b32cfa2c536bfc631f37621471e23d3b05dffa1c94ef1c88e8136fd07c389105

Analysis

max time kernel
590s
max time network
592s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
03-12-2024 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

w.zip
Size

443KB
MD5

7abde2d9d772212f690e1657e66e4863
SHA1

ce9629c02dbd6953ff5ab9ebc910409a4ebc488b
SHA256

b32cfa2c536bfc631f37621471e23d3b05dffa1c94ef1c88e8136fd07c389105
SHA512

9f6e4bae303120161c98063a0049504dc09f74690ce81c65c8afbc5dfc3788b4058cac0527cda449707e2a79aeb9db695f27e6269bc23442c3b1455d87d51ffe
SSDEEP

12288:ShJL3yGgLoSdDilX+F2ramKbYgMLj7llsLQn:kUGg8Uil/ramJhNn

Score

8^/10

defense_evasion discovery persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Discord.exeDiscord.exeDiscord.exeUpdate.exeDiscord.exeUpdate.exeDiscord.exeDiscord.exeDiscord.exeUpdate.exeDiscord.exeUpdate.exeDiscordSetup.exeDiscord.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	DiscordSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Discord.exe

Executes dropped EXE 40 IoCs

Processes:

builder.exebuilder.exeDiscordSetup.exeUpdate.exeDiscordSetup.exeUpdate.exeDiscordSetup.exeUpdate.exeDiscord.exeDiscord.exeUpdate.exeDiscord.exeDiscord.exeUpdate.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeUpdate.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exebuilder.exeUpdate.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeUpdate.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exe

pid	Process
2084	builder.exe
3304	builder.exe
5984	DiscordSetup.exe
6092	Update.exe
2136	DiscordSetup.exe
5344	Update.exe
1316	DiscordSetup.exe
5892	Update.exe
1036	Discord.exe
5632	Discord.exe
3212	Update.exe
5036	Discord.exe
4344	Discord.exe
4520	Update.exe
2964	Discord.exe
5328	Discord.exe
2244	Discord.exe
1996	Discord.exe
5816	Discord.exe
5488	Discord.exe
4856	Discord.exe
5508	Update.exe
3376	Discord.exe
5192	Discord.exe
4856	Discord.exe
6140	Discord.exe
844	Discord.exe
4976	builder.exe
220	Update.exe
5488	Discord.exe
2440	Discord.exe
2588	Discord.exe
5560	Discord.exe
6116	Discord.exe
5884	Update.exe
464	Discord.exe
3804	Discord.exe
5792	Discord.exe
3212	Discord.exe
5036	Discord.exe

Loads dropped DLL 50 IoCs

Processes:

Discord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exe

pid	Process
1036	Discord.exe
5632	Discord.exe
5036	Discord.exe
4344	Discord.exe
5036	Discord.exe
5036	Discord.exe
5036	Discord.exe
5036	Discord.exe
2964	Discord.exe
5328	Discord.exe
2964	Discord.exe
2244	Discord.exe
1996	Discord.exe
2244	Discord.exe
2244	Discord.exe
2244	Discord.exe
2244	Discord.exe
5816	Discord.exe
5488	Discord.exe
4856	Discord.exe
3376	Discord.exe
5192	Discord.exe
3376	Discord.exe
4856	Discord.exe
6140	Discord.exe
844	Discord.exe
4856	Discord.exe
4856	Discord.exe
4856	Discord.exe
4856	Discord.exe
5488	Discord.exe
2440	Discord.exe
5488	Discord.exe
2588	Discord.exe
5560	Discord.exe
6116	Discord.exe
5560	Discord.exe
5560	Discord.exe
5560	Discord.exe
5560	Discord.exe
464	Discord.exe
3804	Discord.exe
464	Discord.exe
5792	Discord.exe
3212	Discord.exe
5036	Discord.exe
5792	Discord.exe
5792	Discord.exe
5792	Discord.exe
5792	Discord.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Discord = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\Update.exe\" --processStart Discord.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

Processes:

flow	ioc
205	discord.com
206	discord.com
207	discord.com
208	discord.com
209	discord.com
271	discord.com

Drops file in Windows directory 16 IoCs

Processes:

Discord.exeDiscord.exeDiscord.exeDiscord.exe

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_url_fetcher_2964_1424980111\neifaoindggfcjicffkgpmnlppeffabd_1.0.2738.0_win64_kj4dp5kifwxbdodqls7e5nzhtm.crx3	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2964_1440090406\manifest.fingerprint	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2964_1400243954\_metadata\verified_contents.json	Discord.exe
File opened for modification	C:\Windows\SystemTemp	Discord.exe
File opened for modification	C:\Windows\SystemTemp	Discord.exe
File opened for modification	C:\Windows\SystemTemp	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2964_1400243954\_platform_specific\win_x64\widevinecdm.dll.sig	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2964_1400243954\_platform_specific\win_x64\widevinecdm.dll	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2964_1400243954\manifest.fingerprint	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2964_1440090406\Google.Widevine.CDM.dll	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2964_1440090406\manifest.json	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2964_1440090406\_metadata\verified_contents.json	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2964_1400243954\LICENSE	Discord.exe
File created	C:\Windows\SystemTemp\chrome_url_fetcher_2964_514325241\oimompecagnajdejgnnjijobebaeigek_4.10.2830.0_win64_dldxogwi36sxwpr57ta4lg57z4.crx3	Discord.exe
File opened for modification	C:\Windows\SystemTemp	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2964_1400243954\manifest.json	Discord.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

firefox.exe

description	ioc	Process
File created	C:\Users\Admin\Downloads\DiscordSetup.exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Update.exeUpdate.exeUpdate.exebuilder.exeDiscordSetup.exeDiscordSetup.exeUpdate.exeUpdate.exebuilder.exebuilder.exeNOTEPAD.EXEUpdate.exeDiscordSetup.exeUpdate.exeUpdate.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe

Checks processor information in registry 2 TTPs 32 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exeDiscord.exefirefox.exefirefox.exefirefox.exefirefox.exeEXCEL.EXE

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 22 IoCs

Processes:

DiscordSetup.exereg.exereg.exereg.exereg.exereg.exeOpenWith.exereg.exereg.exereg.exeOpenWith.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Local Settings	DiscordSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Discord\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-1.0.9172\\Discord.exe\",-1"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Discord\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-1.0.9172\\Discord.exe\" --url -- \"%1\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Discord\ = "URL:Discord Protocol"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Discord\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Discord	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Discord\URL Protocol	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Discord\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-1.0.9172\\Discord.exe\",-1"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Discord	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Discord\URL Protocol	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Discord\DefaultIcon	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Discord	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Discord\shell	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Discord\ = "URL:Discord Protocol"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Discord\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Discord	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Discord\shell\open	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Discord	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Discord\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Discord\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-1.0.9172\\Discord.exe\" --url -- \"%1\""	reg.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	Process
1664	reg.exe
3208	reg.exe
2136	reg.exe
3760	reg.exe
5088	reg.exe
2924	reg.exe
6076	reg.exe
2968	reg.exe
2224	reg.exe

NTFS ADS 1 IoCs

Processes:

firefox.exe

description	ioc	Process
File created	C:\Users\Admin\Downloads\DiscordSetup.exe:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
2372	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
4788	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7zFM.exe

pid	Process
3188	7zFM.exe
3188	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid	Process
3188	7zFM.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

Processes:

7zFM.exefirefox.exefirefox.exeUpdate.exeUpdate.exeNOTEPAD.EXEUpdate.exeUpdate.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exe

description	pid	Process
Token: SeRestorePrivilege	3188	7zFM.exe
Token: 35	3188	7zFM.exe
Token: SeSecurityPrivilege	3188	7zFM.exe
Token: SeSecurityPrivilege	3188	7zFM.exe
Token: SeSecurityPrivilege	3188	7zFM.exe
Token: SeSecurityPrivilege	3188	7zFM.exe
Token: SeDebugPrivilege	2548	firefox.exe
Token: SeDebugPrivilege	2548	firefox.exe
Token: SeDebugPrivilege	2548	firefox.exe
Token: SeDebugPrivilege	2604	firefox.exe
Token: SeDebugPrivilege	2604	firefox.exe
Token: SeDebugPrivilege	5344	Update.exe
Token: SeDebugPrivilege	5344	Update.exe
Token: SeDebugPrivilege	5344	Update.exe
Token: SeDebugPrivilege	6092	Update.exe
Token: SeDebugPrivilege	6092	Update.exe
Token: SeDebugPrivilege	6092	Update.exe
Token: SeDebugPrivilege	2372	NOTEPAD.EXE
Token: SeDebugPrivilege	5892	Update.exe
Token: SeDebugPrivilege	5892	Update.exe
Token: SeDebugPrivilege	5892	Update.exe
Token: SeDebugPrivilege	3212	Update.exe
Token: SeDebugPrivilege	3212	Update.exe
Token: SeDebugPrivilege	3212	Update.exe
Token: SeDebugPrivilege	3212	Update.exe
Token: SeDebugPrivilege	3212	Update.exe
Token: SeShutdownPrivilege	1036	Discord.exe
Token: SeCreatePagefilePrivilege	1036	Discord.exe
Token: SeDebugPrivilege	3212	Update.exe
Token: SeDebugPrivilege	3212	Update.exe
Token: SeDebugPrivilege	3212	Update.exe
Token: SeDebugPrivilege	3212	Update.exe
Token: SeShutdownPrivilege	2964	Discord.exe
Token: SeCreatePagefilePrivilege	2964	Discord.exe
Token: SeShutdownPrivilege	2964	Discord.exe
Token: SeCreatePagefilePrivilege	2964	Discord.exe
Token: SeShutdownPrivilege	2964	Discord.exe
Token: SeCreatePagefilePrivilege	2964	Discord.exe
Token: SeDebugPrivilege	2604	firefox.exe
Token: SeDebugPrivilege	2604	firefox.exe
Token: SeDebugPrivilege	2604	firefox.exe
Token: SeShutdownPrivilege	3376	Discord.exe
Token: SeCreatePagefilePrivilege	3376	Discord.exe
Token: SeShutdownPrivilege	3376	Discord.exe
Token: SeCreatePagefilePrivilege	3376	Discord.exe
Token: SeShutdownPrivilege	3376	Discord.exe
Token: SeCreatePagefilePrivilege	3376	Discord.exe
Token: SeShutdownPrivilege	3376	Discord.exe
Token: SeCreatePagefilePrivilege	3376	Discord.exe
Token: SeShutdownPrivilege	5488	Discord.exe
Token: SeCreatePagefilePrivilege	5488	Discord.exe
Token: SeShutdownPrivilege	5488	Discord.exe
Token: SeCreatePagefilePrivilege	5488	Discord.exe
Token: SeShutdownPrivilege	5488	Discord.exe
Token: SeCreatePagefilePrivilege	5488	Discord.exe
Token: SeShutdownPrivilege	464	Discord.exe
Token: SeCreatePagefilePrivilege	464	Discord.exe
Token: SeShutdownPrivilege	464	Discord.exe
Token: SeCreatePagefilePrivilege	464	Discord.exe
Token: SeDebugPrivilege	2604	firefox.exe
Token: SeDebugPrivilege	2604	firefox.exe

