xenorat | 9c987ba5a2af23422f773779a1b2f492617b8f6e68dba5b4e5684b2152bc6d4b

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-29_f47313d903d4a4bcf067567fe0d43817_ryuk.exe
Size

6.7MB
MD5

f47313d903d4a4bcf067567fe0d43817
SHA1

08516b4b77454dd4f948084308453d6619d94009
SHA256

9c987ba5a2af23422f773779a1b2f492617b8f6e68dba5b4e5684b2152bc6d4b
SHA512

dce19db50819af430c979a30b0afdc6b48d1b501325f492fb105384039a9eef90d1479284e5c5542b9a3be9d8ec60c4416cc125cbad8c007e0f54ae312179a74
SSDEEP

98304:3ijHdPkLq3Gknso4mDTGVCkaTdKiySh41U4WyBuQhoBCIS+Y:30eL0wcKfSB4WyMQmYI

Score

10^/10

xenorat adware defense_evasion discovery execution persistence rat spyware stealer trojan

Malware Config

Signatures

Detect XenoRat Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3440-44-0x0000000008900000-0x0000000008912000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3212	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	IDMan.exe

Executes dropped EXE 1 IoCs

pid	Process
4880	IDMan.exe

Loads dropped DLL 1 IoCs

pid	Process
3964	2024-09-29_f47313d903d4a4bcf067567fe0d43817_ryuk.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\WindowsApps\\IDMan.exe /onboot"	IDMan.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
4032	cmd.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	IDMan.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	IDMan.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	IDMan.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDMan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\WindowsApps\\IEExt.htm"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\WindowsApps"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\WindowsApps"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\WindowsApps"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Low Rights	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	IDMan.exe

Modifies registry class 16 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}\Model = "272"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}\Therad = "1"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\WindowsApps\\IDMan.exe"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan"	IDMan.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter	IDMan.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3212	powershell.exe
3212	powershell.exe
3212	powershell.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	3212	powershell.exe
Token: SeRestorePrivilege	4880	IDMan.exe
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeDebugPrivilege	4392	firefox.exe
Token: SeDebugPrivilege	4392	firefox.exe
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeDebugPrivilege	4392	firefox.exe
Token: SeDebugPrivilege	4392	firefox.exe
Token: SeDebugPrivilege	4392	firefox.exe

Suspicious use of FindShellTrayWindow 24 IoCs

pid	Process
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4880	IDMan.exe
3440	Explorer.EXE
3440	Explorer.EXE

Suspicious use of SendNotifyMessage 21 IoCs

pid	Process
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4392	firefox.exe
4880	IDMan.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4880	IDMan.exe
4880	IDMan.exe
4880	IDMan.exe
4392	firefox.exe
4880	IDMan.exe
4880	IDMan.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 3212	4032	cmd.exe	87
PID 4032 wrote to memory of 3212	4032	cmd.exe	87
PID 3212 wrote to memory of 2388	3212	powershell.exe	89
PID 3212 wrote to memory of 2388	3212	powershell.exe	89
PID 2388 wrote to memory of 3152	2388	csc.exe	90
PID 2388 wrote to memory of 3152	2388	csc.exe	90
PID 3212 wrote to memory of 4880	3212	powershell.exe	91
PID 3212 wrote to memory of 4880	3212	powershell.exe	91
PID 3212 wrote to memory of 4880	3212	powershell.exe	91
PID 3212 wrote to memory of 3440	3212	powershell.exe	56
PID 4880 wrote to memory of 5084	4880	IDMan.exe	92
PID 4880 wrote to memory of 5084	4880	IDMan.exe	92
PID 4880 wrote to memory of 5084	4880	IDMan.exe	92
PID 4880 wrote to memory of 1920	4880	IDMan.exe	97
PID 4880 wrote to memory of 1920	4880	IDMan.exe	97
PID 1920 wrote to memory of 4392	1920	firefox.exe	98
PID 1920 wrote to memory of 4392	1920	firefox.exe	98
PID 1920 wrote to memory of 4392	1920	firefox.exe	98
PID 1920 wrote to memory of 4392	1920	firefox.exe	98
PID 1920 wrote to memory of 4392	1920	firefox.exe	98
PID 1920 wrote to memory of 4392	1920	firefox.exe	98
PID 1920 wrote to memory of 4392	1920	firefox.exe	98
PID 1920 wrote to memory of 4392	1920	firefox.exe	98
PID 1920 wrote to memory of 4392	1920	firefox.exe	98
PID 1920 wrote to memory of 4392	1920	firefox.exe	98
PID 1920 wrote to memory of 4392	1920	firefox.exe	98
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99
PID 4392 wrote to memory of 4924	4392	firefox.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3440
- C:\Users\Admin\AppData\Local\Temp\2024-09-29_f47313d903d4a4bcf067567fe0d43817_ryuk.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-09-29_f47313d903d4a4bcf067567fe0d43817_ryuk.exe"
  2⤵
  - Loads dropped DLL
  PID:3964

