vanillarat | 3ba0993bd95aa81f72ad13fa9cfb2304f715bebe4a486b688d6b1252e8f67d44

Analysis

max time kernel
83s
max time network
88s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
17-07-2023 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TeamViewer_Setup.exe
Size

167KB
MD5

e9b22671e6d12b6e916ba894ac226db6
SHA1

81b6798f8f3168d65a114906dc0613bbedb0a51f
SHA256

3ba0993bd95aa81f72ad13fa9cfb2304f715bebe4a486b688d6b1252e8f67d44
SHA512

7d29251d77cbe813d0d414377e8d09438e3d457b12ed9d03898f7fa5c1a3538ff4407bb962ff033a665244b182c828126c62f5f1917155ce81001f9835208b42
SSDEEP

3072:vJZKnPE2YyJzELtyTFyYeY8lNgoiJ+sX8HFvytbCNIR6kqOJTMMz+:vJZKBI0FyYeY4eoiJ+sCFvRSHbz+

Score

10^/10

vanillarat persistence rat

Malware Config

Signatures

VanillaRat
VanillaRat is an advanced remote administration tool coded in C#.
rat vanillarat

Vanilla Rat payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/4676-120-0x0000000000190000-0x00000000001C2000-memory.dmp	vanillarat
C:\Windows\SysWOW64\dllhоst.exe	vanillarat
C:\Windows\SysWOW64\dllhоst.exe	vanillarat
behavioral1/memory/1536-128-0x0000000000740000-0x0000000000768000-memory.dmp	vanillarat
C:\Windows\SysWOW64\сsrss.exe	vanillarat
C:\Windows\SysWOW64\сsrss.exe	vanillarat
behavioral1/memory/4832-142-0x0000000000D60000-0x0000000000D82000-memory.dmp	vanillarat

Executes dropped EXE 2 IoCs

Processes:

dllhоst.exeсsrss.exe

pid process

1536 dllhоst.exe
4832 сsrss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Windows\\SysWOW64\\dllhоst.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Drops file in System32 directory 2 IoCs

Processes:

TeamViewer_Setup.exedllhоst.exe

description ioc process

File created C:\Windows\SysWOW64\dllhоst.exe TeamViewer_Setup.exe
File created C:\Windows\SysWOW64\сsrss.exe dllhоst.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\dllhоst.exe	TeamViewer_Setup.exe
File created	C:\Windows\SysWOW64\сsrss.exe	dllhоst.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings firefox.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4460 reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings	firefox.exe

pid	process
4460	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dllhоst.exe

pid	process
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe
1536	dllhоst.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

TeamViewer_Setup.exedllhоst.exefirefox.exe

description	pid	process
Token: SeDebugPrivilege	4676	TeamViewer_Setup.exe
Token: SeDebugPrivilege	1536	dllhоst.exe
Token: SeDebugPrivilege	2184	firefox.exe
Token: SeDebugPrivilege	2184	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

2184 firefox.exe
2184 firefox.exe
2184 firefox.exe
2184 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

2184 firefox.exe
2184 firefox.exe
2184 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

2184 firefox.exe

pid	process
2184	firefox.exe
2184	firefox.exe
2184	firefox.exe
2184	firefox.exe

pid	process
2184	firefox.exe
2184	firefox.exe
2184	firefox.exe

pid	process
2184	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TeamViewer_Setup.exedllhоst.exefirefox.exefirefox.exe

