remcos | fa9f629254a8bbe915bbd587c0c060de580a18992103858a1d16686de8bd717e

Analysis

max time kernel
234s
max time network
219s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
18-12-2024 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WaveSourceInstaller.exe
Size

469KB
MD5

e468b718e67495ea73c85d8258059adf
SHA1

dcad70f5c39ab85f900ef1288067dbf51eaeb503
SHA256

fa9f629254a8bbe915bbd587c0c060de580a18992103858a1d16686de8bd717e
SHA512

b4eb6cc848b5ebfc6bab7e1cc033ec468bc8cf2fed72ea912f9fc60d6eaab75664f4627646960dccab2aceefeab9c5acbd2fe1b57d992c62358929b4d840dedb
SSDEEP

12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSJn9:uiLJbpI7I2WhQqZ7J9

Score

10^/10

remcos wavesourceleaked defense_evasion discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

WaveSourceLeaked

204.10.194.175:4444

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-46FS9Q
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
5036	remcos.exe
1148	WaveSourceInstaller.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	WaveSourceInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	WaveSourceInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5036 set thread context of 3916	5036	remcos.exe	81

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\WaveSourceInstaller.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveSourceInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveSourceInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	WaveSourceInstaller.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\WaveSourceInstaller.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5036	remcos.exe
5036	remcos.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5036	remcos.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1816	firefox.exe
Token: SeDebugPrivilege	1816	firefox.exe
Token: SeDebugPrivilege	1816	firefox.exe
Token: SeDebugPrivilege	1816	firefox.exe
Token: SeDebugPrivilege	1816	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
1816	firefox.exe
1816	firefox.exe
1816	firefox.exe
1816	firefox.exe
1816	firefox.exe
1816	firefox.exe
1816	firefox.exe
1816	firefox.exe
1816	firefox.exe
1816	firefox.exe
1816	firefox.exe
1816	firefox.exe
1816	firefox.exe
1816	firefox.exe
1816	firefox.exe
1816	firefox.exe
1816	firefox.exe
1816	firefox.exe
1816	firefox.exe
1816	firefox.exe
1816	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1816	firefox.exe
1816	firefox.exe
1816	firefox.exe
1816	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 4312	1224	WaveSourceInstaller.exe	77
PID 1224 wrote to memory of 4312	1224	WaveSourceInstaller.exe	77
PID 1224 wrote to memory of 4312	1224	WaveSourceInstaller.exe	77
PID 4312 wrote to memory of 3732	4312	WScript.exe	78
PID 4312 wrote to memory of 3732	4312	WScript.exe	78
PID 4312 wrote to memory of 3732	4312	WScript.exe	78
PID 3732 wrote to memory of 5036	3732	cmd.exe	80
PID 3732 wrote to memory of 5036	3732	cmd.exe	80
PID 3732 wrote to memory of 5036	3732	cmd.exe	80
PID 5036 wrote to memory of 3916	5036	remcos.exe	81
PID 5036 wrote to memory of 3916	5036	remcos.exe	81
PID 5036 wrote to memory of 3916	5036	remcos.exe	81
PID 5036 wrote to memory of 3916	5036	remcos.exe	81
PID 2236 wrote to memory of 1816	2236	firefox.exe	87
PID 2236 wrote to memory of 1816	2236	firefox.exe	87
PID 2236 wrote to memory of 1816	2236	firefox.exe	87
PID 2236 wrote to memory of 1816	2236	firefox.exe	87
PID 2236 wrote to memory of 1816	2236	firefox.exe	87
PID 2236 wrote to memory of 1816	2236	firefox.exe	87
PID 2236 wrote to memory of 1816	2236	firefox.exe	87
PID 2236 wrote to memory of 1816	2236	firefox.exe	87
PID 2236 wrote to memory of 1816	2236	firefox.exe	87
PID 2236 wrote to memory of 1816	2236	firefox.exe	87
PID 2236 wrote to memory of 1816	2236	firefox.exe	87
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88
PID 1816 wrote to memory of 2952	1816	firefox.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\WaveSourceInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\WaveSourceInstaller.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3732
  - - C:\ProgramData\Remcos\remcos.exe
      C:\ProgramData\Remcos\remcos.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:5036
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4512

