discordrat | 295cd12d448a0960ae0b2502505bfb0c23b11b651a28ff92f5c04c18712c787f

Resubmissions

08-04-2024 09:27

240408-le461adh44 10

08-04-2024 09:27

08-04-2024 09:27

08-04-2024 09:22

08-04-2024 09:04

08-04-2024 09:03

08-04-2024 08:59

Analysis

max time kernel
293s
max time network
346s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-04-2024 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

ad8199a07ecbffb2b61f1866d7a32fab
SHA1

9fef07bdbc58f57a0dc118fcabf255abbb74cec4
SHA256

295cd12d448a0960ae0b2502505bfb0c23b11b651a28ff92f5c04c18712c787f
SHA512

517440347557ad4e3cae8f53df037ba37afa56bf59ec413d08ec70794daf1dd629e6eba302bbe1461368c00981eeeb899c209ad94aba8785a9173484dfbdb39d
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+FPIC:5Zv5PDwbjNrmAE+VIC

Score

10^/10

discordrat evasion persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIyNjc5NDI2OTc0Mjk4OTM1Mg.GGcfSn.O22YiEnqD05TMhl029CMEeHyqw41ZN4YIb_np8
server_id
908750895850872873

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Executes dropped EXE 4 IoCs

pid	Process
5340	AnyDesk.exe
5500	AnyDesk.exe
5508	AnyDesk.exe
1232	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
5508	AnyDesk.exe
5500	AnyDesk.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
281	discord.com
283	discord.com
284	discord.com
285	discord.com
11	discord.com
19	discord.com
246	discord.com
272	discord.com
273	discord.com
282	discord.com
10	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\AnyDesk.exe:Zone.Identifier	firefox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5508	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
5500	AnyDesk.exe
5500	AnyDesk.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	Client-built.exe
Token: SeDebugPrivilege	1168	firefox.exe
Token: SeDebugPrivilege	1168	firefox.exe
Token: SeDebugPrivilege	5340	AnyDesk.exe
Token: SeDebugPrivilege	5340	AnyDesk.exe
Token: SeDebugPrivilege	5500	AnyDesk.exe
Token: 33	5812	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5812	AUDIODG.EXE
Token: SeDebugPrivilege	1168	firefox.exe
Token: SeDebugPrivilege	1168	firefox.exe
Token: SeDebugPrivilege	1168	firefox.exe
Token: SeDebugPrivilege	5136	Taskmgr.exe
Token: SeSystemProfilePrivilege	5136	Taskmgr.exe
Token: SeCreateGlobalPrivilege	5136	Taskmgr.exe
Token: 33	5136	Taskmgr.exe
Token: SeIncBasePriorityPrivilege	5136	Taskmgr.exe
Token: SeDebugPrivilege	1168	firefox.exe
Token: SeShutdownPrivilege	2720	Client-built.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1168	firefox.exe
1168	firefox.exe
1168	firefox.exe
1168	firefox.exe
5508	AnyDesk.exe
5508	AnyDesk.exe
5508	AnyDesk.exe
5508	AnyDesk.exe
5508	AnyDesk.exe
5508	AnyDesk.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe

