orcus | 4a5b24522b79e54b2c901946eb492dac5bf83631681a2d99b1f6b303268e0580

Resubmissions

03-10-2024 21:19

241003-z6m9fsxcjn 10

03-10-2024 21:14

241003-z3g82azhmb 10

03-10-2024 21:10

241003-z1h3jszglg 10

03-10-2024 21:03

241003-zv1emszeje 10

Analysis

max time kernel
150s
max time network
151s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
03-10-2024 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

snos.exe
Size

916KB
MD5

defc2abbed64bb0a53c7b9fa04d9d114
SHA1

926cbb5e1d9ea1249aa034afa5d0e510322b5ee6
SHA256

4a5b24522b79e54b2c901946eb492dac5bf83631681a2d99b1f6b303268e0580
SHA512

00084691a0ae0c52aac630a1fca9bca0fb245ad4597c99b12016119ce289500002c6b23e47bfcd2bc220c26068615c972b8e5551b0b3dd721fd06c6387e0d842
SSDEEP

24576:NVWC4MROxnFD3krXYf1rrcI0AilFEvxHPdmoo6:NqMiJtrrcI0AilFEvxHP

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

45.200.148.205:10134

Mutex

2857e61aa1024db89df5be17078af5ab

Attributes

autostart_method
TaskScheduler
enable_keylogger
false
install_path
%programfiles%\sistemwinhost\winhost1235.exe
reconnect_delay
10000
registry_keyname
registry
taskscheduler_taskname
registre
watchdog_path
AppData\Servicemanagaer.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\sistemwinhost\winhost1235.exe	family_orcus

Orcurs Rat Executable 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3484-1-0x00000000003F0000-0x00000000004DA000-memory.dmp	orcus
C:\Program Files (x86)\sistemwinhost\winhost1235.exe	orcus

Executes dropped EXE 6 IoCs

Processes:

WindowsInput.exeWindowsInput.exewinhost1235.exewinhost1235.exeServicemanagaer.exeServicemanagaer.exe

pid process

1400 WindowsInput.exe
1648 WindowsInput.exe
4584 winhost1235.exe
2880 winhost1235.exe
1716 Servicemanagaer.exe
4968 Servicemanagaer.exe

pid	process
1400	WindowsInput.exe
1648	WindowsInput.exe
4584	winhost1235.exe
2880	winhost1235.exe
1716	Servicemanagaer.exe
4968	Servicemanagaer.exe

Loads dropped DLL 15 IoCs

Processes:

winhost1235.exe

pid	process
4584	winhost1235.exe
4584	winhost1235.exe
4584	winhost1235.exe
4584	winhost1235.exe
4584	winhost1235.exe
4584	winhost1235.exe
4584	winhost1235.exe
4584	winhost1235.exe
4584	winhost1235.exe
4584	winhost1235.exe
4584	winhost1235.exe
4584	winhost1235.exe
4584	winhost1235.exe
4584	winhost1235.exe
4584	winhost1235.exe

Drops file in System32 directory 3 IoCs

Processes:

WindowsInput.exesnos.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	snos.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	snos.exe

Drops file in Program Files directory 3 IoCs

Processes:

snos.exe

description	ioc	process
File created	C:\Program Files (x86)\sistemwinhost\winhost1235.exe	snos.exe
File opened for modification	C:\Program Files (x86)\sistemwinhost\winhost1235.exe	snos.exe
File created	C:\Program Files (x86)\sistemwinhost\winhost1235.exe.config	snos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Servicemanagaer.exeServicemanagaer.exesnos.exewinhost1235.exewinhost1235.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Servicemanagaer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Servicemanagaer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	snos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost1235.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost1235.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

