remcos | 4c6183029dcf2e4d604c473c2dfb4f72037b6a8f13d9183b0842fd201e422d7a

Analysis

max time kernel
147s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
18-12-2024 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a380a625-2e26-4d2e-afb5-a793317a8582.html
Size

7KB
MD5

aa5d13590623abb5d3963a8af5dfb85d
SHA1

8dcb62e75f970ac4f9f78e2558f335951b599774
SHA256

4c6183029dcf2e4d604c473c2dfb4f72037b6a8f13d9183b0842fd201e422d7a
SHA512

94899bfebc29d4d76c1a8d0e9b787ae50386a5e8718194791d27d86eb7e67e1b0e1a9b0a4e68031905c767419bd767b9d2666ac5ffd0a8dd87c0bf842ac7282b
SSDEEP

96:CMq9SlLh2B3Zq36uWl/PtxyjttJQ8Maoah3vL5LaNclmnU1Eh2sS:T1lLhwJrPahtJxMaoah3vG12sS

Score

10^/10

remcos wavesourceleaked defense_evasion discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

WaveSourceLeaked

204.10.194.175:4444

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-46FS9Q
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
4740	WaveSourceInstaller.exe
2872	remcos.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	WaveSourceInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	WaveSourceInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2872 set thread context of 5672	2872	remcos.exe	108

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\WaveSourceInstaller.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveSourceInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	WaveSourceInstaller.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\WaveSourceInstaller.exe:Zone.Identifier	firefox.exe
File created	C:\ProgramData\Remcos\remcos.exe\:Zone.Identifier:$DATA	WaveSourceInstaller.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
612	msedge.exe
612	msedge.exe
5948	msedge.exe
5948	msedge.exe
3292	identity_helper.exe
3292	identity_helper.exe
1856	msedge.exe
1856	msedge.exe
2872	remcos.exe
2872	remcos.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2872	remcos.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5948	msedge.exe
5948	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	firefox.exe
Token: SeDebugPrivilege	1672	firefox.exe
Token: SeDebugPrivilege	1672	firefox.exe
Token: SeDebugPrivilege	1672	firefox.exe
Token: SeDebugPrivilege	1672	firefox.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5948 wrote to memory of 1036	5948	msedge.exe	77
PID 5948 wrote to memory of 1036	5948	msedge.exe	77
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 3344	5948	msedge.exe	78
PID 5948 wrote to memory of 612	5948	msedge.exe	79
PID 5948 wrote to memory of 612	5948	msedge.exe	79
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\a380a625-2e26-4d2e-afb5-a793317a8582.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb23ba3cb8,0x7ffb23ba3cc8,0x7ffb23ba3cd8
  2⤵
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,14448385608463608489,13661707781202382994,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,14448385608463608489,13661707781202382994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,14448385608463608489,13661707781202382994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,14448385608463608489,13661707781202382994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:5764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,14448385608463608489,13661707781202382994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,14448385608463608489,13661707781202382994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1928,14448385608463608489,13661707781202382994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5884

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2380
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1672
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {535b7dda-7108-492d-9fdf-070f8460c4fc} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" gpu
    3⤵
    PID:3772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20964fc0-a720-475d-a890-fe4998bbcd15} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" socket
    3⤵
    PID:3452
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3004 -childID 1 -isForBrowser -prefsHandle 2952 -prefMapHandle 3044 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f02af030-b65b-4fc5-99a5-3a87dab22a56} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" tab
    3⤵
    PID:2136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3716 -childID 2 -isForBrowser -prefsHandle 3708 -prefMapHandle 3704 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02eca10f-a619-4e56-add3-c66172e4edc8} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" tab
    3⤵
    PID:32
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4732 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 3924 -prefMapHandle 3920 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44e40b06-e135-4d06-8b5a-97910785afa0} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" utility
    3⤵
    - Checks processor information in registry
    PID:3052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5452 -childID 3 -isForBrowser -prefsHandle 5472 -prefMapHandle 5468 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f43d7b9a-084f-48ad-bd10-efab2c471194} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" tab
    3⤵
    PID:3144
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5628 -childID 4 -isForBrowser -prefsHandle 5704 -prefMapHandle 5700 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fcc13770-be7d-47ca-ae1e-c091c7bbee0b} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" tab
    3⤵
    PID:4820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5844 -childID 5 -isForBrowser -prefsHandle 5608 -prefMapHandle 5612 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da283fce-e6e0-4c4f-9bdd-d6d2eafe1f87} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" tab
    3⤵
    PID:5168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3576 -childID 6 -isForBrowser -prefsHandle 2648 -prefMapHandle 3556 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d86d0b38-637f-4afd-b4f6-af1735beb540} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" tab
    3⤵
    PID:6060
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5164 -childID 7 -isForBrowser -prefsHandle 3556 -prefMapHandle 4108 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba09460d-afb1-4382-ae5f-bdff4d12c384} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" tab
    3⤵
    PID:400

