Overview

overview

10

Static

static

10

gay.exe

windows7-x64

10

gay.exe

windows10-1703-x64

10

gay.exe

windows10-2004-x64

10

gay.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    06-03-2024 11:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gay.exe

  • Size

    1.1MB

  • MD5

    088ef66571d8d08e8e8f56d9464d9a2b

  • SHA1

    bb77ae41dd0cb709f3938f264463aa2aa6943071

  • SHA256

    6230ef10cc3c6ff83a0ee0c5d87273ccae68c0f61883b9a218dc4e0f2b351cd5

  • SHA512

    1cdfd8428c2fcb29205be394c9a55824e7a5407611fd694a52526196852956e824f57e76e332b0c8d984ea8577f0000dfb9d72550344a9ced8c13e8d74938ccc

  • SSDEEP

    24576:U2G/nvxW3Ww0tVOOfWa+tZDfQgZ9E9SXNmgSG:UbA30VOOfUVvJ

Score
10/10
dcratevasioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\gay.exe
    "C:\Users\Admin\AppData\Local\Temp\gay.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\WebreviewRuntime\DA0G5NQf2P.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2972
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\WebreviewRuntime\TaqdBAfZaG.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3496
        • C:\WebreviewRuntime\comweb.exe
          "C:\WebreviewRuntime\comweb.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4820
          • C:\Users\Public\Music\lsass.exe
            "C:\Users\Public\Music\lsass.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4412
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • Modifies registry key
          PID:3816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\odt\StartMenuExperienceHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:232
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3800
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3872
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sihost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1688
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4924
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3996
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\OfficeClickToRun.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1320
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Public\Pictures\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3076
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\odt\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1856
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1984
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2092
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Start Menu\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3144
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2568
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\WebreviewRuntime\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\WebreviewRuntime\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1124
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\WebreviewRuntime\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1100
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Music\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4492
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Music\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1352
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Music\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5088
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1372
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1728
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2340
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3132
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:248
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2456
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2456.0.1306936833\452536595" -parentBuildID 20221007134813 -prefsHandle 1820 -prefMapHandle 1816 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfdc2aed-9ac4-4f53-9de0-af79f055e0bf} 2456 "\\.\pipe\gecko-crash-server-pipe.2456" 1900 27c2b204758 gpu
        3⤵
          PID:1320
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2456.1.931450683\1732413981" -parentBuildID 20221007134813 -prefsHandle 2268 -prefMapHandle 2264 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ebb5682-7bde-40f4-a48a-da035e29f8be} 2456 "\\.\pipe\gecko-crash-server-pipe.2456" 2284 27c1df72558 socket
          3⤵
            PID:4800
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2456.2.1753811232\1189633067" -childID 1 -isForBrowser -prefsHandle 3176 -prefMapHandle 3172 -prefsLen 20886 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d848832-70f1-45e8-b3a4-84a4ae68e0e1} 2456 "\\.\pipe\gecko-crash-server-pipe.2456" 3188 27c2f3a1158 tab
            3⤵
              PID:3304
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2456.3.589244011\1225144289" -childID 2 -isForBrowser -prefsHandle 3440 -prefMapHandle 3436 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2087cc3-e32d-4046-bca8-c814167f15a4} 2456 "\\.\pipe\gecko-crash-server-pipe.2456" 3444 27c1df30858 tab
              3⤵
                PID:2160
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2456.4.1358039474\1632957498" -childID 3 -isForBrowser -prefsHandle 4572 -prefMapHandle 4580 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11ee1421-a5bb-46d3-bea6-cd6d17c23af3} 2456 "\\.\pipe\gecko-crash-server-pipe.2456" 4604 27c31085558 tab
                3⤵
                  PID:1824
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2456.5.551964032\1278630955" -childID 4 -isForBrowser -prefsHandle 4936 -prefMapHandle 4916 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f29c67d-b82d-4928-9201-a8fa05dfb8b6} 2456 "\\.\pipe\gecko-crash-server-pipe.2456" 4940 27c314b3d58 tab
                  3⤵
                    PID:1312
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2456.6.1613651851\485201053" -childID 5 -isForBrowser -prefsHandle 5064 -prefMapHandle 5068 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8dc2a679-4791-4990-99ca-0df6eef96329} 2456 "\\.\pipe\gecko-crash-server-pipe.2456" 4956 27c314b4958 tab
                    3⤵
                      PID:1704
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2456.7.1185550761\1154352036" -childID 6 -isForBrowser -prefsHandle 5264 -prefMapHandle 5268 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cb9354a-0b55-4036-a12e-8556b784aefe} 2456 "\\.\pipe\gecko-crash-server-pipe.2456" 5344 27c314b3758 tab
                      3⤵
                        PID:4032
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
                    1⤵
                      PID:4636