winhost1235.exeServicemanagaer.exe

pid	process
4584	winhost1235.exe
4584	winhost1235.exe
4584	winhost1235.exe
4968	Servicemanagaer.exe
4968	Servicemanagaer.exe
4968	Servicemanagaer.exe
4584	winhost1235.exe
4968	Servicemanagaer.exe
4584	winhost1235.exe
4968	Servicemanagaer.exe
4584	winhost1235.exe
4968	Servicemanagaer.exe
4584	winhost1235.exe
4584	winhost1235.exe
4968	Servicemanagaer.exe
4968	Servicemanagaer.exe
4584	winhost1235.exe
4968	Servicemanagaer.exe
4584	winhost1235.exe
4968	Servicemanagaer.exe
4584	winhost1235.exe
4968	Servicemanagaer.exe
4584	winhost1235.exe
4968	Servicemanagaer.exe
4584	winhost1235.exe
4968	Servicemanagaer.exe
4584	winhost1235.exe
4968	Servicemanagaer.exe
4584	winhost1235.exe
4968	Servicemanagaer.exe
4584	winhost1235.exe
4968	Servicemanagaer.exe
4584	winhost1235.exe
4968	Servicemanagaer.exe
4584	winhost1235.exe
4968	Servicemanagaer.exe
4584	winhost1235.exe
4968	Servicemanagaer.exe
4584	winhost1235.exe
4968	Servicemanagaer.exe
4584	winhost1235.exe
4968	Servicemanagaer.exe
4584	winhost1235.exe
4968	Servicemanagaer.exe
4584	winhost1235.exe
4968	Servicemanagaer.exe
4584	winhost1235.exe
4968	Servicemanagaer.exe
4584	winhost1235.exe
4968	Servicemanagaer.exe
4584	winhost1235.exe
4968	Servicemanagaer.exe
4584	winhost1235.exe
4968	Servicemanagaer.exe
4584	winhost1235.exe
4968	Servicemanagaer.exe
4584	winhost1235.exe
4968	Servicemanagaer.exe
4584	winhost1235.exe
4968	Servicemanagaer.exe
4584	winhost1235.exe
4968	Servicemanagaer.exe
4584	winhost1235.exe
4968	Servicemanagaer.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

Servicemanagaer.exewinhost1235.exeServicemanagaer.exefirefox.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1716	Servicemanagaer.exe
Token: SeDebugPrivilege	4584	winhost1235.exe
Token: SeDebugPrivilege	4968	Servicemanagaer.exe
Token: SeDebugPrivilege	1600	firefox.exe
Token: SeDebugPrivilege	1600	firefox.exe
Token: 33	5784	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5784	AUDIODG.EXE
Token: SeDebugPrivilege	1600	firefox.exe
Token: SeDebugPrivilege	1600	firefox.exe
Token: SeDebugPrivilege	1600	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

winhost1235.exefirefox.exe

pid process

4584 winhost1235.exe
1600 firefox.exe
1600 firefox.exe
1600 firefox.exe
1600 firefox.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

winhost1235.exefirefox.exe

pid process

4584 winhost1235.exe
1600 firefox.exe
1600 firefox.exe
1600 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

1600 firefox.exe

pid	process
1600	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

snos.exewinhost1235.exeServicemanagaer.exefirefox.exefirefox.exe

description	pid	process	target process
PID 3484 wrote to memory of 1400	3484	snos.exe	WindowsInput.exe
PID 3484 wrote to memory of 1400	3484	snos.exe	WindowsInput.exe
PID 3484 wrote to memory of 4584	3484	snos.exe	winhost1235.exe
PID 3484 wrote to memory of 4584	3484	snos.exe	winhost1235.exe
PID 3484 wrote to memory of 4584	3484	snos.exe	winhost1235.exe
PID 4584 wrote to memory of 1716	4584	winhost1235.exe	Servicemanagaer.exe
PID 4584 wrote to memory of 1716	4584	winhost1235.exe	Servicemanagaer.exe
PID 4584 wrote to memory of 1716	4584	winhost1235.exe	Servicemanagaer.exe
PID 1716 wrote to memory of 4968	1716	Servicemanagaer.exe	Servicemanagaer.exe
PID 1716 wrote to memory of 4968	1716	Servicemanagaer.exe	Servicemanagaer.exe
PID 1716 wrote to memory of 4968	1716	Servicemanagaer.exe	Servicemanagaer.exe
PID 5092 wrote to memory of 1600	5092	firefox.exe	firefox.exe
PID 5092 wrote to memory of 1600	5092	firefox.exe	firefox.exe
PID 5092 wrote to memory of 1600	5092	firefox.exe	firefox.exe
PID 5092 wrote to memory of 1600	5092	firefox.exe	firefox.exe
PID 5092 wrote to memory of 1600	5092	firefox.exe	firefox.exe
PID 5092 wrote to memory of 1600	5092	firefox.exe	firefox.exe
PID 5092 wrote to memory of 1600	5092	firefox.exe	firefox.exe
PID 5092 wrote to memory of 1600	5092	firefox.exe	firefox.exe
PID 5092 wrote to memory of 1600	5092	firefox.exe	firefox.exe
PID 5092 wrote to memory of 1600	5092	firefox.exe	firefox.exe
PID 5092 wrote to memory of 1600	5092	firefox.exe	firefox.exe
PID 1600 wrote to memory of 2008	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 2008	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe
PID 1600 wrote to memory of 4700	1600	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\snos.exe
"C:\Users\Admin\AppData\Local\Temp\snos.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1400
- C:\Program Files (x86)\sistemwinhost\winhost1235.exe
  "C:\Program Files (x86)\sistemwinhost\winhost1235.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Users\Admin\AppData\Roaming\Servicemanagaer.exe
    "C:\Users\Admin\AppData\Roaming\Servicemanagaer.exe" /launchSelfAndExit "C:\Program Files (x86)\sistemwinhost\winhost1235.exe" 4584 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Users\Admin\AppData\Roaming\Servicemanagaer.exe
      "C:\Users\Admin\AppData\Roaming\Servicemanagaer.exe" /watchProcess "C:\Program Files (x86)\sistemwinhost\winhost1235.exe" 4584 "/protectFile"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4968