Suspicious use of SendNotifyMessage 63 IoCs

pid	Process
1168	firefox.exe
1168	firefox.exe
1168	firefox.exe
5508	AnyDesk.exe
5508	AnyDesk.exe
5508	AnyDesk.exe
5508	AnyDesk.exe
5508	AnyDesk.exe
5508	AnyDesk.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe
5136	Taskmgr.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1168	firefox.exe
1168	firefox.exe
1168	firefox.exe
1168	firefox.exe
1232	AnyDesk.exe
1232	AnyDesk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1168	1684	firefox.exe	99
PID 1684 wrote to memory of 1168	1684	firefox.exe	99
PID 1684 wrote to memory of 1168	1684	firefox.exe	99
PID 1684 wrote to memory of 1168	1684	firefox.exe	99
PID 1684 wrote to memory of 1168	1684	firefox.exe	99
PID 1684 wrote to memory of 1168	1684	firefox.exe	99
PID 1684 wrote to memory of 1168	1684	firefox.exe	99
PID 1684 wrote to memory of 1168	1684	firefox.exe	99
PID 1684 wrote to memory of 1168	1684	firefox.exe	99
PID 1684 wrote to memory of 1168	1684	firefox.exe	99
PID 1684 wrote to memory of 1168	1684	firefox.exe	99
PID 1168 wrote to memory of 4724	1168	firefox.exe	100
PID 1168 wrote to memory of 4724	1168	firefox.exe	100
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 3500	1168	firefox.exe	101
PID 1168 wrote to memory of 4444	1168	firefox.exe	102
PID 1168 wrote to memory of 4444	1168	firefox.exe	102
PID 1168 wrote to memory of 4444	1168	firefox.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1168.0.737195705\432407291" -parentBuildID 20221007134813 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {107aa8aa-78e1-47b0-9ab0-004da92778ad} 1168 "\\.\pipe\gecko-crash-server-pipe.1168" 2012 1dfca7f4d58 gpu
    3⤵
    PID:4724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1168.1.1602047813\2070537379" -parentBuildID 20221007134813 -prefsHandle 2384 -prefMapHandle 2372 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8154e101-06f2-4421-b8b1-ecbd0397ad9a} 1168 "\\.\pipe\gecko-crash-server-pipe.1168" 2412 1dfbdde6e58 socket
    3⤵
    PID:3500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1168.2.309481191\1233369000" -childID 1 -isForBrowser -prefsHandle 3148 -prefMapHandle 3144 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4947eb30-81a7-47ad-9d4a-1a607e7c360c} 1168 "\\.\pipe\gecko-crash-server-pipe.1168" 3160 1dfce5b9658 tab
    3⤵
    PID:4444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1168.3.1632617173\1152218480" -childID 2 -isForBrowser -prefsHandle 3584 -prefMapHandle 3580 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a9f75db-b844-4b9d-84d5-8b08ac7eee0f} 1168 "\\.\pipe\gecko-crash-server-pipe.1168" 3592 1dfbdd62b58 tab
    3⤵
    PID:4420
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1168.4.508867654\1986063703" -childID 3 -isForBrowser -prefsHandle 4268 -prefMapHandle 4180 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d738b572-b61a-4314-9bcb-bf4a907576b0} 1168 "\\.\pipe\gecko-crash-server-pipe.1168" 4324 1dfcf8f5458 tab
    3⤵
    PID:3596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1168.5.1489339128\646636375" -childID 4 -isForBrowser -prefsHandle 5164 -prefMapHandle 5160 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {053d821e-bc65-4575-b10f-9e1a381cebb2} 1168 "\\.\pipe\gecko-crash-server-pipe.1168" 5176 1dfce569858 tab
    3⤵
    PID:4900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1168.6.887970907\958714486" -childID 5 -isForBrowser -prefsHandle 5328 -prefMapHandle 5332 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72073de9-ff12-44d1-917f-9da305599239} 1168 "\\.\pipe\gecko-crash-server-pipe.1168" 5292 1dfce56ad58 tab
    3⤵
    PID:3004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1168.7.250060751\482166497" -childID 6 -isForBrowser -prefsHandle 5504 -prefMapHandle 5508 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c4ecab7-8e11-4a6e-806f-b44e73201878} 1168 "\\.\pipe\gecko-crash-server-pipe.1168" 5588 1dfce56b658 tab
    3⤵
    PID:2300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1168.8.711924216\1895743018" -childID 7 -isForBrowser -prefsHandle 5920 -prefMapHandle 5924 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2034c33e-adca-4b3f-895d-34bc068c815d} 1168 "\\.\pipe\gecko-crash-server-pipe.1168" 5936 1dfd29a7658 tab
    3⤵
    PID:5372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1168.9.1411459819\377081495" -childID 8 -isForBrowser -prefsHandle 5212 -prefMapHandle 5208 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35738958-066c-432e-81b0-bf60c7b2d904} 1168 "\\.\pipe\gecko-crash-server-pipe.1168" 5276 1dfd1fbe858 tab
    3⤵
    PID:5440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1168.10.268306356\627994883" -parentBuildID 20221007134813 -prefsHandle 9936 -prefMapHandle 5212 -prefsLen 26381 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c48f06b-1a66-470f-b582-4b78e1a5da2c} 1168 "\\.\pipe\gecko-crash-server-pipe.1168" 9928 1dfd2c47858 rdd
    3⤵
    PID:6020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1168.11.1466166210\2021349016" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 9856 -prefMapHandle 9860 -prefsLen 26381 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb054f9b-58d2-401a-8060-79eb94ad7ea7} 1168 "\\.\pipe\gecko-crash-server-pipe.1168" 4496 1dfd2c4a558 utility
    3⤵
    PID:6064
- - C:\Users\Admin\Downloads\AnyDesk.exe
    "C:\Users\Admin\Downloads\AnyDesk.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:5340
  - - C:\Users\Admin\Downloads\AnyDesk.exe
      "C:\Users\Admin\Downloads\AnyDesk.exe" --local-service
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5500
    - - C:\Users\Admin\Downloads\AnyDesk.exe
        