description	pid	process	target process
PID 4676 wrote to memory of 1536	4676	TeamViewer_Setup.exe	dllhоst.exe
PID 4676 wrote to memory of 1536	4676	TeamViewer_Setup.exe	dllhоst.exe
PID 4676 wrote to memory of 1536	4676	TeamViewer_Setup.exe	dllhоst.exe
PID 1536 wrote to memory of 4460	1536	dllhоst.exe	reg.exe
PID 1536 wrote to memory of 4460	1536	dllhоst.exe	reg.exe
PID 1536 wrote to memory of 4460	1536	dllhоst.exe	reg.exe
PID 1536 wrote to memory of 4832	1536	dllhоst.exe	сsrss.exe
PID 1536 wrote to memory of 4832	1536	dllhоst.exe	сsrss.exe
PID 1536 wrote to memory of 4832	1536	dllhоst.exe	сsrss.exe
PID 4560 wrote to memory of 2184	4560	firefox.exe	firefox.exe
PID 4560 wrote to memory of 2184	4560	firefox.exe	firefox.exe
PID 4560 wrote to memory of 2184	4560	firefox.exe	firefox.exe
PID 4560 wrote to memory of 2184	4560	firefox.exe	firefox.exe
PID 4560 wrote to memory of 2184	4560	firefox.exe	firefox.exe
PID 4560 wrote to memory of 2184	4560	firefox.exe	firefox.exe
PID 4560 wrote to memory of 2184	4560	firefox.exe	firefox.exe
PID 4560 wrote to memory of 2184	4560	firefox.exe	firefox.exe
PID 4560 wrote to memory of 2184	4560	firefox.exe	firefox.exe
PID 4560 wrote to memory of 2184	4560	firefox.exe	firefox.exe
PID 4560 wrote to memory of 2184	4560	firefox.exe	firefox.exe
PID 2184 wrote to memory of 220	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 220	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3564	2184	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\SysWOW64\dllhоst.exe
"C:\Windows\System32\dllhоst.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Windows\SysWOW64\dllhоst.exe /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:4460

C:\Windows\SysWOW64\сsrss.exe
"C:\Windows\SysWOW64\сsrss.exe"
3⤵
- Executes dropped EXE
PID:4832

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4560

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2184

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2184.0.240845610\696378912" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 20936 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3eca94cb-232e-4958-b060-a9f28cad04ea} 2184 "\\.\pipe\gecko-crash-server-pipe.2184" 1776 17b6f8d8458 gpu
3⤵
PID:220

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2184.1.958827678\1657086103" -parentBuildID 20221007134813 -prefsHandle 2120 -prefMapHandle 2116 -prefsLen 21017 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {076552ca-f217-493f-9277-f7f922c89fc7} 2184 "\\.\pipe\gecko-crash-server-pipe.2184" 2132 17b64772e58 socket
3⤵
- Checks processor information in registry
PID:3564

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2184.2.1006300361\1475607004" -childID 1 -isForBrowser -prefsHandle 2908 -prefMapHandle 1576 -prefsLen 21055 -prefMapSize 232675 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {40c2282a-d724-4607-8743-1139239361dc} 2184 "\\.\pipe\gecko-crash-server-pipe.2184" 3020 17b73960b58 tab
3⤵
PID:336

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2184.3.719610185\386984673" -childID 2 -isForBrowser -prefsHandle 3560 -prefMapHandle 3552 -prefsLen 26480 -prefMapSize 232675 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {05e2ff00-f19a-428c-bdd8-4a2bf1263e11} 2184 "\\.\pipe\gecko-crash-server-pipe.2184" 3576 17b64767858 tab
3⤵
PID:4916

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2184.4.413992324\222753296" -childID 3 -isForBrowser -prefsHandle 4196 -prefMapHandle 4192 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {57002e6f-57f3-463c-aa4c-067c75cd6af6} 2184 "\\.\pipe\gecko-crash-server-pipe.2184" 4208 17b750e5f58 tab
3⤵
PID:2836

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2184.6.100732072\319318919" -childID 5 -isForBrowser -prefsHandle 4932 -prefMapHandle 4936 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c768f18e-1a6b-4010-b149-15695b959db0} 2184 "\\.\pipe\gecko-crash-server-pipe.2184" 4924 17b75d89458 tab
3⤵
PID:4472

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2184.7.869622646\1949736756" -childID 6 -isForBrowser -prefsHandle 4812 -prefMapHandle 4780 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0914f6d9-a25b-4034-8b6b-2049f175e568} 2184 "\\.\pipe\gecko-crash-server-pipe.2184" 5108 17b75d89a58 tab
3⤵
PID:3172