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:1648

C:\Program Files (x86)\sistemwinhost\winhost1235.exe
"C:\Program Files (x86)\sistemwinhost\winhost1235.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2880

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1600.0.1632624955\483508849" -parentBuildID 20221007134813 -prefsHandle 1680 -prefMapHandle 1672 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a82d571-38a5-4dcc-8086-ce131be603a3} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" 1760 2c41c8d8858 gpu
    3⤵
    PID:2008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1600.1.1570188460\650869411" -parentBuildID 20221007134813 -prefsHandle 2088 -prefMapHandle 2084 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {475e0515-0955-44cb-87a9-8b22962d4016} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" 2116 2c411971958 socket
    3⤵
    PID:4700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1600.2.1852245876\407905546" -childID 1 -isForBrowser -prefsHandle 2796 -prefMapHandle 2692 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f8fe92f-80a5-4393-b88d-76d8013ea9b6} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" 2996 2c41c85d858 tab
    3⤵
    PID:1112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1600.3.2001898414\1243409698" -childID 2 -isForBrowser -prefsHandle 3468 -prefMapHandle 3464 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2306706e-f7d1-41a8-9872-a663c1c7946c} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" 3480 2c421915058 tab
    3⤵
    PID:4804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1600.4.137431843\1596428661" -childID 3 -isForBrowser -prefsHandle 4084 -prefMapHandle 4080 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {627d4d1f-bb7c-418d-ac45-3e504aed2a92} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" 4068 2c421e23858 tab
    3⤵
    PID:4172
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1600.5.1274062201\1839136808" -childID 4 -isForBrowser -prefsHandle 4760 -prefMapHandle 4772 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6454efc6-3e60-433f-928c-873d802473b5} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" 4784 2c421e70258 tab
    3⤵
    PID:2688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1600.6.1317320862\1315118994" -childID 5 -isForBrowser -prefsHandle 4936 -prefMapHandle 4940 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cf46e84-dce8-4437-8320-c8ce338a4eb0} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" 4928 2c422f15058 tab
    3⤵
    PID:1284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1600.7.1934197932\2038925543" -childID 6 -isForBrowser -prefsHandle 5112 -prefMapHandle 5116 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7ceac0d-382c-41f3-8b7b-f0909e0ca9db} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" 4784 2c423a2e258 tab
    3⤵
    PID:5064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1600.8.1501507129\788697122" -childID 7 -isForBrowser -prefsHandle 5736 -prefMapHandle 5740 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb40542e-cf9e-47ab-a606-3879c507d44a} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" 5744 2c424d2c658 tab
    3⤵
    PID:320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1600.9.2019535928\382594377" -childID 8 -isForBrowser -prefsHandle 5332 -prefMapHandle 4580 -prefsLen 26689 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2c4191f-f4a6-4061-9fad-3a64ed7baf38} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" 2596 2c41f1b6458 tab
    3⤵
    PID:4344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1600.10.1393539849\197810116" -parentBuildID 20221007134813 -prefsHandle 2644 -prefMapHandle 3012 -prefsLen 26689 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdef9ad7-66b3-4cbf-a057-1e70c09d0876} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" 2672 2c42536b158 rdd
    3⤵
    PID:428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1600.11.743898336\598080415" -childID 9 -isForBrowser -prefsHandle 6132 -prefMapHandle 4172 -prefsLen 26689 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {330a67e9-bf38-4796-bcd9-b46d6c8a5795} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" 9968 2c4254c8558 tab
    3⤵
    PID:5252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1600.12.383161793\1653562312" -childID 10 -isForBrowser -prefsHandle 9704 -prefMapHandle 9708 -prefsLen 26689 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f33d489-eab3-4587-acf2-8f52e1fe3343} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" 9692 2c4219dbb58 tab
    3⤵
    PID:5684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1600.13.1909531729\1384945807" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 5184 -prefMapHandle 5176 -prefsLen 26689 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f87e556-8774-412e-a69b-b18be5d3d081} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" 5128 2c423b13f58 utility
    3⤵
    PID:6004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1600.14.1323539375\2065634160" -childID 11 -isForBrowser -prefsHandle 9476 -prefMapHandle 9444 -prefsLen 26689 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fad170f1-150d-4d82-8e56-c70afa5975d0} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" 9464 2c425935958 tab
    3⤵
    PID:5540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1600.15.659310277\1161505973" -childID 12 -isForBrowser -prefsHandle 5956 -prefMapHandle 4300 -prefsLen 26689 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {322e627a-6301-4633-8c48-3d487dde112b} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" 6016 2c426eb2b58 tab
    3⤵
    PID:5936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1600.16.28350985\1622473566" -childID 13 -isForBrowser -prefsHandle 2656 -prefMapHandle 9424 -prefsLen 26689 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4585ff79-e64f-460e-80fe-ab178f0318df} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" 5224 2c425b7d258 tab
    3⤵
    PID:5980

