asyncrat | 452c77d9be7b82107a1325d98f75d0194e61c311e4fa7204a15b52e42bc3c2d2

Analysis

max time kernel
725s
max time network
619s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
29-12-2024 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

build.exe
Size

3.6MB
MD5

159cb32f97f5a5297b9ef46e16556631
SHA1

d9a2cee6035f972e395015c0847ffd491a65b284
SHA256

452c77d9be7b82107a1325d98f75d0194e61c311e4fa7204a15b52e42bc3c2d2
SHA512

6e974f974d1cb3104e20a51cbe7a636bd81af111ff64784f58a3194acaf6970545436cdc9ee6182a58c168e5aed68a3929baddf0c5227743496ee252136c1e77
SSDEEP

98304:2kqXf0FlL9nrYAWAZi6sfLxkuahjCOeX9YG9see5GnRyCAm0makxH13C:2kSIlLtzWAXAkuujCPX9YG9he5GnQCAL

Score

10^/10

asyncrat gurcu default collection discovery persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

51.89.44.68:8848

Mutex

etb3t1tr5n

Attributes

delay
1
install
true
install_file
svchost.exe
install_folder
%Temp%

aes.plain

Extracted

Family

gurcu

https://api.telegram.org/bot8186028481:AAFwGBBD5b2kT-q-75Ksfw-nU1TMlE5m8y0/getM

https://api.telegram.org/bot8186028481:AAFwGBBD5b2kT-q-75Ksfw-nU1TMlE5m8y0/sendMessage?chat_id=5685021465

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0026000000046500-17.dat	family_asyncrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\Control Panel\International\Geo\Nation	build.exe

Executes dropped EXE 5 IoCs

pid	Process
3152	svchost.exe
5844	svchost.exe
5992	svchost.exe
6684	svchost.exe
4944	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	build.exe
Key opened	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	build.exe
Key opened	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	build.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
16	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
82	icanhazip.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
6592	cmd.exe
6740	netsh.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	build.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	build.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
6028	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5232	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
1684	build.exe
1684	build.exe
1684	build.exe
1684	build.exe
1684	build.exe
1684	build.exe
1684	build.exe
1684	build.exe
1684	build.exe
1684	build.exe
1684	build.exe
1684	build.exe
1684	build.exe
1684	build.exe
1684	build.exe
1684	build.exe
1684	build.exe
1684	build.exe
1684	build.exe
1684	build.exe
1684	build.exe
1684	build.exe
1684	build.exe
1684	build.exe
1684	build.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	build.exe
Token: SeIncreaseQuotaPrivilege	3152	svchost.exe
Token: SeSecurityPrivilege	3152	svchost.exe
Token: SeTakeOwnershipPrivilege	3152	svchost.exe
Token: SeLoadDriverPrivilege	3152	svchost.exe
Token: SeSystemProfilePrivilege	3152	svchost.exe
Token: SeSystemtimePrivilege	3152	svchost.exe
Token: SeProfSingleProcessPrivilege	3152	svchost.exe
Token: SeIncBasePriorityPrivilege	3152	svchost.exe
Token: SeCreatePagefilePrivilege	3152	svchost.exe
Token: SeBackupPrivilege	3152	svchost.exe
Token: SeRestorePrivilege	3152	svchost.exe
Token: SeShutdownPrivilege	3152	svchost.exe
Token: SeDebugPrivilege	3152	svchost.exe
Token: SeSystemEnvironmentPrivilege	3152	svchost.exe
Token: SeRemoteShutdownPrivilege	3152	svchost.exe
Token: SeUndockPrivilege	3152	svchost.exe
Token: SeManageVolumePrivilege	3152	svchost.exe
Token: 33	3152	svchost.exe
Token: 34	3152	svchost.exe
Token: 35	3152	svchost.exe
Token: 36	3152	svchost.exe
Token: SeDebugPrivilege	6492	taskmgr.exe
Token: SeSystemProfilePrivilege	6492	taskmgr.exe
Token: SeCreateGlobalPrivilege	6492	taskmgr.exe
Token: SeDebugPrivilege	3660	firefox.exe
Token: SeDebugPrivilege	3660	firefox.exe
Token: SeIncreaseQuotaPrivilege	5844	svchost.exe
Token: SeSecurityPrivilege	5844	svchost.exe
Token: SeTakeOwnershipPrivilege	5844	svchost.exe
Token: SeLoadDriverPrivilege	5844	svchost.exe
Token: SeSystemProfilePrivilege	5844	svchost.exe
Token: SeSystemtimePrivilege	5844	svchost.exe
Token: SeProfSingleProcessPrivilege	5844	svchost.exe
Token: SeIncBasePriorityPrivilege	5844	svchost.exe
Token: SeCreatePagefilePrivilege	5844	svchost.exe
Token: SeBackupPrivilege	5844	svchost.exe
Token: SeRestorePrivilege	5844	svchost.exe
Token: SeShutdownPrivilege	5844	svchost.exe
Token: SeDebugPrivilege	5844	svchost.exe
Token: SeSystemEnvironmentPrivilege	5844	svchost.exe
Token: SeRemoteShutdownPrivilege	5844	svchost.exe
Token: SeUndockPrivilege	5844	svchost.exe
Token: SeManageVolumePrivilege	5844	svchost.exe
Token: 33	5844	svchost.exe
Token: 34	5844	svchost.exe
Token: 35	5844	svchost.exe
Token: 36	5844	svchost.exe
Token: SeSecurityPrivilege	380	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5992	svchost.exe
Token: SeSecurityPrivilege	5992	svchost.exe
Token: SeTakeOwnershipPrivilege	5992	svchost.exe
Token: SeLoadDriverPrivilege	5992	svchost.exe
Token: SeSystemProfilePrivilege	5992	svchost.exe
Token: SeSystemtimePrivilege	5992	svchost.exe
Token: SeProfSingleProcessPrivilege	5992	svchost.exe
Token: SeIncBasePriorityPrivilege	5992	svchost.exe
Token: SeCreatePagefilePrivilege	5992	svchost.exe
Token: SeBackupPrivilege	5992	svchost.exe
Token: SeRestorePrivilege	5992	svchost.exe
Token: SeShutdownPrivilege	5992	svchost.exe
Token: SeDebugPrivilege	5992	svchost.exe
Token: SeSystemEnvironmentPrivilege	5992	svchost.exe
Token: SeRemoteShutdownPrivilege	5992	svchost.exe