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\d8xutbrp.default-release\cache2\entries\E66F5AA5E3C285C270CF84BD11111C74D38F245C
                      Filesize

                      13KB

                      MD5

                      e6fbe1c716d33627cbcc3e5817845104

                      SHA1

                      33e88e54ffac5387be33da32750ccf9e877b50c7

                      SHA256

                      ee0045a1d3df6db9c4d74af1ab549bb0ce37a42b1a1c8e728fb4472f715e2e50

                      SHA512

                      92d3c209b0f50c90d549c62a39139e313676810beb7a27f1bc965109114e0bee52fa36ff6cd7c0c32c19de5034150b860d5b8845c1c74392e4d4286010767bb0

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                      Filesize

                      442KB

                      MD5

                      85430baed3398695717b0263807cf97c

                      SHA1

                      fffbee923cea216f50fce5d54219a188a5100f41

                      SHA256

                      a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                      SHA512

                      06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                      Filesize

                      8.0MB

                      MD5

                      a01c5ecd6108350ae23d2cddf0e77c17

                      SHA1

                      c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                      SHA256

                      345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                      SHA512

                      b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\datareporting\glean\db\data.safe.bin
                      Filesize

                      2KB

                      MD5

                      ceb11c2711c5585c0a77d9e406c90615

                      SHA1

                      ee3f3a26d594975c30261f2f8b543693bd2344ac

                      SHA256

                      3dff93e3dcea57465597e579eb3e17ab229355a9b630c1ebb57a14fa9904b67f

                      SHA512

                      5523005fa99ec91abc5e8126d59e99bf4e9270a1a7ce5cf72a8e7c2028bb84f5a1d4959309b5b528c3399c89db6777a7346d3756d6f59e1f1339b810e1c569fd

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\datareporting\glean\pending_pings\902c4f7c-2f88-4efb-a67a-340e2af61a4d
                      Filesize

                      746B

                      MD5

                      d2400e07bbb271b2fd0b37ed4b5e130b

                      SHA1

                      a7eef95b51ce9dbbee3ea2a7a38cdb5dc3b16caa

                      SHA256

                      4ef3a39d167f6655cd40c6ef0200a50c263902748d36e55c7d653fe41dbe946b

                      SHA512

                      bdf45e562515e9a279c6ce43f420c2501d55d8ab3c9d2b1a5d1d0d880fe72a11938640f4bc704f1ff22d12b8d8d12bdc62ba703ce0a2e8746ff88523fe5e7eda

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\datareporting\glean\pending_pings\df76d4e0-4f39-40f2-9c05-4031a5e774d6
                      Filesize

                      10KB

                      MD5

                      d8ce9e8aef2056773585006ad4f47db7

                      SHA1

                      8032765bf2ce09d1f8b5ab28817b111bed621b92

                      SHA256

                      aa99d1d517b06b0ba39939d5fbafa930824a7bffda0dabc0e44ed3933fe8f3b2

                      SHA512

                      f63ae5eb3db21f7e0d79a75fac5a2ce12edae7f36ab0883c68f48b3371e67894dfaa4e8212618313e26f34a044761aed1d0e6746d088e264e3afa0163ffd3fce

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
                      Filesize

                      997KB

                      MD5

                      fe3355639648c417e8307c6d051e3e37

                      SHA1

                      f54602d4b4778da21bc97c7238fc66aa68c8ee34

                      SHA256

                      1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                      SHA512

                      8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
                      Filesize

                      116B

                      MD5

                      3d33cdc0b3d281e67dd52e14435dd04f

                      SHA1

                      4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                      SHA256

                      f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                      SHA512

                      a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
                      Filesize

                      479B

                      MD5

                      49ddb419d96dceb9069018535fb2e2fc

                      SHA1

                      62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                      SHA256

                      2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                      SHA512

                      48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
                      Filesize

                      372B

                      MD5

                      8be33af717bb1b67fbd61c3f4b807e9e

                      SHA1

                      7cf17656d174d951957ff36810e874a134dd49e0

                      SHA256

                      e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                      SHA512

                      6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
                      Filesize

                      11.8MB

                      MD5

                      33bf7b0439480effb9fb212efce87b13

                      SHA1

                      cee50f2745edc6dc291887b6075ca64d716f495a

                      SHA256

                      8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                      SHA512

                      d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
                      Filesize

                      1KB

                      MD5

                      688bed3676d2104e7f17ae1cd2c59404

                      SHA1

                      952b2cdf783ac72fcb98338723e9afd38d47ad8e

                      SHA256

                      33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                      SHA512

                      7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
                      Filesize