        "C:\Users\Admin\Downloads\AnyDesk.exe" --backend
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1232
  - - C:\Users\Admin\Downloads\AnyDesk.exe
      "C:\Users\Admin\Downloads\AnyDesk.exe" --local-control
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:5508

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x338 0x33c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5812

C:\Windows\system32\launchtm.exe
launchtm.exe /2
1⤵
PID:5452
- C:\Windows\System32\Taskmgr.exe
  "C:\Windows\System32\Taskmgr.exe" /2
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5136

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
1⤵
PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0etkwu5l.default-release\cache2\doomed\16344

Filesize
7KB

MD5
c4c9992bd0ac15f1d526301c95ddc81d

SHA1
9592ff04094bd8fc528085347a1d582cb94cfdcf

SHA256
1f11f707c5f2bb000950fa90febd9f94e081128d6a28f29a6ba13120c70732e3

SHA512
d64bed14600da637ee0fdb7f481eb1fa8dccfd1bff6dad2cb30ec556560047d2ab29e16ac28fc43a4cc98c60e2a28cfce07df9148393b4f5add9c67693b1998f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0etkwu5l.default-release\cache2\entries\BB23E73EA0DCCC59097C1E8EEFC946FD99DE9B28

Filesize
22KB

MD5
18e5ac10b0dcf66a0cd9cec4e6d730d0

SHA1
536a10ea86f5a9f3c354d7f81299e3a26432e722

SHA256
1f5929134802108978ad111c0748e17bc37a3f43557b8c5ae2183d38e97dff3c

SHA512
c9484730b8a5dc68ece9aa57d9a1947ffb95185f041d4dd2a86fa865e22def3a1c9817b434a29668653c990359575ced84950688528262b6d408ea1099a70982

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
5522b2f86ada2b08c4917066071c3cd5

SHA1
efc3d3d34822d8faf1e0a51ee29acbd96c550b48

SHA256
60b6e0a7169f8ed5ae7627c8bacf8b67d18e627e9173f90addfd2bebb7ab19a7

SHA512
4f718c69282e8f00730faa0b6d8dd3734cb5ad5c16b4fd35a85f14ae429f30f012ee5d0694e77239e89ea2d7cfdbcbae218753974b07dfa0a34c1b70e394d928

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
42KB

MD5
1461461b8b6d337245d5eb3dfc3dc472

SHA1
030ef56b4870af8de098b2644602711361a84989

SHA256
4c69a3bfb040abd3c6157417dbd716796ea06ce2b2121bf14ab7824a78a33e63

SHA512
2864cfc4420626e0b5f6ac5219224ae4ab1094a80e5c1e65df1b1629470ab6e9c4fb53831c64ba2e12fe3fed9613159aad25aad884c83258d2b96a23e0b2866d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
daf0c2d0e3a4423652bf953e6c16ea8e

SHA1
0020a48e555a1719d818e0bda1ee9ae39ea2ca7a

SHA256
3d1926f9a7687c1388e8bf1bad779de557e7a80f248477fc47b6139ac089b3b6

SHA512
8ce54a33e8be5abcb36bf46a7c83580e5f24cb32dd38850347a0aa390f3e398fad5abd113619e86eb10b8ae28b9432762c1ef777ade9e0c5e8883b8062b05931

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
1a727c112f4f98d0ea26891b835df984

SHA1
d45ca61b2af102ce692a1381a65fbf8171211334

SHA256
ffda98410bb01e2bc6e07ab67e0c6e32bc6af7121640294431bebe58ac332fee

SHA512
69e8f9a742506e7dc13f3a1802e0555ae2735022bdb39ba8f8a79151bf5b75ed5ae610cd45520a6ef8488f5980f5ebc38518c08dfbf73bb5174d5b6d4b160b1b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3972a30de1d1f04ea0d86871e04fc7b6