Suspicious use of FindShellTrayWindow 47 IoCs

Processes:

7zFM.exefirefox.exefirefox.exeUpdate.exeUpdate.exeUpdate.exe

pid	Process
3188	7zFM.exe
3188	7zFM.exe
3188	7zFM.exe
3188	7zFM.exe
3188	7zFM.exe
3188	7zFM.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
5344	Update.exe
6092	Update.exe
5892	Update.exe

Suspicious use of SendNotifyMessage 36 IoCs

Processes:

firefox.exefirefox.exe

pid	Process
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe

Suspicious use of SetWindowsHookEx 42 IoCs

Processes:

OpenWith.exefirefox.exeOpenWith.exeEXCEL.EXEfirefox.exe

pid	Process
2392	OpenWith.exe
2392	OpenWith.exe
2392	OpenWith.exe
2392	OpenWith.exe
2392	OpenWith.exe
2392	OpenWith.exe
2392	OpenWith.exe
2392	OpenWith.exe
2392	OpenWith.exe
2392	OpenWith.exe
2392	OpenWith.exe
2392	OpenWith.exe
2392	OpenWith.exe
2392	OpenWith.exe
2392	OpenWith.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2392	OpenWith.exe
4788	EXCEL.EXE
4788	EXCEL.EXE
4788	EXCEL.EXE
4788	EXCEL.EXE
4788	EXCEL.EXE
4788	EXCEL.EXE
4788	EXCEL.EXE
4788	EXCEL.EXE
4788	EXCEL.EXE
4788	EXCEL.EXE
4788	EXCEL.EXE
4788	EXCEL.EXE
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe
2604	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7zFM.exeOpenWith.exefirefox.exefirefox.exe

description	pid	Process	procid_target
PID 3188 wrote to memory of 2084	3188	7zFM.exe	89
PID 3188 wrote to memory of 2084	3188	7zFM.exe	89
PID 3188 wrote to memory of 2084	3188	7zFM.exe	89
PID 2392 wrote to memory of 4476	2392	OpenWith.exe	98
PID 2392 wrote to memory of 4476	2392	OpenWith.exe	98
PID 4476 wrote to memory of 2548	4476	firefox.exe	99
PID 4476 wrote to memory of 2548	4476	firefox.exe	99
PID 4476 wrote to memory of 2548	4476	firefox.exe	99
PID 4476 wrote to memory of 2548	4476	firefox.exe	99
PID 4476 wrote to memory of 2548	4476	firefox.exe	99
PID 4476 wrote to memory of 2548	4476	firefox.exe	99
PID 4476 wrote to memory of 2548	4476	firefox.exe	99
PID 4476 wrote to memory of 2548	4476	firefox.exe	99
PID 4476 wrote to memory of 2548	4476	firefox.exe	99
PID 4476 wrote to memory of 2548	4476	firefox.exe	99
PID 4476 wrote to memory of 2548	4476	firefox.exe	99
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 4136	2548	firefox.exe	100
PID 2548 wrote to memory of 2896	2548	firefox.exe	101
PID 2548 wrote to memory of 2896	2548	firefox.exe	101
PID 2548 wrote to memory of 2896	2548	firefox.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\w.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Users\Admin\AppData\Local\Temp\7zO47CD2A08\builder.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO47CD2A08\builder.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2084

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\MTE3NzIyNzU5NjQ4MDY0MzA5Mg GgUtay DoJsOOKRElteARhE.txt
1⤵
PID:2844

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\MTE3NzIyNzU5NjQ4MDY0MzA5Mg GgUtay DoJsOOKRElteARhE.txt
1⤵
PID:3628

C:\Users\Admin\Desktop\builder.exe
"C:\Users\Admin\Desktop\builder.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3304

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\MTE3NzIyNzU5NjQ4MDY0MzA5Mg GgUtay DoJsOOKRElteARhE.txt
1⤵
PID:1760

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\Obekräftade 445796.crdownload"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\Obekräftade 445796.crdownload"
    3⤵
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1896 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {72cb5245-5229-487f-b29a-bac558c3365b} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" gpu
      4⤵
      PID:4136
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2400 -prefsLen 24601 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72c9c010-15d5-4dfa-befe-eebbfeb86a18} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" socket
      4⤵
      Checks processor information in registry
      PID:2896
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3076 -childID 1 -isForBrowser -prefsHandle 3296 -prefMapHandle 3304 -prefsLen 24742 -prefMapSize 244658 -jsInitHandle 1108 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e7e3b9d-bb62-425a-ad2d-920b5d3fc93d} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" tab
      4⤵
      PID:4004
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3840 -childID 2 -isForBrowser -prefsHandle 3832 -prefMapHandle 3828 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1108 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3df5a95b-e2af-4c8f-88a6-3c2d0cb732a7} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" tab
      4⤵
      PID:1580
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5144 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5112 -prefMapHandle 5016 -prefsLen 33111 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e193766-3280-476d-83fe-163e8cb546b5} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" utility
      4⤵
      Checks processor information in registry
      PID:3600
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5556 -childID 3 -isForBrowser -prefsHandle 5440 -prefMapHandle 5504 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1108 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03ec3571-0b16-47b2-a2f0-b364a440f2d6} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" tab
      4⤵
      PID:188
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5668 -childID 4 -isForBrowser -prefsHandle 5720 -prefMapHandle 5728 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1108 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d67926d-91a3-4e97-8092-964efad13b9b} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" tab
      4⤵
      PID:3040
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5876 -childID 5 -isForBrowser -prefsHandle 5884 -prefMapHandle 5888 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1108 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29e78b7d-9d39-4e26-8462-cfa9afa8eb9b} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" tab
      4⤵
      PID:1308

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2392

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\InvokeUninstall.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4788

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3192
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1928 -parentBuildID 20240401114208 -prefsHandle 1856 -prefMapHandle 1836 -prefsLen 27594 -prefMapSize 244694 -appDir "C:\Program Files\Mozilla Firefox\browser" - {76e7675a-b2be-48a2-94ad-16aac09fdf39} 2604 "\\.\pipe\gecko-crash-server-pipe.2604" gpu
    3⤵
    PID:3664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20240401114208 -prefsHandle 2252 -prefMapHandle 2248 -prefsLen 27594 -prefMapSize 244694 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b5cd4a0-393c-4e6e-a7bb-85bb1e5510a5} 2604 "\\.\pipe\gecko-crash-server-pipe.2604" socket
    3⤵
    PID:748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3228 -childID 1 -isForBrowser -prefsHandle 3096 -prefMapHandle 3300 -prefsLen 28093 -prefMapSize 244694 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {334148bf-5a4f-4cc0-90a7-01695aca8f5d} 2604 "\\.\pipe\gecko-crash-server-pipe.2604" tab
    3⤵
    PID:2896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3760 -childID 2 -isForBrowser -prefsHandle 3772 -prefMapHandle 3768 -prefsLen 33326 -prefMapSize 244694 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da871aa2-00b7-47b1-8784-fffb16c71c07} 2604 "\\.\pipe\gecko-crash-server-pipe.2604" tab
    3⤵
    PID:2644
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4828 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4876 -prefMapHandle 4872 -prefsLen 33380 -prefMapSize 244694 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d033fb6a-e5ee-4782-aa0c-b0c2f0cb77b1} 2604 "\\.\pipe\gecko-crash-server-pipe.2604" utility
    3⤵
    - Checks processor information in registry
    PID:2468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5180 -childID 3 -isForBrowser -prefsHandle 5084 -prefMapHandle 5172 -prefsLen 27366 -prefMapSize 244694 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3227df49-bcd4-4456-b3e4-6262c7b29a15} 2604 "\\.\pipe\gecko-crash-server-pipe.2604" tab
    3⤵
    PID:5376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5140 -childID 4 -isForBrowser -prefsHandle 5436 -prefMapHandle 5432 -prefsLen 27366 -prefMapSize 244694 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3133983-41be-4cfb-bb7f-d2aecbf602e8} 2604 "\\.\pipe\gecko-crash-server-pipe.2604" tab
    3⤵
    PID:5432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5584 -childID 5 -isForBrowser -prefsHandle 5512 -prefMapHandle 5516 -prefsLen 27366 -prefMapSize 244694 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04a4d87f-4cb0-4c1b-b71f-1393fb85ddc8} 2604 "\\.\pipe\gecko-crash-server-pipe.2604" tab
    3⤵
    PID:5548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6008 -childID 6 -isForBrowser -prefsHandle 6020 -prefMapHandle 6016 -prefsLen 27366 -prefMapSize 244694 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffc6c46d-27fa-42fb-9656-44d8040b2264} 2604 "\\.\pipe\gecko-crash-server-pipe.2604" tab
    3⤵
    PID:6028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4620 -parentBuildID 20240401114208 -prefsHandle 3740 -prefMapHandle 3748 -prefsLen 34555 -prefMapSize 244694 -appDir "C:\Program Files\Mozilla Firefox\browser" - {47e17e5b-cafa-4cc7-aade-8bdd80f08e3b} 2604 "\\.\pipe\gecko-crash-server-pipe.2604" rdd
    3⤵
    PID:456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6148 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 4084 -prefMapHandle 3752 -prefsLen 34555 -prefMapSize 244694 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0bc9de82-8961-45b0-b264-10dd3389368d} 2604 "\\.\pipe\gecko-crash-server-pipe.2604" utility
    3⤵
    - Checks processor information in registry
    PID:992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3740 -childID 7 -isForBrowser -prefsHandle 6520 -prefMapHandle 6516 -prefsLen 28153 -prefMapSize 244694 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f76a51f-517b-4447-836c-fbc3f0c9f1cd} 2604 "\\.\pipe\gecko-crash-server-pipe.2604" tab
    3⤵
    PID:2016
- - C:\Users\Admin\Downloads\DiscordSetup.exe
    "C:\Users\Admin\Downloads\DiscordSetup.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5984
  - - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
      "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:6092
- - C:\Users\Admin\Downloads\DiscordSetup.exe
    "C:\Users\Admin\Downloads\DiscordSetup.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2136
  - - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
      "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:5344
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\SquirrelTemp\SquirrelSetup.log
      4⤵
      System Location Discovery: System Language Discovery
      Opens file in notepad (likely ransom note)
      Suspicious use of AdjustPrivilegeToken
      PID:2372
- - C:\Users\Admin\Downloads\DiscordSetup.exe
    "C:\Users\Admin\Downloads\DiscordSetup.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1316
  - - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
      "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:5892
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe
        