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1956 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {773f3609-d47c-4970-8b1a-144cef338547} 1816 "\\.\pipe\gecko-crash-server-pipe.1816" gpu
    3⤵
    PID:2952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2360 -parentBuildID 20240401114208 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bab82ed8-3e8a-47f6-872e-b0ef12a49153} 1816 "\\.\pipe\gecko-crash-server-pipe.1816" socket
    3⤵
    PID:2112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1280 -childID 1 -isForBrowser -prefsHandle 3096 -prefMapHandle 3176 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1100 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {582d3fb6-5a37-4001-a468-7e9e6cb3dd56} 1816 "\\.\pipe\gecko-crash-server-pipe.1816" tab
    3⤵
    PID:2800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3436 -childID 2 -isForBrowser -prefsHandle 2912 -prefMapHandle 3052 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1100 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79142833-a1c7-4c43-8285-eca2ebfdccf9} 1816 "\\.\pipe\gecko-crash-server-pipe.1816" tab
    3⤵
    PID:4500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4460 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 1064 -prefMapHandle 896 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb39720e-a08e-4980-b599-820bf572157e} 1816 "\\.\pipe\gecko-crash-server-pipe.1816" utility
    3⤵
    - Checks processor information in registry
    PID:3716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5388 -childID 3 -isForBrowser -prefsHandle 4696 -prefMapHandle 5352 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1100 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3c61f46-44d4-4009-bf66-820cd5d02312} 1816 "\\.\pipe\gecko-crash-server-pipe.1816" tab
    3⤵
    PID:788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5528 -childID 4 -isForBrowser -prefsHandle 5536 -prefMapHandle 5548 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1100 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15d1c994-e448-4185-8b7e-1b0b04b048a1} 1816 "\\.\pipe\gecko-crash-server-pipe.1816" tab
    3⤵
    PID:2948
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5728 -childID 5 -isForBrowser -prefsHandle 5736 -prefMapHandle 5740 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1100 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8919a662-2531-4e5e-907b-2e8da32efd81} 1816 "\\.\pipe\gecko-crash-server-pipe.1816" tab
    3⤵
    PID:2752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4000 -childID 6 -isForBrowser -prefsHandle 3980 -prefMapHandle 4356 -prefsLen 27823 -prefMapSize 244658 -jsInitHandle 1100 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ed2671e-5336-4578-bcfe-927e816165a2} 1816 "\\.\pipe\gecko-crash-server-pipe.1816" tab
    3⤵
    PID:2428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6264 -childID 7 -isForBrowser -prefsHandle 6280 -prefMapHandle 4488 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1100 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {39524ffd-e077-422a-a1ca-f45af9193bdf} 1816 "\\.\pipe\gecko-crash-server-pipe.1816" tab
    3⤵
    PID:4204
- - C:\Users\Admin\Downloads\WaveSourceInstaller.exe
    "C:\Users\Admin\Downloads\WaveSourceInstaller.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\remcos.exe

Filesize
469KB

MD5
e468b718e67495ea73c85d8258059adf

SHA1
dcad70f5c39ab85f900ef1288067dbf51eaeb503

SHA256
fa9f629254a8bbe915bbd587c0c060de580a18992103858a1d16686de8bd717e

SHA512
b4eb6cc848b5ebfc6bab7e1cc033ec468bc8cf2fed72ea912f9fc60d6eaab75664f4627646960dccab2aceefeab9c5acbd2fe1b57d992c62358929b4d840dedb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jj59r4xg.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
28bc604aa7b63f91a0064dfd22ea743d

SHA1
3e3c34a262cde918b091b96bafface373cef2be0

SHA256
adc9fdb4bed57ec6e19d8bbd9e5855f6636119a2acae3fb4d1b1c33d4e7acae4

SHA512
9ca83690e6f9a23dd5b6f8474f753514d7a064aa7a1b1e66135080575409a36b07c78b290e2772bd0b449023a6b7904753f2bfb088097610164a91340ad03f89

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jj59r4xg.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
386B

MD5
1ec6289c6fd4c2ded6b2836ed28cbeb5

SHA1
c4e08195e6c640eb8860acc03fda1d649b4fe070

SHA256
6efdc40f9eb217f879607614e928b65bff759e424f3efb31faceb2a043c32dc2

SHA512
20bc46f4dee22f75f15c402c7c2eaee60fff7dd92548050585571dcbefd59485cc249c06bc3f1aac7a138e5ae67c0c3918b46ffa24c8b0f1b092e2f6b6e21288

