asyncrat | af5b47951de18f9979f68163abb1dff919b1af9c0a6a44d664f49cdbc14f1a41

Analysis

max time kernel
1050s
max time network
1041s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
16-11-2024 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Api-AutoUpdater.exe
Size

63KB
MD5

3a7e15932c71fd6a0549c01504d38c1b
SHA1

f3ec3762b11cc984aaf6d2b1ebbf0ecd639ead21
SHA256

af5b47951de18f9979f68163abb1dff919b1af9c0a6a44d664f49cdbc14f1a41
SHA512

033f730ec422a60d1c345566b32a60a6c1bfda2d2419f80e523e59515a01c2e11ebc99e6eb61ead9f15767c666976082022c4e1628a6cc4d01b429d2ec19c641
SSDEEP

1536:TeQPczZ9d84YUbAheLLEIhcZvGucdpqKmY7:TeDzZ9d9YUbAQLEIhuEGz

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

previous-casual.gl.at.ply.gg:42435

Attributes

delay
1
install
true
install_file
Windows.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x002900000004517a-10.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	Api-AutoUpdater.exe

Executes dropped EXE 1 IoCs

pid	Process
4248	Windows.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4320	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3120	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2456	Api-AutoUpdater.exe
2456	Api-AutoUpdater.exe
2456	Api-AutoUpdater.exe
2456	Api-AutoUpdater.exe
2456	Api-AutoUpdater.exe
2456	Api-AutoUpdater.exe
2456	Api-AutoUpdater.exe
2456	Api-AutoUpdater.exe
2456	Api-AutoUpdater.exe
2456	Api-AutoUpdater.exe
2456	Api-AutoUpdater.exe
2456	Api-AutoUpdater.exe
2456	Api-AutoUpdater.exe
2456	Api-AutoUpdater.exe
2456	Api-AutoUpdater.exe
2456	Api-AutoUpdater.exe
2456	Api-AutoUpdater.exe
2456	Api-AutoUpdater.exe
2456	Api-AutoUpdater.exe
2456	Api-AutoUpdater.exe
2456	Api-AutoUpdater.exe
2456	Api-AutoUpdater.exe
2456	Api-AutoUpdater.exe
2456	Api-AutoUpdater.exe
2456	Api-AutoUpdater.exe
2456	Api-AutoUpdater.exe
2456	Api-AutoUpdater.exe
2456	Api-AutoUpdater.exe
2456	Api-AutoUpdater.exe
2456	Api-AutoUpdater.exe
2456	Api-AutoUpdater.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe
4248	Windows.exe

Suspicious behavior: LoadsDriver 10 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
672	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2456	Api-AutoUpdater.exe
Token: SeDebugPrivilege	2456	Api-AutoUpdater.exe
Token: SeDebugPrivilege	4248	Windows.exe
Token: SeDebugPrivilege	4248	Windows.exe
Token: SeDebugPrivilege	1040	firefox.exe
Token: SeDebugPrivilege	1040	firefox.exe
Token: SeDebugPrivilege	1040	firefox.exe
Token: SeDebugPrivilege	1040	firefox.exe
Token: SeDebugPrivilege	1040	firefox.exe
Token: SeDebugPrivilege	1040	firefox.exe
Token: SeDebugPrivilege	1040	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe
1040	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1040	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 4940	2456	Api-AutoUpdater.exe	85
PID 2456 wrote to memory of 4940	2456	Api-AutoUpdater.exe	85
PID 2456 wrote to memory of 4936	2456	Api-AutoUpdater.exe	87
PID 2456 wrote to memory of 4936	2456	Api-AutoUpdater.exe	87
PID 4936 wrote to memory of 4320	4936	cmd.exe	89
PID 4936 wrote to memory of 4320	4936	cmd.exe	89
PID 4940 wrote to memory of 3120	4940	cmd.exe	90
PID 4940 wrote to memory of 3120	4940	cmd.exe	90
PID 4936 wrote to memory of 4248	4936	cmd.exe	94
PID 4936 wrote to memory of 4248	4936	cmd.exe	94
PID 3724 wrote to memory of 1040	3724	firefox.exe	118
PID 3724 wrote to memory of 1040	3724	firefox.exe	118
PID 3724 wrote to memory of 1040	3724	firefox.exe	118
PID 3724 wrote to memory of 1040	3724	firefox.exe	118
PID 3724 wrote to memory of 1040	3724	firefox.exe	118
PID 3724 wrote to memory of 1040	3724	firefox.exe	118
PID 3724 wrote to memory of 1040	3724	firefox.exe	118
PID 3724 wrote to memory of 1040	3724	firefox.exe	118
PID 3724 wrote to memory of 1040	3724	firefox.exe	118
PID 3724 wrote to memory of 1040	3724	firefox.exe	118
PID 3724 wrote to memory of 1040	3724	firefox.exe	118
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119
PID 1040 wrote to memory of 2872	1040	firefox.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Api-AutoUpdater.exe
"C:\Users\Admin\AppData\Local\Temp\Api-AutoUpdater.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows" /tr '"C:\Users\Admin\AppData\Roaming\Windows.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Windows" /tr '"C:\Users\Admin\AppData\Roaming\Windows.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9FDA.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4320
- - C:\Users\Admin\AppData\Roaming\Windows.exe
    "C:\Users\Admin\AppData\Roaming\Windows.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4248