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2860

C:\Users\Admin\Downloads\WaveSourceInstaller.exe
"C:\Users\Admin\Downloads\WaveSourceInstaller.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- NTFS ADS
PID:4740
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1128
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1504
  - - C:\ProgramData\Remcos\remcos.exe
      C:\ProgramData\Remcos\remcos.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:2872
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
003b92b33b2eb97e6c1a0929121829b8

SHA1
6f18e96c7a2e07fb5a80acb3c9916748fd48827a

SHA256
8001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54

SHA512
18005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
051a939f60dced99602add88b5b71f58

SHA1
a71acd61be911ff6ff7e5a9e5965597c8c7c0765

SHA256
2cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10

SHA512
a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
3a0040fb3f7dd1c2f4a17bd2f4e10209

SHA1
4ae9ec415f71bfb38c4f0ef235df0930ebf90fcd

SHA256
f4c0b73ca10f3329b1d89e9f32d1441fb697c8400942d709a975750820fb70e9

SHA512
b14b6e3a8ef05287f7fe12629b9285c76068cb0d19225469d6dcc8438ddb34a9e81c30e2474e700e0f48cc025ef90939cfafe0c40dd92971e1784495c2a7708b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3aee7785f484804f3be48b68d4b409b2

SHA1
ac15c64dd66cb4e30d7fb21c63ad584689366789

SHA256
553fd0270b1cb8e83660356c84602b36c24208fdc2dcd69203e45af0a9e70c46

SHA512
262b322be351e77552de52ad5ec7d8c20260669100102a51bcdf1b7ab142dcd8b3ead762655d0eb10d9e370bacf9d34adcb734d2a6e092bb566d3fb02a7bc006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
02183837ae9185a497afe7c4a8ca5b2e

SHA1
08b1a1b956e34f26bb9ccb552656c0e538ed59f8

SHA256
96d9252253fbacaa02f5f858d0a412d5d27af03746ce55aeaa0f41c7f50a976e

SHA512
77362b1fc29547c4852fd909655bfcdcb29f8ce4bcf67b96567b7384d1184259b52e8caa034a6161133756e476acbc06c48004d982bc1c61f787642c724817af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
df54f9f26c63bc5b44384b48fe270966

SHA1
d46cf8e32d1fb5e704d65110adf0933361578767

SHA256
075d6acb3aedf0c15d091914a3feff808883949370b37fa9b2032f599798f52e

SHA512
91d1690eb49ab224bb0ba6ffeb2b920b6e017ac2b42f8f22d70957d55443bf4f2ee078131801d20e64c8a71a49c8216cf829d61bf260b85e6a36a99afe085e5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7b9a9d1ccb77d14dda3223ed25f3968f

SHA1
2f2105ca2d96f6c1a37d66a37b4acd4d9d023ca5

SHA256
bf333d61e9896ae9558c20e0bb7b59043410a6f6f7717b6d15d8b8600822de73

SHA512
18bac615056ffc9b1a8bac2d526aabe929f34ce5b970008b5d4ac2cc514f0a21d163515d79857cc365232267f7a56bf478567f93c126fa80723f52fadfb6433d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3d5d5a1356dabde87eae25d689cce230