SHA1
29de33a8650af0209b4f253b38c512ee8d85c311

SHA256
df8d78e06734ddc7ed0b4005ef93bd5e76defda3f1c3d6cdfac37835b51d5b11

SHA512
f6ee0c105e7ffc3df92a209911703866f96410c39d191ecbf8cb1c558f5e6e79814ed976c12a930f5a9e54e159385c128963086cbbe092c31533a9c4726b79ca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
8dd585e558764f96fa3401a03992aa73

SHA1
3c601b42dea079d384f7c86cc579c12eed421898

SHA256
849b24bb8dba2ac9d3c7785ef3b9ced93d6993d89d1f58861f7053d22cd114ca

SHA512
553d17d390e478b7c7c53cad559bb0d8434242e13261c3bb192e4c50948380f4854d701a0549778625ddf9d5330ce25874e64f27e4a024a8af93d368331154b4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
74935db5eb43bf5414ae5906c1f8c4c1

SHA1
ea220b9008d32a69720f0cce24f559dba0abcdce

SHA256
51e2cc8f678fd687e3153966269e43e7d72787d4146279e0866dace049f2ac89

SHA512
827d608b7a518727fc57d87a5ca539e5ea1bed52256e5b92094fb47fbb05a9f0a4ec7becf2e4f23e6581c1e5303cbaf4e758507cab32f9dc0b2edc24d8958768

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c3443dbfb8166812129dd7e87969eb31

SHA1
fb325d2a6646bd28df5149deb04aedb7a5c47396

SHA256
a8fae32bd3adcb99ea750a56846b6dc57818219891cc9c7e1200c3b1767256ef

SHA512
f04f634fc4bd1d246b1ee9af6930b8484efde0567be22507dee62e066ae8c6250b6b2286237d27d3e1ca4726068f2800d1c0ba210c69bc0104bafcb0dfe6b0cf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b60cda84c26252baba4d69961f0f68c0

SHA1
6954f3a6b1dc079a43d10df3054d371a0ee63708

SHA256
9de2089f50ac43dda823a5657ef7ed53a95cfaa4c1958bb2c081536ea931d7e5

SHA512
b53bf8d0037b080225a010db3b005f2b0bfe96ba25e51a9653094212653b3f1981913ec14a5c342a5a240610a3924935a7b29d2f8cc5feae6b38e0c6618b2aa2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8cfbe982502e5e83089abd673691ee8d

SHA1
56a173401f578e22d8cff0adcbe9b9e68c4a3181

SHA256
0874cab28bebf3978f68d2928bdab643094af31754e853c6213ed12e3f3cc7e6

SHA512
d9fffe4d1278bc87476238f044c20c316ed4ecfba14f6ff46ec9d4bc435599bbacd0702c2f8eba5cea081c21ce2e9751963cd25c36f039203efa79ea1b9313eb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
acc7ed340a68531f9dd8447802512e00

SHA1
7077c016bbe6cf3e1a2088d378fbf109afbb2dbb

SHA256
a973da5e6592811b4b2d764d9da3968e7f749980a2071fe8a1ee58fb3b1d9dad

SHA512
784538d6c733ddbe52bbe071dcf72fe49869119fdc3046f7dd90bc65c981ecacc236926effa0c079d3ee790ccb6bf37275d2946b38dcb84e923f9ee4ad2236e1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
96a4502b0b3c0ce4af71ee53da155fb6

SHA1
bd50169c2eea2d653cf1e0c6cb1e3d223ce73da0

SHA256
4274db44e09ad347e026fc07a65b0e4cdb4d12ed5ace87c1c340e143e70d52c0

SHA512
33bd4496f5ddb34555fb00311bf4db2a44890ed4baee538c95fc3de95411248a896c6c39be74a5edd3280dd5626de00d2beceb57ad443039f61602fed855cb8d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
480123ed365a860a2e4cc9f4b145d34b

SHA1
4581096f50f861a42bd0f198fcb0588dc41da27b

SHA256
77242f3269a5e26d6b2e6373f38c976315ef61c3c664eff519863aa1b95070d7

SHA512
bdcd5d5263999c69468fb2b79f1010d54c9ccf717cb99d04f2e5a4a6b4fc6979d9f46c208978b5f3c713230c8507e69a3297c4f67fe97931de0f18898c726f90

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
5e7ad4ce605ee1df10960e343080fd9c