Suspicious use of FindShellTrayWindow 59 IoCs

pid	Process
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe

Suspicious use of SendNotifyMessage 57 IoCs

pid	Process
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe
6492	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3660	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 3152	1684	build.exe	94
PID 1684 wrote to memory of 3152	1684	build.exe	94
PID 2324 wrote to memory of 3660	2324	firefox.exe	106
PID 2324 wrote to memory of 3660	2324	firefox.exe	106
PID 2324 wrote to memory of 3660	2324	firefox.exe	106
PID 2324 wrote to memory of 3660	2324	firefox.exe	106
PID 2324 wrote to memory of 3660	2324	firefox.exe	106
PID 2324 wrote to memory of 3660	2324	firefox.exe	106
PID 2324 wrote to memory of 3660	2324	firefox.exe	106
PID 2324 wrote to memory of 3660	2324	firefox.exe	106
PID 2324 wrote to memory of 3660	2324	firefox.exe	106
PID 2324 wrote to memory of 3660	2324	firefox.exe	106
PID 2324 wrote to memory of 3660	2324	firefox.exe	106
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 620	3660	firefox.exe	107
PID 3660 wrote to memory of 336	3660	firefox.exe	108
PID 3660 wrote to memory of 336	3660	firefox.exe	108
PID 3660 wrote to memory of 336	3660	firefox.exe	108
PID 3660 wrote to memory of 336	3660	firefox.exe	108
PID 3660 wrote to memory of 336	3660	firefox.exe	108
PID 3660 wrote to memory of 336	3660	firefox.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	build.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	build.exe

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
1⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1684
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3152
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5844
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:6592
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:6692
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:6740
- - C:\Windows\system32\findstr.exe
    findstr All
    3⤵
    PID:6648
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  2⤵
  PID:7100
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:7156
- - C:\Windows\system32\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:5716
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5992
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  PID:6684
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\edc6f13e-e43c-4756-857c-c6f90b345ecb.bat"
  2⤵
  PID:3156
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:5348
- - C:\Windows\system32\taskkill.exe
    taskkill /F /PID 1684
    3⤵
    - Kills process with taskkill
    PID:5232
- - C:\Windows\system32\timeout.exe
    timeout /T 2 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:6028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=4184,i,9196809988335597270,13533469875825522379,262144 --variations-seed-version --mojo-platform-channel-handle=4328 /prefetch:8
1⤵
PID:1400