        "C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe" --squirrel-install 1.0.9172
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
      - C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe
        
        C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.9172 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=32.2.2 --initial-client-data=0x518,0x51c,0x520,0x50c,0x524,0x7ff61e0b2bb0,0x7ff61e0b2bbc,0x7ff61e0b2bc8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5632
      - C:\Users\Admin\AppData\Local\Discord\Update.exe
        
        C:\Users\Admin\AppData\Local\Discord\Update.exe --createShortcut Discord.exe --setupIcon C:\Users\Admin\AppData\Local\Discord\app.ico
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3212
      - C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe
        
        "C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1948,i,7950430270064973166,6140950855113192735,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1940 /prefetch:2
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5036
      - C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe
        
        "C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --field-trial-handle=2136,i,7950430270064973166,6140950855113192735,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2132 /prefetch:3
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4344
      - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d "\"C:\Users\Admin\AppData\Local\Discord\Update.exe\" --processStart Discord.exe" /f
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:6076
      - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f
        6⤵
        Modifies registry class
        Modifies registry key
        
        PID:2968
      - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f
        6⤵
        Modifies registry class
        Modifies registry key
        
        PID:2224
      - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe\",-1" /f
        6⤵
        Modifies registry class
        Modifies registry key
        
        PID:1664
      - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe\" --url -- \"%1\"" /f
        6⤵
        Modifies registry class
        Modifies registry key
        
        PID:3760

C:\Users\Admin\AppData\Local\Discord\Update.exe
"C:\Users\Admin\AppData\Local\Discord\Update.exe" --processStart Discord.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4520
- C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe
  "C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe
    C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.9172 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=32.2.2 --initial-client-data=0x538,0x53c,0x540,0x52c,0x544,0x7ff61e0b2bb0,0x7ff61e0b2bbc,0x7ff61e0b2bc8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5328
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1968,i,9498381486340105882,7085050133677942392,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1960 /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2244
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --field-trial-handle=2252,i,9498381486340105882,7085050133677942392,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2248 /prefetch:3
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1996
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f
    3⤵
    - Modifies registry class
    - Modifies registry key
    PID:3208
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2908,i,9498381486340105882,7085050133677942392,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2904 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5816
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f
    3⤵
    - Modifies registry class
    - Modifies registry key
    PID:5088
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe\",-1" /f
    3⤵
    - Modifies registry class
    - Modifies registry key
    PID:2136
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe\" --url -- \"%1\"" /f
    3⤵
    - Modifies registry class
    - Modifies registry key
    PID:2924
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --field-trial-handle=4260,i,9498381486340105882,7085050133677942392,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4256 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5488
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --field-trial-handle=4276,i,9498381486340105882,7085050133677942392,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3200 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4856

C:\Users\Admin\AppData\Local\Discord\Update.exe
"C:\Users\Admin\AppData\Local\Discord\Update.exe" --processStart Discord.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5508
- C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe
  "C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3376
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe
    C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.9172 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=32.2.2 --initial-client-data=0x518,0x51c,0x520,0x50c,0x524,0x7ff61e0b2bb0,0x7ff61e0b2bbc,0x7ff61e0b2bc8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5192
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1972,i,13208659711879761127,1136442348229243171,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1964 /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4856
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --field-trial-handle=2212,i,13208659711879761127,1136442348229243171,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:3
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:6140
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2652,i,13208659711879761127,1136442348229243171,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2648 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:844

C:\Users\Admin\Desktop\builder.exe
"C:\Users\Admin\Desktop\builder.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4976

C:\Users\Admin\AppData\Local\Discord\Update.exe
"C:\Users\Admin\AppData\Local\Discord\Update.exe" --processStart Discord.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:220
- C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe
  "C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:5488
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe
    C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.9172 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=32.2.2 --initial-client-data=0x518,0x51c,0x520,0x50c,0x524,0x7ff61e0b2bb0,0x7ff61e0b2bbc,0x7ff61e0b2bc8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2440
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2232,i,1491322145573697454,3691542230322285124,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2224 /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5560
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --field-trial-handle=2416,i,1491322145573697454,3691542230322285124,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2308 /prefetch:3
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:6116
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2616,i,1491322145573697454,3691542230322285124,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2612 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2588

C:\Users\Admin\AppData\Local\Discord\Update.exe
"C:\Users\Admin\AppData\Local\Discord\Update.exe" --processStart Discord.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5884
- C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe
  "C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:464
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe
    C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.9172 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=32.2.2 --initial-client-data=0x51c,0x520,0x524,0x510,0x528,0x7ff61e0b2bb0,0x7ff61e0b2bbc,0x7ff61e0b2bc8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3804
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1988,i,18301095732312802367,12083082178751524157,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1980 /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5792
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --field-trial-handle=2296,i,18301095732312802367,12083082178751524157,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2288 /prefetch:3
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3212
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2540,i,18301095732312802367,12083082178751524157,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2536 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\Discord.exe.sig

Filesize
1KB

MD5
affff7f0e0b116b9221259aa445fc8ce

SHA1
7d9240df96880443f1d398c81da6e75f9a4e3b9c

SHA256
7a5e48c15e09d8e2ae011327b11173eb0ea0b27b8a752a62ba616d610e3d1045

SHA512
5d1db91d122b87e7e1a9a3c14a6558135a8bb1fbcc88cf4bce2839394af1cf6c60c1bc0259f7711637521ff7a6075e953cab138ae38a424160f337bc532a949e

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\d3dcompiler_47.dll

Filesize
4.5MB

MD5
58b825ee07c40b7e8a9ce930ff212e04

SHA1
af94d34221c19458c0da1ee98ab10ecad2d4c2b9

SHA256
3e64d99cde651491afb4cbdfbb2ba5fda38c7e70b211cf8d3f022b8cfee8f9b8

SHA512
a3c051461a633ea912f8a09c27776d468f9c3f075345af97cf3c5d35b570f447e3ac9c01ba22f5c8220672b85d32acfb6b811044c663afe9de8c2e8678e3a592

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\discord_wer.dll

Filesize
444KB

MD5
c967d6fa6eb15bed7788c344726fc6b4

SHA1
a9eebcb569dc2ddd0a4239d9fb3be1fb834fabc4

SHA256
eed9715eb68fd97f26a312b0ef86d6eee48adddb52a68527fcc895e7e162343f

SHA512
415e286d883aecb96c17e75440716764d418170db0a42226e9b0bab51e6aefd46be34d32553264badb583850e89aef9b1d238a0df8cd74745835b49de6ae3be0

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\ffmpeg.dll

Filesize
4.2MB

MD5
fb99c35cce8c52a0d705b4eb3fcb9b9d

SHA1
789493972550be8f94328f18689b837c4c91b8d8

SHA256
b8b820e36b209668c6c93fd21727a109c333c225388064486ba59a2fd1378748

SHA512
6176fcf1410242fad4e188027d6017b373aabfe367d932f58cad11dc887b28440fe8b15b8f4014447f21e93d74c403542e82915a83f1153d0c307409281e914f

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\icudtl.dat

Filesize
10.0MB

MD5
ffd67c1e24cb35dc109a24024b1ba7ec

SHA1
99f545bc396878c7a53e98a79017d9531af7c1f5

SHA256
9ae98c06cbb0ea43c5cd6b5725310c008c65e46072421a1118cb88e1de9a8b92

SHA512
e1a865e685d2d3bacd0916d4238a79462519d887feb273a251120bb6af2b4481d025f3b21ce9a1a95a49371a0aa3ecf072175ba756974e831dbfde1f0feaeb79

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\installer.db

Filesize
20KB

MD5
baadf4d328f23a951a718d12dc8ea14f

SHA1
62af802ffe39b94335a32ee34282f531928f1450

SHA256
37d2a4dcbd5096db62c69579fb10ab0b59c69af7316edac209c212b3b6be55e8

SHA512
f0206fbe660822c61e45ee23b50705d669165ffc954ae5a0b203ad77bd7d71e50920c1b8a69317a431e946c0839e8b59e49170cae21b70adbf26881740462704

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\libEGL.dll

Filesize
479KB

MD5
f0744eac4a0e704f5e0103e6aaeca280

SHA1
38a548c566e2ac6beb70dbecc908f9edfd7f434e

SHA256
c235b94f41b501734575b5f060cac43f6ffec9a822a02bbbb963a1ad925bea7d

SHA512
a32f89c43522eec16ae0879e8168ac01df2601a242e61419a958296aa492f886cff7b408fe83592b48d06779d9b97764c4cf6aed84be1ed0dadcea831b8f49f8

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\libGLESv2.dll

Filesize
8.0MB

MD5
352bdb960d5a031aec6ecc0415a4b895

SHA1
fa8d34665c186e88f92b135ea0231238c71384d3

SHA256
30e0b81e4e5b1a2e8d7918e5c76c6ca9c7ef661bb2df6735c638b4cfe04e28d8

SHA512
10dae2de8f6d810f74a1ca7c3530c3d8d224fe079da37a56bf118e7f3f9e9dadb010f2aa7ff299155d854eac7f50e875b1b2ca3b10478b32384719acb439a8e6

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\resources.pak

Filesize
5.2MB

MD5
67bdb0b49deeddc7ff6b20b1d0832b34

SHA1
e31638ce61d6557b22d720512c09fee5826cfba8

SHA256
c86ecb841e248270a5456589d953209ace93cd253b336d57447e07e66d7f8a44

SHA512
72e1a26df130627ed08de365b592052e73098f6b2ba8fe0c12ebbe8564b2b657254c645506f9b653dfc121930cc37959b64ee1208f7e8e09b388f99e48d72f9e