SHA1
4f1c065634dd7d55ae3d3af1a4635d6ca5dbd08e

SHA256
dc084911b622d780bb23622510bd6c02b30538efb84c52043f4c209a038924b0

SHA512
a30a80ca47c47cace37a8c3a010e9c8c63d27da592b5e7920ee4b0a923cf0dd44b4c3d1ed0fae8822291843d68daaaeaed2aa5bfe588ed12d15eefe1b9a8225a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
45d2af5fd5c7e3728690b535154bfdff

SHA1
d3b99c2f45c625bfd0ba7139faaa98ebfcb3913f

SHA256
7182acdef27d0813a70b62bad3f035a97744f7fb3382cd388649bf9090477cff

SHA512
2bfdd1b5872bfebfbfbc83df025e6260e8a97072047923690affbcde48d120a45f73fd28ce5f5ae2cf275032ac45352e772cbc74c46a9d9af3ed10cbdf351588

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
efa1a1575b36a32acc7a1996c148c405

SHA1
1cb01c01ae323d98b76702a5d361134566897d56

SHA256
5c20fb659eb0c2fc69a89cb1a279170266c603546e8691a8a4448b9261214d16

SHA512
d4d111f67d1e70379fdf6ddfa59e2e41fbf88a9927b948deebc2ef74abf5c8c42807efdaf40bac7634608fb9552d8713236f2f3ef859caeb44bc878462e3b14f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
ed6d8379639dcbdd6d8095e6ffc4e923

SHA1
2376c6a59698461303b995dc7b39f683544fa161

SHA256
5b163a35147be3b0e8b2a65e39591b3f2c935183ebbfdd30dfc83e63effaeffe

SHA512
16e062fc7ecfb877d0b0b07e96f0d318a7edf609b839d3b0402b64271fb13dbea63f0fa8fc7d2de40fcf00c3d285df66240fd288c78955fb1942221860276775

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
04ca190095545f7554dc59fcf0062773

SHA1
5664fffb505d47846e45b4ebb665b5cc0172171b

SHA256
45df906756a80c72d02f61a104950a030ab1bead8abfa69ea9326db764acb7ed

SHA512
f05f144131dd225c3a648045d68688b54e5b43d71934f18a182d2ba650b15522336df70b1a5a0b6d87b9b1b9eb86d083d184429987ff3cf37a09cb323f8fac61

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
1e524089e9ff0f0e216b1971735906f8

SHA1
d1bd6405fa0507c3c56cf876d34cedb2d4d7d1eb

SHA256
cec9c916a7b4e4fc63ad82f78ef52b61dd102ccbac159b3b12f4e2caa6b27fc3

SHA512
b440d14c0efd923a2ee13e1b094396f6b3372b890fabb9f543cae9ccd6745e26c9b386817e0e28d2e63eb8919bc8b27aaa5e5640e26ce5ac03fd55bf4e7b4e8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
13KB

MD5
54a23b4a9550ea8abd6a7a92ee07d185

SHA1
680071eac8796a7130caa54cb16e735a1eca558e

SHA256
8ca0e8d8c44c5cccdec94fd2790db9eeedcca57d488cf5c82cc80bc062fcd863

SHA512
e394f18427da7a15c214d855542b5adb6f35ba4ed4f85c3d8faa84ef16123a2e13cfd048ecd26da609aba20cfae7aa20c193f40a7469f4445a0f81933cf3366f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
12KB

MD5
f96a8071e90094c8b17fde6553c1973e

SHA1
27c31a29d96c76e7fc54dcf85a3c79bafebc5e44

SHA256
8cee10b6d75bbde0dc8cce483dae7e3d455ccd1ef932a48b36f68f0454d0525d

SHA512
54ae0271d729c9c125283829924c167dcc8da342730cceb143a60cd6b0df0df9ff3ccdfeaec173bb489069b8d8550df8918b5741858538fab3d6f68a80520782

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
11b40f667e8af749be64c08f41e67a28

SHA1
153af5973e60cf6ee63e2a884d619514c6ddd20b

SHA256
5c93188ba95e20849cd0ed1fd1b6bbfd19753ab046ba495734b365fddc0248ee

SHA512
4b6687b52d2f0a8d2359ac20b4336a6c45f6f9637be641de4bad45ad1d25f3dfe44763ab70534bfbc52d73e5d1f3f27f9c9b5cf6ca13fd2c3bd80a8ebef0ecdc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\datareporting\glean\pending_pings\06d6b10b-48aa-4721-b130-3dec1cc89346