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\AlternateServices.bin

Filesize
6KB

MD5
305b0ed9731614b81b511cb2667f0ff4

SHA1
def8f9a60c84e4bbf2813a6fc3040ff033485282

SHA256
686bc9274c7616e5dc89e814a59476bcae6d98ca7377f6d54e2385f5f9304c68

SHA512
3be492c92b2716cb767f3322d0b7d3266c206d8dccf26f412b6a7c2515002b1c0323875fae1b76ad0fcea43c59a7e9a602194a7a896e2b6c6b832d7b61b9ddd5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\AlternateServices.bin

Filesize
8KB

MD5
852a80e5c31b281106bfa07d65e77f4b

SHA1
a0ee47f64f179b784ae2f70f9d0fa7f61b392878

SHA256
6416248eb6a7cdde0af8c0421783bcebc0d9ca7e21ebb40bd4e092cc51a1a745

SHA512
662a0c2ce8b5959428a978771435464a1f51972d316c4ffb983b1d87e54a7ca3cdf083f6cc31bf73efcd40e5a848b06b96723a72424ee82e21cceab9dae27357

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
fb9d164fb7eb498927fdab345ae068a4

SHA1
27df1066005421fbda90803876cd0fdbd27c3794

SHA256
a10f3b7db184d66520bff00e8506234060d540e43217370995af79dd76b33364

SHA512
5eca98acbc395fbcd5d44e85cf7663a399c17fe8eddf4771147ba81b6ea9f4a4c122673b69bac387c9b73322d66fe6a0395cbea4955ddf60e9a3291f3388d3aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
453a4271e62e5058ac109e6dcc6b26b0

SHA1
2a9c6366b003346f9a08b3ca51bc902a8febce1a

SHA256
9bb19c449be085ab8c436406998eeebaca94cbd955f05bf0c22a758e87de759e

SHA512
fa9bf025e8fa0d410a6dffc8e2af08d9ffd69b5b465f291910880eb35d7ad21066d0364c8feaf49a89b0dee6d86dce7d8b1bc3a0303e07271436642d5116f5ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
48c172d3e80230b5b3a55c420b671b17

SHA1
db137d6f1656991ff14ad888f6e4628f34b060de

SHA256
bf069890a9a4bbfdf82485c52e60a51c18130f5db4f89394d428f2ba93cd511f

SHA512
a1458be06f2694182750afbbcc4c73e8894982d4b2149fddb085832ac1a8ebca687e4d4c73538e3acffd7ccf0e2bc48ebcae0c8e59419ed44383e4587a4d6bb8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\pending_pings\266f12b4-ea89-49c9-891f-212026ea7d51

Filesize
671B

MD5
9b5f52e3fe9d4904a4158eb91c3b4659

SHA1
65f620447b2ac877b7daf795358c10f8bda1f520

SHA256
ca8a0ee3df7c55c6d7535f4445a3773df31d8da1ff26c8032bd4909b71a92883

SHA512
145e150b3ffe37a10bfe0a665184bf7596cdac7fcebb150ee0dacd9d4a4a8357ad205fb4478a02bc1123ef50674334bd53871716b6b630f8c668e7ec55f9a43a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\pending_pings\79fa8c86-893b-4af5-bab3-df428aba9df2

Filesize
982B

MD5
b4c61a7247c0f1b65fe1b4de87cdc2a0

SHA1
615d0c09b11730258a97ff9e15b255a7e8766bfb

SHA256
5bf6553e957b99390e7af9dfb1b3ad971b5a28d8d56f244360e02fa9ff242944

SHA512
0cc2a6a812595fb775fff8017b5f5efd812312d9b3d51d6596ed242ae8701ed0a054e3be954a3a1e170fa6d2110b040f23d3b07d930bd1badd9765dfca0b7623

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\pending_pings\7fe61efe-ac15-41e8-94e8-23ff33b93967