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3bc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\sistemwinhost\winhost1235.exe

Filesize
916KB

MD5
defc2abbed64bb0a53c7b9fa04d9d114

SHA1
926cbb5e1d9ea1249aa034afa5d0e510322b5ee6

SHA256
4a5b24522b79e54b2c901946eb492dac5bf83631681a2d99b1f6b303268e0580

SHA512
00084691a0ae0c52aac630a1fca9bca0fb245ad4597c99b12016119ce289500002c6b23e47bfcd2bc220c26068615c972b8e5551b0b3dd721fd06c6387e0d842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Servicemanagaer.exe.log

Filesize
425B

MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\doomed\1001

Filesize
7KB

MD5
b0b79d1907f404a234e33f8f02b7e0e6

SHA1
d088794ec765042b8251293c6d88d8a0a5a62fc3

SHA256
c016b271d51a860a2e8cb56250526e64d14ad6f3f142dc4eb315b9a932e1c918

SHA512
30b5a3a774f0ddda49d908dac2a64fe053f36822dc4ee579a5c144310e30c270a2def708bb34031b1141ed28f37a77ce1aad28f5f440e622567335ad092c489e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\entries\111602F8D77AF6E5F05BE1FE3F565839E71702B6

Filesize
32KB

MD5
eb03ed7590401aae4f8a12dcf70f0534

SHA1
2e4d996b5edd564974872ab8fe632ebeea6a920d

SHA256
cabe4f7148ae794fee8b5b5faecca63ef52cf372f82d37e972c1511d2b4406c0

SHA512
1bafdf762030da3230453cd6fb11ceb7e2747d0b83a413a32b8d9c1ae94ec23cc74e2885872a16a4c667f49b787c46532afe01314304acb409d981af055310a7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\entries\3B06052DA2E011BD3398C7FD3918E2781E08A2DF

Filesize
221KB

MD5
dba3738e2c1e0eef8d55a2a2b7a539f3

SHA1
e536e9dfc41925a289edf5b2f57bb51f6c0610fe

SHA256
07c8ca63a1a2b306a0be54efee99c90554aba97d9317702bcd286d7e35427a31

SHA512
f12cbb5422672cd563c6532cbe4d346318357960a9f7a46c3c0ff043b3ec7b85a5f4cbf6f871e7b1ecba35d3e204f6e4250b076e561c173e3387b68f3b83d5e2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\entries\6B7133A2748157E96BC5BE91739F45B5F1122DAE

Filesize
91KB

MD5
a3cbdefd5ea6f53cbafbecc6d950bf0c

SHA1
34bb5420a16ef95b609aaff215b2cee991e47919

SHA256
80ade4900cd6426b07f8ee5bec6e56bf66501bec513884c5961263874502b28b

SHA512
da07bff2ef3e11510005eed6b80f78b30f18caa07a14b7260e128b4708f01fc443a17b5c09f59e956725d0592e9c7d9c291cb469467f174054df28bd40871306

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
80eb5aaed17f7dc1193ff8d6a0d671e9

SHA1
2a9ba85e997e8e7b9598b271e2aaace20cf4fd7b

SHA256
1f48800cf4c847ec82ea695c10fd234e58625da4da209ac971a6a2d7a3cc4926

SHA512
9a46ff90711c3a15d3fb580cb858a3946a5090dd695531690fa897eb81473708c8d026ac896fb42e359c3bdaf97b6022e64e972885d63882c0cd0705028b05ad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\events\events