SHA1
92ee2f943d4e1e608ec9f244672f76b881fd610d

SHA256
73e31037560eb67d7b30bbc97376306de048749bde36b64adeb3b0a4c22f31e6

SHA512
81210948df54e5a741c3a2282553a2151b0ba2bcda6c8bcea7a891060fa2c7b8e200e6e7b3c55b7599bfe103ff58b5993a3feada16a827475e4d3fbbe67aaed8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\74uts9gp.default-release\activity-stream.discovery_stream.json

Filesize
18KB

MD5
d266589c558d4920c8ae9acce4238f45

SHA1
1d26b67f99a530d4493b44e814f6505bcd69e8b0

SHA256
941dd983fa59d26493a19d68e546c7b58be01a074e7390bc5b3d66dc60113fce

SHA512
e2ac93e5f4922d6ed9d2938cb072ecef24dedac8b57bbfdaf3e36cf49fc7a02a2aaf1871c12242a3e1ae654728527b968b4b963a49802e5dd62d67e5606b190d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\74uts9gp.default-release\cache2\entries\764706273F6635ABCCA46F5EEA13466A9B1468AA

Filesize
23KB

MD5
972552dad42ab0d348cefce037de7f9f

SHA1
2fda04caa880dfb2b9793beb61b076461e49d28e

SHA256
545786472c97d143f75f5f4d582ffcd7dc907efa8322a0fbf86364261b73d7b7

SHA512
acd17af763cd78254b6340d14214a6a8138a33fe992c818e855411144a38afa5cd43ce3a70e93ff830fd79028c4db07f6c702a8b0503e83f534a867838fd8e45

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\74uts9gp.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
386B

MD5
1ec6289c6fd4c2ded6b2836ed28cbeb5

SHA1
c4e08195e6c640eb8860acc03fda1d649b4fe070

SHA256
6efdc40f9eb217f879607614e928b65bff759e424f3efb31faceb2a043c32dc2

SHA512
20bc46f4dee22f75f15c402c7c2eaee60fff7dd92548050585571dcbefd59485cc249c06bc3f1aac7a138e5ae67c0c3918b46ffa24c8b0f1b092e2f6b6e21288

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\AlternateServices.bin

Filesize
8KB

MD5
ca0c7fce127a1b12475cd8b2f9461165

SHA1
ddd93e8035c1c95b06acb70519e6ad9bb2d13d10

SHA256
de12d693fd47094e23c94d38a3d406f96801007b6b91a5d2c53c5d79edbe4e47

SHA512
9ab842da145a243fea61b42a40a8b0f3a78c961c1e5227c71a6194a67dd4879e13dcbb1317e5dd1e996a8244a81b8907f93bf789d759a07d739531ca1d00f429

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
9ab1da08e12d33ce88cafd9ecf12fbba

SHA1
8b5c95f86e87ff2812d2f95ddc8307cc3432049c

SHA256
dbcb3bac6a4c889f2075d2916787fb3a7e62403449efd6159757c9614d64a88c

SHA512
545162cf73647efdae02571ed9b6f7c7c23b1e296c18a0be4a828274055cac4d8ae8363507b683819b2f63d27a361d5c18759a908e2156dfdfb2c93207753806

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\datareporting\glean\db\data.safe.tmp

Filesize
32KB

MD5
839fb9dd1c5fe463e7c7f08e30d57946

SHA1
f60bd54356f30ee23ac5a69d531c23d608ecaae2

SHA256
9211021a0c837adee45e0dce277e25ba74b602ac36e67c44bce5fae1d9c75a15

SHA512
3b0e1345c948cd597bd832e41fc0d16fa00c9cfa470bec86d12160342f26df847ac0ef8e743d9f1e3443ef8323c5bea444631b5924b3e8708d3aefdcf66feeec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
e8d7a669fa6f73f74bb52423b1790d5d

SHA1
f47ccc7979df479293136a029fdb4fe808af39fb

SHA256
05dd3b486ae8739afca6f0377467b01c9199887de0278908e70690a023744f21

SHA512
764f86dbcbb43f0d309c7c4faa55a81d0955eb64c73106d3d06a8a4a120d8b7b97917cd228f5a6daf6a2b2bb67e1762e976787ca9c8a47e3be1d52bce93cf561