C:\Windows\system32\cmd.exe
cmd.exe /c start "" /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\app.ps1"
1⤵
- Hide Artifacts: Hidden Window
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\app.ps1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wo4lszmk\wo4lszmk.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A1D.tmp" "c:\Users\Admin\AppData\Local\Temp\wo4lszmk\CSC690917BC514E4070907B357B3CEC2CFC.TMP"
      4⤵
      PID:3152
- - C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\IDMan.exe
    "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\IDMan.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4880
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\IDMShellExt64.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5084
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1920
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4392
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c5f9c5b-e796-4cbb-b57e-3a03a5bbfb0b} 4392 "\\.\pipe\gecko-crash-server-pipe.4392" gpu
        6⤵
        
        PID:4924
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df765c7a-c471-45bf-b055-8a1796e881b0} 4392 "\\.\pipe\gecko-crash-server-pipe.4392" socket
        6⤵
        
        PID:4820
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3464 -childID 1 -isForBrowser -prefsHandle 3512 -prefMapHandle 3524 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6dce9d8-5937-43e1-8a56-e18fdfad6369} 4392 "\\.\pipe\gecko-crash-server-pipe.4392" tab
        6⤵
        
        PID:1660
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2976 -childID 2 -isForBrowser -prefsHandle 3540 -prefMapHandle 2724 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb8cb195-ce23-4344-8010-21835256a4c9} 4392 "\\.\pipe\gecko-crash-server-pipe.4392" tab
        6⤵
        
        PID:4372
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4712 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4700 -prefMapHandle 4456 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc237148-8962-4535-88a3-32396d83bbf3} 4392 "\\.\pipe\gecko-crash-server-pipe.4392" utility
        6⤵
        Checks processor information in registry
        
        PID:1548
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5336 -childID 3 -isForBrowser -prefsHandle 5328 -prefMapHandle 5324 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95141276-244b-4410-9e4a-f5b771daf9c7} 4392 "\\.\pipe\gecko-crash-server-pipe.4392" tab
        6⤵
        
        PID:3424
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5476 -childID 4 -isForBrowser -prefsHandle 5556 -prefMapHandle 5552 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d346f782-babe-478e-96ff-1270d08ef5aa} 4392 "\\.\pipe\gecko-crash-server-pipe.4392" tab
        6⤵
        
        PID:4124
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5704 -childID 5 -isForBrowser -prefsHandle 5676 -prefMapHandle 5556 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {977b8f5e-0d18-4602-b09d-ecc2ea53093c} 4392 "\\.\pipe\gecko-crash-server-pipe.4392" tab
        6⤵
        
        PID:1544
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5964 -childID 6 -isForBrowser -prefsHandle 6016 -prefMapHandle 3248 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2915cf37-bdc4-4777-a5d6-e8469e4e1bde} 4392 "\\.\pipe\gecko-crash-server-pipe.4392" tab
        6⤵
        
        PID:3852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\IDMan.exe

Filesize
5.7MB

MD5
57f08cad5c4a34e4fc5b42a7a0fe9ac1

SHA1
17d7ceee243a924ad324f266d8e37f441ed87658

SHA256
a75ba6948935a5005212f576be7dcb1d9814011c11f6a7c133a2c89673a7dd86

SHA512
7e506883c8e221c7c6847982efda2c4cff2fa142d7386be413f46c92fe8b48cb6a5949315b882d05c6bc239a197156c986372e8d34d232d9f8fa4486f65c763c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\app.manifest

Filesize
47KB

MD5
6fec4faacf51e3f656421e6cf5217299

SHA1
b4963d03ae835f9b064491dce20108f9450e7507

SHA256
582524e8046a86b6729bd9c3032f0da3d2b99c9eb537cce4b827b1a55d65a638

SHA512
2b2951dfb9c856cfcee73f5dab6218118b98e98cfa7bc47f5d241215024863da5b0d08ebab43475ca97fd13ca2d3ddf5ecdb5a16bdb117fb5bb0a506b6a7fe26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\app.ps1