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:3744

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2620

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:3668

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2248

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3724
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1956 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1848 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {39bb81e2-137c-401d-a3a8-faf796bb5f7e} 1040 "\\.\pipe\gecko-crash-server-pipe.1040" gpu
    3⤵
    PID:2872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2348 -prefMapHandle 2344 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c72f291-9eeb-4b3b-bc38-bc6be666bc8f} 1040 "\\.\pipe\gecko-crash-server-pipe.1040" socket
    3⤵
    PID:924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3028 -childID 1 -isForBrowser -prefsHandle 3032 -prefMapHandle 3240 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0d5c503-d470-4c71-95ec-c0e7d302cf9e} 1040 "\\.\pipe\gecko-crash-server-pipe.1040" tab
    3⤵
    PID:1708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4316 -childID 2 -isForBrowser -prefsHandle 4308 -prefMapHandle 4212 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ffa4b53-c809-4962-893c-d6fe691458f5} 1040 "\\.\pipe\gecko-crash-server-pipe.1040" tab
    3⤵
    PID:4772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4876 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4872 -prefMapHandle 4868 -prefsLen 29198 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c72ac531-12aa-4241-b51b-d144de43ac6a} 1040 "\\.\pipe\gecko-crash-server-pipe.1040" utility
    3⤵
    - Checks processor information in registry
    PID:5660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5316 -childID 3 -isForBrowser -prefsHandle 5308 -prefMapHandle 5304 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63211ef4-159a-491f-a471-4e40a6c15436} 1040 "\\.\pipe\gecko-crash-server-pipe.1040" tab
    3⤵
    PID:5948
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5536 -childID 4 -isForBrowser -prefsHandle 5456 -prefMapHandle 5460 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc480fdf-defc-4749-8dec-e32a198fb063} 1040 "\\.\pipe\gecko-crash-server-pipe.1040" tab
    3⤵
    PID:5960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5688 -childID 5 -isForBrowser -prefsHandle 5332 -prefMapHandle 5432 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f07db1d-962f-45d2-92e1-a7d4c8d4ba06} 1040 "\\.\pipe\gecko-crash-server-pipe.1040" tab
    3⤵
    PID:5972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
a817d24b4541620a8478ce76377bec9f

SHA1
b422f66799bc37305a84dac006c1245801c30fbd

SHA256
37ee395a10da77c4100fe430b002b3a033e9137769d40b69648244a4e61e3287

SHA512
977500487909082b5ec26289e75136336e9fc47a9586e8215d9813a78a89656c44a1cb74567f2246f1b53e57a95866c3965180197e1fcd84876658513ccca2a5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\doomed\15899

Filesize
14KB

MD5
bc343d01fd528e2e5eac1b4d6a5a49e8

SHA1
79ef0121c012cb576a1b3c830577819967ae9a31

SHA256
f0e7d35db0b4e749e530a19c09d619d082ba137cfb2e2c84b9a3825ade887451

SHA512
512f9a679fd8b2e430c5614f075508f416101e4f2725ee9d51a2b3c7c54b16e7c66288e524c686434b1bef926fe2fa2cddf80f04cc01375755dcdd9ad66ab077

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9FDA.tmp.bat

Filesize
151B

MD5
f802b25c62d49a2fce54f9b468180712

SHA1
a7c02df8097ceea7d0edf4134c5ab4957b2ae666

SHA256
9513f3e16ea361bbf06ba30eacf45f4197eecfbffc112c10e9c80acae71a5042

SHA512
4c69bc614a0ed0a2e97543261f3aec0b7c2484f13cad6265ca16e63c221b140679a104eb8d50e62d80d88a4f00d55435b68ed00473b7038f63af8e0f6d2f6089