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\snapshot_blob.bin

Filesize
306KB

MD5
41a4e7070733f20097218576f6484fa9

SHA1
495a36f4d85946a8e95d8f0ba85c8b2a400e1670

SHA256
318c99695b76079bc82378d5bf38dc9f8bc2d28fe4fbb487a1eda03170af233e

SHA512
e644a726d26d887305018f337c91db8d7f207f3a9d75e71f531cd58e62fbeb0a4b2ffe6d14b4e16c8b791ca05d249573ea04964df46f597bd295eb17c2b493df

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\updater.node

Filesize
4.3MB

MD5
68507fd7898ed2c3c75f3d792f43b8d1

SHA1
5d6d86f1b9ce6500c46f97153ef86ba23dee1856

SHA256
dcb70b99e97c1edb6f7dd5cea8f792d3d0e96819692e229e3761f7bd1145149c

SHA512
40470cb3d79e578021f74f92a6dd32e6e60a7b2614b82c6cc2e3dbb1e43c64adb572afabb66805e3fe70c759a0a4a5eafd8b836220974d3602ea194336dd3f2a

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\v8_context_snapshot.bin

Filesize
650KB

MD5
c3048304913b58e1f8e0df23f15bc864

SHA1
241013fabc2e905dbcd8f02af4d008676db421b6

SHA256
8ac45d2ee2705bab53e3ff9564936455301ff722c3b0af0680fabb83d3c27bae

SHA512
a9a1e2b3af0fee8eafede606594b4f934ee4f0c34ed288b6366897cd42042a1ce3fa9d55029f9a87e6e692ae7f7d5e83d007bcb8e6bd685d84ef0df0fdffa9e1

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\vk_swiftshader.dll

Filesize
5.2MB

MD5
a7deb9d913db3507e04e75e765a7a0db

SHA1
4575051db36c2c68cda7f67836fd9baf7bedeae0

SHA256
f481f18b22b2a3302c3b029304f7f4d062137db282f39435bdf510eef19063f5

SHA512
dc829ea412b755bd5b03aa49f02b45af7335619620e42ab7a4859acc6a510fb3b1131166308a9defe66868b12c160c4e8d19d61187275cb922edfcd0792dd01d

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9172\vulkan-1.dll

Filesize
880KB

MD5
13e6e6ae3d25b2b3ee218a1b00c5483c

SHA1
b4b8de825167fc4dacf6634ee3a0eec8c8c6091a

SHA256
af0c1fd2506fb0834974a9767238319304010e67b513b19f045b5df921498d5e

SHA512
3360ed7e3e4841649f275c498925e1bdd02ceaa756d7a348f715e71893c89bb521ec4f2246ec7da9a918f801e08cb231001992f5a3608dc8e6b2aef593fb9ed8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Update.exe.log

Filesize
2KB

MD5
5e975ad3f48e5633cd14b5113ca3ab7b

SHA1
42b7647f992980b36ff36c6d20760c5c280a79c9

SHA256
2ee119758721afd4dab0805892beea4d1ee2fbad6a7fda0d6623256b08cd804c

SHA512
3397fb54fdb9ad4c3f51cb3ecd9d89fa5ad582ccbf55c26dc4b289f97584fe5e6e497a31d2a424ac8bde64fb8822a5587aa62b6bc742e4915218174e6cf25cb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\builder.exe.log

Filesize
1KB

MD5
d4416b6bdae28d02f58ee6b2e5d7bbb7

SHA1
27d5896a0bc9b990a408e54a7d2a5a64d71e9e93

SHA256
ac6e8331d48bd24244597a326a3973f4d7b3328ecfec4e765f92c64967041689

SHA512
d86a7900137ec23e2e330a61843d0bc67f3f657a701ae3a8380ed324dcbeab3d26ece8264dfff2c2670e0b2c90fb6715d9959ae08f2ed4f574e45dc84d4e0e6c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\etc817bi.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
012653a3339545cba96402664a7d0e42

SHA1
e56e706834dc76e17ea128a52a6c311a4f6988f3

SHA256
1bfaedfe1474c31f697d94cf55b09cff98e8f03ecb09f5b61b591a2806dbcf5b

SHA512
3a70604e5d2775b887b46aeaaf87e8b7b665283f02b3e03ddf40220ab318a00db5b21efdd8d676031611299c1351f486d4a2b72b2e9f1e7c5a309fa4c306b3bc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\etc817bi.default-release\cache2\entries\02048C6BD7125E4D5D34439922FCB3D203CDBC5C

Filesize
61KB

MD5
75a885fe8dc8fe4340bc80ba39e65b21

SHA1
a0a1397bcb2e39ace684e70644c32d956c248301

SHA256
cabf11ff82351ab7968784834192c786a84dc5de97fbbf686a2c2efb74e7fefa

SHA512
b414166bc75d688612d4b10eed0d7b8b19ae268ec30b41569b5347c4f17662b6cfcd040aa9f57e28a058f4d5a9aa69def1d3d9445559b800bfd598d14115079a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\etc817bi.default-release\cache2\entries\0305BF7FE660AF5F32B4319E4C7EF7A7B70257A3

Filesize
13KB

MD5
374c54f71d99bd7da487515b1b86ad5d

SHA1
1cad3fbb302c766d53cc823eb5d8cfdfec66a4a8

SHA256
5df9636c559f492393499f895ce9181e9ee75381bbaa306b8572bc6d4ad32db5

SHA512
a59bfa2cad994cd5fa531b43318137661248614cf46b7b4352a532bc507837c1270e8ae4802dbcaca4138abafcb498e07a27c7ce63539cb7f35df3de8fa21610

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\etc817bi.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495

Filesize
9KB

MD5
e168a061d91541ad52fe7ed98418c7a9

SHA1
4abdf4aa4359486de876c9d897bab6176656da04

SHA256
8e9311331c1f0bae31d3363d438556588f62a3b576029d6256f4d69d56c9beb3

SHA512
b20b3ac00ac61899904bdab0900d29936f4055fa283b711b87613225d161976c9dc63cbdd9ffe711f1c0e3e9d418f5ad3ede9d27deb12ec2edd52cf1c75ce9eb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\etc817bi.default-release\cache2\entries\37373F56CBD822F5FCF64BA01E1320A0924D8460

Filesize
24KB

MD5
5081a504f80db66f21cd83f8e252aa82

SHA1
c9564a56369efe7d17c6159810b68c410de08e12

SHA256
e3165f25d3c302de797ac9fa29e7c62a8489e315c6f5ce14a4c9f12f69a3ee41

SHA512
7d2c02f4dda6ac7afa6e9bb969e87a3f8712776e755be49a17d85a3b5d28bec2a4b0e9afb3a9fdd16826e9154130234a4bdd05a9eb3e28e296151a200c091aa1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\etc817bi.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
14KB

MD5
d76a0380d4270130e74d450ea838ba2b

SHA1
80ca30e1fb9980a71c5f8e7966784d90bac88819

SHA256
8aaf4091d3a3f69e8a0dab94ba944116af4aa377f9048f1a85deb5e9437d007b

SHA512
aefb8e42939cc603949ec347d782107f7708a5243e6be4d5e8ff86dbcd074bd61fb61038037af47cd5c25b1132b8e60d908086df2c6db98a22b35e0a188e662a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\etc817bi.default-release\cache2\entries\6DD602494FE4EDE4190953FCD85D3D1E413E2327

Filesize
9KB

MD5
3e14fbb0ae5b3329fcc1c3ba87fca319

SHA1
501e9e0f8e54c7f732317f2d833cbc9e4610e054

SHA256
3bab9229d1d336dd2ecdeffd7e01d4e5219c1d1a34b808999f748f22f817e607

SHA512
ad5651b30d3ff7937c8e1d5a5588fca141d70bdc685b34dae3f5e635544d6ea798f8f125d5ce451c61664160d2fcb3d926fa0873b69bb0a74ba572d20dfe62cc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\etc817bi.default-release\cache2\entries\7BFCF32544F467F973AF267DF4EB4842EDED0C1F

Filesize
16KB

MD5
177423acabf45577fb933a0d698808f4

SHA1
eb5652be6307f9cba3f1bbe3ee2d01abd279811f

SHA256
e13327a3d0a5785a9202452392db5b3346135030fedf5d7be017589e34d46190

SHA512
3de0156c2fe560ba435aaabbd2615da6f08ccaf65520d16fa234f03de20e2ef4296e20f2468f34ce3c60d231b4935888e4da65a1327b2ccc9a6f84362c5f24f3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\etc817bi.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308

Filesize
9KB

MD5
176d9e529e7ae3cb8b1a5bd9e6ba8d6c

SHA1
80d536fd1722f660aefefa270445ff55d4ee8d5a

SHA256
84122fc71afd72e44f05f403ee5993face8c6373dc7e67794b6f776ffe953cb5

SHA512
98304e53095074ede1da524c0005a81b6cc7d2e7751a667b12519130246aeb102c64fa1b7b330c06a8f37ffce332437f9255bf9a7a68a4354c19fdf6c34e5417

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\etc817bi.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\etc817bi.default-release\startupCache\scriptCache-child.bin

Filesize
479KB

MD5
0855c7d08fec744aecdba12f3d841475

SHA1
ccbb699f95e0facee98ba71f59b8a654111df21a

SHA256
2a7474f3e141c135ae792c015f8a9fbd8313ab53ac8c69f3bac65ab8f945adf5

SHA512
c6ac5080a555adfcab4f09b0a011095d190ffe27af60c22520b075a8cc8d20ba26df76927aae1ad1e2159f4cdcdf05df4514aa8dfc49223970084141a3f81091

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\etc817bi.default-release\startupCache\scriptCache.bin

Filesize
8.9MB

MD5
8e2d2681f63f499c002daa9c1d308b00

SHA1
3479349bead123f049c6d6d30c55e9e191fa74b4

SHA256
5a243345dad07619b0c47cdc00befb438789710e36eb69acbe25540361075fe2

SHA512
8815d2006fce5ae587de348b10d6e2436fa78e033f240516f08d974605785d30e2965f9b2135689b7d7da70d011db442530f28dae7c697f779b4e761945d9890

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\etc817bi.default-release\startupCache\urlCache.bin