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
36288bdb43339b8a5e739adcd3ac5886

SHA1
b37c4b1cee904eb2cfb5a67569cb1ffe16421355

SHA256
68352eef282f3e882a26194e12426742b6278c0f838239d7761667adcade22b6

SHA512
5c8bf434b94e950d31ba852202112443dc126f703d497b2a82c881b83c382f7800f3b4215fe779ae21513482511fcd3e1f61d5ee456692c5352416a35b802e2f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\datareporting\glean\pending_pings\35a79298-d18f-4a5b-a916-4066b7b7c3a9

Filesize
982B

MD5
19652853186db2c4b6ff70cba1495707

SHA1
e68d16e3170cce79ea978f85559a8051a1745069

SHA256
4f21a8da6e7210941df20b5d2102bace70ea89524b0bb1cd00ff9fae28a5b852

SHA512
1c7039af9340b594fa8d099a9a2e8deabb3316fb964771fb846f8f65f5b6dadd0c60aac4a0a6ceccff4d3fbd7e85e81d83a56a78269e8ab37908ce62dfa8b00d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\datareporting\glean\pending_pings\9f19a2d9-cb94-41ed-a7cb-2a66e2983acf

Filesize
671B

MD5
a47e91b5e3d60d42375e84757c9e43e2

SHA1
571861326d2c75129fde9c6d77df0dcb48897b98

SHA256
7fd1384a16275aac263e8e9f55c50cb42ed475f29d31e9ad64024d1ffa9b3c0d

SHA512
33dc76c598ed430dab786ccdbbf3eac829d781d611bc79dc37407070884e71a2bccd4150fcd7b48e6434488eb41a4158f0d2b0aa70cbefa02fb754bc3aebe070

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\datareporting\glean\pending_pings\f0bd92b3-fa96-4ba0-9cd4-e7c21fef3479

Filesize
26KB

MD5
f1108a201bba255bc9f920cf219212c2

SHA1
70ff5e3eff9865530b5b4b909bda89ff0ba09e2f

SHA256
87e8a5f946ff4b8a11a63220427e97351900c125fefd43195213a8208ae608ad

SHA512
8be6a5cbb0bec564eb4c5f31a90d037c54e01b1f3f4e7e11188d4964538cf2d8c75b3f91555efe67580bdad891733b73d302f1150f20172f0cad9496239d5df3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\prefs-1.js

Filesize
10KB

MD5
e9249ef56bb87aa1235dd329adaaa559

SHA1
d634a45530c1881b2ea5049821880d93ab09310a

SHA256
1ace587c5d7b3fd33909210da7988755cc2a22fe617054181c9585fe0da4bb48

SHA512
2a0605fcf17129dba83453513babcecaff657346e125feb4f66b6dc29dba878826e1d548746533a59e4e58de6fdb1356a250c53b406e4e01197e3927be4668cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\prefs-1.js

Filesize
11KB

MD5
4ecbe30c0087f915fe21e29ae1685721

SHA1
157838493faf3367d778017c009dc985d604ab68

SHA256
d702fd925cfbeea1c99d15754c404e3b7509cdfd7ded6cb53af17078b8b41894

SHA512
eb8ad6f854cc2d696a0ed7033360ed592ad962e6c3feb67de46f437330f4f5cc736eb308e7f57860ca3c21a782f6358f1133c767f1653a6ec3a04a67f604629b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\prefs.js

Filesize
10KB

MD5
ab7641ffb639da120cfad2349532d51a

SHA1
7cb673b150601ff95e47ba1c6dcd946952ac48d6

SHA256
a77b24bef51478f9505d8fe5a7f24c822546ab840237206f525041368d0eaf50

SHA512
31349b237f06c634f053286845665333c9b648a9c23baab0a9a1ca8e4d9d7e41714d58c034ad29c5127d51f5b61e924f99a905efe139d3db79a2519f1b135a3b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
4fff3912ebe18a384a4ed0fe8b0ebe32