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1940 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {112b5f47-353c-4813-8993-4b4b113de6db} 3660 "\\.\pipe\gecko-crash-server-pipe.3660" gpu
    3⤵
    PID:620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d9b9e4a-637c-4067-a2f9-34d7945ff43d} 3660 "\\.\pipe\gecko-crash-server-pipe.3660" socket
    3⤵
    PID:336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3456 -childID 1 -isForBrowser -prefsHandle 3416 -prefMapHandle 3448 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1240 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52c1f06e-f61e-4aad-abb2-cf109d0e74f4} 3660 "\\.\pipe\gecko-crash-server-pipe.3660" tab
    3⤵
    PID:5260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4220 -childID 2 -isForBrowser -prefsHandle 4212 -prefMapHandle 4208 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1240 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b2a4247-ff83-4579-9071-6a7674cb777c} 3660 "\\.\pipe\gecko-crash-server-pipe.3660" tab
    3⤵
    PID:5544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5064 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5112 -prefMapHandle 5032 -prefsLen 33283 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23540c1f-9509-410a-9bdf-2c7a7f56dfd5} 3660 "\\.\pipe\gecko-crash-server-pipe.3660" utility
    3⤵
    - Checks processor information in registry
    PID:6732
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4944 -childID 3 -isForBrowser -prefsHandle 5224 -prefMapHandle 5220 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1240 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ccd986de-cc57-4e92-8cf5-2a512674cbc4} 3660 "\\.\pipe\gecko-crash-server-pipe.3660" tab
    3⤵
    PID:6744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5212 -childID 4 -isForBrowser -prefsHandle 5236 -prefMapHandle 5232 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1240 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6874cedb-db49-4204-a632-9c822ab9b02d} 3660 "\\.\pipe\gecko-crash-server-pipe.3660" tab
    3⤵
    PID:6752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5612 -childID 5 -isForBrowser -prefsHandle 5604 -prefMapHandle 4944 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1240 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca2508d9-8a83-4d49-a10d-459a082c404f} 3660 "\\.\pipe\gecko-crash-server-pipe.3660" tab
    3⤵
    PID:6928

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6492

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=4092,i,9196809988335597270,13533469875825522379,262144 --variations-seed-version --mojo-platform-channel-handle=3136 /prefetch:8
1⤵
PID:1944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=3748,i,9196809988335597270,13533469875825522379,262144 --variations-seed-version --mojo-platform-channel-handle=3216 /prefetch:8
1⤵
PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\igamsxea.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
900939440fae8229898dea531ac24c1f

SHA1
4284319a146bef969700577f9fe3a990e787d42e

SHA256
9291a8ea7e1344704a8d1e0007235a29faffda233db0a254807e29792a662ee5

SHA512
144c4e5c9038b367bd26a3f22700217fcb268842234a33abd4c1b3503b6aa2facee4fae14d4025ee2e575e48ad3446982a55ccf694df4edea00576f25dee1faf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\igamsxea.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
14KB

MD5
b0d4cc5ad7415eb33842a018950206c1

SHA1
2c160ee7f1d9e5407394ac16e6d7b39869f08fe8

SHA256
c610f20babc6f01b47f3adef43193a70d1d5eae8d8660e482df346f1c61d8b4f

SHA512
d8a95c40e3d32944e612551dd0684b237c62f77886d55ba002e2ef6bf589954b62c082ff26420c6dba204428a361863fdeeccb39eb3c0de98ac19184a23c3c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
2KB

MD5
04fe8d95a6e322ca96821940a1a284fd

SHA1
f88bc3f3e52372e17874a1da0bd87082f3c3d102

SHA256
15c9af4782c06accae74237a9377aad2acac58782d267cb98d63919b924c7b0d

SHA512
91e263511014b504e16506f6dcd231c8dd8dc5108719bc87c9ea8beb0232f357314a91b0bfb4db9a351848bae156b9a639bf67fc353cce27418594ac29b68dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
5KB

