-widevinecdm\4.10.2830.0\manifest.json

Filesize
1001B

MD5
2ff237adbc218a4934a8b361bcd3428e

SHA1
efad279269d9372dcf9c65b8527792e2e9e6ca7d

SHA256
25a702dd5389cc7b077c6b4e06c1fad9bdea74a9c37453388986d093c277d827

SHA512
bafd91699019ab756adf13633b825d9d9bae374ca146e8c05abc70c931d491d421268a6e6549a8d284782898bc6eb99e3017fbe3a98e09cd3dfecad19f95e542

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\gmp-widevinecdm\4.10.2830.0\widevinecdm.dll

Filesize
18.3MB

MD5
9d76604a452d6fdad3cdad64dbdd68a1

SHA1
dc7e98ad3cf8d7be84f6b3074158b7196356675b

SHA256
eb98fa2cfe142976b33fc3e15cf38a391f079e01cf61a82577b15107a98dea02

SHA512
edd0c26c0b1323344eb89f315876e9deb460817fc7c52faedadad34732797dad0d73906f63f832e7c877a37db4b2907c071748edfad81ea4009685385e9e9137

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\prefs-1.js

Filesize
8KB

MD5
ce4968035024c6d57f808c405ab5ecbb

SHA1
156e0ba6acc65eef7c39d70a23d7e262a6467c5e

SHA256
a45a0a0f1b0c17f9e8762dd97868b89aaf7f58930e3c39b49d8917b89f811c24

SHA512
5c1d6c4159e74454a69bce367fb16db54f558f6fce2b2d94d298ea62a9ec3afd221a54eec6044912833e0ce16a6d3ad6ec3fbd82bed7a02e6a786aef1f9cf5cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\prefs-1.js

Filesize
6KB

MD5
913bcc7a6637104cb4ae9941b448e305

SHA1
8968149f64af9a68005f1f48ec455cd71a33f2e0

SHA256
89d1e3de70762700136ef3a22a0f81903b9e624812e021e02cf12ba513155d69

SHA512
17a1768acb038748b4bb93220b9241526509d163a7f8847ebe0fbdc2cbfc24f4f68cdc3242f90cea77d8742e121b80d68fda082a52af7a71592b60eccf80be08

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\prefs.js

Filesize
6KB

MD5
1b378b2fe1149ea7534406f47f0b78a4

SHA1
67a59bb744c093c0d530301d30dff65333f459a0

SHA256
67684f969a3e84d12ba791f4f95dec11fca12b04285672b4a74228633a1fd4bc

SHA512
ff3538f17b65375199343d1008f8441150802c3e6fa5b4baab3ca75ca0a3adfd6f672251fe01d964145d012979be95828875ec2e84a5b94aa7bd9d48131073ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\prefs.js

Filesize
7KB

MD5
b29fe3125f33e75f55a638946ef713fc

SHA1
2643fcc39ef2bed2f423fe84d6f8f33706e89926

SHA256
713509c52b504de574e03ef8fb4151ccac97619b9d7284b64f0f8520a153984f

SHA512
c789dd955be93a0581309be2df07a32a411eff8c1652ec0d318448a53df6011ad84d2f8778c687305840f427269cf326fa1e1690bc3846a51abddfd0745fb709

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\prefs.js

Filesize
11KB

MD5
ed4ed0516a20bbfdf58ac3ad13c2a337

SHA1
ecac767d92a8399ae5263f36b3cd2f2b169ef677

SHA256
cebfbd3bf0004ba4b998e1caa89c34df8347eac890df4d3be4864207ab036879

SHA512
b5482a229dd3befeec5585c94afb9b464a2adbc5086f73cb11a8e8e406ae39263b42cba0380736fcdebd3d43f932e31bc606e14d04f362983d3147e07aea5f9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
3362610a51dae95bbc1be1d9021a13a9

SHA1
5dac843150185072a77e2111545eee5eb52ff842

SHA256
45f269897bbc90db08fff4b1e95dec2aef1216729c01de4e44f7fa1abd20284b

SHA512
ccf6a165f6170f994b525fddfecde0a346fb2280543b1b282ffae0597e1d3ca56c772650b309b3142f631806adaaf469486efb00a02c77cd0f40c66b46ffd12c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
3ff11a200c53b638d4150472b84ff90d

SHA1
a68365e22f9c25045967640415796cc3ce05b1ef

SHA256
bd425d4257d457a26a5cf38a8ff490e6f3ecf0cfc268bfcdc50c765f3e8f1668

SHA512
45e44f5c4c3aad8414a472d81b1e6176890295c7d970a6534cdcbc0dc60a8814879f07a7ea2d2c6c0b0b550f7419d4149a6f81719a21ed8a0265b55e257e955b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
3.5MB

MD5
5903307d5aa28195518b4e77b60746ac

SHA1
754108217711b4bde17d3b508a04dc49c8caa7fa

SHA256
8248973622a251309452b803cc60b2c284db3b80b87ce1f81bf5774f35bc628e

SHA512
4893f4e847f3fc33d130d7a24bfec9cc0d8508f7839c7231268c8ef3b8bac55820a7d627addc1c4d1f77382d11c01d3a3e5d654d5f07cb04b444f81772c5e4ba

Download Submit
memory/2612-58-0x00007FFE58D80000-0x00007FFE59841000-memory.dmp

Filesize
10.8MB

Download
memory/2612-68-0x0000000001420000-0x000000000142C000-memory.dmp

Filesize
48KB

Download
memory/2612-1-0x0000000000A60000-0x0000000000A7A000-memory.dmp

Filesize
104KB

Download
memory/2612-4412-0x00007FFE58D80000-0x00007FFE59841000-memory.dmp

Filesize
10.8MB

Download
memory/2612-57-0x00007FFE58D83000-0x00007FFE58D85000-memory.dmp

Filesize
8KB

Download
memory/2612-56-0x00007FFE58D80000-0x00007FFE59841000-memory.dmp

Filesize
10.8MB

Download
memory/2612-67-0x000000001E330000-0x000000001E680000-memory.dmp

Filesize
3.3MB

Download
memory/2612-0-0x00007FFE58D83000-0x00007FFE58D85000-memory.dmp

Filesize
8KB

Download
memory/3980-18-0x00007FFE58D80000-0x00007FFE59841000-memory.dmp

Filesize
10.8MB

Download
memory/3980-12-0x00007FFE58D80000-0x00007FFE59841000-memory.dmp

Filesize
10.8MB

Download
memory/3980-2-0x00000196EC560000-0x00000196EC582000-memory.dmp

Filesize
136KB

Download
memory/3980-17-0x00007FFE58D80000-0x00007FFE59841000-memory.dmp

Filesize
10.8MB

Download
memory/3980-13-0x00007FFE58D80000-0x00007FFE59841000-memory.dmp

Filesize
10.8MB

Download
memory/3980-14-0x00007FFE58D80000-0x00007FFE59841000-memory.dmp

Filesize
10.8MB

Download