Filesize
819B

MD5
ab7282c06612c2ad3e9a6732ca3cdeb6

SHA1
00dd83d35dc4984fc0c7853cf7531a0fff6a79dd

SHA256
11b557ca8f5117fce94d5bd4f0075e92aea28c3d68e6e4dd5b5085f890efa715

SHA512
accc1a0d0c2dee17fb607e4dea1d5423e9b6e6e2e8cb73047f6984eb5f38254ef5f23cabba13cdffc7e6832ad04fdef12f37d819dfece33dbc8d2c4eb7e3f516

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\32ce94e3-ca4b-4883-83f5-f0beb33185e4

Filesize
746B

MD5
ceaee03838b055210a8993b206858721

SHA1
e79189ea210ecca3ffd0359f7b3ddca6b77ba443

SHA256
ca178f21f59f6e8cece5bbe7ba8005c71a5c73321e949fc4844cbc66fb706dea

SHA512
3d0300adcd5bfac08ae25c146113854eae86e9e62b050140bfed175042b9424e5aeef157b327915e3a41de43edfe0a9ef97f420a2657186f5e762f58fe7246ac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\4ce076ca-7386-44db-8196-4de3ca1ce82b

Filesize
11KB

MD5
1c5ce00d3b0b2ceb33bd3644600626e0

SHA1
d19c04d6e835aa7d2c566817fb44269a680b03f5

SHA256
35b748306805ad6905f889df63a5ca9409ab72d62d7e96b992c0f47974bdca32

SHA512
db15f0ffcecb0b19dad09bdc6b25702618fe29312fb3371b7ba5fa7aa240592a1434392b3b08a0495bcc113be0564e2d944dd7580ab943a95cf843976e8d78ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js

Filesize
6KB

MD5
1af5c83d8ae77e7e978a44f6631cd99c

SHA1
567b2fb3711a8e352845b98e336a17057898cd1a

SHA256
5c216e1865c82b321e7b054df37758fed9704b93fc7a81406cded55d524a4b4d

SHA512
5b06f36a39a47e2d1d0055a91393fe0c45a0e445effd4966dd9b1518e7a043fb80c47347c73b91fc5702c79aaf6ca1910eb4be288114c309bd3db2bd6c1a5e9b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js

Filesize
7KB

MD5
553751c8667bafc18a9021c7853a0d2c

SHA1
358b65e3f2f1b99ef3dd2086596e438c336bdc37

SHA256
88a3dc392a6f7753c29d265b393b36a4083ee4ff8f86f2f916d7055c3b0456e1

SHA512
b7eab4a66d94620ac19a7922a7bc2d1fc3e8f5690d2b645cdab2be2ce389eeba72edfb95db51ffbad4d9ec0a3250b3c63c8d28bbe646b0e7297be3afc17fa5aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js

Filesize
6KB

MD5
b4cc56d95ab859333da756edccba76ef

SHA1
e0e885c2671623222d999a13d850e2a934278744

SHA256
b857e4d59f595039bf501ff5500ce4bc05c4a7c125b4e7e31adf395d1be146db

SHA512
5dd07a5667cec2174e126b13b878742a72492c60df1048508655b04e11bd26785625e672e99de2d6d2ae64ab66eb8f9e2200fe329163765eaf78cc0047ab07b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
c8e9dfa7ec576775bb628da7c03bb00c

SHA1
83be81a80d31f7bef4827bbabed116cb45c39f96

SHA256
1b3b0bd667cfdeb509be99d60f63182782b31219a73ac7165d69927ccb69aba5

SHA512
3bd9010c38ba6d1ad3377ae5f66eb6ebe67d04a8268353445bf65f31958244284c1381408448f66f95b0ca926d7dc45a45f8bc7786b260ef5adf6f6a5fe5fc46

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
ee2929d31ba578adf81f92639a09f999

SHA1
1f4f3d93105ab27d3b70c0457b5123cb10214bac

SHA256
e810f412c29644df8924b0c5df3b86cd5a87ba5b938fab7b766e609824b853e7

SHA512
807e9ca010ffe0cbe9b88e2c01629b4b5c4606ce80690d75231e6b3d1400dabca6627014d0feaa196b5b6f345f96e158c3d79541c44e7ef5fcaf8d645f7f3ab4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
903c5e8b92d44d6d63c13ac207b23394