Filesize
11KB

MD5
bd21884bfe197c4196f8e9de7e94f785

SHA1
fe198dae26ef86de1dcff090a5cefe27fef781f0

SHA256
2d194ac11643cb8793d1011263d4843372051b8437ba97734ba024124c372dfb

SHA512
a1eb567308cf7dad414509a624a3281924922ee650cc31671dcc1750e52ca7bd18752b6bf2066b314fd90eaa9bcb49f183bf5192654b9a60fe7f393b896a9beb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\datareporting\glean\pending_pings\bf3bb32c-10b0-41a2-8527-9a561b3fdf1f

Filesize
746B

MD5
1bb53d304bb2c5d9a624e71d5efc5245

SHA1
e274fd71e772aaa2dffcbc5fadc15cbb4dfd56cd

SHA256
c8921f3aa1cb39790728001bac328518745c5fd79851d1f0f964e8614a287436

SHA512
736d114a41f6a08bc57050de8534fc652ca868b9cc23d9f97ca5414751bb633e522200a8cc8d07f4475a0b4c927634d06f05750c4abb9b55862adc54938bc11e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\prefs-1.js

Filesize
6KB

MD5
4e0be1977c9d00fd8be066aa0a9e02b2

SHA1
373a4012750851980d0aca27406bd7afa00b2998

SHA256
4d32c832684906eceb9c0cbfdc6ce40b65d66f0b073c681a3b4895930e6ca288

SHA512
4f50966b139113b3f3b0e997112a322e61b2150e6375ac6f9e9a83bd8772057b6b4d3706ece0c3605e4ee410bb5014d1c179d88fa8091646c9322085b0c2e6bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\prefs-1.js

Filesize
7KB

MD5
4fcaf82656add4741aa3b47d8092ea21

SHA1
74da7ec984135bd759e5e1e308f6d1620f01cade

SHA256
467a340e2753cd920ee042b940660216307026cdb0f9717c045efa5cf17c96ad

SHA512
5ff1f694c93f8ed4fe7044152308cd140c8c9876c8264ccca4110535e6931efe4f4ad4b155f2be7da00b29d29fc22a8ab1cae74830eb3e5f74e3b86cd02f9004

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\prefs-1.js

Filesize
6KB

MD5
3105b202c3ccf02d2b66740903f24af2

SHA1
e78fdab399aa79c266fdb35af226f8dc39274ec2

SHA256
f219e7452638f46b8c5d471707f09f253c369aedc1069f3d37d10e4eb2e51155

SHA512
84b81b25a1c89f5e4522839a280a3f46b6c586a592a8e42f9138154adc78041a80a08c7f5f12af863447d3a166784e48786615c6f378de5f5420e97673e2f5f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
e7d3a55ae9636ca1d975b9e2d9499ff0

SHA1
2e3d1561dd0951ce969fec0d4e72bf75fd3faf89

SHA256
daa89659d8acb4f6b1edb17b266fbb98ecbebfda995de3f9c5ce48fa212631e1

SHA512
0d18caed6b731dee3dd15907cfd99df0bb9eba413c5efc68d55ce8dfdac6d2af576305556a3245dcc85e5570d3ddd9f3d4c2fbe9295799781501640ace09ed4e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
1028568962944c64c5774cbd027f3d54

SHA1
1af9bd241dfbc16f1c8194363d891ac71c68ef83

SHA256
5c5d3ecdd79e82f609f0729b30051d83cd428133d630eeef088b8a16e5d44243

SHA512
efaf4e5c67006e582272c391b7ae6f255ccc816c1a6ad090c4cc704b0cde113029d07070789c380800fc86bc3974e200ab4dafcb461ce5678cfa56c41d27c398

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
da41e45790e4d97e2027554d44a28001

SHA1
6ff0df54f268384cfdd9f3469e72c051596579ac

SHA256
bc25cef9e74096bd3fb00d6fa5694b138a3b1a0c2b31e064746f55528609974e

SHA512
84ac61b793aebf150346dead49d10539ecd88c92e3262bdb2ab9688d35647a27246daf7ec7c53775c6f10111bfc79fb8ec5279581d9c27f05b152e1472495628

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
3c6e2365cfdbfa8d39c6aac6efdd0437

