asyncrat | 2bb00b6059c1b0dacc9e952ccc1f819b09542f17eda7994a40d7ea361935ac34

Analysis

max time kernel
118s
max time network
150s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
19-11-2024 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Infected.exe
Size

63KB
MD5

d1642320b4b4733552b78f746ccc2287
SHA1

bc473457b7a95e6bf31f87645ee021041f818afc
SHA256

2bb00b6059c1b0dacc9e952ccc1f819b09542f17eda7994a40d7ea361935ac34
SHA512

680c7ecfadd4203f673db5fd4e7d245bda57cc3aa49cd52cf9cbad3dfc0001331d206e90a255f2a1687bab5fbb482fa4cb288e167fd39287cdcaa5c11bea2542
SSDEEP

768:iil3pYNlrm78RIC8A+XjqazcBRL5JTk1+T4KSBGHmDbD/ph0oXz60m1avA74Su4V:Dyr0AdSJYUbdh9i15ju4dpqKmY7

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

147.185.221.23:64395

Attributes

delay
1
install
true
install_file
sigma.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x00290000000450d8-11.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	Infected.exe

Executes dropped EXE 1 IoCs

pid	Process
1708	sigma.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3368	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
3424	Infected.exe
3424	Infected.exe
3424	Infected.exe
3424	Infected.exe
3424	Infected.exe
3424	Infected.exe
3424	Infected.exe
3424	Infected.exe
3424	Infected.exe
3424	Infected.exe
3424	Infected.exe
3424	Infected.exe
3424	Infected.exe
3424	Infected.exe
3424	Infected.exe
3424	Infected.exe
3424	Infected.exe
3424	Infected.exe
3424	Infected.exe
3424	Infected.exe
3424	Infected.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3424	Infected.exe
Token: SeDebugPrivilege	1708	sigma.exe
Token: SeDebugPrivilege	4340	firefox.exe
Token: SeDebugPrivilege	4340	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4340	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3424 wrote to memory of 4088	3424	Infected.exe	82
PID 3424 wrote to memory of 4088	3424	Infected.exe	82
PID 3424 wrote to memory of 2072	3424	Infected.exe	84
PID 3424 wrote to memory of 2072	3424	Infected.exe	84
PID 4088 wrote to memory of 2852	4088	cmd.exe	86
PID 4088 wrote to memory of 2852	4088	cmd.exe	86
PID 2072 wrote to memory of 3368	2072	cmd.exe	87
PID 2072 wrote to memory of 3368	2072	cmd.exe	87
PID 2072 wrote to memory of 1708	2072	cmd.exe	91
PID 2072 wrote to memory of 1708	2072	cmd.exe	91
PID 2356 wrote to memory of 4340	2356	firefox.exe	106
PID 2356 wrote to memory of 4340	2356	firefox.exe	106
PID 2356 wrote to memory of 4340	2356	firefox.exe	106
PID 2356 wrote to memory of 4340	2356	firefox.exe	106
PID 2356 wrote to memory of 4340	2356	firefox.exe	106
PID 2356 wrote to memory of 4340	2356	firefox.exe	106
PID 2356 wrote to memory of 4340	2356	firefox.exe	106
PID 2356 wrote to memory of 4340	2356	firefox.exe	106
PID 2356 wrote to memory of 4340	2356	firefox.exe	106
PID 2356 wrote to memory of 4340	2356	firefox.exe	106
PID 2356 wrote to memory of 4340	2356	firefox.exe	106
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107
PID 4340 wrote to memory of 4144	4340	firefox.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Infected.exe
"C:\Users\Admin\AppData\Local\Temp\Infected.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sigma" /tr '"C:\Users\Admin\AppData\Roaming\sigma.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "sigma" /tr '"C:\Users\Admin\AppData\Roaming\sigma.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD33E.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3368
- - C:\Users\Admin\AppData\Roaming\sigma.exe
    "C:\Users\Admin\AppData\Roaming\sigma.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1708