Filesize
5KB

MD5
37ad876274cee87e5cd06f73a11f7b25

SHA1
089f488d67c4cfb0926e800447ec2f4dc5ed19d3

SHA256
bd7e27789b783b8c606b796899a64653264b93d0044276b769d01d580ff7cc81

SHA512
28a34edce21f9f24fea114843373f474e74508cf036f8bc6ee3b10c7e6db1f90ed832d5bfa847be061b2b521ba8b52155854b8f947ac2d5f29ad74489f04d6ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\wAPI.dll

Filesize
6.3MB

MD5
83f543239172049edf135de8383a1a10

SHA1
b35559b0fa24afeee4295b6a5b5522b21c52101d

SHA256
4071b396f1152389806a3127f84b4f6a8b4cbfadc6d7f11f77a93424e9306dee

SHA512
2dededb6307c646844430f7c1f2354c0ad26351321b64dbc1b573592d8e5d4833318711447e6ca3e11912fbff3eac507dd6732ceb1f692a4cd92570f40d19a26

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5utpapi8.default-release\cache2\entries\22386449CA13D8975B935875780066C6EF52CE37

Filesize
13KB

MD5
48190a5dbdbee4a1e759174974f4aecc

SHA1
4d62bcdecd8f44cb6d75c5878a2a3a47b81bae0f

SHA256
a926779e01b079f5131cca3bd2e2eaa7d5a3e32b5b33470687950a6d8922eef5

SHA512
66e17f1d389d1222e5ca0b7c7721d3ba2a0e69d761d7dd4f6b1653a29dbbf034c0159aac401dbe5c461c029ed62cf180b40d5902d99717fc2ad14db543fc1556

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9A1D.tmp

Filesize
1KB

MD5
bf5c537385abe4b4df8b74e672def794

SHA1
5bace7d2c0b818b6cba3ea67c9f60071468fea2a

SHA256
ec3a2548cd981c45a9c29612ad3cc7c063c01707a41354978c8381107455e455

SHA512
3a77c4dbc6fffd21df5ed8302a6b292311696dd2eeb77fe4afa74b67050e1cc3a59bbacce195c116e5078660ae8eb6afed91bdf3e550991b282a912ccd1aedca

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a1h3afxs.24p.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-2

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wo4lszmk\wo4lszmk.dll

Filesize
4KB

MD5
e581930d10c27b7f98b52bd57f2b0dd2

SHA1
a312f106a61ae537e33a605a6f76f2b0eee8810a

SHA256
840bc834f2376ac7ecb86963e7163897af6b413df15f52f12f61f2a1326c854a

SHA512
8bcbc01cd2670df1e21d971f1f7e358ed30dc189ab6e9793bc4971e34ab9dbe8b3b17a90392e9b12558de0450d0aeba95513c161757c661bcd03bbfdb0cff4e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\AlternateServices.bin

Filesize
8KB

MD5
889a2433174c71ed2c2a9bb50efa02f7

SHA1
e00b79c3c8714346262d85eeea5777cec8cfc2bc

SHA256
251bd949f4f07dafa764d40a2af2b6458e29011fc23695a9f1196783e2903a33

SHA512
9b6dbc3e089a49c52cd9eb9cf9e992a7740b920ddf603075ded720e40b905148586aabec457efc7fe23dd57050fec8f024e89c95bbce6e207770891c19361f24

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\AlternateServices.bin

Filesize
12KB

MD5
87df79648202e813f2c3dfba75dee54d

SHA1
821b58dce9fb31af7c2ad9069435c3decf8d6450

SHA256
e944e5523fe11cc9306cb515751747330787fa17a97a0c3ad827c07a797adc9e

SHA512
6ee5ef44b67c02caf3c6a9fd52758e80ef992ec242748e463d4e410f7dc14c5655343d2b1cd5c4f96eed342874a6a75aa99398fa5128fbb572c2331666fad8bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
7ba18ecc9e5f275bf7297167af8eadff

SHA1
4b795d5189a3a57dea525d78dcc85f61fdcb1106

SHA256
aae9883e30a6b1b4d62660c092832258dc6db534aa74a8162472d505188788ea

SHA512
5e9e55e9f0421c9e5ebf5bcf013785645cb097c307aaeda4c31858a3d6cf08b693e437f8508e501981144ed1157d1d57fb5ac2eeb9cadbd9e2d6321e1ea4a1b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
31KB

MD5
e52366c96f6ccfdc5e6300924b10a002

SHA1
f4af4a2ed980e262e2af50726d1c0449238a7d38

SHA256
6cf4070b85a76e31a81d00c77c1887dd317fb701a426534232be600ffc42050e

SHA512
908968016634f1a75618ec2900dd70b0150e960a22bf8464d2c0397d9cdab0c68c20bbf3b5ce5ce3f0db422c49f853cd73b12792fa96585503182ef38407a3fb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
31KB