SHA1
b88ba8e24dadb43270d60a5cf314e2ed23ca1637

SHA256
f7477e39de8cf231caacc08a199bc5c7d451555afd5d2f688a6d2f7974f3a63d

SHA512
a3bf8bbe96a36c12f497285ce0458816aa8512be9ee4e2a40eb0a0ba73c5bd05f6832bb5c611f1d6173c8f4b469292d0b67c271f9b1cdfac1abba29a6e175ccb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
a2b81586a72988e65e6a67a7def0bc62

SHA1
d58561ac56b55b402540de05c0d3b5854672422d

SHA256
2a058b49c6678339f3800f7a0f5951fe6c575b1dce6385e2bb2f334a30950111

SHA512
2a013294970ea5ee8d0a0b190377e8013820c0c96042b5e7b0d4fd334f95a3558d94bc2048b78dbb0f11b85791f4c4c860134a792992b8871172e213c67eae9a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
33ae44b322012bf6861f7451d530bf7d

SHA1
63a28ac4303b40313534279f56fd2a36731da2a2

SHA256
2d4135cc7d8f28dd452a103a748ffbefcc79f308004ffbaebcba23dbd654643b

SHA512
5a671875b51248edafa26898c88069399e642783a29c2a3417f74d38e9e095e254a70c2161d570da989c920f703574e7330bf5766e6fa39b267dd1feb9a5fca9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
0c07ba8a01d0bfe9d8d636ae4a62c2d1

SHA1
755da699eb9ca40a92e5f80791045a89bc7f89c3

SHA256
24de8594ce5a74ce5c418709b52a21251e4e60882091749d81a36930b2a82107

SHA512
25c71b2ada97de3f1f84b4b04865c5e01c16873e8f8ec3ae7e7fca0eec664072e597ad95e4e9e13e2187bc80e1d8b13ef94e7198cca2c5471f3de6bec720a8a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
093f9add69ed716618a1e9c4f0107ecb

SHA1
db1f08e4e15b0922f114bb6ba1865cd2188bf861

SHA256
7baad0794e74c7b085ea1961019468d134c76545a33fafc271f04ceba2ee34b7

SHA512
a10e80134adbfb80b28994d044ed85622decbf66a3ecec2a122a07d39b06ddb9899e3eea65d1a427617a5b13a60796b3e2f836e869c63c20b5857aa5a25ba3c3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\default\https+++www.pornhub.com\cache\morgue\21\{90eae297-2bc1-455c-a87d-aba4ea92c315}.final

Filesize
456B

MD5
4849126d62348e96de9f534891ee372c

SHA1
04208116ad7cb0edcb2c7c754042554104172d10

SHA256
92930e52c17a5e42a09f648d090ba0e48384fe2b6f4f6b3e3fc70bd8a0e6ac5d

SHA512
bd7769637a8707a21027e442faf6911019a2c731bff17fc11b9da0b74490162ea4eba2fca41942a7c114cc75ab1941f208c1fcc789bdc0a594b5ed269f6e6f25

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\default\https+++www.pornhub.com\cache\morgue\62\{d6143477-6f5d-4a83-b21f-0f411786ce3e}.final

Filesize
1KB

MD5
932479fe19d996a5e8f139bf51085149

SHA1
da374dfebb658802ee62fc8ec320c3442fc93192

SHA256
c57de29d8406c0e2534d96c4c23199b127d8ee9bb86dce5230bf8157894b4f84

SHA512
ddbc216c01474d8ccc4f73fc78d228e68600b2bc148cdf3b7d12108b9fbdce3f2c91fdddce4841e669b1a2a609a8fae927e2a551efd11877e6513f7849edc05a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
3fce64c3cf23f070dbe67b544cebc92b

SHA1
84d5104a0aedcb8c73e2ce79598ae97d8190fb8e

SHA256
21679f659e81fa16d78fb675003b34c8cba5d361da34399b1938ab1a86e4590f

SHA512
8f99e44cbc39b256ae6087d962cdc1a31dc674ea3542eb48e55dbcd2ff8c3602ea8940373d8429036e86b2340e3d1cb267dee7bd97890c861601f212f6dde2b3

Download Submit
C:\Users\Admin\AppData\Roaming\Servicemanagaer.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\Users\Admin\AppData\Roaming\Orcus\lib_2857e61aa1024db89df5be17078af5ab\AForge.Video.DirectShow.dll

Filesize
60KB

MD5
17ed442e8485ac3f7dc5b3c089654a61

SHA1
d3a17c1fdd6d54951141053f88bf8238dea0b937

SHA256
666d44798d94eafa1ed21af79e9bc0293ffd96f863ab5d87f78bcee9ef9ffd6b

SHA512
9118bf11760354e9971ae8b27f7f6a405e46145b39ca6e6b413cb2e729e51304b895965e9140f66c9e3ef7caa4f344762bf059688b23dd32e4c2df271394fea2