MD5
76de5e2af870d5f4f989fb4c577a4c4b

SHA1
ff11bfee028ae7baed79aa2de1780bd21d111a38

SHA256
3f59b0ddb640999597bd1432537a904df9c31106dc9371709a40b9acabe331aa

SHA512
c4d30fca2bd0f9f9408b5039ed4bb9eeaf358a045b4d0f5a9d7d6b38c286cb7d4d78d5bbe3a632981e6f255c72d31746a3a60d933882220586b47c7b0d9a420c

Download Submit
C:\Users\Admin\AppData\Local\Temp\edc6f13e-e43c-4756-857c-c6f90b345ecb.bat

Filesize
152B

MD5
e0e3cd982bc75003199aa1c79d5e5a3d

SHA1
495a93eb15fa3ffbd8d3938693b9367d63cc34fd

SHA256
995c250acf174d07a253f83af4d3469be6abfeffee81fa0eacc587615d23e3b7

SHA512
dd7dbaa872787bdb513aa6ea9540fcf7e9657bc8f0eebe4f0d5265974b1d47ee3cf4303a6ab409b89063a6c0fd0b77747bd315cd3c2da946d24eaae0e14e2be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\fc46a7ddbe61639174a588ac7c2301f3\Admin@WYKESHLM_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
220B

MD5
2ab1fd921b6c195114e506007ba9fe05

SHA1
90033c6ee56461ca959482c9692cf6cfb6c5c6af

SHA256
c79cfdd6d0757eb52fbb021e7f0da1a2a8f1dd81dcd3a4e62239778545a09ecc

SHA512
4f0570d7c7762ecb4dcf3171ae67da3c56aa044419695e5a05f318e550f1a910a616f5691b15abfe831b654718ec97a534914bd172aa7a963609ebd8e1fae0a5

Download Submit
C:\Users\Admin\AppData\Local\fc46a7ddbe61639174a588ac7c2301f3\Admin@WYKESHLM_en-US\System\Apps.txt

Filesize
6KB

MD5
6710d4c8bdeb3dcb296387af5b203948

SHA1
1392f8bc6d7097cc002c6763d6297fa6f3b2d1cb

SHA256
ab3452eb9497290080df8411fa6836abe42d3d4927e1df4f2ef875a8c9a44d36

SHA512
17915c3c3f272961c5367bb08693a631bb8abdb62501742c2a80b9862e74e48c759646e29de3aebe699b29532014d3ccbd98547782bf794cdba099df8f6b97ba

Download Submit
C:\Users\Admin\AppData\Local\fc46a7ddbe61639174a588ac7c2301f3\Admin@WYKESHLM_en-US\System\Process.txt

Filesize
577B

MD5
50a9e86c1f678bf72bc8d7c4f48b662a

SHA1
cc868c907ae47e3ff648a6019fc6e51b24298309

SHA256
8c47a783e7df8fd7d062d8cf7b4472924b3d8f3688287255faf398eae028aabc

SHA512
1405209f8c29612fe13b49574cd781b310c2983ab6b422113a350278f380b51d9399100751f405bff738e6b3524160481fc6ff3bf1157c910f3a7a3bd5abaf6a

Download Submit
C:\Users\Admin\AppData\Local\fc46a7ddbe61639174a588ac7c2301f3\Admin@WYKESHLM_en-US\System\Process.txt

Filesize
3KB

MD5
40453f4cba5bd7c7c20d0abbae2ebe7f

SHA1
e1a1f59d35435a7445be5fbaf0060857345d8619

SHA256
b26385017c297755c8aab2fc212adb5eacbbb12d701c6ef4f126782467b68ac8

SHA512
02d3a72030ed8243ff9ca78fdd41b3d588085610764a29246ca530cddff17202be79f75a0ea976602e2a6bd9f249e267167476dedf2649ee7eddd3bfff3ff2c8

Download Submit
C:\Users\Admin\AppData\Local\fc46a7ddbe61639174a588ac7c2301f3\Admin@WYKESHLM_en-US\System\Process.txt

Filesize
3KB

MD5
7ccf1ff33322369a1ef8f06f6834b6c6

SHA1
ab59403a562cd46f7e8bfd8bc01c5195e3102118

SHA256
174fe2e26d89e27b7d8c42c9b88af8e486974d98e62c466830a2b6ec593eb964

SHA512
7e79f6a1560a72e405d86a9e33c71d9e92334fc862bf8c72d351d4e3b31d8bd32df6ba11cac512fe12ed83035a538e242c5d87e1a1d6f18e3eb508ebb314c6e6