MD5
4e957875cf92f2643e559f72bbf31517

SHA1
4a823495b0a3cdd178298d998ea72bdf9145802f

SHA256
9758db5aef5221967565d475d93a5050364aec5bba1557d9f71a9cf67bd0b6b9

SHA512
c9372121394f6a71f82198eb923181fe02c5c26f70dc147364c366fd40ec69beff0f5875e3ffb97cf618a34a51a1d565303fc4258aa4a157bf8543fc37d05ac5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
e0bbeb4cda6593e39badd6c87cd30d93

SHA1
501ffa83f4ce9fac915a44a0c1a6035501494b18

SHA256
d70963dfc67031ea8deca06c4680593eac586bb81c44ceb84c28b514fd5b7dc0

SHA512
38e4328bbcb16dba8c5ae4ce6f6a9220bcdffffe4548a673c9c968b3443e516dd6b0301ab29fdb22ad24e2b0d1da9ae33df9cc9fbfdf062f2837bd97c17d9999

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\4b923c65-e6f1-48ad-b29b-d13ff150b894

Filesize
671B

MD5
4595d2c9846209307412908651fbcf6e

SHA1
80632248f3eb09e4c023c505938a71f59112f6cc

SHA256
0e3833feccffe41841c858736615d4cbbd7d30cf96a09bc5f4d1fa9c1b118a98

SHA512
65aadb35b94314fc901e2994b4ccc3bbc1c16ae16138aa3d7da5ac24c823104b39b1215c3a64080f7cebf78b3269d788eaff5586090d020aebaf292ffc2cd933

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\b9cb0858-a33f-4f38-871a-31f5a5e04e8e

Filesize
27KB

MD5
9780d2ddb1d3474e2b16baa5c31c6fde

SHA1
b8470a738845b49c8ed0eb5f93a0f4ce3cde6e94

SHA256
5ebf5d2a625b8c2a839e53c72b508724d9207723031ee6b7259797a18f162bde

SHA512
d4116393620d2a22f4f2fc8611cc86541a9135ecfa92cfeca89c3663674557485f1badddad4e45cdec9939c50efe9037260d9df6ac612616b8fa6e70557631a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\c321cee0-1470-4f5a-9ebe-b6bed4c49149

Filesize
982B

MD5
f6329c2b2fd3ccfbffdc62896e503ed1

SHA1
7a71fdeb0541f9104c3162426a13aa46307fd281

SHA256
c0f6e6b803d78fa51e36d899f592288acbd5c9395fdec05ddc1e933ce66dc10d

SHA512
c898dd9bd8836b8f60d2abf74ee7525005fbeb0a489edb5670d637d6ea2d13515c081a4d13a3aff1afb045238099e3fb513db685bebd5ee3a357b71b7dd93404

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll.tmp

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp

Filesize
1KB

MD5
36e5ee071a6f2f03c5d3889de80b0f0d

SHA1
cf6e8ddb87660ef1ef84ae36f97548a2351ac604

SHA256
6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683

SHA512
99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\prefs-1.js

Filesize
12KB

MD5
b593349d505c02d0302480bb5ad17640

SHA1
e6c39a8f98672d7407a95218656ac97968eff338

SHA256
7080cdd41713d0365cb10f0599eb44553ec67c83718eec41c5ee9599df33617a

SHA512
fb9a6764d4d39fb761dcb414ddc24db788240d7148ae6df8f9618e1eb591d59494776d71141eb0824770a85bb897959afbbcafc92e9f1ab1d4dc59e6f9907a0b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\prefs.js

Filesize
11KB

MD5
7d74a5bdd8a50a46192b938970ae4086

SHA1
f223a499f9f46fe9cefc7a7e0c8978760f3ec853

SHA256
c6921a5df447875a330b76ee3a0ef64587c7480934f53d09f773bfa6d80af42d

SHA512
1a2ffb144430b018f9bbfb0b619f6c4278a000bc99425fcb8f63b0edf68f607fec20f771b9aaeac33ec1a7299f6a1a2291d640d97e7aeab3768e8e434f616b0e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\prefs.js

Filesize
10KB

MD5
b0466014041f0e22e1ece16c219b5768

SHA1
87906d970517f883fcbbd39e0b7234d4a5a484d6

SHA256
48d2d908a3861cb14132b0f465d1276ad67157f102e8d49ab6da01865295c681

SHA512
a31c16267d0247d1ec28f536d1109c21ea43945f0498c5a48ab6723eb6ef4ec68cf260e7eb8268df1fee463e1a93f686715a47116939a27a858ba73e85b24c01