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {01b21309-90df-430c-8b59-1dbbc2a1b1d7} 4340 "\\.\pipe\gecko-crash-server-pipe.4340" gpu
    3⤵
    PID:4144
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2420 -prefMapHandle 2416 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1d195ec-8617-4d63-9a70-ad29860ebf28} 4340 "\\.\pipe\gecko-crash-server-pipe.4340" socket
    3⤵
    PID:2560
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3308 -childID 1 -isForBrowser -prefsHandle 3252 -prefMapHandle 3212 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db882713-4f3e-447f-94b2-cfc84e3fdd78} 4340 "\\.\pipe\gecko-crash-server-pipe.4340" tab
    3⤵
    PID:1696
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3960 -childID 2 -isForBrowser -prefsHandle 3980 -prefMapHandle 3976 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d852dd4c-2f60-4db9-9d3f-e0fe7bff8bb0} 4340 "\\.\pipe\gecko-crash-server-pipe.4340" tab
    3⤵
    PID:2684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4920 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4832 -prefMapHandle 4828 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {215a109a-581e-4178-a4b3-32e4cc76f5de} 4340 "\\.\pipe\gecko-crash-server-pipe.4340" utility
    3⤵
    - Checks processor information in registry
    PID:5584
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5324 -childID 3 -isForBrowser -prefsHandle 5316 -prefMapHandle 5308 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fed11aa-e9a8-4662-ad5c-fc183142e4a8} 4340 "\\.\pipe\gecko-crash-server-pipe.4340" tab
    3⤵
    PID:5608
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5456 -childID 4 -isForBrowser -prefsHandle 5464 -prefMapHandle 5468 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5e2a685-8ed9-4edf-a7c9-c63653e7cced} 4340 "\\.\pipe\gecko-crash-server-pipe.4340" tab
    3⤵
    PID:5624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5648 -childID 5 -isForBrowser -prefsHandle 5656 -prefMapHandle 5660 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6162a15-d7b7-467f-96b3-624171d7ba59} 4340 "\\.\pipe\gecko-crash-server-pipe.4340" tab
    3⤵
    PID:5636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f1lggfg7.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878

Filesize
13KB

MD5
c8867eecf963bb33623edc4e110b3144

SHA1
5e62138ff75482354ea60056e3b9afed6acb7e37

SHA256
cc368f9777ad40ffb7768391cbd16ea08e680fde1020408e26f6b26a0b1a888e

SHA512
38c43a982416153bc6cf1210d33ee9347c5ff8a68e3c38f7c45593274509758bed98b327c43d5ad5507625a634aaa5218e747229b89eb71c5c1cce978ff74437

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD33E.tmp.bat

Filesize
149B

MD5
7f7e2b7035e07a8a4bd5de21e1ba3622

SHA1
345fc1983cad44add48ea7fdb1579a7d6f76c563

SHA256
ba3b66fbb84525191fd0a3fb812f2e48a7ca48b7bbe5619be18eacf1a261b707

SHA512
6f21b877992cced5b660028d1b3006243ad6faa03c3aa7b99b9b0067b51f3b9bb3c050f4c28076a609cf2b1cbeb0e51b159f0c5cd0f786fe341d0c8abaa1641e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\AlternateServices.bin

Filesize
8KB

MD5
31c0dd60ee38f7f7a0a8b2c78fa08936

SHA1
0c07067015262015481f794c44233b85bef1fc4c

SHA256
877adead4a502bb4bd9992150fec2b5fe7fe65536189f886b2b8d02ce7701760

SHA512
cc124c4129bcceeb683424cb26a0385b3e7868bf713f127907bb9498dc901d13367e2606c01950889a173fa10c1bce2635339d9f1af1ff2312d2b7767ca8b35e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
5557ec546a48e36cc088e29e05ff9025