Download Submit
C:\Users\Admin\AppData\Local\fc46a7ddbe61639174a588ac7c2301f3\Admin@WYKESHLM_en-US\System\Process.txt

Filesize
4KB

MD5
7e87c27ffbafbaa489a3d38969f7c767

SHA1
09980d8fe2faf79793a5d362a5a3e5f399351a44

SHA256
5d1471338af2ba76e9e1657a13dca75aeb0a3e1032c2c4d9cff682701ae71181

SHA512
b3ff58e2dd66910271435c7e4f3adc10b32665d5503a69dc7683ce61f71248f6bc7c15436d193098318a7e663981629468433da32a3fe5c3cf07af76bfa76e34

Download Submit
C:\Users\Admin\AppData\Local\fc46a7ddbe61639174a588ac7c2301f3\msgid.dat

Filesize
1B

MD5
a87ff679a2f3e71d9181a67b7542122c

SHA1
1b6453892473a467d07372d45eb05abc2031647a

SHA256
4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a

SHA512
a321d8b405e3ef2604959847b36d171eebebc4a8941dc70a4784935a4fca5d5813de84dfa049f06549aa61b20848c1633ce81b675286ea8fb53db240d831c568

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2ACW2MW72NV9KTWCJ6KT.temp

Filesize
7KB

MD5
83dff5bcf35030ee9971484ba93fa89c

SHA1
8745d7321b3b8a0f770e820e12b2cdeddc170efa

SHA256
95e1dbc2e2bb66ed7686727b7c9a8517750af947da73901f2f3dfa2ae0d07b0b

SHA512
06f133e4a8a5d51651ea915af7d02814a36be7e2cde6ea89ba5409f5bdbc1a803e75159ba3158068f13357914251ea9d44223cedd7f90ab1473855181a9faf15

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\AlternateServices.bin

Filesize
8KB

MD5
40e180d84fcd6255019cc1b05cb31dd2

SHA1
68db2d92b9eca62552cd9388c123044cee99b1d8

SHA256
17bb1a024c4d9d16ae911e81258e065bf2041b2c2dc8d0e5643db16f5de1d559

SHA512
d1eba3e0973b5470dc798b0ef47e0c155a906b8edf04bd22be083c71d7dc9911a98a54e1fe6b36f4ddf9713c3decb9d421d2e676629b0d48dcf50d41fb99f74a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\bookmarkbackups\bookmarks-2024-12-29_11_xBbx+Pu3mF1DfYJj7E0bhg==.jsonlz4

Filesize
1013B

MD5
49e35b98b09b4907c4bc21f368842b85

SHA1
815ca7ec6f29f1602dca5819f721e0ce4d1d5fa5

SHA256
a539bca6639618395f98066865ba571f4c46fe7e87b2255740817de678a6e195

SHA512
83ae45e1d9822483080e295fbad41ee2091f5f3e0a6662be9f8e4fa18602405050cde6662a7d99a9f87c57e53c6f82ecc1934d9dee5172027d382edfc9094ff9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
fb441e8deab08f71c450741728ade43c

SHA1
cc8c167b8e1b1aa8b9c7b02d44058c1b1a89c405

SHA256
a182ea9c2ace88cb1aec7d85815f7814f8837c16c1c81741004e03b4c1ed49d6

SHA512
ef75a9b13e7a482aaeaaf3c8d244a8b855a177cba9aa27b3bd961601b360549b3a8ec8575165637c4958d53d57142231b35140ca36d722b660cafeef358490df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
38f769b69d6e0e8a34ee265f162009cb

SHA1
857e882b889a54bc53ce292ee3c732c8a56d745c

SHA256
e021e526f7d1c332c434d020467b054b870c3341c9714e594f9971af44c53b6b

SHA512
330c3e2611e960169acd08d331d234fba1e42b5e97387795352cffa0a9f6daea1cab38c65bd2587c62b05f926c7fa64ad076f68a6340f129ab60f73c33455bb2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
adb940b6b365c792f9e495311c4731af

SHA1
1284527eb87794ea5997c0f22a0734a2cf564d77

SHA256
65da59656f64cc985c9ca23b70ceb36cd5e45c80c65f58952a59cc061863124c

SHA512
85824e3203017441056e47eb8c37f40f86fad6f2d0ab309a246550aa5ce2dbf79e40c866ccae11f5200cd88849d30d57a1112ea44f89cddb314dda4f71726c84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\datareporting\glean\pending_pings\1a75b0e0-3251-4987-8c9d-af0ee30c1ced

