Analysis

  • max time kernel
    219s
  • max time network
    216s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    25-05-2024 16:26

General

  • Target

    New Text Document.txt

  • Size

    24B

  • MD5

    91561aacb9fc2e708028dbaaa64de308

  • SHA1

    56b61342e3ff19c455b5f78b645a5c4402c1ea6f

  • SHA256

    6668bc4691a6691ad316b338a5829e7de3612765c50ebe4e63344bf177332721

  • SHA512

    1f3866af4a4f36ea8e367ebf9fd760cae9d27ac55fa1091de02ccf2436a304a0d3379b659d2c8ab616d6f18a0858c3eca5d11325d2ba8e6e208fc2f734831f89

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://museumtespaceorsp.shop/api

https://buttockdecarderwiso.shop/api

https://averageaattractiionsl.shop/api

https://femininiespywageg.shop/api

https://employhabragaomlsp.shop/api

https://stalfbaclcalorieeis.shop/api

https://civilianurinedtsraov.shop/api

https://roomabolishsnifftwk.shop/api
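The eight C2 URLs above are the actionable output of this report. The following is an added example (not part of the sandbox report and not code from the Lumma operators or the sandbox vendor) that turns that list into an exact-hostname matcher, runs it over a few constructed proxy-log lines, and emits a Suricata DNS rule per host. The log lines, the log format (timestamp, client, method, URL) and the Suricata SID range are assumptions made for the example; the hostnames are taken verbatim from the Malware Config section.

```python
"""Match the Lumma C2 hosts from the report against proxy logs and emit
Suricata DNS rules. Added example; sample log lines are constructed."""
from urllib.parse import urlparse

# C2 URLs exactly as extracted in the report's Malware Config section.
LUMMA_C2 = [
    "https://museumtespaceorsp.shop/api",
    "https://buttockdecarderwiso.shop/api",
    "https://averageaattractiionsl.shop/api",
    "https://femininiespywageg.shop/api",
    "https://employhabragaomlsp.shop/api",
    "https://stalfbaclcalorieeis.shop/api",
    "https://civilianurinedtsraov.shop/api",
    "https://roomabolishsnifftwk.shop/api",
]


def c2_hosts(urls):
    """Lowercase hostnames from the C2 URL list (urlparse lowercases .hostname)."""
    return {urlparse(u).hostname for u in urls}


# Constructed sample proxy log (not from the report): "timestamp client method url".
# Line 3 uses a different case, line 4 is a lookalike that must NOT match.
SAMPLE_PROXY_LOG = """\
2024-05-25T16:27:01Z 10.0.0.15 POST https://museumtespaceorsp.shop/api
2024-05-25T16:27:02Z 10.0.0.15 GET https://www.mozilla.org/en-US/firefox/
2024-05-25T16:27:05Z 10.0.0.22 POST https://BUTTOCKDECARDERWISO.shop/api
2024-05-25T16:27:09Z 10.0.0.22 GET https://roomabolishsnifftwk.shop.example.net/api
2024-05-25T16:27:11Z 10.0.0.31 POST https://stalfbaclcalorieeis.shop/api?x=1
"""


def find_c2_hits(log_text, hosts=None):
    """Return (timestamp, client, host) for each line whose URL host is an exact
    C2 host. Matching is on the parsed hostname, not a substring search, so a
    lookalike such as <c2>.example.net does not match."""
    hosts = hosts if hosts is not None else c2_hosts(LUMMA_C2)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip rather than guess
        ts, client, _method, url = parts[:4]
        host = urlparse(url).hostname
        if host and host in hosts:
            hits.append((ts, client, host))
    return hits


def suricata_dns_rule(host, sid):
    """One Suricata rule alerting on a DNS query for exactly this host.
    'endswith' anchors the match so sub-labels of other domains do not fire."""
    return (
        'alert dns any any -> any any (msg:"Lumma C2 DNS lookup %s"; '
        'dns.query; content:"%s"; nocase; endswith; '
        'classtype:trojan-activity; sid:%d; rev:1;)' % (host, host, sid)
    )


def suricata_ruleset(hosts, sid_start=9000001):
    """Rules for every host, SIDs assigned in sorted-host order (assumed range)."""
    return [suricata_dns_rule(h, sid_start + i) for i, h in enumerate(sorted(hosts))]


if __name__ == "__main__":
    for ts, client, host in find_c2_hits(SAMPLE_PROXY_LOG):
        print("C2 hit: %s %s -> %s" % (ts, client, host))
    print("\n".join(suricata_ruleset(c2_hosts(LUMMA_C2))))
```

Exact-hostname matching is deliberate: Lumma C2 domains are throwaway registrations, so substring or regex matching on fragments of them only adds false positives, while the `/api` path is common to every Lumma C2 and carries no signal on its own.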

Signatures

  • Lumma Stealer

    An infostealer written in C++, first seen in August 2022.

  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 44 IoCs
  • Drops file in Windows directory 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • NTFS ADS 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: SetClipboardViewer 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
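The signatures most worth acting on here are "Suspicious use of SetThreadContext" and "Suspicious use of WriteProcessMemory", which in the process list below line up with every Insomnia.exe instance spawning one or more RegAsm.exe children with no command-line arguments. That parent/child shape is consistent with hollowing a signed .NET host, a common Lumma loader technique, though the report itself only records the API use. The following is an added example (not from the report or the sandbox vendor) of a process-creation detector for that shape. The event dicts mimic Sysmon Event ID 1 fields and are constructed; the list of abused .NET hosts and the trusted-parent paths are assumptions, and RegAsm.exe is the only host actually observed in the report.

```python
"""Flag argument-less launches of signed .NET hosts from untrusted parents,
the parent/child shape seen as Insomnia.exe -> RegAsm.exe in the report.
Added example; events below are constructed, not taken from the report."""
import re

# Signed .NET hosts that do nothing useful without arguments and are commonly
# used as hollowing targets (assumed list; RegAsm.exe is the one in the report).
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe", "applaunch.exe"}

# Parent locations from which launching such a host is expected (assumed list).
TRUSTED_PARENT_PREFIXES = (
    "c:\\windows\\microsoft.net\\",
    "c:\\program files\\microsoft visual studio\\",
    "c:\\program files (x86)\\microsoft visual studio\\",
)

# First token is either a double-quoted path or a run of non-spaces; the rest is arguments.
_FIRST_TOKEN = re.compile(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', re.S)


def basename(path):
    """Lowercase final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_arguments(cmdline):
    """True when anything follows the executable token on the command line."""
    m = _FIRST_TOKEN.match(cmdline)
    return bool(m and m.group(1).strip())


def is_hollowing_candidate(ev):
    """Child is an abused .NET host, launched with no arguments, by a parent
    outside the trusted toolchain locations."""
    child = basename(ev["image"])
    parent = ev["parent_image"].lower()
    return (
        child in HOLLOW_HOSTS
        and not has_arguments(ev["cmdline"])
        and not parent.startswith(TRUSTED_PARENT_PREFIXES)
    )


def hollowing_candidates(events):
    """(parent_image, child_pid) for every event that matches the rule."""
    return [(ev["parent_image"], ev["pid"]) for ev in events if is_hollowing_candidate(ev)]


# Constructed process-creation events (Sysmon Event ID 1 style; not from the report).
REGASM = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
EVENTS = [
    # Mirrors the report's shape: user-profile binary spawns RegAsm.exe with no args.
    {"pid": 5004, "image": REGASM, "cmdline": '"%s"' % REGASM,
     "parent_image": "C:\\Users\\Admin\\Desktop\\Insomnia\\Insomnia.exe"},
    # Legitimate: Visual Studio registering a COM-visible assembly with arguments.
    {"pid": 6100, "image": REGASM,
     "cmdline": '"%s" /codebase C:\\build\\MyLib.dll' % REGASM,
     "parent_image": "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\devenv.exe"},
    # Unrelated browser launch from the shell: must not match.
    {"pid": 1376, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "cmdline": '"C:\\Program Files\\Mozilla Firefox\\firefox.exe"',
     "parent_image": "C:\\Windows\\explorer.exe"},
    # Unquoted image path, no arguments, dropper in %TEMP%: should match.
    {"pid": 6200, "image": REGASM, "cmdline": REGASM,
     "parent_image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\update.exe"},
]


if __name__ == "__main__":
    for parent, pid in hollowing_candidates(EVENTS):
        print("possible hollowed .NET host: pid %d spawned by %s" % (pid, parent))
```

The rule keys on the absence of arguments rather than on the parent name because the loader binary is renamed freely between campaigns while an argument-less RegAsm.exe has no legitimate purpose; pair it with the WriteProcessMemory/SetThreadContext telemetry (Sysmon Event ID 10 or an EDR equivalent) on the same parent to confirm before acting.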

Processes

  • C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\New Text Document.txt"
    1⤵
      PID:2456
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • NTFS ADS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1376
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1376.0.879002232\1864441663" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1676 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {298fe8ef-23aa-4164-a5a4-e5fa0ebd1d06} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" 1764 1b3c1bb6b58 gpu
          3⤵
            PID:4176
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1376.1.1602092645\1497421186" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a18fb154-bdd6-4fef-9c90-2414dc29aa6a} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" 2120 1b3b696f858 socket
            3⤵
              PID:220
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1376.2.1093486964\2073790665" -childID 1 -isForBrowser -prefsHandle 3020 -prefMapHandle 2828 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c18ea10e-dfd9-426c-b759-51149263bdb3} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" 2712 1b3c5a9f458 tab
              3⤵
                PID:4792
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1376.3.139370399\1247811031" -childID 2 -isForBrowser -prefsHandle 3456 -prefMapHandle 3452 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {089b125f-a1d1-428c-9d75-a6a370bc1699} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" 3468 1b3c6812858 tab
                3⤵
                  PID:4292
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1376.4.994785636\1387813223" -childID 3 -isForBrowser -prefsHandle 3960 -prefMapHandle 3956 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {18399ab2-6e40-4805-9896-ab767b456a10} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" 3972 1b3c41dfe58 tab
                  3⤵
                    PID:232
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1376.5.1673545831\902324264" -childID 4 -isForBrowser -prefsHandle 4516 -prefMapHandle 4500 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {658f3958-c1e0-4c23-8138-fe27a3d0bad3} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" 4552 1b3c41e0458 tab
                    3⤵
                      PID:2272
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1376.6.109747258\1223570093" -childID 5 -isForBrowser -prefsHandle 4904 -prefMapHandle 4908 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7eb10e55-32e5-4f54-b389-b88d09e74de9} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" 4900 1b3c7ccce58 tab
                      3⤵
                        PID:2440
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1376.7.830854621\1679214566" -childID 6 -isForBrowser -prefsHandle 5092 -prefMapHandle 5096 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f434e6f1-2b41-4003-9a75-76f70ec9e6eb} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" 5080 1b3c7ef2458 tab
                        3⤵
                          PID:2792
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1376.8.1361581615\1145923346" -childID 7 -isForBrowser -prefsHandle 5484 -prefMapHandle 5504 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {04581c3d-5f95-45a8-9d8d-57a878c90217} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" 5516 1b3b695be58 tab
                          3⤵
                            PID:2060
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1376.9.1026752147\1997710702" -childID 8 -isForBrowser -prefsHandle 5644 -prefMapHandle 5640 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ffd17a7-2118-4df3-96ca-8cbfc7a3101b} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" 5768 1b3c9873858 tab
                            3⤵
                              PID:396
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1376.10.857247456\1359565228" -childID 9 -isForBrowser -prefsHandle 4920 -prefMapHandle 4488 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea7629da-6bf1-4209-80c6-4f9cac8b58f3} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" 3752 1b3c78d3558 tab
                              3⤵
                                PID:2496
                          • C:\Windows\System32\rundll32.exe
                            C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                            1⤵
                              PID:4340
                            • C:\Windows\system32\mmc.exe
                              "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
                              1⤵
                              • Drops file in System32 directory
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of SetWindowsHookEx
                              PID:4596
                            • C:\Windows\system32\taskmgr.exe
                              "C:\Windows\system32\taskmgr.exe" /4
                              1⤵
                              • Drops file in Windows directory
                              • Checks SCSI registry key(s)
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              PID:420
                            • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                              "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                              1⤵
                              • Suspicious use of SetThreadContext
                              PID:3132
                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                2⤵
                                  PID:5004
                              • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                1⤵
                                • Suspicious use of SetThreadContext
                                PID:444
                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                  2⤵
                                    PID:1080
                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                    2⤵
                                      PID:4172
                                  • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                    "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                    1⤵
                                    • Suspicious use of SetThreadContext
                                    PID:2432
                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                      2⤵
                                        PID:912
                                    • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                      "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                      1⤵
                                      • Suspicious use of SetThreadContext
                                      PID:3164
                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                        2⤵
                                          PID:3168
                                      • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                        "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                        1⤵
                                        • Suspicious use of SetThreadContext
                                        PID:4804
                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                          2⤵
                                            PID:4424
                                        • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                          "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                          1⤵
                                          • Suspicious use of SetThreadContext
                                          PID:2832
                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                            2⤵
                                              PID:2288
                                          • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                            "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                            1⤵
                                            • Suspicious use of SetThreadContext
                                            PID:2704
                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                              2⤵
                                                PID:3164
                                            • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                              "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                              1⤵
                                              • Suspicious use of SetThreadContext
                                              PID:1852
                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                2⤵
                                                  PID:4504
                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                  2⤵
                                                    PID:2168
                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                    2⤵
                                                      PID:3940
                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                      2⤵
                                                        PID:2380
                                                    • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                      "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                      1⤵
                                                      • Suspicious use of SetThreadContext
                                                      PID:4804
                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                        2⤵
                                                          PID:5188
                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                          2⤵
                                                            PID:5248
                                                        • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                          "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                          1⤵
                                                          • Suspicious use of SetThreadContext
                                                          PID:2832
                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                            2⤵
                                                              PID:5384
                                                          • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                            "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                            1⤵
                                                            • Suspicious use of SetThreadContext
                                                            PID:4196
                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                              2⤵
                                                                PID:5256
                                                            • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                              "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                              1⤵
                                                              • Suspicious use of SetThreadContext
                                                              PID:5152
                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                2⤵
                                                                  PID:5412
                                                              • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                                "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                                1⤵
                                                                • Suspicious use of SetThreadContext
                                                                PID:5240
                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                  2⤵
                                                                    PID:5424
                                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                    2⤵
                                                                      PID:5472
                                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                      2⤵
                                                                        PID:5552
                                                                    • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                                      "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                                      1⤵
                                                                      • Suspicious use of SetThreadContext
                                                                      PID:5276
                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                        2⤵
                                                                          PID:5636
                                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                          2⤵
                                                                            PID:5704
                                                                        • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                                          "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                                          1⤵
                                                                          • Suspicious use of SetThreadContext
                                                                          PID:5288
                                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                            2⤵
                                                                              PID:5664
                                                                          • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                                            "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                                            1⤵
                                                                            • Suspicious use of SetThreadContext
                                                                            PID:5324
                                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                              2⤵
                                                                                PID:5624
                                                                            • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                                              "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                                              1⤵
                                                                              • Suspicious use of SetThreadContext
                                                                              PID:5352
                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                2⤵
                                                                                  PID:5644
                                                                              • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                                                "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                                                1⤵
                                                                                • Suspicious use of SetThreadContext
                                                                                PID:5400
                                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                  2⤵
                                                                                    PID:5744
                                                                                • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                                                  "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                                                  1⤵
                                                                                  • Suspicious use of SetThreadContext
                                                                                  PID:5460
                                                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                    2⤵
                                                                                      PID:5828
                                                                                  • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                                                    "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                                                    1⤵
                                                                                    • Suspicious use of SetThreadContext
                                                                                    PID:5488
                                                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                      2⤵
                                                                                        PID:5868
                                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                        2⤵
                                                                                          PID:5960
                                                                                      • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                                                        "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                                                        1⤵
                                                                                        • Suspicious use of SetThreadContext
                                                                                        PID:5496
                                                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                          2⤵
                                                                                            PID:5860
                                                                                        • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                                                          "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                                                          1⤵
                                                                                          • Suspicious use of SetThreadContext
                                                                                          PID:5516
                                                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                            2⤵
                                                                                              PID:5788
                                                                                          • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                                                            "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                                                            1⤵
                                                                                            • Suspicious use of SetThreadContext
                                                                                            PID:5584
                                                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                              2⤵
                                                                                                PID:5996
                                                                                            • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                                                              "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                                                              1⤵
                                                                                              • Suspicious use of SetThreadContext
                                                                                              PID:6068
                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                2⤵
                                                                                                  PID:4340
                                                                                              • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                                                                "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                                                                1⤵
                                                                                                • Suspicious use of SetThreadContext
                                                                                                PID:1852
                                                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                  2⤵
                                                                                                    PID:5212
                                                                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                    2⤵
                                                                                                      PID:5232
                                                                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                      2⤵
                                                                                                        PID:5268
                                                                                                    • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                                                                      "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                                                                      1⤵
                                                                                                      • Suspicious use of SetThreadContext
                                                                                                      PID:5116
                                                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                        2⤵
                                                                                                          PID:5164
                                                                                                      • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                                                                        "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                                                                        1⤵
                                                                                                        • Suspicious use of SetThreadContext
                                                                                                        PID:5244
                                                                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                          2⤵
                                                                                                            PID:5564
                                                                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                            2⤵
                                                                                                              PID:5620
                                                                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                              2⤵
                                                                                                                PID:5444
                                                                                                            • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                                                                              "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                                                                              1⤵
                                                                                                              • Suspicious use of SetThreadContext
                                                                                                              PID:5580
                                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                2⤵
                                                                                                                  PID:5616
                                                                                                              • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                                                                                "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                                                                                1⤵
                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                PID:5524
                                                                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                  2⤵
                                                                                                                    PID:5288
                                                                                                                • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                                                                                  "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                                                                                  1⤵
                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                  PID:5700
                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                    2⤵
                                                                                                                      PID:5736
                                                                                                                  • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                                                                                    "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                                                                                    1⤵
                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                    PID:5660
                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                      2⤵
                                                                                                                        PID:5716
                                                                                                                    • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                                                                                      "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                                                                                      1⤵
                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                      PID:5884
                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                        2⤵
                                                                                                                          PID:5952
                                                                                                                      • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                                                                                        "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                                                                                        1⤵
                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                        PID:5492
                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                          2⤵
                                                                                                                            PID:5976
                                                                                                                        • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                                                                                          "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                                                                                          1⤵
                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                          PID:5912
                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                            2⤵
                                                                                                                              PID:6080
                                                                                                                          • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                                                                                            "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                                                                                            1⤵
                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                            PID:5208
                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                              2⤵
                                                                                                                                PID:5192
                                                                                                                            • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                                                                                              "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                                                                                              1⤵
                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                              PID:5216
                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                                2⤵
                                                                                                                                  PID:5376
                                                                                                                              • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                                                                                                "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                                                                                                1⤵
                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                PID:5676
                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                                  2⤵
                                                                                                                                    PID:5688
                                                                                                                                • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                                                                                                  "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                                                                                                  1⤵
                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                  PID:5548
                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                                    2⤵
                                                                                                                                      PID:5352
                                                                                                                                  • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                                                                                                    "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                                                                                                    1⤵
                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                    PID:5692
                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                                      2⤵
                                                                                                                                        PID:5868
                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                                        2⤵
                                                                                                                                          PID:5936
                                                                                                                                      • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                                                                                                        "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                                                                                                        1⤵
                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                        PID:5872
                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                                          2⤵
                                                                                                                                            PID:6028
                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                                            2⤵
                                                                                                                                              PID:96
                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                                              2⤵
                                                                                                                                                PID:5228
                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                                                2⤵
                                                                                                                                                  PID:5308
                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                                                  2⤵
                                                                                                                                                    PID:5152
                                                                                                                                                • C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
                                                                                                                                                  "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
                                                                                                                                                  1⤵
  • Suspicious use of SetThreadContext
  PID:5608
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    2⤵
      PID:5564
• C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
  "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
  1⤵
  • Suspicious use of SetThreadContext
  PID:5676
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    2⤵
      PID:1256
• C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
  "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
  1⤵
  • Suspicious use of SetThreadContext
  PID:5904
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    2⤵
      PID:5596
• C:\Users\Admin\Desktop\Insomnia\Insomnia.exe
  "C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
  1⤵
  • Suspicious use of SetThreadContext
  PID:788
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    2⤵
      PID:5576
• C:\Windows\system32\mmc.exe
  "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
  1⤵
  • Drops file in System32 directory
  • Suspicious behavior: GetForegroundWindowSpam
  • Suspicious behavior: SetClipboardViewer
  • Suspicious use of SetWindowsHookEx
  PID:6384
• C:\Windows\system32\mmc.exe
  "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
  1⤵
  • Drops file in System32 directory
  • Suspicious behavior: GetForegroundWindowSpam
  • Suspicious behavior: SetClipboardViewer
  • Suspicious use of SetWindowsHookEx
  PID:6920
• C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  1⤵
  • Modifies registry class
  • Suspicious use of SetWindowsHookEx
  PID:5772
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Insomnia\Themes\Insomnia.json
    2⤵
    • Opens file in notepad (likely ransom note)
    PID:1096

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\mmc.exe.log
  Filesize: 1KB
  MD5: ca52aa53b6dc75b565896128eed64ae4
  SHA1: 2348a96b879c03a785e56379abfec1fb9bdbb6ac
  SHA256: 3b47c96e926dc843f5b52e8d88ab3fa80f4d4689f217c5e8e07ccd7d26ef005c
  SHA512: 653ab06fb2a81fd297a438aa22f0eccaea78a500d360d94fa62b2a75075b47263f76eb0ddc4494591c80a4f5d8e5ece38734290924ca47ca0b692a3be7d69a94

• C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cache2\entries\16FC9DCFDAE3F84629A75E7FC24C2D2BD5E10A6A
  Filesize: 15KB
  MD5: b50ba5d642824c12fad56aa46b02ccb4
  SHA1: 1eaf2656f32ac8a4eed8b2feaed2bc524a5f69af
  SHA256: f32d0851ce5fb9b4bd23dc057158670bc059cb9c49466d3a36a43e936441b8f4
  SHA512: 4a406a0b465697afd2e2d71b8aeba799367b670ee0fc2df25816e2f8d687fdeeab279da5b2516467f7d288425cc444a84328884b0196e76143ca9c1dc99a5e75

• C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
  Filesize: 7KB
  MD5: c460716b62456449360b23cf5663f275
  SHA1: 06573a83d88286153066bae7062cc9300e567d92
  SHA256: 0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0
  SHA512: 476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

• C:\Users\Admin\AppData\Local\Temp\tmpaddon
  Filesize: 442KB
  MD5: 85430baed3398695717b0263807cf97c
  SHA1: fffbee923cea216f50fce5d54219a188a5100f41
  SHA256: a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
  SHA512: 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

• C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
  Filesize: 8.0MB
  MD5: a01c5ecd6108350ae23d2cddf0e77c17
  SHA1: c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
  SHA256: 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
  SHA512: b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

• C:\Users\Admin\AppData\Roaming\Microsoft\MMC\taskschd
  Filesize: 141KB
  MD5: 9048685615ad760b4f9b63d376161515
  SHA1: a4a6ce977bcbfe363fefe07fa799a8887c49287a
  SHA256: 15ef6191e18d72a490c3ccb3d4845cd253c0d727690d7fb3b96bd7e5da7c1db8
  SHA512: 7058423ae9b7b0a106057dd51e5158dae395a3dbfd46fe59e8744877723edcc953a5cee77500f86efaf71fa3e81071da0b086a81a4d1cbea8a65c4f6275b2e20

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 2KB
  MD5: 0e02fe88f7e951adb6a05114461e6f36
  SHA1: f90b30df8ca363d1562cad7cb1e70eb036653676
  SHA256: 432c6b7f51e4ee12fbe5451d9d1e31af349110b7105b0628cce53615f2415a03
  SHA512: 690840fb3c18cb1dcb96a59524d7249726a272e1fb0b2ab875413c0ad9ac2cc58688bb92fb53afb8b49141c0e3955fd197e15c8f47489ff3abff1eeb4b07a256

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\pending_pings\abbc7540-50c5-4783-8cfa-e568e0d978a4
  Filesize: 746B
  MD5: 30510b02e99c62f8cf2cb9fc329e0593
  SHA1: 51f00e28bb2e32c943f376b0bcc48a1ad68bf96e
  SHA256: 14da09cea431d67fa6bcf37e885d61d3a1eab97bb9a3ee408d8d6a5dfcdea873
  SHA512: 4c05c1fb6651ff7616fcd3275a2adbb73b965c63b8adad2b0c0cca6f58748d91f9836dbece8a2ab8d6674ec29695fa77dd1000034c79a64bc8ef9fac32f429e7

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\pending_pings\b2342834-33bc-4dcd-bb8e-3a251471d157
  Filesize: 10KB
  MD5: 95eaca144ba4ee867fdf1a5126e3f6a1
  SHA1: cb9c102eee71913adda4a0a6f176e3c9ec48323a
  SHA256: 31d7c4d16ebd5c876a0c0b6ec52bfdb1e209cb9b28dc8e1100f9f469efa6a2e8
  SHA512: a5ec6ab5cf9ed398025b070c641cabe85374023f30e165e59f7b03e0b49cf694c916e5f258f2f6393a8b29279cad53f8e5d33401ae75d10110a1d348ebcaebbd

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
  Filesize: 997KB
  MD5: fe3355639648c417e8307c6d051e3e37
  SHA1: f54602d4b4778da21bc97c7238fc66aa68c8ee34
  SHA256: 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
  SHA512: 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
  Filesize: 116B
  MD5: 3d33cdc0b3d281e67dd52e14435dd04f
  SHA1: 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
  SHA256: f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
  SHA512: a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
  Filesize: 479B
  MD5: 49ddb419d96dceb9069018535fb2e2fc
  SHA1: 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                                                                                                                                                          SHA256

                                                                                                                                                          2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                                                                                                                                                          SHA512

                                                                                                                                                          48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

                                                                                                                                                          Filesize

                                                                                                                                                          372B

                                                                                                                                                          MD5

                                                                                                                                                          8be33af717bb1b67fbd61c3f4b807e9e

                                                                                                                                                          SHA1

                                                                                                                                                          7cf17656d174d951957ff36810e874a134dd49e0

                                                                                                                                                          SHA256

                                                                                                                                                          e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                                                                                                                                                          SHA512

                                                                                                                                                          6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

                                                                                                                                                          Filesize

                                                                                                                                                          11.8MB

                                                                                                                                                          MD5

                                                                                                                                                          33bf7b0439480effb9fb212efce87b13

                                                                                                                                                          SHA1

                                                                                                                                                          cee50f2745edc6dc291887b6075ca64d716f495a

                                                                                                                                                          SHA256

                                                                                                                                                          8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                                                                                                                                                          SHA512

                                                                                                                                                          d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

                                                                                                                                                          Filesize

                                                                                                                                                          1KB

                                                                                                                                                          MD5

                                                                                                                                                          688bed3676d2104e7f17ae1cd2c59404

                                                                                                                                                          SHA1

                                                                                                                                                          952b2cdf783ac72fcb98338723e9afd38d47ad8e

                                                                                                                                                          SHA256

                                                                                                                                                          33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                                                                                                                                                          SHA512

                                                                                                                                                          7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

                                                                                                                                                          Filesize

                                                                                                                                                          1KB

                                                                                                                                                          MD5

                                                                                                                                                          937326fead5fd401f6cca9118bd9ade9

                                                                                                                                                          SHA1

                                                                                                                                                          4526a57d4ae14ed29b37632c72aef3c408189d91

                                                                                                                                                          SHA256

                                                                                                                                                          68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                                                                                                                                                          SHA512

                                                                                                                                                          b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs-1.js

                                                                                                                                                          Filesize

                                                                                                                                                          7KB

                                                                                                                                                          MD5

                                                                                                                                                          5e418b84f110e68561b58323fb3ff238

                                                                                                                                                          SHA1

                                                                                                                                                          c641317cd3cb259b4738a0940a852880f35a75b1

                                                                                                                                                          SHA256

                                                                                                                                                          05d9f1d4c528407a53245288d8cf2a752db6a398675f710a4398569b1241c8d7

                                                                                                                                                          SHA512

                                                                                                                                                          2461ce3a31b8d771ab4ba978b05d9dadde3ca477aad7f38118ff65407b2b8d8178235382978b82d6d3ac85697f4afeea217c1556d92e41a797d3bdee4fd63de1

                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs-1.js

                                                                                                                                                          Filesize

                                                                                                                                                          7KB

                                                                                                                                                          MD5

                                                                                                                                                          73e45e4fdf02cfd9ee940374c1c7529a

                                                                                                                                                          SHA1

                                                                                                                                                          7cbdfc48f2318ec41b6368acfad4e54551c74680

                                                                                                                                                          SHA256

                                                                                                                                                          791b354e89f6c7c96547295c87af8b3c6e1d3b1eb33e09db61c59541aded1b68

                                                                                                                                                          SHA512

                                                                                                                                                          77b1efc8102a0ab7c8994eed09f4427d53c3e4e8056a98718ac83cefd5f6f275f058700c6e62b11748c1259a2bcb1136c63d9276c570ce5c38899c90b001181a

                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs-1.js

                                                                                                                                                          Filesize

                                                                                                                                                          6KB

                                                                                                                                                          MD5

                                                                                                                                                          3bc240d2cc7e4e957823d233a23e2584

                                                                                                                                                          SHA1

                                                                                                                                                          7c8f81f2b1c26fb1c96cc43a7528ad554dc10a78

                                                                                                                                                          SHA256

                                                                                                                                                          da90b7dcb8febabde63d0dc30e91baa31a83c4ff516ab94205b306a312c19a3c

                                                                                                                                                          SHA512

                                                                                                                                                          ac4537ee5b8b25f232eb2b7dd89dfdeb48d66cf6dd86dc8ac61c26fa9174ab4d1227db44b56f23604833618c43ba7914128fedf9750fa0e839eac10782d25163

                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs-1.js

                                                                                                                                                          Filesize

                                                                                                                                                          6KB

                                                                                                                                                          MD5

                                                                                                                                                          c9bda9a9c86979d093c0b92ed2ce2c88

                                                                                                                                                          SHA1

                                                                                                                                                          7fedf8956b6a50969529ed56a7bbdcc71d683336

                                                                                                                                                          SHA256

                                                                                                                                                          6c105230842b332b3e67edb0accedd65e58cfc2e5b698a282fa607d8a3892183

                                                                                                                                                          SHA512

                                                                                                                                                          f5e5152283f1dd9f82a74d66491acfef293857e877a137e249bded670bcbcb9a5eabb1ba994fe3e378b2321e54d507b9cacc9f1cee62618139236ae62297ac81

                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs.js

                                                                                                                                                          Filesize

                                                                                                                                                          7KB

                                                                                                                                                          MD5

                                                                                                                                                          357fb8260fcacb513dae5fd704990192

                                                                                                                                                          SHA1

                                                                                                                                                          31d72dccf9572789ed104ff2558bc41541298013

                                                                                                                                                          SHA256

                                                                                                                                                          e53ee6d1e697cc655fff6e368627f59e33ed993e3634536175928354ffff2276

                                                                                                                                                          SHA512

                                                                                                                                                          629f374c5f7dca969bf2db1d86965ef36922d33769e6d8f572fd417f04198511e006a4a5e466b330b1073ec03ade3df107f458127160e13589968b0d8f3da0e9

                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs.js

                                                                                                                                                          Filesize

                                                                                                                                                          6KB

                                                                                                                                                          MD5

                                                                                                                                                          86a095355036624a389abf02117afc56

                                                                                                                                                          SHA1

                                                                                                                                                          b4f3c72ef947e2ee02176ee4e726e451ac974308

                                                                                                                                                          SHA256

                                                                                                                                                          2caa183b5cf94ec8b2035d303b0e6f15de8a43e11bb3db3609088c26a7f36733

                                                                                                                                                          SHA512

                                                                                                                                                          4e915d71c31c4caa5df98204e1275c25f24b29dad9061d6afcb03e5cd91d82931214b1d99a4911a6c85b035f1619ba5ace0e3bdd204c3bfbc5eb75ce5fda0c67

                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4

                                                                                                                                                          Filesize

                                                                                                                                                          7KB

                                                                                                                                                          MD5

                                                                                                                                                          7c91e45f5ecad99885347c36d2b52806

                                                                                                                                                          SHA1

                                                                                                                                                          e0720cd8f17c0d7467f1db5efca300d0700fe892

                                                                                                                                                          SHA256

                                                                                                                                                          c4161a2d1791d2a722a94ee66d2d62ea784956b0f1eefdbf4fc64212a41848b3

                                                                                                                                                          SHA512

                                                                                                                                                          49d96add42cd5b5a2e6436080e1546e66f9ddbe23c295102e7d50db7cadd425f1397a7c43bc7c78148f4c5ae6618b918d92a96e76b1b3b0f862b9132005f8dd9

                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4

                                                                                                                                                          Filesize

                                                                                                                                                          1KB

                                                                                                                                                          MD5

                                                                                                                                                          439d98f1b9629a4ce41ba6da687d9492

                                                                                                                                                          SHA1

                                                                                                                                                          c61e838cd19d107607a370c16b545385a83361fc

                                                                                                                                                          SHA256

                                                                                                                                                          fbc489e8d6c2a0e5b760525bff150d588a56f3a45ee3cca4e92612687e024481

                                                                                                                                                          SHA512

                                                                                                                                                          86380221701541bf54a5f170963342889430e9e9d7c2b27c56555ea4139839e44dbd7bda397ddcc36522fd3ca6cb93f97463078d4050b11b6a381def02bc3e37

                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4

                                                                                                                                                          Filesize

                                                                                                                                                          6KB

                                                                                                                                                          MD5

                                                                                                                                                          d27780968cda22d3d849fa8e23d3cdf8

                                                                                                                                                          SHA1

                                                                                                                                                          8b237b126027826cac12f6947dc085824a1d6616

                                                                                                                                                          SHA256

                                                                                                                                                          aea3efe91b7faf7604dea7f2ac70948a9fdd7495311d8b8c4d505073339d0d20

  SHA512: 812d2feac1df82736a2d16b6bf3a938c129a40788154d5fe47391a6160b5400788ca3c41711d14201421f1db2ea63bad59a83f2dfed09df5db9411a6e097a0c3

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 7KB
  MD5: eac10ddcbe016fcfa76ee64ef45fe72d
  SHA1: d0c050c826bd7857035c7e6c20e57b0bfcd248db
  SHA256: 2fededbf236aa4c6b202f07ed55592eb8f8a64594fddd7952cc67d569cca893d
  SHA512: bbe14511ca66a30cc1314fc71688d1e5704ca5d71b6674a9989bbae57f4d946ed2eeae5b880ae01f1a536bd0c0990f1a7a2b713076870bf5172bc2abb33053e3

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 7KB
  MD5: a5c6771eb3e74469c5867af85e346c6d
  SHA1: d48bc3f37099f126db890a84d89ea9b0772c63d6
  SHA256: 4d5609f371089b18ad7926aba6901a01eda673e7643fd3bf3003e8effc76ed6e
  SHA512: 70b937121cece9d401ca43e9b7a48fea7d1f44c67fd267bb56372ac853c4b735afd88024369bbbb820f5e9ec244b9756ab09f546b41c5483a51945af87aacbe3

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
  Filesize: 184KB
  MD5: 637e42544bf4e4e5c858d87fceb302a2
  SHA1: 1d747ea0d89437cd39d02c76ed70df3b7c505ee1
  SHA256: 5a519846989ec4eed303d9fe8b5554410b502177bb6b4199c6cf25290a4913c2
  SHA512: bde691d8015773707c4445155ba1ad419033c335bb11ca325b9c249e8aed83fefd096bab28806213ad368508e2a5be362c4a5a8038dae40246a8bf0a246cb8cb

• C:\Users\Admin\Downloads\Insomnia.XpE1jcZF.zip.part
  Filesize: 385KB
  MD5: feebd99c1391865bf83ff4d5ee6559c3
  SHA1: c527f1e92dcf14dc1905b659b0cae3c305be2e20
  SHA256: 6280581909b1e41fe0130ed982b8cceca1ccc4f16d293983790a0497c2f2a24e
  SHA512: 790fe81dbc88e7284447de6caa0c776434922301dc96f5147be3d9b14640660a0de9e057f47d86d0d6b7801d6693ceb06ee73a4a670c7ce91dfb681bad12b001

• memory/444-495-0x00000000005C0000-0x00000000005C1000-memory.dmp
  Filesize: 4KB

• memory/1852-520-0x0000000000FB0000-0x0000000000FB1000-memory.dmp
  Filesize: 4KB

• memory/2432-499-0x0000000000E30000-0x0000000000E31000-memory.dmp
  Filesize: 4KB

• memory/2704-516-0x0000000000090000-0x0000000000091000-memory.dmp
  Filesize: 4KB

• memory/2832-511-0x00000000004D0000-0x00000000004D1000-memory.dmp
  Filesize: 4KB

• memory/2832-538-0x0000000000680000-0x0000000000681000-memory.dmp
  Filesize: 4KB

• memory/3132-489-0x0000000000180000-0x0000000000181000-memory.dmp
  Filesize: 4KB

• memory/3132-491-0x0000000000180000-0x0000000000181000-memory.dmp
  Filesize: 4KB

• memory/3164-503-0x00000000009C0000-0x00000000009C1000-memory.dmp
  Filesize: 4KB

• memory/4196-533-0x0000000000A40000-0x0000000000A41000-memory.dmp
  Filesize: 4KB

• memory/4804-507-0x0000000000220000-0x0000000000221000-memory.dmp
  Filesize: 4KB

• memory/4804-529-0x0000000000400000-0x0000000000401000-memory.dmp
  Filesize: 4KB

• memory/5004-492-0x0000000000400000-0x0000000000454000-memory.dmp
  Filesize: 336KB

• memory/5004-490-0x0000000000400000-0x0000000000454000-memory.dmp
  Filesize: 336KB

• memory/5152-540-0x0000000000710000-0x0000000000711000-memory.dmp
  Filesize: 4KB

• memory/5240-553-0x00000000000C0000-0x00000000000C1000-memory.dmp
  Filesize: 4KB

• memory/5288-562-0x0000000000810000-0x0000000000811000-memory.dmp
  Filesize: 4KB

• memory/5324-557-0x00000000005F0000-0x00000000005F1000-memory.dmp
  Filesize: 4KB

• memory/5352-560-0x0000000000630000-0x0000000000631000-memory.dmp
  Filesize: 4KB
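The memory dump names above follow the pattern memory/<pid>-<n>-<start>-<end>-memory.dmp, so the listed Filesize can be cross-checked against the address range, and the one region that is not a single 4KB page (PID 5004, 0x400000-0x454000, 336KB, captured twice) stands out as the first thing to carve and scan. The Python below is an added example, not part of the sandbox report or its tooling: it parses those names, verifies that the range agrees with the stated size, de-duplicates repeated snapshots of the same region, and flags regions larger than one page. The sample listing is copied from the entries above; treating the second number as a capture sequence counter is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample input: the memory dump names listed in the report above.
MEMORY_DUMPS = """
memory/444-495-0x00000000005C0000-0x00000000005C1000-memory.dmp
memory/1852-520-0x0000000000FB0000-0x0000000000FB1000-memory.dmp
memory/2432-499-0x0000000000E30000-0x0000000000E31000-memory.dmp
memory/2704-516-0x0000000000090000-0x0000000000091000-memory.dmp
memory/2832-511-0x00000000004D0000-0x00000000004D1000-memory.dmp
memory/2832-538-0x0000000000680000-0x0000000000681000-memory.dmp
memory/3132-489-0x0000000000180000-0x0000000000181000-memory.dmp
memory/3132-491-0x0000000000180000-0x0000000000181000-memory.dmp
memory/3164-503-0x00000000009C0000-0x00000000009C1000-memory.dmp
memory/4196-533-0x0000000000A40000-0x0000000000A41000-memory.dmp
memory/4804-507-0x0000000000220000-0x0000000000221000-memory.dmp
memory/4804-529-0x0000000000400000-0x0000000000401000-memory.dmp
memory/5004-492-0x0000000000400000-0x0000000000454000-memory.dmp
memory/5004-490-0x0000000000400000-0x0000000000454000-memory.dmp
memory/5152-540-0x0000000000710000-0x0000000000711000-memory.dmp
memory/5240-553-0x00000000000C0000-0x00000000000C1000-memory.dmp
memory/5288-562-0x0000000000810000-0x0000000000811000-memory.dmp
memory/5324-557-0x00000000005F0000-0x00000000005F1000-memory.dmp
memory/5352-560-0x0000000000630000-0x0000000000631000-memory.dmp
"""

PAGE = 0x1000  # x86/x64 page size; every region in the report is page-aligned

# memory/<pid>-<seq>-<start>-<end>-memory.dmp
# "seq" is assumed to be the sandbox's capture sequence counter.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split one dump name into pid, seq, start, end and the byte size of the region."""
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start or start % PAGE or end % PAGE:
        raise ValueError(f"malformed region in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def size_label(nbytes):
    """Render a byte count the way the report's Filesize field does (whole KB)."""
    return f"{nbytes // 1024}KB"


def size_matches(name, listed_size):
    """Check that the range in the dump name agrees with the report's Filesize."""
    return size_label(parse_dump_name(name)["size"]) == listed_size


def triage(listing, min_size=2 * PAGE):
    """Group dumps by PID, drop repeated captures of the same range, and return
    (by_pid, candidates) where candidates are regions of at least min_size bytes:
    the multi-page regions are where an unpacked image or injected payload would be."""
    by_pid = defaultdict(list)
    for line in listing.splitlines():
        if line.strip():
            rec = parse_dump_name(line)
            by_pid[rec["pid"]].append(rec)
    candidates = []
    for pid, regions in by_pid.items():
        seen = set()
        for r in sorted(regions, key=lambda r: r["seq"]):
            key = (r["start"], r["end"])
            if key in seen:
                continue  # same range captured again later; keep the first snapshot
            seen.add(key)
            if r["size"] >= min_size:
                candidates.append(r)
    return by_pid, candidates


if __name__ == "__main__":
    by_pid, candidates = triage(MEMORY_DUMPS)
    print(f"{len(by_pid)} processes dumped")
    for r in candidates:
        print(f"carve first: pid {r['pid']} 0x{r['start']:X}-0x{r['end']:X} "
              f"({size_label(r['size'])}, seq {r['seq']})")
```

Running this on the listing prints a single candidate, PID 5004 at 0x400000-0x454000; 0x400000 is the default image base for a 32-bit PE, which together with the SetThreadContext signature in the summary makes that dump the natural place to look for a written-over process image, but confirming that requires examining the dump itself.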