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-2

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
5KB

MD5
e407ff235a6dfbee3abc83fbe106fc97

SHA1
87bb78ec88cf84ae9129c5ff14b8db67b03e4537

SHA256
477ac791f4248f35e2161ce2b1e5c2cc51cd7490a3bdf1f3a848718e73452f2b

SHA512
7ed19abf91cb598a233d3723d465f73b59dcb2c134db04e899c30ab2bd779ec062e0ea7a4c1e5cff425ed021597ab23a95e8ee87705785fdfba958d1404c54f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\AlternateServices.bin

Filesize
8KB

MD5
186bfb67a524d1b9967ae8efa20d16fb

SHA1
843cd117ed263dafb980d523283163e7b54ea1a1

SHA256
b09691856114fa9c01ca462409abfdf7f7014d2094432c4ea79628e3f4c41180

SHA512
63254d901f7a2f75af1f7b8f4b848dc2ff0c56e730d10c0e60de96952cb357e3559f422160d50aa91aca1ebdd85f509dfe507d70cfaddf4d6c6301827afbeb53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\bookmarkbackups\bookmarks-2024-11-16_11_vOM1VdUT+qREIZ1Ij4Ba5w==.jsonlz4

Filesize
1007B

MD5
32c60277b80f4575e325e277ff3910e5

SHA1
b70a820bde0cdd7a1996c61a5b78c2099c97e892

SHA256
dd2c97285c6ea289db34ca3b0b4777f9e0b9f3336eb8573b6061dff5f7fd0355

SHA512
78c18e66d4582e4188e672089c9b49852ec88d6992759168bcf6af6c2c5f7de6876691d15b7dfcd88fe3251b26c980d6b3c7c6f84ed9f28b3cca53483c140b1d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
c39932f91c1704dfb1440beafa5cf1f7

SHA1
b2374a07fdd8244c1efbc27da1d25c9d3f5d6570

SHA256
c8f1e63e5bdfcb726a494c827e9dce0e1f194aeb1efa8862342da7e898ed940a

SHA512
b1675c109cfd8942914472507c7cac37c8eb9b0e02c2bc7f25ad85ec5e04404ecf0cf5a532dc4a21fcfde3e266b6d430d93398025b62c1ec40529b683dc12708

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
0a7b8f86c4f5741d4d7353e67d3da841

SHA1
e01b0dc398f9fc13db3f56e7fe0365c71475bb3b

SHA256
d863c94d0bd5bdb846ccf083c9553f3f59e28d968b56cf931e38c3d7d49ac22d

SHA512
ab9d1bd98d110c4cec86b8f031b3e5c2368fd3ada9c2c04648565eb811287b6aeb0cc084b165678aec51d3ecc3ba817f35eddfa0f3cf649c35b7a4297a07c3b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\datareporting\glean\db\data.safe.tmp

Filesize
24KB

MD5
3120ce843150afe055ca2d3fc5be9c49

SHA1
1a3035680f85aded75633b4cc3e862425e4dd8b7

SHA256
c25ebed49dff1a385d7497cccd52af5b73dfb4239dc11d3c9bc84e5046d47612

SHA512
46d3a1fde840d6dce520f37eb746cb873d827a34e6b36812b348afd57bec98c6579a3f02b1ad1393d6161a7f6c7040ec9b75eddf5b3c8bf6fb91af4e890463b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
0f11cd6c99760127a90bc5a717029656

SHA1
ba6369eb9826910b37499f3948c269d3c21fc759

SHA256
84fd20428de24baacacc9cf951df1830c477f20e91bf6f3fa85df69968e4b2be

SHA512
6c6ebaf425f2ec107f31c8be791cab8ea082161e86019e8e5fca78def029539d7572fb3adf8b3292ddd20fd256d649378c1c4608d2d757892dfcf9fb72f3c409

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\datareporting\glean\pending_pings\04c33a7d-53fb-4a10-aa3a-e36fa797f41d

Filesize
982B

MD5
8d15b0fb10d81c4bb95e29963f1eedc8

SHA1
74e3f2197e681944e3289c71d7487a8e16075631

SHA256
4f23a26ef372b9df77f1b04d3bd9741f571ac8a6dd3aa6dfdd8e40985eff7edc

SHA512
b070592d40aad2addad6285d1d9544fc38523133a96f8bee1b6168170e09b3d4362946cef400aebec911256a31711009fda7c3980aff543fd70169c156cab68a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\datareporting\glean\pending_pings\2b96d48b-946a-43b1-89c3-d0e5cfbdab74