SHA1
daf367e4655d007c6db0c7e8e2c58a7deea312e9

SHA256
41f4ebcadf63f48b3b2be49bce9dc2865cadbc0f7db21a7d1fc2fc52a68d0b2d

SHA512
cc5eb059a4aec11ffe6811bb590b2ed1bc31f89cadfb13feaf6b24c4193d9516fef541bdf98b15f6f036731c486bb0c6dc82a14f84673854781b8f93441466ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
b34a5504b25308ed8929bc76fce0d65c

SHA1
03cf400b0f913a04cddd612af99f0f0cca731362

SHA256
0a39112ba4c6fed837eccf04406c2dcdd3c9e55c33dd350e4a714c7f08cd82c0

SHA512
dddf70a0ea582abce47c8c557449611cda6c7d745a2f0b0defff88f3d8461a43588d5aa26bcaea2a1902f81dbebaedb118751734763d3d12eec9be81b3ee7e23

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
56103f3d53978e0ca0dd5258059ccca2

SHA1
427416281bb52d89dd5cf256862929c9e4e21f76

SHA256
74a791e565997fd45b891731d6724d9fe36dff8456ceaa9f0984470f72a29104

SHA512
3c0c3b7a4e5ad204e82d847d4cfdc91995b08db6327aaace06715a12ccf7c41f052c8bd977bdf8a631a26e80c346d1638347b6ef69f01d24536eabcd6c37e1fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
e1f08e87f15f113134f3d90a6f9a7189

SHA1
b61d76414553a4a16ab0e020d986d3335c78367e

SHA256
b9ca01a89b9fa6df1d37297f14e42379be854a0fefdec49e665ca16108714864

SHA512
af55f5143bf3ddf69906982d8e419bb1a9cfeaa9f53de6adf1894096a7686ba85f223b0b77834dd9b7d7f8cced220cf9bbe9fbaeebade00ac655553a789e9fa7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\datareporting\glean\pending_pings\69645e7a-a04b-48ef-9c77-58b817800b7d

Filesize
982B

MD5
b2dfbe116542b7b35cb4cbc87202ad90

SHA1
9a860b65e7fcb2969edee10a2d5c14d9455bc086

SHA256
f95cc202d41c7033f7469a65bc817dc15cf30a82c545317bbabf830381b83012

SHA512
be1c7d887eb54b69103974d54a8def6822ff79780e642139f92cbca5d7f55e928c80b05b59e1e8152e28471e944dc7afd8f282e9ea4a18015ef20ee801cbaabb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\datareporting\glean\pending_pings\71837eb1-4c43-4275-84ff-8b3f8f0e01e3

Filesize
671B

MD5
39540caff12f51ab816f3ec3a56e319d

SHA1
8412766e445e494bd78f2cbcfc49890ed19aae9c

SHA256
da611aff6325ed9c144d92b26b2d616e6a12f93c996ce2c0a6a0c1727cbd3ef7

SHA512
b4b5182a6ad8b109069520dd49ce2f890ee83c2965c3027bbbe02a02e024f87d8d5a402b28a478426bf312293f2ae66df1d6a18627fff748e46e19d844dd6ee7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\datareporting\glean\pending_pings\da538d7f-08c9-49cd-9b2c-b5cc619da962

Filesize
25KB

MD5
724115c02c614e423d1d392b8a01afaf

SHA1
f03231b795e13cec04052c652ec72bd39d000cdd

SHA256
6ae98d1b4eae00da251ee19f131ceddfcaa6a2eb6abbee6dadf67656b2210269

SHA512
6692ba37f868065681e216670e8d5d4241cf1caa2d094574e2164e9b74e82143534b3af2e112e1f6ade08747de0a6ffaaf820afc671acb85b349b80a1e34e5f2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\prefs-1.js

Filesize
10KB

MD5
36011704c7ec412d678fb6746bdf8270

SHA1
d94717cb74af63a9d2611ae4c3ab39147e791ac7

SHA256
9fb80f98c98f352b1f3cebac66bbe6adcb2d1979e11ebf353ed7693be00cc7cc

SHA512
656ff90b30b74216824febecccda2165e4f8d2e2ea3563d0b053655d9a97d732061aa4d5f24fb689ecbe0a00dc1f1505a894aff7905d0e6cdb69b31dbc0ca7a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\prefs-1.js