Download Submit
\Users\Admin\AppData\Roaming\Orcus\lib_2857e61aa1024db89df5be17078af5ab\AForge.Video.dll

Filesize
20KB

MD5
0bd34aa29c7ea4181900797395a6da78

SHA1
ddffdcef29daddc36ca7d8ae2c8e01c1c8bb23a8

SHA256
bafa6ed04ca2782270074127a0498dde022c2a9f4096c6bb2b8e3c08bb3d404d

SHA512
a3734660c0aba1c2b27ab55f9e578371b56c82754a3b7cfd01e68c88967c8dada8d202260220831f1d1039a5a35bd1a67624398e689702481ac056d1c1ddcdb0

Download Submit
\Users\Admin\AppData\Roaming\Orcus\lib_2857e61aa1024db89df5be17078af5ab\SharpDX.DXGI.dll

Filesize
125KB

MD5
2b44c70c49b70d797fbb748158b5d9bb

SHA1
93e00e6527e461c45c7868d14cf05c007e478081

SHA256
3762d43c83af69cd38c9341a927ca6bd00f6bae8217c874d693047d6df4705bf

SHA512
faced62f6ecbfa2ee0d7a47e300302d23030d1f28758cbe9c442e9d8d4f8359c59088aa6237a28103e43d248c8efc7eeaf2c184028701b752df6cce92d6854d0

Download Submit
\Users\Admin\AppData\Roaming\Orcus\lib_2857e61aa1024db89df5be17078af5ab\SharpDX.Direct3D11.dll

Filesize
271KB

MD5
98eb5ba5871acdeaebf3a3b0f64be449

SHA1
c965284f60ef789b00b10b3df60ee682b4497de3

SHA256
d7617d926648849cbfef450b8f48e458ee52e2793fb2251a30094b778aa8848c

SHA512
a60025e304713d333e4b82b2d0be28087950688b049c98d2db5910c00b8d45b92e16d25ac8a58ff1318de019de3a9a00c7cbf8a6ad4b5bb1cb175dafa1b9bea2

Download Submit
\Users\Admin\AppData\Roaming\Orcus\lib_2857e61aa1024db89df5be17078af5ab\SharpDX.Direct3D9.dll

Filesize
338KB

MD5
934da0e49208d0881c44fe19d5033840

SHA1
a19c5a822e82e41752a08d3bd9110db19a8a5016

SHA256
02da4af8cd4a8de19d816000caaae885e676b9e52f136ff071a279c2b8ad34c7

SHA512
de62f629c2299b50af62893244a28895d63b78138c8632449984306f45de16bd01076eadbb0d75a700215e970c1df731e202ea640236c0f0da6ed15146193b59

Download Submit
\Users\Admin\AppData\Roaming\Orcus\lib_2857e61aa1024db89df5be17078af5ab\SharpDX.dll

Filesize
247KB

MD5
ffb4b61cc11bec6d48226027c2c26704

SHA1
fa8b9e344accbdc4dffa9b5d821d23f0716da29e

SHA256
061542ff3fb36039b7bbffdf3e07b66176b264c1dfd834a14b09c08620717303

SHA512
48aa6130bf1f5bd6de19256bbdf754c0158b43dd122cec47bb801a7a7b56f2da268bfdec24d135621764a23278ead3dcc35911a057e2dfa55a348bae8ef7b8a9

Download Submit
\Users\Admin\AppData\Roaming\Orcus\lib_2857e61aa1024db89df5be17078af5ab\TurboJpegWrapper.dll

Filesize
1.3MB

MD5
ac6acc235ebef6374bed71b37e322874

SHA1
a267baad59cd7352167636836bad4b971fcd6b6b

SHA256
047b042cebf4c851f0d14f85f16ce952f03e48c20362d4ed9390875d4900fe96

SHA512
72ac8b8c8f27264cc261297c325d14a0be2084d007c6132ab8402d87f912fe9189cb074db11625d9f86d29a6188f22a89e58ae45c9131fac4522473567017081

Download Submit
\Users\Admin\AppData\Roaming\Orcus\lib_2857e61aa1024db89df5be17078af5ab\x86\turbojpeg.dll

Filesize
646KB

MD5
82898ed19da89d7d44e280a3ced95e9b

SHA1
eec0af5733c642eac8c5e08479f462d1ec1ed4db

SHA256
5f4b9f8360764d75c9faaecd94f6d200c54611b33064cd216e363d973dae7c29

SHA512
ee7b884ce7d7366ee28fb17721b6c89bd4eba8fb373cdbb483e26a4ed7a74ab5db847513c54704d753d77a7e18b1fb9fee90ed6bbc0540bff702273fda36b682