SHA1
87d4d30dc94688f7c1a62cc92ff229ea88a67c0a

SHA256
15d01433d595d5c7b2d977eca6080c39e59236accb75fc5663acb23ffae21ff8

SHA512
a2e917ca2baa15223b50869112453c6ea59afb5dd59fd4bb5e090ef358ee84a5029147aa305c5ec6978d0807325f5bca0bff39d71c5b387176d5a63edc08a703

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
06d75cd7913b9aaaf79916fd4d5559a9

SHA1
2a169d8a258930c28b6d4457e425092fedbacd07

SHA256
1126646a96962f3310c43a3d446776c77f109cd97154fc0e9c88673dac1a4f49

SHA512
d12c1f128192d04a55b2fc9f3bd53c1958c6b8c919de328c5cd3ef42f0b3d8759644d2997c4184fb72c481875eb28f50792ffecf596e53347536b2670015ae90

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
8bd5bfb452be0dc677787fc805054785

SHA1
a45d17a413db0a5cb47b974a7c5513fe726e5536

SHA256
e1cb2e54330ebea1c8edcd8643b9fefa233690ac15a577d1a30404e24aeb23d7

SHA512
45596a539479f8172a80216e57e33b32cbb8e5687d5ad6441e00b30e37ad300d3ca4d2630d8b57d1f96053928a32bddbe530042b48d909af12b3e4180024b043

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
9042da13a83f1e9e536f7c694a6961d7

SHA1
82c8ce74dd4869bf9a5fb33c157361119a2009ed

SHA256
48f087fd43ef1a213d823765455dad15a194985d0b7a75c32923d831befecdf7

SHA512
a87897014205a095bfe901134d25d04fc18003630fdd0a36f53ee38e3aabe19637d868e2204237bef3b4015fa8a4c0fa577b92fddb8af90a9840bbc738f99f3a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
aaee021130d5525828570a7a1a712eed

SHA1
6379668ed1c826c50a6334efa04001e73b7169a0

SHA256
ead9914b81b16fe147b61a3f9303ce6f341effd2d86627c8de3cf4364ceabacb

SHA512
4cb2301e5011bb7a205adab9659a9be7d26a6de54a36a8949b26566432bbc1defb52011ef7b8e8bf66f92925f330ea61671c5772c5296868d8031aca78b56d96

Download Submit
C:\Users\Admin\Downloads\WaveSourceInstaller.n7mrqI2_.exe.part

Filesize
469KB

MD5
e468b718e67495ea73c85d8258059adf

SHA1
dcad70f5c39ab85f900ef1288067dbf51eaeb503

SHA256
fa9f629254a8bbe915bbd587c0c060de580a18992103858a1d16686de8bd717e

SHA512
b4eb6cc848b5ebfc6bab7e1cc033ec468bc8cf2fed72ea912f9fc60d6eaab75664f4627646960dccab2aceefeab9c5acbd2fe1b57d992c62358929b4d840dedb

Download Submit
memory/5672-730-0x0000000000FC0000-0x000000000103F000-memory.dmp

Filesize
508KB

Download
memory/5672-731-0x0000000000FC0000-0x000000000103F000-memory.dmp

Filesize
508KB

Download
memory/5672-732-0x0000000000FC0000-0x000000000103F000-memory.dmp

Filesize
508KB

Download
memory/5672-729-0x0000000000FC0000-0x000000000103F000-memory.dmp

Filesize
508KB

Download
memory/5672-733-0x0000000000FC0000-0x000000000103F000-memory.dmp

Filesize
508KB

Download
memory/5672-734-0x0000000000FC0000-0x000000000103F000-memory.dmp

Filesize
508KB

Download
memory/5672-736-0x0000000000FC0000-0x000000000103F000-memory.dmp

Filesize
508KB

Download
memory/5672-735-0x0000000000FC0000-0x000000000103F000-memory.dmp

Filesize
508KB

Download
memory/5672-738-0x0000000000FC0000-0x000000000103F000-memory.dmp

Filesize
508KB

Download