Filesize
2KB

MD5
7ad55d323e945d029bff84b1b9a6100a

SHA1
b6a0d7a50ab17d2477ad986c8eac87f0ef8a39e9

SHA256
0ecabff8de53e1ad5759006ed8b8db44347dc202138018003e1f0ac28302d3bf

SHA512
e93801e61a25d7eead188ce49444d880b8b7a72fa02d22978add385e3c1e2aff65637d6a5deaf1a65d43cdaeabb60d1a67a5c54779ff2f6ece334349e403cf5a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\etc817bi.default-release\startupCache\webext.sc.lz4

Filesize
107KB

MD5
64d80e96c4f63cac9999c7f3af42e300

SHA1
84a7f000ee9abcf6ab2871a5b1a28033890dbe81

SHA256
635aff13ee9736051bf87f28f275414b7208420d45c88ba7d0817db23ebbac5f

SHA512
5b64011bfba7093c35a1fb1526c96720ca89a2171f3e45995b303a538968bb7caf1e652b6dc3b1bd5dcb13f651e847c6d6c08ebc5d8e12f84e2f335eb227fb25

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
81B

MD5
068feb84f8431a4f815b8eb47c24872e

SHA1
1c6e9e5f8982b069d6bd808a6eafdf4314b86d24

SHA256
9b16db56c7e14c4cdb22c39f4f8e426fd85fe29bf3f0b67c37a2458401feef66

SHA512
73a7d12788b4c1e593393196dce45a13ed02087c3781709a97fdd6b39bf51c2475d04f14fea3ab3e326f228aec2517eca24d73671b084cf31012728a96dfa289

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\SquirrelSetup.log

Filesize
10KB

MD5
02869d693c9770ce220ab5a887309dac

SHA1
3e57762ea4f3cb9889ed7b3df85771c0a58fdd3a

SHA256
9cdbacf74b56c1d70af608389f03ed62409df1cd5b032da3390ca2efa881986f

SHA512
5ade95441d817f8acbcb7744acd6e0176e0ea30797ad74bea38d979238bc6e71dc69c3b4f534aac6d9ff9627b38a135436bd968d3a979950854306193b6f17dd

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.4MB

MD5
6c8b5aefae84b2a3eea0075e6b2f5cb9

SHA1
a423e69ec32a99f89b1880547da6fab1e8d34aaf

SHA256
29b002ac9c578f790038ddaeabe37121b14975d34a347697ddba0b17381fbab3

SHA512
90fcf6b41484e40df50a01803eb32102c86efa0b5f98781826cfc20b8240efb8221fd3fc72b40fe338a752a1af3857048a89f1f022ca10e93fec0321fe0f78ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO47CD2A08\builder.exe

Filesize
10KB

MD5
4f04f0e1ff050abf6f1696be1e8bb039

SHA1
bebf3088fff4595bfb53aea6af11741946bbd9ce

SHA256
ded51c306ee7e59fa15c42798c80f988f6310ea77ab77de3d12dc01233757cfa

SHA512
94713824b81de323e368fde18679ef8b8f2883378bffd2b7bd2b4e4bd5d48b35c6e71c9f8e9b058ba497db1bd0781807e5b7cecfd540dad611da0986c72b9f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\SquirrelSetup.log

Filesize
90B

MD5
212fce42ece3bc8d35fe98676053ae02

SHA1
cddb5572e9f88a2b889b03ee3089fedeadb9dc52

SHA256
27c408a49271e9a5d8630cdd3a691fb0e547135bdb98d01c4dbfb04dab75f325

SHA512
a1d93ea888ad7c2218aadd9a25ad9c9d4d8f6e1fdbb744f34a52d29fd4428a1079ac3aba7cef96f5dbc3ee90b8ce860846df4bc301acf940bfa60d130814b4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SquirrelSetup.log

Filesize
112B

MD5
4f1f1cce9563d9661ce6e34f55ab5400

SHA1
bea39aa68d9ed6e66689b63b70270a8e2f8a9602

SHA256
f8941ee1123d05ac870766dedfebc7a8275d95044db8879fb5dfa18aaf8d95e1

SHA512
c815c4be4076605b9a72c90d9d0f5b7baa9fd069e9ad6fd45c57806575f6b475fe5c2867e614edb39da18d1782351fad62383eabb42331f855a62c544e2a90fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\tmpzhezun0j.bqm\app-1.0.9172\lib\net45\app.ico

Filesize
278KB

MD5
084f9bc0136f779f82bea88b5c38a358

SHA1
64f210b7888e5474c3aabcb602d895d58929b451

SHA256
dfcea1bea8a924252d507d0316d8cf38efc61cf1314e47dca3eb723f47d5fe43

SHA512
65bccb3e1d4849b61c68716831578300b20dcaf1cbc155512edbc6d73dccbaf6e5495d4f95d089ee496f8e080057b7097a628cc104fa8eaad8da866891d9e3eb

Download Submit
C:\Users\Admin\AppData\Local\tmpzhezun0j.bqm\app-1.0.9172\lib\net45\chrome_100_percent.pak

Filesize
147KB

MD5
3c72d78266a90ed10dc0b0da7fdc6790

SHA1
6690eb15b179c8790e13956527ebbf3d274eef9b

SHA256
14a6a393c60f62df9bc1036e98346cd557e0ae73e8c7552d163fa64da77804d7

SHA512
b1babf1c37b566a5f0e5f84156f7ab59872690ba0bdd51850525f86769bfebc245f83988a3508945cf7617d73cd25e8469228974dd2c38415388b6a378552420

Download Submit
C:\Users\Admin\AppData\Local\tmpzhezun0j.bqm\app-1.0.9172\lib\net45\chrome_200_percent.pak

Filesize
222KB

MD5
3969308aae1dc1c2105bbd25901bcd01

SHA1
a32f3c8341944da75e3eed5ef30602a98ec75b48

SHA256
20c93f2cfd69f3249cdfd46f317b37a9432ecc0de73323d24ecf65ce0f3c1bb6

SHA512
f81ed1890b46f7d9f6096b9ef5daab5b21788952efb5c4dcd6b8fd43e4673a91607c748f31434c84a180d943928d83928037058493e7e9b48c3de1fc8025df7f

Download Submit
C:\Users\Admin\AppData\Local\tmpzhezun0j.bqm\app-1.0.9172\lib\net45\resources\app.asar

Filesize
7.6MB

MD5
6d5a42fcf9a6f5ecdaa5c92a12a8d3ce

SHA1
c3bff67d50c7290996bb02b1db3597c5ae1e2b8d

SHA256
adc6c36b97142a9545d5be67510c4b21678a82ea925d18df64ad4405b3b550d9

SHA512
3457194eda7624c021bfaf41a2d1638fa8205d333384b99fd2a2b24a5f12d09224aa89e33e20a97db0fe60e0e1ac3465f993ce18a7c2f4074421dd4b2119ff12

Download Submit
C:\Users\Admin\AppData\Local\tmpzhezun0j.bqm\app-1.0.9172\lib\net45\resources\bootstrap\manifest.json

Filesize
154B

MD5
391b9425971060df3776632483bdbb56

SHA1
2eba4a5703f8300c861bdbd3bd11d71a2872ddea

SHA256
6593942b06d0c5df41980828f73b0ea170cbcf7bf5d8944041c893e10326e628

SHA512
9edf550134c9e0275516b499df4fe0c7a82e920307dbb9aafbe4154485c6f52c5c7b8dc628c3d14cdc120056edc3048e6a4600c35ec5cd5834604374dc73e771

Download Submit
C:\Users\Admin\AppData\Local\tmpzhezun0j.bqm\app-1.0.9172\lib\net45\resources\build_info.json

Filesize
83B

MD5
1949121cf040b8b38e00a0fcb3dd2cdd

SHA1
3093402d54f5ac6c526ab674d7c59edde73dba4f

SHA256
511fa3b88a1ff5018579e2cd2d6e20e111fde7123bb2f182f9cf32a1ca71f307

SHA512
d763731d39b4bc1179f78980bd947e6562aff95b0ce0d5a2ae297c876fa266e7ff9755b9af36b9bfd0037def54d789d3f31f715a13d62446fa054e049e6e67a2

Download Submit
C:\Users\Admin\AppData\Local\tmpzhezun0j.bqm\app-1.0.9172\locales\af.pak

Filesize
501KB

MD5
7b45380427e70643c7abd3eca13f7f70

SHA1
b80180ef7016f55efe86a71adfd67b9a1b312c3c

SHA256
27f1ef1c854ea965d1265f5458e566f34b46ba4c507fdda4d928dc3bbc3a2d12

SHA512
04b2a138f81a2a50072bf4a9c1ae3b978ee4b2b21603ae58de55c8687f74f63539158e0a9b30331a392236678f2e1e51637210e85baccdd56594596558524135

Download Submit
C:\Users\Admin\AppData\Local\tmpzhezun0j.bqm\app-1.0.9172\locales\am.pak

Filesize
811KB

MD5
b98942cba6e43e5fdec579ff70a4d4db

SHA1
dad4a7b9f8e00dc20fc7d54a528dbc6d47ce4cce

SHA256
a601c8830921f6af161f9e828d86dfae9e0842f28eed54c04d2ac849809b7878

SHA512
80477c3766f317f2757d9b770a123862ef6e6a173f0279551688483f299567fd71742e28ffc24817c9365ca98b8cf9c9661145ab2286557d47f4e1919a55499d

Download Submit
C:\Users\Admin\AppData\Local\tmpzhezun0j.bqm\app-1.0.9172\locales\ar.pak

Filesize
889KB

MD5
541e05b77484d478bd7654e12274c81b

SHA1
2fed70abf6726ce70c1260e7b247ed1fee3c4152

SHA256
b34217500f75111ce79fccecaac4cec16f6395473923a3a6d1a79f6ce355d0e2

SHA512
84b91088edf561fc63c0f54944ea385aa8e49e8c2bd4c805955d0d66cef83bbb2752245159d6fd9cba3467d5efac59c2d4122111725c260b97b22eb48100af36

Download Submit
C:\Users\Admin\AppData\Local\tmpzhezun0j.bqm\app-1.0.9172\locales\bg.pak

Filesize
926KB

MD5
6adfd499d0c7a85d1aaa247f86a6d66b

SHA1
addc491f084a8b3d7e2c7c5bbe885da309e31a2a

SHA256
55b1e30e955c2c073462b6f44ade2ed0628cc99199efb19a11b1f529ab26d624

SHA512
69c01e95243d50d4628dfdaaf3b68ad01ef636545007b67ba62a82f35728302fb6dbbe28ea0792098ab2bb647dab68085114466a993928b118da8fb43c5c2deb