Filesize
23KB

MD5
4303c2072e96c79da2319fc22954bed4

SHA1
9faf6c8c92b8668001f267cec60c730aaffb5ea2

SHA256
fc1051997f84a986b3f9582a07108343e624c6f1aed576f33fd943eb2303a2ed

SHA512
9aaf6a9dcb3d380433c57650c6e32f2331f27cd06c57fdaac5575d8c57c7e2fbe25867373d7c137447f1ad089f9ff9210df5b1949836ca478b4b49ce7c6b01f8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\prefs-1.js

Filesize
10KB

MD5
1f8efd45ddba41f5ce4a57df1bc7d681

SHA1
f466a0c6d45a61c32f3db6b7ba3a4c651750d375

SHA256
e8223f5c2c2a97611a134506e05faa53cd407cdd7ea169d462052bf106288cac

SHA512
a69de83dabc5a3f08101af790858b669fcbca4d1a9416d50825eda78f09d4613acb19c5593a1848c48756d5780edc2295d2ae8ae1917baa510b233d1db62d038

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\prefs-1.js

Filesize
11KB

MD5
16a03d984d0d8c6562f4201513aa485b

SHA1
17250215f28b4532489457b4297b4c5a2b6d7577

SHA256
53fe913a2e9df3a4676d8615ff4b402f6facdee96573437925577bf3ea41f492

SHA512
01c1f12d15ed3852b4ab7420448077737d48ce39502729188cfa7f76dbdc724012c12723bfc67cbc108473f1b937a68abc1e9dbc4589ede1549c5c51badc4e6e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\prefs.js

Filesize
10KB

MD5
c622b8d5ade0eb73d719eff0f8f2dcd3

SHA1
48731f808cfe364c6c85505b7f823e06078ff172

SHA256
51ddea2e5da5fa8967fad1b3203cf669cc979dfdb64297e06ebfbb44a7779d44

SHA512
9bc80b25362dd8abc037881b2e8892ebb4d9a842e06d1fd133515d7cfff02084464ca6160b2db72d18e8f217177ef25b93db54dca8d95c2690a84c0d66d94bb1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
913ca4f1305c9fb54d32710fdd177538

SHA1
39272c622296b50b867dbd82a831cea69e684fd7

SHA256
306b59ff17aa553f60d6433f2a26c43c079216bc0f43c5413a288d75daaaf1a5

SHA512
cb17636ce923d8e37f31388cc0eb71b830868ed4f03ee9ee1c6bfdd104362b9a3f621645167f7c5b38dac0d463a8b2dc80204fa00f2adff76a292c77018b72da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
45a57241444f129c606d1ced84404fbc

SHA1
0f8f0144dfa0f177aa701813ff6c4e60a7a54796

SHA256
586c3793e03663b3c86d30d537191561ce01f70d67fe6a422850de3c5cc287a5

SHA512
4130cb82c6f415171cbd11b0a3743930e17e4668eb78d5660b8d8d1922c49e02604022f476a2053b0df328279544b4b013ceaad82f6cc21c4608f400091cba0f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
1fa77e23221f2a86eeceda63d87bd4df

SHA1
98c9c2fa8bc9a145bbaf708bcf4177471f12d3ea

SHA256
31fa7c4db62961f0e2cb6489bf533af4a54d0b0d62d27304c78bb582da32784f

SHA512
a99d00273025b8cc31a81e59a356761cd4dd857b75fdf9f9d4bbb3a2070643f879d337a79d563de3a52a8c9dec3aa082a4c08a6d3a5a743e7239e4676d6a18fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
27a7188a3021d20da9b3029a703e596b

SHA1
58d950641ec87777fc1172a6eda5c27b95a4fcf6

SHA256
fc68927a04f9c472b1e6b6f6d828d36f6727ac8417ac7c95ae7fd00ab52da52b

SHA512
f479c3308141f09fa83b985742cc21c52c3a004330fb46b9e1eec8f07058c782ce9019181d87d83834f80128823de02644165556c2aa1801279faa0a958ea8f5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
f6f44f3bab7708668bba5b904a249cf4

SHA1
a35a114e43526262290732097561318c1b7d6c5d

SHA256
203898c3d7ed26e1b5d1af1b85c220c0f676888db1dc690aa9a22614a4f739b4

SHA512
e8320a1a5db8f5de43b635dece7ad95ae1c502a40e932709858d1c9e3678b4597b0e516b1253130a6d9a11e983133cd5bae77b4fe183760cc80686866620bab3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
552KB