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2184.5.2028589097\1631743069" -childID 4 -isForBrowser -prefsHandle 4716 -prefMapHandle 4820 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9f168ac-377c-4064-882e-fb180b7cdbd3} 2184 "\\.\pipe\gecko-crash-server-pipe.2184" 4812 17b75d88b58 tab
3⤵
PID:2296

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2184.8.1125968521\482890440" -childID 7 -isForBrowser -prefsHandle 5512 -prefMapHandle 5508 -prefsLen 26795 -prefMapSize 232675 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9dc2b851-8c08-482a-a7b2-35f8d8d110b3} 2184 "\\.\pipe\gecko-crash-server-pipe.2184" 5484 17b7732e958 tab
3⤵
PID:2360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xcsgzdt0.default-release\activity-stream.discovery_stream.json.tmp
Filesize
147KB

MD5
142d2514a6bd810d7f892e7c388e075e

SHA1
eff7fcb5b9e8bc13f9892981d39006cdafbeb909

SHA256
d1d3d7e2cce7540fd7621a4aab2a858eabb850f0c882760f25aaab1590e23dd1

SHA512
40a4b3851abe4940e3acbb04717f933a78883135dfb1eaf58744db683f8327d88ca4434394d1cb5249afc161ad10ba8033df17e0c4f73d3b44646dd8f5cca755

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xcsgzdt0.default-release\prefs-1.js
Filesize
6KB

MD5
b96198ab6c61a1da5dcb232174313d61

SHA1
33aadb9b832f64f4effe1de9451267535e9a0c58

SHA256
e0dfd5ea0370108a3b1e0affd232f3631ea6465e9bf3881e83ff238a03fd081d

SHA512
33a4ffb7fbac48ad7793e5a093baa03e20ea00d67e4e371c9c066a12afa4c05e31b49ee4f70d72755f25998214e0e298ae7235c9f22019092be4485e7063a6bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xcsgzdt0.default-release\prefs-1.js
Filesize
7KB

MD5
e09393248e436b5a85faff09c8c52c73

SHA1
7f1d157aead15615c8d14bd4ee748292eac9984b

SHA256
e4ce50692f75ffb5a47abc3b0b100a0f4522ff12a30bb7053bb7fde15a27320f

SHA512
516e4add695548f2dedcd180f64bcbd6a521c008e69a1d32f7e89eddc90156221316fcea2f071b29a468c17367821e73c1f1be98bcc483234058e1a4845d1de6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xcsgzdt0.default-release\sessionCheckpoints.json.tmp
Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xcsgzdt0.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
ad1d29e8a28aa376c96e79c3cacc864c

SHA1
d250ffe9ac6a353893ed5e103aa4608570c92d49

SHA256
12d56d8ea85bff54852f934207f09bc2c22144cf844ff7c9befafa44e8611d8e

SHA512
671d2dd61154e36b85146de97a259320bc0eb0640f2440e9c09ccf02691c9ec342bef58be5f36cd33969f9621b2523684defa35232a3909633352bf088eb1b5c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xcsgzdt0.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
1219c3023ff236da574be3bed60a5953

SHA1
7ef48f1da47734efd21d156ae78d82bab7e31112

SHA256
9e3d2952e85a193f5aac10b3212caecefcf7309accea766523e43751cf9d880f

SHA512
3686a193e9eb3bee9f0dbb1af064220b6919d4c7506995ff3669aa257cec87a7557e7b595bad14599f6b2fbff60e81b3e8a28cc09b3ee239b338fc6d95302293

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xcsgzdt0.default-release\sessionstore.jsonlz4
Filesize
4KB

MD5
ae28f11a7b430ea26eb5850e8aae0fdd

SHA1
7daf0645d9375b504ff9ede37c65b17e9be57711

SHA256
10840a3e6e61a76679f0fb28f4a009f12be7614121f099422a2b94f56995b135

SHA512
ee71a67e4f99c6c475a657b4f409357711993445094bf8c99971fe23e1b374009a80060a64e2a3d9b31e3a2c45026ddcdb804fbfe7316ede25e816adf0d8ccea