Download Submit
C:\Users\Admin\AppData\Local\tmpzhezun0j.bqm\app-1.0.9172\locales\bn.pak

Filesize
1.2MB

MD5
b1a03e8e4818e6abef97e7741cf7e429

SHA1
4d0720cb108ddf3e8e240fdcf62307b9d5d74cf4

SHA256
e91ecbd5f8638b317d44cab1a225570a9f595bc304c818bd72b2626822c677be

SHA512
fa6350b11894636ec8e0d162d982e7061b79f23bb2e552a4b210b2e8aad51f6f12555d82739ed387504975029655eb53a04781ffaae152f72f48ebecf738b48c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
278B

MD5
597a47ae55d99ff57ed3a7a7b6a58860

SHA1
22ddc02c2756b3cd326ba8338f86965664faa26e

SHA256
328f9570dd0759aa012c61af1e56164ce7a3e18d536b4c85659fa4228038b589

SHA512
07f2526aab611c7c09c9dde167f4931e89fea3960f1f92d3fabdda871d9cf4c57672e337a245b00594f0d02ad0b2c9f45139c1dc37f374866954e4bed90d06a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\285X4DGU71O1B11KAKPS.temp

Filesize
19KB

MD5
e5a6aa63da234afb03e896c38426e796

SHA1
7c0e7ce347e42456d30dd74b390f994ab777ea59

SHA256
79b28c3f713601cc004c453682b67d0492302dc4e2489e599875d0a64775c6ca

SHA512
f0fc93ffdff18c4864b134b6c5ade105048614329964c47858b864ccf7283fc3697786939d44991982187a5847801e7f9b43df8a05222da48a81f4876b252970

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\AlternateServices.bin

Filesize
6KB

MD5
3acb8ae3c5247dbec99a8e22df1edc17

SHA1
32ee716a0bf78e169491a56abc85d928f64226f0

SHA256
a8ed675a1052685918f17ccf5941e93474abd67c855908fbdd97a57c233a4242

SHA512
f5c0e8e4b9d619c1f6bd72092a2cb98ef63459ae90413b7780ae978fc677a8916889384f19d150afa1740e91d8f3f7c19fc8076c592d945014a6664ccd517fb9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\AlternateServices.bin

Filesize
6KB

MD5
08e7f8f2ed3b4c4b1024abb11949d1f8

SHA1
cee2e702dda442cdf20f3b6128692a2e6b481fea

SHA256
3de7f5b4ce01b6622d339df56d545934a93da9acfca9a1dcd9e14fa3628c9f64

SHA512
f71054beb91e659899cf74b1450817042e3f67276173f7d992b3e3e7380464b63de0d8013ba5ff792c8b66603dfc2254541e96e469f3e142829e541ff6f26ad8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\AlternateServices.bin

Filesize
12KB

MD5
aa5a13afa21ed5d62353126cc3565a09

SHA1
33c3bda17dae6c3142a3a2ca2c3ad93a159aeb8f

SHA256
cdbd3d1f54fb8164c22537813416cea29d5cd2a2a9b1243820cc9e9f33f81e2f

SHA512
c8974e386738d95f27c06399d1d2c0591463442e7df6aff0ac12b6aa4d240961e18739f475b9c3ed18badbcd133df48988fc8f89086f9095fd2d77054ffa2dcd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\SiteSecurityServiceState.bin

Filesize
858B

MD5
880443410b28233c1f34af13db161084

SHA1
579f339b7a85674c83cb694235f5a5da74704434

SHA256
8454ee148d6fa9217163b7b658704473d65b6f5838c0c72997c4205d7b8838be

SHA512
02de60249ab8c0da39313d97d0f2bbd9ed8aa53ac834e55e703c66e92f902b4d0d815b8a9f35729437e2e956c3c79136586b9be321caac3dea213e64bb393965

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\bookmarkbackups\bookmarks-2024-12-03_11_QZTX-l8QY2YjjJR0-TbFpg==.jsonlz4

Filesize
1003B

MD5
5162bc93aa3bae67ec12e7a47ea7900c

SHA1
4501f44f1935d490e72b1e769ac271c58fe3f23c

SHA256
d2ccb9bc36dbf01c96204f74c3d9d6777aa3038d2832930e680b71ba739b27d6

SHA512
1be22d3508801d9ee03f31e3a72496de583e061566f789806ba8d47c8e0fcbb81d72a49ee4fd4309e60cd566dd26355a57a491a334d54b60359631212c0361d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\db\data.safe.bin

Filesize
17KB

MD5
809e8419e7a06b21706c0b23764296d0

SHA1
8f4fc59f73cae2c65186c76d64b031b69e5ac3c1

SHA256
93dba2d7ce743215ebb66ea88e78bdd5dfa1badc85edec543cacb328fd68344d

SHA512
4871d8f0bdb0e4b4578181da1d63d8dd29d362032600bb666a20b9d90e5470b8c5330468a2bc3be8184a2dc66b298d6a6ad4e14d6e92868644e02122b2b22cd6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
53114c2ce46256aab7bf619a5ca7d916

SHA1
2a43d46ca16eecbd2ec76e4a9dfd14413c9b4640

SHA256
de24317ded338747c94f41ab5dcda40ece08bf1382d3cf5b477a5dbd30be265d

SHA512
3d01fb435468546f4ffad490e00e95216ae0d905d8498b8701cc51705db47236129e2d818b2ceba14b77529def1700e75a0b6a4843d4579d8415ae64385bc8ac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
96f7487c35f50fcc072ff8628585cba1

SHA1
cad7044771425589aa91677b7f8ea8ba70ad55ff

SHA256
4fdea38cff0362454dc3f0e474410354db7d0adf0b91cbd3194d7cc94250b285

SHA512
eda3c7fee186e95dbce1933995ee11434679dc0a9c730a4b4862303531eb06e02ced8307c5daad21eedc8c8b2300d1872b1f918b34a5f27f8701bcf0ad841317

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
17f94d84145d29d1d34cf6f92fe26847

SHA1
edd13427f77b746f51d42927a6df21f5102f2353

SHA256
ceef43a13c01b7be842005f5ffda1a62a73c6e61197f58da686230c86b42154f

SHA512
4575690e1c0d1948f8351babb68675a6ca89ca61870707cda14eb1291086d6a02073ceb0d0da3c0a2a6bbc8ac16a1e7e0a9c492304c5f7192ee6daceee8d2245

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
1f4d6383b366d081eaf4c6600e1ff4aa

SHA1
5a536371ded72da6e8dc626d2f5076979b016b74

SHA256
78e18ba5d0638436fb2b527a6d2506b85d1719ab4735b0d629e38cc3f34675e8

SHA512
4f847bf71e621ffe147fca4258237513fc89a60744fa4dca1d016d7adb151b8d73f2b9d5a2d3d68e93459f72751db61922ae26f0e29fb0dedaf282f9673a0c07

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
1223df39704c4126872d664067b151f2

SHA1
cc83f311aa62f2264a3679f6e40f187ff811dcd3

SHA256
e703c3911cacd2d9909001ffa92eefc9635f1c3b60a3591f8dc5a1621da5b6fa

SHA512
a17a0a87aecafd9500b7b4d3f8a2350919291908bd65e5f37dab541bc86424398e063dd6e4feced8484acb18086417fdd12eb2d11c3539e0a51f8459e567eac8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\db\data.safe.tmp

Filesize
86KB

MD5
8ae9fc6dbd0103922659b59c06a97d32

SHA1
2622980e4e4142a2468832666eac7dd0e9ecbf15

SHA256
e2590708cbb40df197bb9ad48ead7233dc0a958a5c377758dada4b47506c4afc

SHA512
0a128f4823339cdc1dde1a7957b018d865e231559e565524a66f4e41ae5e2543995aceb546f88d167d12c546b479e4034b8fda90d91bb4eafbea9858ef918b01

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\events\events

Filesize
104B

MD5
defbf00981795a992d85fe5a8925f8af

SHA1
796910412264ffafc35a3402f2fc1d24236a7752

SHA256
db353ec3ecd2bb41dfbe5ed16f68c12da844ff82762b386c8899601d1f61031d

SHA512
d01df9cab58abf22ff765736053f79f42e35153e6984c62a375eb4d184c52f233423bb759a52c8eed249a6625d5b984a575ca4d7bf3a0ed72fc447b547e4f20a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\pending_pings\02e9c456-e658-4b78-bf45-af025e2b1410

Filesize
26KB

MD5
0a650fd5148abd96c8b9e066129e215f

SHA1
fb6ee431b490f241caf8a628135952274e89dcff

SHA256
0303613cb56219172a37ddce33e9afd3610e00490704c95544fc2485389dca87

SHA512
9928451adc920c23a36659d05f8bd75abc958f77ce3b200554c30dd00d749012bcd29a42de1011917876a1bbf1717a6b7a68b6c641158560630c5a23162be631

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\pending_pings\34e9a4ff-3907-41fe-934b-3ad4e3820255

Filesize
905B

MD5
d8bafe6e5d8f68aaf976967292a545b3

SHA1
404b68a0084160213aab990ba5551bb81bdaa774

SHA256
0b45eecb534d98cbcf2e48755c6bcb95de0d84bc3499e48593f93503e02b8fb1

SHA512
e06322105ea5526b7f8f93e377b1a8096a5bd9e4a33b35fdf05e5dde6bc3a5458d4347e0851b9d81e82d4a5737ae177eeb2eb7ea38b30fdefa580155f0e10460

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\pending_pings\c857adf4-c83e-476d-8b2a-2b20868af03a

Filesize
671B

MD5
03179e42fd39ae97ed2383fccb856662

SHA1
0542d17ac42fb2eb906d3684ae6b0ed3f77d5e66

SHA256
d882dd796169ea24c73f1a13a68eef6d8f8fd1d8a8333d85ae11182014e850e4

SHA512
ac351222831d6c6dbca36a9ede164c9ecc8be7453e435147807f474ca7adefec8cefbd0acc599d58246d4371496d6d38640d123785866efd6a59166c65bb25b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\pending_pings\dcdb1c8d-f0e0-499c-9668-104bc0c247bd