SHA1
633d96a12c97ba5d5d5d1900b484e06aa74de270

SHA256
3b945ba35bcfdf2b012a02f3f1eb9d4fa3b3a997e33fd1e46e71ae94c0495c6f

SHA512
ac9a04562eb8de7819f23805a94215e97c173302d8b4732374d04349ef215d8923e6b74e97eb55078f0399fe7f99f06873835a3d59e901bdb022e6891508b7b1

Download Submit
C:\Users\Admin\Downloads\AnyDesk.exe

Filesize
5.1MB

MD5
863fa58aa1fe8a88626625b191d4722e

SHA1
e7fb4bf69be5ac4583c0c02e26a17bd3cdef4c02

SHA256
45126297c07c6ef56b51440cd0dc30acf7b3b938e2e9e656334886fe2f81f220

SHA512
ffd3bf831e8f0dc605706075a9763c68552f6560aa8660d7993e5156f64032fbc4ff6134fd333822e3090fb863cecff9e463316a8d9c3150152b73f8377aa2bd

Download Submit
C:\Users\Admin\Downloads\AnyDesk.zLFRATd7.exe.part

Filesize
32KB

MD5
a3bd5103babb6f17aac387b731e8b68f

SHA1
8be1011a82b87fbde1a251d875e6d4277c941265

SHA256
d95fca1f166fc6d10beb737893dd3f4dcd14a4b07384faae95b6eb39153f8370

SHA512
e9c06703d689e43c523f967b4c4f23a7cd83e274e3ff49e86dcca669afd650271f7ceace7819c582f09a13fda8c4bcdfca3347de579e68fc82f5ff45927623e6

Download Submit
memory/1232-894-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download
memory/1232-942-0x0000000000110000-0x0000000001855000-memory.dmp

Filesize
23.3MB

Download
memory/1232-975-0x0000000000110000-0x0000000001855000-memory.dmp

Filesize
23.3MB

Download
memory/1232-934-0x0000000000110000-0x0000000001855000-memory.dmp

Filesize
23.3MB

Download
memory/1232-928-0x0000000000110000-0x0000000001855000-memory.dmp

Filesize
23.3MB

Download
memory/1232-899-0x0000000005AC0000-0x0000000005AC1000-memory.dmp

Filesize
4KB

Download
memory/1232-914-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/1232-913-0x00000000059A0000-0x00000000059A1000-memory.dmp

Filesize
4KB

Download
memory/1232-900-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

Filesize
4KB

Download
memory/1232-902-0x0000000005AF0000-0x0000000005AF1000-memory.dmp

Filesize
4KB

Download
memory/1232-903-0x0000000005B00000-0x0000000005B01000-memory.dmp

Filesize
4KB

Download
memory/1232-907-0x0000000005B40000-0x0000000005B41000-memory.dmp

Filesize
4KB

Download
memory/1232-912-0x0000000005B90000-0x0000000005B91000-memory.dmp

Filesize
4KB

Download
memory/1232-911-0x0000000005B80000-0x0000000005B81000-memory.dmp

Filesize
4KB

Download
memory/1232-910-0x0000000005B70000-0x0000000005B71000-memory.dmp

Filesize
4KB

Download
memory/1232-909-0x0000000005B60000-0x0000000005B61000-memory.dmp

Filesize
4KB

Download
memory/1232-908-0x0000000005B50000-0x0000000005B51000-memory.dmp

Filesize
4KB

Download
memory/1232-882-0x0000000000110000-0x0000000001855000-memory.dmp

Filesize
23.3MB

Download
memory/1232-906-0x0000000005B30000-0x0000000005B31000-memory.dmp

Filesize
4KB

Download
memory/1232-887-0x0000000001E10000-0x0000000001E11000-memory.dmp

Filesize
4KB

Download
memory/1232-891-0x0000000005860000-0x0000000005861000-memory.dmp

Filesize
4KB

Download
memory/1232-892-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/1232-893-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download
memory/1232-895-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download
memory/1232-896-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/1232-897-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/1232-905-0x0000000005B20000-0x0000000005B21000-memory.dmp

Filesize
4KB

Download
memory/1232-898-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/1232-901-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

