Malware Analysis Report

2024-09-11 09:26

Sample ID 240526-cl3gbabb4z
Target Roblox_Player.exe
SHA256 d0edb846b44e046fee8fea55dba1160e988ccfc947cf51fbb2803ded90268d19
Tags discordrat persistence rat rootkit stealer evasion
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d0edb846b44e046fee8fea55dba1160e988ccfc947cf51fbb2803ded90268d19

Threat Level: Known bad

The file Roblox_Player.exe was found to be: Known bad.

Malicious Activity Summary

discordrat persistence rat rootkit stealer evasion

Discord RAT

Discordrat family

Disables Task Manager via registry modification

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks processor information in registry

Modifies registry class

Uses Task Scheduler COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-26 02:10

Signatures

Discordrat family

discordrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 02:10

Reported

2024-05-26 02:13

Platform

win7-20240508-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe"

Signatures

Discord RAT

stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1832 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe C:\Windows\system32\WerFault.exe
PID 1832 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe C:\Windows\system32\WerFault.exe
PID 1832 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe C:\Windows\system32\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe

"C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1832 -s 596

Network

N/A

Files

memory/1832-0-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp

memory/1832-1-0x000000013F720000-0x000000013F738000-memory.dmp

memory/1832-2-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 02:10

Reported

2024-05-26 02:13

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe"

Signatures

Discord RAT

stealer rootkit rat persistence discordrat

Disables Task Manager via registry modification

evasion

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 852 wrote to memory of 2408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 852 wrote to memory of 2408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 852 wrote to memory of 2408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 852 wrote to memory of 2408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 852 wrote to memory of 2408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 852 wrote to memory of 2408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 852 wrote to memory of 2408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 852 wrote to memory of 2408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 852 wrote to memory of 2408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 852 wrote to memory of 2408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 852 wrote to memory of 2408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe

"C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2408.0.1281884394\2085032673" -parentBuildID 20230214051806 -prefsHandle 1792 -prefMapHandle 1784 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a64a8ec-946d-4583-98b9-38aa9e47dd8b} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" 1884 21c5e415e58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2408.1.1199134785\176550371" -parentBuildID 20230214051806 -prefsHandle 2440 -prefMapHandle 2428 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc540a14-457b-402d-9929-bcf2ba9f273e} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" 2452 21c51689c58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2408.2.982014343\746236937" -childID 1 -isForBrowser -prefsHandle 3056 -prefMapHandle 3052 -prefsLen 22215 -prefMapSize 235121 -jsInitHandle 1188 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3bf3d80-928b-4963-968c-f3081c07fa04} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" 3068 21c6120cd58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2408.3.1604073116\898437497" -childID 2 -isForBrowser -prefsHandle 3672 -prefMapHandle 3668 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1188 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ede40ddd-8a5d-4575-8cd4-e0976fd2a16a} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" 3684 21c5163ee58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2408.4.929410822\726607294" -childID 3 -isForBrowser -prefsHandle 5144 -prefMapHandle 1484 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1188 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fe20b9e-932e-4aeb-b6f5-66460fffe531} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" 5148 21c64fba158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2408.5.1304333975\2143469418" -childID 4 -isForBrowser -prefsHandle 5300 -prefMapHandle 5304 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1188 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36d56e5e-d258-4f1e-92fa-8cbcb5262d19} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" 5288 21c65756d58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2408.6.1759278322\705279434" -childID 5 -isForBrowser -prefsHandle 5492 -prefMapHandle 5496 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1188 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8cf0290-69aa-474c-99d0-3a4589bcb830} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" 5480 21c65757358 tab

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C whoami

C:\Windows\system32\whoami.exe

whoami

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /7

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2408.7.507960043\1565659530" -childID 6 -isForBrowser -prefsHandle 4176 -prefMapHandle 4416 -prefsLen 28177 -prefMapSize 235121 -jsInitHandle 1188 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a779003-e3e5-4e7a-b7aa-37e84ec0eb4e} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" 4204 21c63a67058 tab

Network

Country Destination Domain Proto
US 8.8.8.8:53 gateway.discord.gg udp
US 162.159.136.234:443 gateway.discord.gg tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 234.136.159.162.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 geolocation-db.com udp
DE 159.89.102.253:443 geolocation-db.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 253.102.89.159.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
N/A 127.0.0.1:64464 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 34.117.188.166:443 spocs.getpocket.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 35.164.250.149:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 34.107.243.93:443 push.services.mozilla.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 149.250.164.35.in-addr.arpa udp
US 162.159.138.232:443 discord.com tcp
N/A 127.0.0.1:64471 tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp

Files

memory/5088-0-0x000001E1AD330000-0x000001E1AD348000-memory.dmp

memory/5088-1-0x00007FF8E5BB3000-0x00007FF8E5BB5000-memory.dmp

memory/5088-2-0x000001E1C7AB0000-0x000001E1C7C72000-memory.dmp

memory/5088-3-0x00007FF8E5BB0000-0x00007FF8E6671000-memory.dmp

memory/5088-4-0x000001E1C82F0000-0x000001E1C8818000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\activity-stream.discovery_stream.json.tmp

MD5 676f6ff585a4b2e50de58399f4a0290b
SHA1 76e07e574943e09f6e9085756a5c4c9f73ea1a7b
SHA256 f0ab6f9b13a58bce301853fe67452bae2253c0cb98a7a435fbe2e186cdcf6d54
SHA512 430b1f54aed5d08116a8ec0315129b6d0f72aef208423d2fd414ac44c32abea68dfa0e37032cfe552ecc970041a8ec6522c291f3dc13c4738a3a2e62fba76f09

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\prefs.js

MD5 6c6181257cb28296c8864935bdcce9ae
SHA1 d2c8521ebbe6c713aceca7dd82d98735dc66e455
SHA256 9fba475d7c8da016a77135f3ee60c10cee4098c0bb0c4f312aa4e66fdc1e5ee6
SHA512 a1021677bcd6171e595ca2eddccc00e3fd9b3e5864036f9a1a6b83fb0c06809f8383906a134dfe6362eee13ba4436d880f19e247346d99206c8009111c526c2f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\prefs-1.js

MD5 85de7ab771d0a16db3ad71503d5aff06
SHA1 4bf0b6f7ff6dc37834a09cdee2d0862da3770d1e
SHA256 7f804e90509fb77d2b5029e27372182acaf6349806e02abbf04cfdfdc42fad17
SHA512 d00a5a15145d056ee5f42b17dadc0fdb05b818aa084f6b18964612373be1e7087dbee7a0d32b4080eee4630cfedf1eee2280205db4af01c21411c213ff031abd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4

MD5 8df4c837d84076ffe8feca8089e30c2e
SHA1 3b1f94248f745d2af48957f5823d17b86faf7f7e
SHA256 55dcd5b0aa286d43f0c7dd3571f0e44d28051b433f81bad72836d0c3923b1585
SHA512 87a76e6f41753baddd0c67d76946ad6f73ee728219b71cdfec6d93c4fbeab4860f27c3f5baef8def00b33309ab9fae63e7dd82a360916cad73636dd90a9ef849

memory/5088-70-0x00007FF8E5BB3000-0x00007FF8E5BB5000-memory.dmp

memory/5088-71-0x00007FF8E5BB0000-0x00007FF8E6671000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\prefs-1.js

MD5 f60435a457c73b8151fbab362cd13415
SHA1 6c0b0100a97e16dbafe8777d3fd72872040ad389
SHA256 ef3ab503ccbb748ea630594a45ec971af65d8a724a4c388eafefa31c82935f2a
SHA512 f38ac407ba14c67104de1a79c456b978a0f21e673f11e59c9a7bb8cfcbf2b5af1371f3af855fdba796a726c8a318c834cbee4db957aec393e330329ec6c680b8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4

MD5 ec1b768e332078b9433ee9126f8dce12
SHA1 ddeaedf351bbfa3bb0f819ef81a8c858f77b8101
SHA256 746593a6933d217ada0a208fde952bc322cb436648562d6356f586976d8a205f
SHA512 7185630541616b768a3f7d994b9fa896ba9028767430c206aadf5276b3f5ce75a63e48073ec6bd2bbf3a623fba822405be82f1e5b90a906b5a853cd3154b6728

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4

MD5 ccb3d6c65887112c7ad96fed72f2102e
SHA1 8ecd532a1f064c9ba38efb0c79902a6428e86967
SHA256 3ea1208ce3c82f57c12a2b39a787b1c120c28981a57303026d3e282c8ce379c0
SHA512 2db9d25de42d0310f2635050abc3a5a60cff5acc7c664ab891ad00df988d406b026c26ced3accf63c23295cb677d2797e2360b11768716db584e19b1cd87b978

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4

MD5 21e0ef6686ba45ada38dd755c29716a2
SHA1 92843559735e4979b9bab76f180e37216f8301e3
SHA256 495d03d4ce2a20a96bb3bc0c95438044a1dceddf731ed024157d11368eb8e090
SHA512 26fd21b2e7ed6599d0ca43be3d8821022a7cdb6081e97180d226e70e7caf97220b59117b28024a6a8992a30b5a27637a62ffdd111e07d2383b936493a04b33ed