Filesize
659B

MD5
8fd25a15618745c0a675f01a23c7f50f

SHA1
ea557359979b93bcada94adc24a17aec964114cd

SHA256
ab53ef83cf7c02c4aca4a6af6fdfeab91294b7091445ca843daae81fc377c421

SHA512
c1a76370961623c1acf898bdc5b56db7342fd84712efeb65a3380e3f9f72f65b891efa4240097ef499ee177fc4acf7b98bb7beb257aa1cf1bc1e39d1098a94fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\pending_pings\f6e874b0-95a9-4007-bbff-16a820a77cf5

Filesize
982B

MD5
dd5fc6a06390ab7f5a5eb6fd28a823e9

SHA1
2d358b419f1f64c9ad97bf529dc2a5daf3978ec6

SHA256
4273a72881ad10612a64292d5bdee98d928ce9934a2c300e4bbf3ad00318ae7d

SHA512
e3a5746a3b4ece1a7bb06bab12a40e11c365576a4d28b749a5393363097c19810912169538fc84fef3047a07e0e9b25b97a3843d9af3bfb9c355bacf3405e277

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\places.sqlite

Filesize
5.0MB

MD5
85dfb2da62409abefb1a0d89188708f7

SHA1
537ef62053ef0496c1fc940ef9b6bd7a94208cd4

SHA256
ab9d489dc06683e8cdd37afba186233c55c7292f4eceecdf207bc0dcd8996824

SHA512
0d92eb65393c228b831bd2126d97312aa031b858e5723392c8a7b5f053ba2871e94801a447165d60074379ab896a1078d9b65f1336966aec5f7c203ba0331851

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\prefs-1.js

Filesize
10KB

MD5
9990a20ce33a4caf89e58c0b86d22513

SHA1
f96466d3bfb76ffd76413f1f11900221eacf4ab0

SHA256
e7eea8ca9d5f804ae5fada6075e81fadbdd6acfd47290248e725e3d06678052d

SHA512
2c3917741c0f1bd32b61ee210642d97a80d617594105541e97972cdbf57cc450c65a7be78706f2542b35c679397691dab4887d84478c5e163cc850636188c114

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\prefs-1.js

Filesize
11KB

MD5
9394b03c0866d6747901d511cdbeeefd

SHA1
04992b68e9cfc8dd1f036ec34014a4fa37f32d7c

SHA256
913f31c2e3afb7dafc8876f53428a289cf166e72be021805cd2f708ad215b19f

SHA512
d16ff92bc6dcc7a3b4c5c2cac4581c47d272cf566d07707983d046f0d1ccdee6bd4acb6d1b5698f0c2c02e5d4a787e59c3eabcf6e67bba0fc10066101bf76bd5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\prefs-1.js

Filesize
12KB

MD5
84ad347adb079f1c36e4a6618a8ec893

SHA1
7a3b63224bf22f1891a0c00910ba7886fff6e1c5

SHA256
dada3cadef98a703e29060078f40cd23f30c6f5690a5749d3740b49579b8ad59

SHA512
251cd1ce755259bb031672a179c2c57fbc86e6af0014a35cf685cb29d7ff5e13789dbbd03a1551aac6e35cad664721bd533e4723a3904c83f0da19b6c42f7f09

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\prefs-1.js

Filesize
10KB

MD5
39c8438d1b524ae495b512cd7635435d

SHA1
7ae85ba5cd14e626df89fa44f88ffcaa2e006685

SHA256
84d4a6eaca08235a360e8423147cec4d08f0d18713a6d1ffdb443b8f30ed6894

SHA512
fc0a9b092703a620748567b19be8c1de13e968f1248658390507980d4dd55e29b41a05a09a0a43c22d3a23a56e4d0f18a59fd26b325863b1057b16eadc730ab2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\prefs.js

Filesize
10KB

MD5
a1838b6cc54832b43f0e4b40e445db05

SHA1
7b11105f217cd5846f3e02eaa2572ebd415cf360

SHA256
1df4696aec895601bb8169df790d311e973495c1ab672f5150caaef2d05fb24b

SHA512
0024c49ba9dd0dc9540a0f4896102d827327c943bbfc36ecf2abc285560b992b0f8dbdc7f2620b752014f391cb68cb5d5a988249287e8fc1f4d5f606bf067f56

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\prefs.js

Filesize
10KB

MD5
cacaecf54b809570f8ef6772c3621a66

SHA1
593dd3855db2e935d1b7a1addea1051c4a1451e0

SHA256
08fd2a26baeaec928193c686b825f2383420cafbd2d0cf781c2f6cee5620e30b

SHA512
b0cb1348ffb10acd84e4e6bdd0c9da7786c278473df8c64dde04684e1d4f4beba72d6e26e6234bb872695ae2245af3415ce09af31a4600c9be5623797600b06e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\protections.sqlite

Filesize
64KB

MD5
76786a4c0dd19d88d6d3ed95a293bf2f

SHA1
b0d6d676127a7694fc6e71ee57fcc2ffaa621ff7

SHA256
1a2564c1ba20b8038d35c2319258d94dc15d97914dcf753b31c48b79940dfd31

SHA512
8cd3298e2ebba763d3c80ac4b17e44af7eb63b46304967d0c6316d314baf8611c05f7b9979c2c5c329ac167aea0246e8c9f057ffbb272481c13fd5e4b4bcb2d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\sessionCheckpoints.json

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
54fb689b1b99476b2825ebd311312986

SHA1
e0103d43f7d6e54002a25f351b837139158e1a56

SHA256
d5f861b2b971a81784d54586702b22e8578bb280b36116e4a0097c351360f226

SHA512
da25ad5d1a8f46d5246544188559261ce2aa27971b88d29d85d51dc1fd9dad48f81fd0945dacfe4ec7583f53a9068ed7b8ea69a6be373b4318e0be99729a2798

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
3098a29c221ca9822d911c7d19cb5cc0

SHA1
ecbf01f9e32ba7171ce773b9a8066c6a6e4a3647

SHA256
e5d69fed9f4deb61a7b77bdd4a30e74f9e95257419356375abfe0a0cd4a7403f

SHA512
24e9f15dc39f5f8439a0acce96128dbfdb69ca957940cc6cd7c8755e61aafa0fc42176892db755a5b7a523d2a8490c5315cc05716f52cde5208100789ce2637a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
44aeb9bc461ceb7aefb0856901a4e868

SHA1
d8fe10813020806207339bd17bb1e5f399dedf84

SHA256
9c74a3218b087deea5e7bcfdaba6461faf25826cf91c65594427a5f1772793f9

SHA512
ae844158a4c5b8d5768218390db112abb6f28dd8aa3f8df512b154830e3e6c6afe79dd4bb9ab46276b17d04882e5b0f58449f06941ee97f650da2dd861fc52a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
f80f74aed54e91b2a9c647b88b42a908

SHA1
1508ad667a0bd720d3a3572156325c746a88b4bc

SHA256
ba7770ebb9c0afb3ce876fbdecc3c3f14c8fb7a5bb93f88fe1b9ab80eebb4828

SHA512
553dce6a797e2718228b3374d4d8827504cb7c0b7a42d6f1227b08e75c31ce22b09dad74592410c01b0ea7b1480cc02aa9125ad0245464f3ab9a54642e603928

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
0d882026cd4502832fda7bad91b40845

SHA1
93d7406570e5344d492243d18a2bead192d0852e

SHA256
5572f508053d651b0763700f2f856ff2c1c49731068ea35967115b736c9af7e2

SHA512
fedb55da74f6fa95027dfa85121c30607f3af62a0f6983d06fcd6e6f34b2797a30559bc21c403598dbd356ecde239acceebd53c190ececa5a5f2a7adc7f480f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\sessionstore-backups\recovery.baklz4

Filesize
37KB

MD5
eded6a41bf3a1070a1be94ec0349385b

SHA1
ec47e7b5fc1558d9f9c72328bb906d27182c2cbc

SHA256
dcf3230c2462d1490a71c024966a8215d96b11364bf0fb90e332660453d19420

SHA512
b9490cf3d1797440f5bf79cc0d3c3adae8398a30189733e2c0594c43832589509290a2df1159f6c77c6641913935d5bdc192090fd10aa3bf875843bd1c3c9f46

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\sessionstore.jsonlz4

Filesize
1KB

MD5
3c5fdae992038411afd701657801bfa6

SHA1
8a8ae567d0818a2679b1a5995daa30edaeb76976

SHA256
9dcf75650f9ad609076397318f4de2d1416184c347b8ffffde0198c70a22c281

SHA512
e6a7e5b5871ae5370cf6c03bacbd4d5c541b726e9debec88b3a94575f21ae9fad3a3ed478ab1523078bf0388bda7096f156c7956b74c013000cd6e466a6fc9e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite

Filesize
48KB

MD5
0f52e6d21ff4f2dfd11e7171b246f411

SHA1
15b4cbc2603f400599641fc295811c37a1ae4b88

SHA256
a52c57a198a3a9ef86a207c032c7dce42bb9ce8bd3b9a6f53d82fa06967a427c

SHA512
09e264664314892172a2da987c0fbd34d886aa4346a54a76040b6c381b66ae4d79feb0d59144cc6a3bab3e6fcd9af625c69ae2f6cbec130a350d5632f5df5e6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
584KB

MD5
331107572e506b632c09ef421d42bd53

SHA1
2eec0fdff5b0a430f349929c995a8c533fd69c0d

SHA256
6a83083239b13d74ab67ed5bd4a1fd38a17cb11afa636b80f97dde920e610329

SHA512
83ea208b9e0e37adbcfb5c109a6278c3f93fd3fbbbdf4d6f5d7e277adabfcbffa9398d146b17e918aa2aaee11201525fd0757b38cc5c5f65ba830a4c277021a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
384KB

MD5
ef9c9ff665d7d73ec3cd9d3c16c5b21d

SHA1
f719cc08c03a5863ff3c40901c9758dda6790d4e

SHA256
be868e8697c898c7ab72b531ecf2150a8308740b0ec8abbaffe33a768a683e4e

SHA512
b0d14d954c0395e1d09c67cf03500742f1dae22c70d68a94e8db02df48e8a150b448b8dd74fb1ad1aa34e40053cb8c3897154880ce8248ebafc154ed6d841686

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\xulstore.json

Filesize
217B

MD5
3c7edbdeecdb47fba617e3d03c36b0d3

SHA1
53628ce8c5170810fabafab8e001bfd971d47825

SHA256
c3db6f2519b071b7441022f9ed508b0da5ba40295be0ee449a27bd6146595d04

SHA512
bbf56ea374114173f7de198cd71ac6e75276b0f30926c6690db512f45ac2e54d099d990c285578f702696494d2884d8550e5dddadeee01077933034ac3817842