                      1KB

                      MD5

                      937326fead5fd401f6cca9118bd9ade9

                      SHA1

                      4526a57d4ae14ed29b37632c72aef3c408189d91

                      SHA256

                      68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                      SHA512

                      b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\prefs-1.js
                      Filesize

                      7KB

                      MD5

                      b55bcb3ec64b4790668b521b9b5a0b74

                      SHA1

                      273229eea9260fb3cd1ded4f29e01a1ecd14bfd4

                      SHA256

                      8188379b3bd12e6b171cfb00bfc16a14d1754397e1bf7113ba0debcaf2d655d8

                      SHA512

                      f7d67884e6d4b46d21c535d1e1b5c36b826d9623351643240ba0299830b2f021d35dc6932a055fd0ac87fb8bb8455cf32ebd18b3b07d69e455e0742df3194019

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      1KB

                      MD5

                      ebd7b98ab111aaee4d7fb760de667a12

                      SHA1

                      deed07c61d4c37e8bf38f24f8f53077d2b197a43

                      SHA256

                      b5bd9777ba0537d1a1efd750b4c94c8a68dad8c8da302135f2f9e86c653674ce

                      SHA512

                      50b150308ad9ed58dfd8f3d2a7abd7c956efb27564d43adf9fa12e1294d000228ed0c23ed6dc0ef17ed3fc894cdd9f5e613a559125ec83a30d1362110446ae43

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                      Filesize

                      1.4MB

                      MD5

                      accc1723586e6043e9d87d4196def287

                      SHA1

                      4f9c02848907128dbfb6ffa0b896596729110ab9

                      SHA256

                      e1a59fba1c4a53b7e1c51fd02cfe3b6aae353e39e4752e92c507fd7cb7d17a0b

                      SHA512

                      e974c0cba6730cd6f1c6dcc46e0f2999f5c5b7bbe37569b3e3e09c2ac0d55671d0f6f1e912ebd14cea7f5265dcedd4b98ccef97f6dbf9d04dc7cd7b308c9d58f

                      Download Submit

                    • C:\WebreviewRuntime\DA0G5NQf2P.vbe
                      Filesize

                      203B

                      MD5

                      7fa3bfacfe0cacddb6346eeb7778b9e0

                      SHA1

                      78401945f41a85308674f3bde838b26a510e4233

                      SHA256

                      3d3d160d1d8264ac4aa1893fe67933ed5beb63aeaac1def84303abf3ca339f5d

                      SHA512

                      593ad78bad06523899c96afaf02f50cf8cda5ffffb01b402db63d8640beb55cc777dea84d568bc094d6320263d749a45a3d588562af1d2f4a9238595354fe701

                      Download Submit

                    • C:\WebreviewRuntime\TaqdBAfZaG.bat
                      Filesize

                      144B

                      MD5

                      f58eadc9badc34d4296980bcd9a7d257

                      SHA1

                      cee017450cadfdc68e6ba8c9d26f76cff1586cba

                      SHA256

                      a4768266d92d5695d29070cfdb3538a5fd8557ca3674dc810921a0d9f6212219

                      SHA512

                      320299b8a6186b3af170d6997818ff75f7c34205da139aa0031afaae8e101ab7f2c30479fe5cc40614daf244e0b4d17a7190e0d7123bfcb7325b75122edc7677

                      Download Submit

                    • C:\WebreviewRuntime\comweb.exe
                      Filesize

                      863KB

                      MD5

                      30f1d9098a779211064a5a0e258e74f0

                      SHA1

                      23109fab7d75cd1cde1d4bd94a1313f432497314

                      SHA256

                      6829753d21c982cf0ea6700ebbc9f78c411047406052507f00dd0169f9db7b95

                      SHA512

                      f69f49a166e88db2331a1e3826554d5fea983becce45260518e65d09b069babcfe3e478c612ad856b7eac79d66e395d3596b69b9caa1444cbf71b56714394c33

                      Download Submit

                    • memory/4412-49-0x00007FF9C5B30000-0x00007FF9C65F2000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/4412-47-0x00007FF9C5B30000-0x00007FF9C65F2000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/4412-46-0x00007FF9C5B30000-0x00007FF9C65F2000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/4820-12-0x0000000000850000-0x0000000000930000-memory.dmp

                      Filesize

                      896KB

                      Download

                    • memory/4820-13-0x00007FF9C5B30000-0x00007FF9C65F2000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/4820-15-0x000000001B450000-0x000000001B45A000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/4820-14-0x000000001B560000-0x000000001B570000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4820-45-0x00007FF9C5B30000-0x00007FF9C65F2000-memory.dmp

                      Filesize

                      10.8MB

                      Download