Filesize
14KB

MD5
f3146ac34f09baab8036bef2e2a67d5e

SHA1
f0df4fbe15dc43994c7f0f3fa017d951dbb28eda

SHA256
104dd134a8e3f078530699cd364607cd67318379c82dcab285ef6e6b76331efd

SHA512
3a38f79151953414cdf0a3c80c2ffff2ad5bacd842886989321074dedef47478ce978379e028d5f53a5973bee6e3d5f31ac36a1923eed3e6f9434933169b17fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\prefs-1.js

Filesize
11KB

MD5
6270abe9b71c1790407a1e8a92ee9f7d

SHA1
0c59acb702871f7b949c66373e894bd2473bf4f1

SHA256
27a1c353c49c1f451f23733061aad5e50a1f46f0bf3b4827264b1ac7d84ffd73

SHA512
af87e29e18299ab1ca82e0c886f57f4993381ce2d5f628f7fb5e93389a284d797102ffab54926120963fce7a80176a3c89bd64184c6510b9da9b65c8fe015705

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\prefs.js

Filesize
10KB

MD5
ba5ebd89ee239adffbf9537ccc8bce95

SHA1
7a6941ce0465c267390edb3cfa7ba613220149db

SHA256
b9fa58492dc96c516544aaddc07e890f27efaeed9caaee4ff5dbc960a5fbe46a

SHA512
4fc6ab93cdb6a4cf7b905e6ebe73e27d3fa928bf1658dc79009cbd42df85a7874ddb722460b8378baffab94d71fbadc43d779052e6e175c1b3ab3638de47f284

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
2.4MB

MD5
90af717c5f8e071f51e830577248ecef

SHA1
452847fc3aa5fff434712fb5627d105b27af79d6

SHA256
e29e3cb7cc3beff01cf06aef1242f41ead58b08789bda840d89cef619b3dc277

SHA512
7165bba958ea3b4131950467e47fbb78fcd96bcbf26803c56736ec6dca9018d97636cc4f1faaa4174cf586d9c02fcfd72401deaf185913f7ebd71f9d426874dd

Download Submit
C:\Users\Admin\AppData\Roaming\sigma.exe

Filesize
63KB

MD5
d1642320b4b4733552b78f746ccc2287

SHA1
bc473457b7a95e6bf31f87645ee021041f818afc

SHA256
2bb00b6059c1b0dacc9e952ccc1f819b09542f17eda7994a40d7ea361935ac34

SHA512
680c7ecfadd4203f673db5fd4e7d245bda57cc3aa49cd52cf9cbad3dfc0001331d206e90a255f2a1687bab5fbb482fa4cb288e167fd39287cdcaa5c11bea2542

Download Submit
memory/1708-15-0x000000001D910000-0x000000001D986000-memory.dmp

Filesize
472KB

Download
memory/1708-17-0x00000000016F0000-0x000000000170E000-memory.dmp

Filesize
120KB

Download
memory/1708-16-0x00000000016C0000-0x00000000016F4000-memory.dmp

Filesize
208KB

Download
memory/3424-3-0x00007FFBA82D0000-0x00007FFBA8D92000-memory.dmp

Filesize
10.8MB

Download
memory/3424-2-0x00007FFBA82D0000-0x00007FFBA8D92000-memory.dmp

Filesize
10.8MB

Download
memory/3424-8-0x00007FFBA82D0000-0x00007FFBA8D92000-memory.dmp

Filesize
10.8MB

Download
memory/3424-0-0x00007FFBA82D3000-0x00007FFBA82D5000-memory.dmp

Filesize
8KB

Download
memory/3424-1-0x00000000007D0000-0x00000000007E6000-memory.dmp

Filesize
88KB

Download