Download Submit
memory/1400-16-0x00007FFC27E43000-0x00007FFC27E44000-memory.dmp

Filesize
4KB

Download
memory/1400-17-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/1400-19-0x000000001AF50000-0x000000001AF8E000-memory.dmp

Filesize
248KB

Download
memory/1400-20-0x00007FFC27E40000-0x00007FFC2882C000-memory.dmp

Filesize
9.9MB

Download
memory/1400-24-0x00007FFC27E40000-0x00007FFC2882C000-memory.dmp

Filesize
9.9MB

Download
memory/1400-18-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/1648-26-0x0000000019FF0000-0x000000001A0FA000-memory.dmp

Filesize
1.0MB

Download
memory/1716-51-0x0000000000AF0000-0x0000000000AF8000-memory.dmp

Filesize
32KB

Download
memory/3484-8-0x0000000005290000-0x00000000052B2000-memory.dmp

Filesize
136KB

Download
memory/3484-3-0x0000000004CC0000-0x0000000004D1C000-memory.dmp

Filesize
368KB

Download
memory/3484-4-0x0000000073C00000-0x00000000742EE000-memory.dmp

Filesize
6.9MB

Download
memory/3484-2-0x0000000002750000-0x000000000275E000-memory.dmp

Filesize
56KB

Download
memory/3484-1-0x00000000003F0000-0x00000000004DA000-memory.dmp

Filesize
936KB

Download
memory/3484-5-0x0000000005320000-0x000000000581E000-memory.dmp

Filesize
5.0MB

Download
memory/3484-6-0x0000000004EC0000-0x0000000004F52000-memory.dmp

Filesize
584KB

Download
memory/3484-7-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/3484-0-0x0000000073C0E000-0x0000000073C0F000-memory.dmp

Filesize
4KB

Download
memory/3484-36-0x0000000073C00000-0x00000000742EE000-memory.dmp

Filesize
6.9MB

Download
memory/4584-214-0x0000000007C00000-0x0000000007D0A000-memory.dmp

Filesize
1.0MB

Download
memory/4584-844-0x00000000087D0000-0x0000000008924000-memory.dmp

Filesize
1.3MB

Download
memory/4584-837-0x0000000006420000-0x0000000006446000-memory.dmp

Filesize
152KB

Download
memory/4584-885-0x00000000660C0000-0x000000006614F000-memory.dmp

Filesize
572KB

Download
memory/4584-830-0x0000000006C80000-0x0000000006CDA000-memory.dmp

Filesize
360KB

Download
memory/4584-823-0x00000000064C0000-0x000000000650A000-memory.dmp

Filesize
296KB

Download
memory/4584-816-0x0000000006470000-0x00000000064B4000-memory.dmp

Filesize
272KB

Download
memory/4584-215-0x0000000008600000-0x00000000087C2000-memory.dmp

Filesize
1.8MB

Download
memory/4584-213-0x0000000007A80000-0x0000000007ACB000-memory.dmp

Filesize
300KB

Download
memory/4584-212-0x0000000007A40000-0x0000000007A7E000-memory.dmp

Filesize
248KB

Download
memory/4584-211-0x00000000079E0000-0x00000000079F2000-memory.dmp

Filesize
72KB

Download
memory/4584-210-0x0000000007FF0000-0x00000000085F6000-memory.dmp

Filesize
6.0MB

Download
memory/4584-198-0x0000000007970000-0x00000000079D6000-memory.dmp

Filesize
408KB

Download
memory/4584-43-0x0000000006840000-0x000000000684A000-memory.dmp

Filesize
40KB

Download
memory/4584-42-0x0000000006570000-0x0000000006580000-memory.dmp

Filesize
64KB

Download
memory/4584-41-0x00000000063A0000-0x00000000063B8000-memory.dmp

Filesize
96KB

Download
memory/4584-39-0x0000000006220000-0x0000000006238000-memory.dmp

Filesize
96KB

Download
memory/4584-1053-0x0000000001460000-0x000000000146C000-memory.dmp

Filesize
48KB

Download
memory/4584-1060-0x00000000017A0000-0x00000000017B6000-memory.dmp

Filesize
88KB

Download
memory/4584-38-0x00000000061A0000-0x00000000061EE000-memory.dmp

Filesize
312KB

Download
memory/4584-37-0x0000000005780000-0x0000000005792000-memory.dmp

Filesize
72KB

Download