Download Submit
C:\Windows\SysWOW64\dllhоst.exe
Filesize
130KB

MD5
d422f36032337b8996926d750b38fb15

SHA1
3c469472c5eadd2af6d93d9498e62934149f104d

SHA256
9c7708aa2255ef6df7faa3eb2821687272ce7e02449419c2fcd5bcde69825a6e

SHA512
2ba5c12cdc456e437da314759f3d3385179d313ae1118edb3692e2e32759ab3be789b2e086c087ef0ac07c488d860495c99935aed32247b234e5e77f088f3e45

Download Submit
C:\Windows\SysWOW64\dllhоst.exe
Filesize
130KB

MD5
d422f36032337b8996926d750b38fb15

SHA1
3c469472c5eadd2af6d93d9498e62934149f104d

SHA256
9c7708aa2255ef6df7faa3eb2821687272ce7e02449419c2fcd5bcde69825a6e

SHA512
2ba5c12cdc456e437da314759f3d3385179d313ae1118edb3692e2e32759ab3be789b2e086c087ef0ac07c488d860495c99935aed32247b234e5e77f088f3e45

Download Submit
C:\Windows\SysWOW64\сsrss.exe
Filesize
115KB

MD5
46876588de250f948d185a55b87c7c19

SHA1
2d098bcc85ff38027797f8a89116dad249afe67d

SHA256
0206f4977c8992745fcfc19723a473c3a5ed9b92b990271dcfe4edce4e64ebc2

SHA512
83af7f7a4e7629049fd41185e23d0c4cfba47db7300e4629cc7578dcfb1a403315c7e82b30dded4350e4c38abb942b08e17a1cc3557a2cf0f9ad8e0541e7f943

Download Submit
C:\Windows\SysWOW64\сsrss.exe
Filesize
115KB

MD5
46876588de250f948d185a55b87c7c19

SHA1
2d098bcc85ff38027797f8a89116dad249afe67d

SHA256
0206f4977c8992745fcfc19723a473c3a5ed9b92b990271dcfe4edce4e64ebc2

SHA512
83af7f7a4e7629049fd41185e23d0c4cfba47db7300e4629cc7578dcfb1a403315c7e82b30dded4350e4c38abb942b08e17a1cc3557a2cf0f9ad8e0541e7f943

Download Submit
memory/1536-131-0x0000000005060000-0x00000000050FC000-memory.dmp

Filesize
624KB

Download
memory/1536-132-0x0000000005600000-0x0000000005AFE000-memory.dmp

Filesize
5.0MB

Download
memory/1536-135-0x0000000002B60000-0x0000000002B6A000-memory.dmp

Filesize
40KB

Download
memory/1536-134-0x0000000002B40000-0x0000000002B50000-memory.dmp

Filesize
64KB

Download
memory/1536-136-0x00000000052C0000-0x0000000005316000-memory.dmp

Filesize
344KB

Download
memory/1536-128-0x0000000000740000-0x0000000000768000-memory.dmp

Filesize
160KB

Download
memory/1536-130-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/1536-146-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/1536-133-0x0000000005100000-0x0000000005192000-memory.dmp

Filesize
584KB

Download
memory/4676-121-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/4676-129-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/4676-120-0x0000000000190000-0x00000000001C2000-memory.dmp

Filesize
200KB

Download
memory/4832-143-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/4832-148-0x00000000057C0000-0x00000000057D0000-memory.dmp

Filesize
64KB

Download
memory/4832-147-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/4832-145-0x0000000009BF0000-0x0000000009C56000-memory.dmp

Filesize
408KB

Download
memory/4832-144-0x00000000057C0000-0x00000000057D0000-memory.dmp

Filesize
64KB

Download
memory/4832-142-0x0000000000D60000-0x0000000000D82000-memory.dmp

Filesize
136KB

Download