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\prefs.js

Filesize
11KB

MD5
14ac33335e7c93fb7e66f2e9ac73acee

SHA1
09ce10b8f01b568b17640f4147fe7e2d58bd73d5

SHA256
e78fad892ac888e66b253fab0488870e3a46c81f39b8884cfd0b9f03c1f5c487

SHA512
859d487b596a5b1f89efe2044fa7dcd516da59a7d514d8b62545934d6d7f5ceb6b206520949bab2924ddf3aa09a08fd0db55525010f3a0ef43e3ca688970d2a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.9MB

MD5
45e933a704f113356482745fbc35a241

SHA1
d78ed658ed2b5fc7210f0fc01263c8acff29f6cb

SHA256
4239a4ce04a8a122aecf8f8aad832ea338dc823f48b288d74717334c029d396a

SHA512
d0a09bc3cfa23ecb2e87828b828c178a4fa80c510c91df1e6ba7c518ad60b385361f1977efef596c73a7f2e2a0e5143b788707ad74a148879e5430e88cfcee99

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
2.3MB

MD5
540127fb679cb704cb36f94c4e0337fb

SHA1
194f2cf7a71556e4dd70c58554c47adc91581969

SHA256
96490edc5ae5c3a5deeda284100bb46b08a72d44e9976cd1dd8dc4acea973269

SHA512
d4abb64f93f67947b5044f24893f9ac3b862599bfbde200fabd7e69459dcb72488fa124051862672a1b6437d6e8f9c9c697ee22cf7580bc096717825a68483e4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wo4lszmk\CSC690917BC514E4070907B357B3CEC2CFC.TMP

Filesize
652B

MD5
ec5ceb18a57cd78390a490a0169a35d5

SHA1
fbfb4fb7862569853147e7adbcb712d25f9d7418

SHA256
c186edb2defd3a7721eb48997e040fdcb28085a8f04e21b626eb66383035cb04

SHA512
efa13aa1bc279ceb526f11895f2047b09ec7446320e831c1d77e3f7ea9b304a5dd679a61240ba4dc8c2b924a5b367bf04a8b086e7418edbcb4a20365ea1b8414

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wo4lszmk\wo4lszmk.0.cs

Filesize
1KB

MD5
3fa19360e09832c3d711d4fe71911eae

SHA1
55a86c45af0f33419db93c39aaae09a06f610c78

SHA256
92a6b697b5bc2e42c280074823e06c1f39efc36fd985feff938b4f071756d28b

SHA512
880abc257e440799cbc718b39d776127e2a683cb5ffe4ebe426240aa52d7fbf6a4982b66b536388a88b00ed810088dc80b47e94297d24db89c1e2a92c982ec84

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wo4lszmk\wo4lszmk.cmdline

Filesize
369B

MD5
15f7b4ae69999ba3c07612d5174bd2eb

SHA1
eeabe4f0bf29168710b9e8344b30d1562261e65f

SHA256
453e746aa57a72592800b981db2d11cb2cc28ffd00338d7f589c73a47be3d7c0

SHA512
c29b083b23a5b4dd8d57b5534243ad9394964c28e8f452a7a70a7623be6655dbe7e1be3b201b7a634139aa749064fa4a0babba3123967a042c7b03ed71d5add4

Download Submit
memory/3212-21-0x00007FFACE7F0000-0x00007FFACF2B1000-memory.dmp

Filesize
10.8MB

Download
memory/3212-9-0x00007FFACE7F3000-0x00007FFACE7F5000-memory.dmp

Filesize
8KB

Download
memory/3212-19-0x00007FFACE7F0000-0x00007FFACF2B1000-memory.dmp

Filesize
10.8MB

Download
memory/3212-20-0x00000248D6560000-0x00000248D6582000-memory.dmp

Filesize
136KB

Download
memory/3212-40-0x00007FFACE7F0000-0x00007FFACF2B1000-memory.dmp

Filesize
10.8MB

Download
memory/3212-35-0x00000248F0BA0000-0x00000248F0BA8000-memory.dmp

Filesize
32KB

Download
memory/3212-45-0x00007FFACE7F0000-0x00007FFACF2B1000-memory.dmp

Filesize
10.8MB

Download
memory/3440-44-0x0000000008900000-0x0000000008912000-memory.dmp

Filesize
72KB

Download
memory/3440-41-0x0000000001130000-0x000000000113C000-memory.dmp

Filesize
48KB

Download