Filesize
982B

MD5
a3ea32220bd239fdb062b6ad01461aba

SHA1
da42d54eba7fdb6987bf6e0f1a1f697f6d73c221

SHA256
e15013ba3182e4ea933a68083a58f13300216a61e16d0e4cdb8205f8cea620f9

SHA512
bba05e21fcad39fc190efd1c3535b58ee1680f200f185a38f276493f6c87dde5dd660764b522f653b199b93d328e3958bc5edadb9b0c67821d083055b81e0348

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\datareporting\glean\pending_pings\3854461a-1295-47f4-b927-93b768883cfb

Filesize
716B

MD5
fe8cd4222b1ad013c50c705712ec9c44

SHA1
b1a6d8b0c5457a86d12ac39a6130af77606304f6

SHA256
929b1564d9f9477f708f938e1c88fe646fd8cb54b2d6282707b7b12001653414

SHA512
8efa92e11f81b7032041561bf1fc130a740ade0d9d94d0874ab4557afe9d86c70ef39cd9348cf134a9f02e38487be6c79d1e60fd384f487813fc78dc14036048

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\datareporting\glean\pending_pings\86c903cd-f9f1-4095-b6c2-8d5ae7036132

Filesize
25KB

MD5
a83a410161eb77632bebe10242132bc0

SHA1
a4ce90f81941abb60c6b3f43ab9139e3d89513c5

SHA256
249a99d6e4d71da2c545714b258dd3a35ee6a9f7196eaabeec0d0a1165f23bf7

SHA512
39e3bfcd581124be2c99b0e097d9a8686ca93a713f90a01e27bcc3687706502ce464d6375f13748b2dc48b7a871272ec24e0b67d0c2d41e5c7ae10efdfa9a429

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\prefs-1.js

Filesize
10KB

MD5
df1e539e49873e83a30af30c6023eee1

SHA1
84161b630e029b24e64d0ddbc4a92d479a21506f

SHA256
d37893618d2b9fb621287d155d9712a30507990e101b55b147a649bbb5822886

SHA512
3d3cf3e6e4839ab6113fba446180e523beff5e48fe997a62d3974b6797657df52e6feeba1de9afe412d2c88c030e7cfadf6b86511177031618d85c72b5450daa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\prefs-1.js

Filesize
12KB

MD5
714bcc83c31fd0f85103b09aff4c43ef

SHA1
3718690afbfd2f620d3618da83292681ed504e57

SHA256
5f7d1b64f7d6b77471aaf149eb56ae8a9ac9174f23122d80f407258183f782ab

SHA512
aec882e0a3d75ea575b79392522d76b988ac138ffc71f8573240f328c2ac3d2004396e9ab00f7fb1b57dfde8e1d998cc9307e362265cec107e774334ff782c0c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\prefs-1.js

Filesize
10KB

MD5
73e4d18a0e4c4787dcfc84870e456b28

SHA1
a97359f7cd367e8ddde3bb86ebe0bafd6970b8f1

SHA256
6948ba4ce5009ae39faf8dea4a7ae2513258fee119064ed9d00ce20f79366fd1

SHA512
84dd92e7e5e14159e6b5da2d9dc1036a22403313e1111dcda06d2bc1091f30d22b87f58c2faf584d7aa8735ee0960a2deebccf00ad8e31b4368cc009061b0814

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\prefs.js

Filesize
10KB

MD5
9b6d6b38c9dc03463335a6354b3e29b8

SHA1
efcf9632be3dfad13d3c9e9c41756729f92159ab

SHA256
f3d6c3d1cd4afc2e010006a441802788e85d2ad153516d443c4546e30d2d9caf

SHA512
56790339cc1c8ec71bfa14ac716ccfd6d10119274196c8589826a2bdbf028da6c3a9529d0a61615bae7886456470c1729754ad08eb212227004585cd6577c349