MD5
cb7af97418c5bb4023ae3c5c37bf4281

SHA1
df3b99cbdfbab99a2bf12dba5fe3ed6bc6e3ba70

SHA256
75b691c3e4d573609c77ea6331f3024fb0e54f916a0b1302e47f0b9f804fa0b2

SHA512
e08ec09db26bb2d3266554eceea06569250858d6741618129ccf91c323d6013f272d162f8d21378e957c10d8075f008df1578c856b89833382d08e2371f21df7

Download Submit
C:\Users\Admin\Downloads\WaveSourceInstaller.UIjQ9MR5.exe.part

Filesize
104KB

MD5
acb0bc61fb0cfe27dc4b9ae9d3f84efa

SHA1
22326ae9d8be0c71d354c199e72214d1c9ae355d

SHA256
d2f6890f22ddd3ff6c7e65459cc5ab7d13d19bd4b8fa93ecbd81dfd998eff63d

SHA512
48f1c2ef091bc59d50656583f1c9dc5b92d79c7faccfe8d45c87174073b6fbc35261a1b8ab6bf2217ce3570b1006794a96af41e8a3e498d401d885345cf1578b

Download Submit
C:\Users\Admin\Downloads\WaveSourceInstaller.exe:Zone.Identifier

Filesize
166B

MD5
964051a4f3912e9d3e84968394c52815

SHA1
5a87be3c19d4cbfe69b6858cf0307546ade3255c

SHA256
cbcf3ad7e5a9b0dd467ecd8b208e2bd8b410557099da78ac88b30097bcefb1f4

SHA512
57da951701a31bfebe5a032c78d2323d61d9475ecccec43d81a6588cd8c1241612a4616f5d994e07fdd448369f58f6562e1a77a34b68d901cb6bfb4699a8705b

Download Submit
memory/3916-13-0x0000000000F60000-0x0000000000FDF000-memory.dmp

Filesize
508KB

Download
memory/3916-11-0x0000000000F60000-0x0000000000FDF000-memory.dmp

Filesize
508KB

Download
memory/3916-8-0x0000000000F60000-0x0000000000FDF000-memory.dmp

Filesize
508KB

Download
memory/3916-14-0x0000000000F60000-0x0000000000FDF000-memory.dmp

Filesize
508KB

Download
memory/3916-15-0x0000000000F60000-0x0000000000FDF000-memory.dmp

Filesize
508KB

Download
memory/3916-19-0x0000000000F60000-0x0000000000FDF000-memory.dmp

Filesize
508KB

Download
memory/3916-330-0x0000000000F60000-0x0000000000FDF000-memory.dmp

Filesize
508KB

Download
memory/3916-16-0x0000000000F60000-0x0000000000FDF000-memory.dmp

Filesize
508KB

Download
memory/3916-10-0x0000000000F60000-0x0000000000FDF000-memory.dmp

Filesize
508KB

Download
memory/3916-9-0x0000000000F60000-0x0000000000FDF000-memory.dmp

Filesize
508KB

Download
memory/3916-553-0x0000000000F60000-0x0000000000FDF000-memory.dmp

Filesize
508KB

Download
memory/3916-554-0x0000000000F60000-0x0000000000FDF000-memory.dmp

Filesize
508KB

Download
memory/3916-574-0x0000000000F60000-0x0000000000FDF000-memory.dmp

Filesize
508KB

Download
memory/3916-573-0x0000000000F60000-0x0000000000FDF000-memory.dmp

Filesize
508KB

Download
memory/3916-577-0x0000000000F60000-0x0000000000FDF000-memory.dmp

Filesize
508KB

Download
memory/3916-578-0x0000000000F60000-0x0000000000FDF000-memory.dmp

Filesize
508KB

Download
memory/3916-12-0x0000000000F60000-0x0000000000FDF000-memory.dmp

Filesize
508KB

Download
memory/3916-595-0x0000000000F60000-0x0000000000FDF000-memory.dmp

Filesize
508KB

Download
memory/3916-596-0x0000000000F60000-0x0000000000FDF000-memory.dmp

Filesize
508KB

Download
memory/3916-331-0x0000000000F60000-0x0000000000FDF000-memory.dmp

Filesize
508KB

Download