Filesize
4KB

Download
memory/1232-904-0x0000000005B10000-0x0000000005B11000-memory.dmp

Filesize
4KB

Download
memory/2720-6-0x00000170C3B70000-0x00000170C3B80000-memory.dmp

Filesize
64KB

Download
memory/2720-5-0x00007FFA26110000-0x00007FFA26BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2720-1-0x00000170C3C20000-0x00000170C3DE2000-memory.dmp

Filesize
1.8MB

Download
memory/2720-2-0x00007FFA26110000-0x00007FFA26BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2720-3-0x00000170C3B70000-0x00000170C3B80000-memory.dmp

Filesize
64KB

Download
memory/2720-4-0x00000170C4460000-0x00000170C4988000-memory.dmp

Filesize
5.2MB

Download
memory/2720-0-0x00000170A9520000-0x00000170A9538000-memory.dmp

Filesize
96KB

Download
memory/5136-1009-0x00000263F7E20000-0x00000263F7E21000-memory.dmp

Filesize
4KB

Download
memory/5136-998-0x00000263F7E20000-0x00000263F7E21000-memory.dmp

Filesize
4KB

Download
memory/5136-1003-0x00000263F7E20000-0x00000263F7E21000-memory.dmp

Filesize
4KB

Download
memory/5136-1004-0x00000263F7E20000-0x00000263F7E21000-memory.dmp

Filesize
4KB

Download
memory/5136-1005-0x00000263F7E20000-0x00000263F7E21000-memory.dmp

Filesize
4KB

Download
memory/5136-1006-0x00000263F7E20000-0x00000263F7E21000-memory.dmp

Filesize
4KB

Download
memory/5136-1007-0x00000263F7E20000-0x00000263F7E21000-memory.dmp

Filesize
4KB

Download
memory/5136-1008-0x00000263F7E20000-0x00000263F7E21000-memory.dmp

Filesize
4KB

Download
memory/5136-997-0x00000263F7E20000-0x00000263F7E21000-memory.dmp

Filesize
4KB

Download
memory/5136-999-0x00000263F7E20000-0x00000263F7E21000-memory.dmp

Filesize
4KB

Download
memory/5340-783-0x0000000000110000-0x0000000001855000-memory.dmp

Filesize
23.3MB

Download
memory/5340-545-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/5340-772-0x00000000071E0000-0x00000000071E1000-memory.dmp

Filesize
4KB

Download
memory/5340-526-0x00000000038F0000-0x00000000038F1000-memory.dmp

Filesize
4KB

Download
memory/5340-549-0x0000000005A40000-0x0000000005A41000-memory.dmp

Filesize
4KB

Download
memory/5340-521-0x0000000000110000-0x0000000001855000-memory.dmp

Filesize
23.3MB

Download
memory/5340-608-0x00000000071D0000-0x00000000071D1000-memory.dmp

Filesize
4KB

Download
memory/5340-519-0x0000000000110000-0x0000000001855000-memory.dmp

Filesize
23.3MB

Download
memory/5340-603-0x0000000008020000-0x0000000008021000-memory.dmp

Filesize
4KB

Download
memory/5500-925-0x0000000000110000-0x0000000001855000-memory.dmp

Filesize
23.3MB

Download
memory/5500-785-0x0000000000110000-0x0000000001855000-memory.dmp

Filesize
23.3MB

Download
memory/5500-944-0x0000000000110000-0x0000000001855000-memory.dmp

Filesize
23.3MB

Download
memory/5500-534-0x0000000000110000-0x0000000001855000-memory.dmp

Filesize
23.3MB

Download
memory/5500-1018-0x0000000000110000-0x0000000001855000-memory.dmp

Filesize
23.3MB

Download
memory/5500-555-0x0000000001E20000-0x0000000001E21000-memory.dmp

Filesize
4KB

Download
memory/5508-926-0x0000000000110000-0x0000000001855000-memory.dmp

Filesize
23.3MB

Download
memory/5508-786-0x0000000000110000-0x0000000001855000-memory.dmp

Filesize
23.3MB

Download
memory/5508-542-0x0000000000110000-0x0000000001855000-memory.dmp

Filesize
23.3MB

Download
memory/5508-535-0x0000000000110000-0x0000000001855000-memory.dmp

Filesize
23.3MB

Download
memory/5508-1019-0x0000000000110000-0x0000000001855000-memory.dmp

Filesize
23.3MB

Download
memory/5508-553-0x00000000038F0000-0x00000000038F1000-memory.dmp

Filesize
4KB

Download