Analysis Overview
SHA256
d0edb846b44e046fee8fea55dba1160e988ccfc947cf51fbb2803ded90268d19
Threat Level: Known bad
The file Roblox_Player.exe was found to be: Known bad.
Malicious Activity Summary
Discord RAT
Discordrat family
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Modifies registry class
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-26 01:55
Signatures
Discordrat family
Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 01:55
Reported
2024-05-26 01:58
Platform
win7-20240508-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Discord RAT
Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1548 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe | C:\Windows\system32\WerFault.exe |
| PID 1548 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe | C:\Windows\system32\WerFault.exe |
| PID 1548 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1548 -s 596
Network
Files
memory/1548-0-0x000007FEF56B3000-0x000007FEF56B4000-memory.dmp
memory/1548-1-0x000000013F0B0000-0x000000013F0C8000-memory.dmp
memory/1548-2-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp
memory/1548-3-0x000007FEF56B3000-0x000007FEF56B4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-26 01:55
Reported
2024-05-26 01:57
Platform
win10v2004-20240508-en
Max time kernel
80s
Max time network
90s
Command Line
Signatures
Discord RAT
Legitimate hosting services abused for malware hosting/C2

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Checks processor information in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Creates scheduled task(s)

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SYSTEM32\SCHTASKS.exe | N/A |
Modifies registry class

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe | N/A |
Suspicious use of FindShellTrayWindow

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.0.812847443\391642696" -parentBuildID 20230214051806 -prefsHandle 1784 -prefMapHandle 1764 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {76573fb8-dc08-4b40-a211-765e86edded7} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 1864 2282200f358 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.1.1009662055\1250891115" -parentBuildID 20230214051806 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08181120-d5fe-4ef9-809d-67345d6cd1d5} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 2436 2280dc87e58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.2.1113357240\426961179" -childID 1 -isForBrowser -prefsHandle 3028 -prefMapHandle 3024 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5319df9e-5cd3-44e7-8884-245ebcc28b6d} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 3040 22824f0c758 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.3.1603646585\1294974818" -childID 2 -isForBrowser -prefsHandle 3876 -prefMapHandle 2776 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a55a91f6-742e-447a-9905-d2a9f1c6e915} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 3888 228269e8858 tab
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4040,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4200 /prefetch:8
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.4.1348610274\1275005946" -childID 3 -isForBrowser -prefsHandle 5048 -prefMapHandle 5044 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23ef4a0b-507a-4ed4-996a-89ab8ccffd3c} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 5056 22828797f58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.5.879069292\608113738" -childID 4 -isForBrowser -prefsHandle 5276 -prefMapHandle 5272 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bcfe6fae-efed-45a0-8b80-b3ecee5c473c} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 5192 228293af658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.6.1790575598\1321436996" -childID 5 -isForBrowser -prefsHandle 5376 -prefMapHandle 5380 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a15c9a9d-7668-4845-b42c-0af3ef36af01} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 5368 228293aea58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.7.1365149616\1803517942" -childID 6 -isForBrowser -prefsHandle 5824 -prefMapHandle 5820 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0e9f910-b561-4326-bd3b-20cfed0cb8e8} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 5832 2282904c958 tab
C:\Windows\SYSTEM32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77RobloxPlayer.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe'" /sc onlogon /rl HIGHEST
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.8.26852645\1554519528" -parentBuildID 20230214051806 -prefsHandle 4744 -prefMapHandle 4796 -prefsLen 28041 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {414f0524-512f-44aa-8304-bd1a30b60241} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 4880 2282a89d558 rdd
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.9.200443719\261598553" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 5792 -prefMapHandle 4816 -prefsLen 28041 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d85b1d0-31bc-469c-9d0e-6fb93f56b054} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 4828 2282a89e158 utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.10.1250681009\1018295916" -parentBuildID 20230214051806 -sandboxingKind 0 -prefsHandle 5848 -prefMapHandle 4744 -prefsLen 28041 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ee94cf2-c413-4c1d-a3ff-1c0816700a02} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 4176 2282a8a0e58 utility
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x41c
Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 162.159.135.234:443 | gateway.discord.gg | tcp |
| US | 8.8.8.8:53 | 234.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | geolocation-db.com | udp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.102.89.159.in-addr.arpa | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| N/A | 127.0.0.1:49833 | N/A | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | tcp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 35.164.250.149:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| N/A | 127.0.0.1:49840 | N/A | tcp |
| US | 8.8.8.8:53 | 149.250.164.35.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.212.58.216.in-addr.arpa | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
Files
memory/4744-0-0x0000014D5CB00000-0x0000014D5CB18000-memory.dmp
memory/4744-1-0x00007FF939B93000-0x00007FF939B95000-memory.dmp
memory/4744-2-0x0000014D771B0000-0x0000014D77372000-memory.dmp
memory/4744-3-0x00007FF939B90000-0x00007FF93A651000-memory.dmp
memory/4744-4-0x0000014D77AF0000-0x0000014D78018000-memory.dmp
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\activity-stream.discovery_stream.json.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs-1.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4
memory/4744-123-0x00007FF939B90000-0x00007FF93A651000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs-1.js
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\entries\1BD06364B17F941101FCC95275213BEB65016BDA
memory/4744-165-0x0000014D79060000-0x0000014D7910A000-memory.dmp
memory/4744-166-0x00007FF939B90000-0x00007FF93A651000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4
memory/4744-196-0x00007FF939B90000-0x00007FF93A651000-memory.dmp