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\prefs.js

Filesize
10KB

MD5
43a751d8da1fd4a698d99323d385b2cf

SHA1
e460e2fdb62fe82b2cbccf79c82315fdce82c5b1

SHA256
a733048aff7dbcf674be8ff4ca32a2765fdc9cf795f70da84b217034c3f1aef4

SHA512
c9254dcb6716637661476b60ab03d6cea2ae879654501c3230c7c4cf1ad99377d3f68fa01d663bdd61ee1e7352f03e65f2769c0dea32aa029961baafb97a080d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
0288612b3cbe2dd1be876693be440659

SHA1
e1127cab077ccfd6b434984a1b16cea4b1e63d85

SHA256
b29059ff92454ea3b2162cafc3de00ff190297300566312f02998489d93ac168

SHA512
b5363e319cae62ba0c3b101323fc6cff8e37d4721cc50958c8e60f11be3b28da4f6dadc94563975022a852c4659f03b2cd3c3e269e3f2a45c50ef2440b78c0b7

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
63KB

MD5
67ca41c73d556cc4cfc67fc5b425bbbd

SHA1
ada7f812cd581c493630eca83bf38c0f8b32b186

SHA256
23d2e491a8c7f2f7f344764e6879d9566c9a3e55a3788038e48b346c068dde5b

SHA512
0dceb6468147cd2497adf31843389a78460ed5abe2c5a13488fc55a2d202ee6ce0271821d3cf12bc1f09a4d6b79a737ea3bccfc2bb87f89b3fff6410fa85ec02

Download Submit
memory/1684-754-0x00000286B95E0000-0x00000286B9680000-memory.dmp

Filesize
640KB

Download
memory/1684-796-0x00007FF9514B0000-0x00007FF951F72000-memory.dmp

Filesize
10.8MB

Download
memory/1684-738-0x00000286B95B0000-0x00000286B95D2000-memory.dmp

Filesize
136KB

Download
memory/1684-685-0x00000286B9450000-0x00000286B9494000-memory.dmp

Filesize
272KB

Download
memory/1684-1-0x000002869E1E0000-0x000002869E57C000-memory.dmp

Filesize
3.6MB

Download
memory/1684-690-0x00000286B94B0000-0x00000286B94CA000-memory.dmp

Filesize
104KB

Download
memory/1684-0-0x00007FF9514B3000-0x00007FF9514B5000-memory.dmp

Filesize
8KB

Download
memory/1684-737-0x00000286B94D0000-0x00000286B9582000-memory.dmp

Filesize
712KB

Download
memory/1684-2-0x00007FF9514B0000-0x00007FF951F72000-memory.dmp

Filesize
10.8MB

Download
memory/1684-56-0x00007FF9514B0000-0x00007FF951F72000-memory.dmp

Filesize
10.8MB

Download
memory/1684-55-0x00007FF9514B3000-0x00007FF9514B5000-memory.dmp

Filesize
8KB

Download
memory/3152-54-0x00007FF9514B0000-0x00007FF951F72000-memory.dmp

Filesize
10.8MB

Download
memory/3152-27-0x0000000000800000-0x0000000000816000-memory.dmp

Filesize
88KB

Download
memory/3152-28-0x00007FF9514B0000-0x00007FF951F72000-memory.dmp

Filesize
10.8MB

Download
memory/6492-422-0x00000299EE6A0000-0x00000299EE6A1000-memory.dmp

Filesize
4KB

Download
memory/6492-432-0x00000299EE6A0000-0x00000299EE6A1000-memory.dmp

Filesize
4KB

Download
memory/6492-433-0x00000299EE6A0000-0x00000299EE6A1000-memory.dmp

Filesize
4KB

Download
memory/6492-434-0x00000299EE6A0000-0x00000299EE6A1000-memory.dmp

Filesize
4KB

Download
memory/6492-435-0x00000299EE6A0000-0x00000299EE6A1000-memory.dmp

Filesize
4KB

Download
memory/6492-436-0x00000299EE6A0000-0x00000299EE6A1000-memory.dmp

Filesize
4KB

Download
memory/6492-421-0x00000299EE6A0000-0x00000299EE6A1000-memory.dmp

Filesize
4KB

Download
memory/6492-437-0x00000299EE6A0000-0x00000299EE6A1000-memory.dmp

Filesize
4KB

Download
memory/6492-423-0x00000299EE6A0000-0x00000299EE6A1000-memory.dmp

Filesize
4KB

Download
memory/6492-431-0x00000299EE6A0000-0x00000299EE6A1000-memory.dmp

Filesize
4KB

Download