Filesize
671B

MD5
835e7f5ce561afbb600cdb109c7c3082

SHA1
3aac9580ded935e74792bde1b5579e2ce6e613d5

SHA256
782e89ee99ffcb327d91cdf1c07340dcc4870c130487efe0de359b52b4ae4724

SHA512
4577cd41ea4fc32b4494b64ac7e314471f96d9f21cb8ba7bda0b665f23df8f34a393ab3b8eb225ab18dd7ef72e9325751441ec5e471b7a60c8563481cd5d4e89

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\datareporting\glean\pending_pings\fab62c57-d053-49ac-b85e-d56dc65f77b3

Filesize
27KB

MD5
d13cd7e2587441da1065dc4f11092c22

SHA1
19ad7cfac151ae44f21aadc26143813e3837f1c4

SHA256
34c43a8c6f48314ce39e607615ec208fbf9e6c8f1e861be65595091f0404d789

SHA512
654ee70023927dce879e61c521e4a2b027cb43bada080114b81a5520a71f83238fb079efe48cf6ddd097ba6527a04271fd019d3176bee8256b5a4a591480cd47

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp

Filesize
1KB

MD5
36e5ee071a6f2f03c5d3889de80b0f0d

SHA1
cf6e8ddb87660ef1ef84ae36f97548a2351ac604

SHA256
6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683

SHA512
99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\prefs-1.js

Filesize
12KB

MD5
913ea6a6121ecd9b7afd7c8118837be4

SHA1
a17b211bc776d8e30155a74bfc24021dd1bec054

SHA256
b9b4755855f144b7a4e69c9e6da132d6a76faecea40f674f5f6583cd3a6fcf26

SHA512
69ec456246193b8f3a2b340f87239c808af615d86f89c498529fc56d0d02ccf5f6702c499e0bd8ab086d2519c8af8bd3deb2509a676b429aef4f6a0cf1a120b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\prefs-1.js

Filesize
12KB

MD5
dcba75128fa545983bc91b63d3a8f965

SHA1
a2ce30806d622350598165ba260830dbdba412ed

SHA256
f9b965458ffbd172b9a0c0d50b79c5ed2a2fdb894e5692ddd934bc3a4959da15

SHA512
a54f237951c3e5828858cd1e115039778da5d27939e3bd885e1b50aa3caac9c5547e8190f35f797c9b8a733717e7057281630ec0a91d485f871706eb0b4b6a0e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\prefs.js

Filesize
10KB

MD5
4edbf7441880c7e544bfc0cca3b37291

SHA1
7e3dccc1173b10a423808a9ae7a65a3d796515ac

SHA256
8616deaf9b62a0e22561ba17853f65782c5c44bbecfa09d1beda81ad9c0fcead

SHA512
b5ef54df8b24d808f8a91dfd9b377be353712c712b9a52634ae9b3f15d64b5c5ddf29f4a9e0b4a9741163468799b2338694af4fad9fc99d8515e334f68e93e6f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\prefs.js

Filesize
11KB

MD5
9640259b0ca9a0e297dc564cce8c820d

SHA1
83e724437f92abbe4c1a3521104eac7b18ef2b31

SHA256
191b04c38c1928e9c67042f12ab9504f9a9eab1503712e3ff5471ebaf27ef3e2

SHA512
76f462582c5ab7ce3bd3a09eee7d76a05f0ad11e56ad210dd39607113a6611e6d7601f88f22c7b11b4ca8e7cb3b8780c389ee6cc24c45effb7f07828dd48d8b5

Download Submit
C:\Users\Admin\AppData\Roaming\Windows.exe

Filesize
63KB

MD5
3a7e15932c71fd6a0549c01504d38c1b

SHA1
f3ec3762b11cc984aaf6d2b1ebbf0ecd639ead21

SHA256
af5b47951de18f9979f68163abb1dff919b1af9c0a6a44d664f49cdbc14f1a41

SHA512
033f730ec422a60d1c345566b32a60a6c1bfda2d2419f80e523e59515a01c2e11ebc99e6eb61ead9f15767c666976082022c4e1628a6cc4d01b429d2ec19c641

Download Submit
memory/2456-0-0x00007FFE060D3000-0x00007FFE060D5000-memory.dmp

Filesize
8KB

Download
memory/2456-3-0x00007FFE060D0000-0x00007FFE06B92000-memory.dmp

Filesize
10.8MB

Download
memory/2456-2-0x00007FFE060D0000-0x00007FFE06B92000-memory.dmp

Filesize
10.8MB

Download
memory/2456-8-0x00007FFE060D0000-0x00007FFE06B92000-memory.dmp

Filesize
10.8MB

Download
memory/2456-1-0x0000000000730000-0x0000000000746000-memory.dmp

Filesize
88KB

Download