Download Submit
C:\Users\Admin\AppData\Roaming\discord\12ab6353-5dfe-4410-9c4b-a32df6e157e9.tmp

Filesize
1023B

MD5
bf82826825c1ce60589edc4fbc64a887

SHA1
097b0678ae01816446738119789c97396af4379c

SHA256
d3a149f8332686010870a80b51e0720700af6a60f14c423f467e99cef3aea510

SHA512
4a725244ab3914607f250dee7aa3fb2be95d94f2de6e823ba685a608bde3eda9103d1746cecb6770610ffdf187d0d1e3ac75c03201e85ea01b375a3758c6b750

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Crashpad\settings.dat

Filesize
40B

MD5
3c1d3730ebd1686d6ad10e379e44b33c

SHA1
075aa5674fbcbbe06462d26e9fb0b8ea546d34c5

SHA256
85d805ad270e12930d2cc731ac576571708b774e29ae7921ce746bded5b50afe

SHA512
4cfc7c0fbe4de932c03d6f1734e0f2980ee16be43569561aea0780cf5a92cedf124f4f82ffa75e50064e4650e40bd5652c575d3fa9544877ee774442badd5673

Download Submit
C:\Users\Admin\AppData\Roaming\discord\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\discord\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Roaming\discord\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\discord\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\Network Persistent State

Filesize
313B

MD5
5fd0aa19ccf4c5f330425f26be51c09c

SHA1
a27c8c39c3ef9e93ea3427c614227b91a8077789

SHA256
6bb35838ecc594921280bdb8f96971801832ac8c2550d879e84161fc0bf8e365

SHA512
8714a5e8dd511be931f6b09f145c5433ac3ba9b165f3130f2321b687701426ff20c35368cb6f18836933be2e3f743381179824a80d386be0b09c50ec93d30674

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\Network Persistent State

Filesize
313B

MD5
f85712d90c252a8440ab54fbd5d755d2

SHA1
8ec311d896cb916599517c5f105582028a49e46c

SHA256
d9b09095a95f125e1d3945034063617d328675d708e1b2a482787a18af833649

SHA512
3cc03b38829189ad636bf2aa050ab8ce4250374f347770ed4084a04d4ebba71d0c9b6bd30ab7b267dda68fff042e0a91c3e4e294c4fb05ab2e3f583472f8525f

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\Network Persistent State

Filesize
313B

MD5
fbbf70d36e59f844e7bb7727a764db25

SHA1
6ecbaeffbb071c1ed7a9f9cc080c78f6d7a63abd

SHA256
4d14a00f3202817105702ad22a524ad3d1d5e19633ab5b339427c5a0c62b4b26

SHA512
0c1ae9b35c9b5fbf54920e033742e7418d7a07231c3092a3adb5f328d964909f09e3141f0402467f00d963ce368d394eeb0883214927f9d92f39fe8d12f06a49

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\Network Persistent State

Filesize
313B

MD5
bd3b832bfd691d7d941e0484f9ab7d85

SHA1
cfc4b2c2521d4c55e137ef56c3bf710688f62950

SHA256
c33026d5ed8959112869ed754be5352e6bd4c01af2d31af10ad88b6ee7134ad5

SHA512
1aeffa8c85d63f0e6729baedd949825104552180a919efed9b6c50eaa0e85a6143478e6bdc9591a624a556cbba964f6b06932b640b18dbbe38b4282d0bbfe5f1

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
188B

MD5
8f5ca1837a46024dbd21149cda2a653f

SHA1
bffe4881bbe32f1a649ae68f0f3db36fd7ed629f

SHA256
3583e2f5fe410683960d69b100b96fe0a1963ab88b248dc1579ce200e5d91f32

SHA512
0aa38d37fb79dd739e2228a6040a70eb55860c65164c2e1753092303be6ef3af732223d8a43ce15e31f037c28894ec578194da4ca8954e1e1788b100ac15e9ff

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
188B

MD5
dd5084d210460fc6b6d561091677ee39

SHA1
25b3f660bb1d0283dffef73fffb046dbfa2ce3b6

SHA256
6f65d1955c749a38b1a2fd3e7e6f88ec2dc9a011b8c634e465a7608b0581bf45

SHA512
32b7b0c1fdd2df0fc6f9f8f6d17de8305b37d192a93a20c3ce192c3f0ec7d1cba8afede274e5e1c823d9461f614fd15ba72b05946c3354c38f3968ef48f35800

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
188B

MD5
93f886d22a1d59082a713690ef66756d

SHA1
defc6ca35ac5b4dd6023a9b8503c41eca7455723

SHA256
0f76a0eccd0893a61040b19981ae053cceae3f71963d3f3f1ab14ac8deb6334f

SHA512
e4e4256f1096fc18b92e115afa076e2f87ce0f6d01c748bbc6ac779e1d2b97a146bdbb20cd8aa48fe793708d7b248e3ef761d79b73743b69054e3fcd68a237b0

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Preferences

Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\discord\component_crx_cache\neifaoindggfcjicffkgpmnlppeffabd_1.c900ba9a2d8318263fd43782ee6fd5fb50bad78bf0eb2c972b5922c458af45ed

Filesize
1.1MB

MD5
f265d47475ffd3884329d92deefae504

SHA1
98c74386481f171b09cb9490281688392eefbfdd

SHA256
c900ba9a2d8318263fd43782ee6fd5fb50bad78bf0eb2c972b5922c458af45ed

SHA512
4fd27594c459fb1cd94a857be10f7d1d6216dbf202cd43e8a3fa395a268c72fc5f5c456c9cb314f2220d766af741db469c8bb106acbed419149a44a3b87619f1

Download Submit
C:\Users\Admin\AppData\Roaming\discord\component_crx_cache\oimompecagnajdejgnnjijobebaeigek_1.567f5df81ea0c9bdcfb7221f0ea091893150f8c16e3012e4f0314ba3d43f1632

Filesize
13.8MB

MD5
3db950b4014a955d2142621aaeecd826

SHA1
c2b728b05bc34b43d82379ac4ce6bdae77d27c51

SHA256
567f5df81ea0c9bdcfb7221f0ea091893150f8c16e3012e4f0314ba3d43f1632

SHA512
03105dcf804e4713b6ed7c281ad0343ac6d6eb2aed57a897c6a09515a8c7f3e06b344563e224365dc9159cfd8ed3ef665d6aec18cc07aaad66eed0dc4957dde3

Download Submit
C:\Users\Admin\AppData\Roaming\discord\f329e664-fec3-48bc-bd98-4bacbe4267e2.tmp

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\Desktop\MTE3NzIyNzU5NjQ4MDY0MzA5Mg GgUtay DoJsOOKRElteARhE.txt

Filesize
92B

MD5
ab5d435aae0ff18e8649655bdde92cc5

SHA1
c57fa02e183271218220cfb63505fb18bce910d5

SHA256
9254aed7ee44478a89b7485c5e6c89bfceb298b0af33aaa0e0fca88211748864

SHA512
f3718287442281398be41b3870a47d005b78e0248c264da623bf13f866e539fab147d7af4f11d35fc37408de46db7e01d7b1f88c072f204c2e2b13486e2e635e

Download Submit
C:\Users\Admin\Desktop\Obekräftade 445796.crdownload

Filesize
445KB

MD5
06a4fcd5eb3a39d7f50a0709de9900db

SHA1
50d089e915f69313a5187569cda4e6dec2d55ca7

SHA256
c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

SHA512
75e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b

Download Submit
memory/2084-19-0x000000007451E000-0x000000007451F000-memory.dmp

Filesize
4KB

Download
memory/2084-29-0x0000000074510000-0x0000000074CC1000-memory.dmp

Filesize
7.7MB

Download
memory/2084-27-0x0000000074510000-0x0000000074CC1000-memory.dmp

Filesize
7.7MB

Download
memory/2084-26-0x000000007451E000-0x000000007451F000-memory.dmp

Filesize
4KB

Download
memory/2084-24-0x0000000074510000-0x0000000074CC1000-memory.dmp

Filesize
7.7MB

Download
memory/2084-23-0x0000000005440000-0x000000000544A000-memory.dmp

Filesize
40KB

Download
memory/2084-22-0x0000000005390000-0x0000000005422000-memory.dmp

Filesize
584KB

Download
memory/2084-21-0x0000000005A10000-0x0000000005FB6000-memory.dmp

Filesize
5.6MB

Download
memory/2084-20-0x00000000009A0000-0x00000000009A8000-memory.dmp

Filesize
32KB

Download
memory/3212-1797-0x0000000005170000-0x0000000005190000-memory.dmp

Filesize
128KB

Download
memory/4788-414-0x00007FFE55270000-0x00007FFE55280000-memory.dmp

Filesize
64KB

Download
memory/4788-410-0x00007FFE55270000-0x00007FFE55280000-memory.dmp

Filesize
64KB

Download
memory/4788-453-0x00007FFE55270000-0x00007FFE55280000-memory.dmp

Filesize
64KB

Download
memory/4788-454-0x00007FFE55270000-0x00007FFE55280000-memory.dmp

Filesize
64KB

Download
memory/4788-412-0x00007FFE55270000-0x00007FFE55280000-memory.dmp

Filesize
64KB

Download
memory/4788-413-0x00007FFE55270000-0x00007FFE55280000-memory.dmp

Filesize
64KB

Download
memory/4788-415-0x00007FFE52BD0000-0x00007FFE52BE0000-memory.dmp

Filesize
64KB

Download
memory/4788-416-0x00007FFE52BD0000-0x00007FFE52BE0000-memory.dmp

Filesize
64KB

Download
memory/4788-411-0x00007FFE55270000-0x00007FFE55280000-memory.dmp

Filesize
64KB

Download
memory/4788-452-0x00007FFE55270000-0x00007FFE55280000-memory.dmp

Filesize
64KB

Download
memory/4788-455-0x00007FFE55270000-0x00007FFE55280000-memory.dmp

Filesize
64KB

Download
memory/4856-1978-0x000001E377740000-0x000001E3777ED000-memory.dmp

Filesize
692KB

Download
memory/5344-1565-0x0000000006560000-0x0000000006568000-memory.dmp

Filesize
32KB

Download
memory/5344-1566-0x00000000065E0000-0x0000000006618000-memory.dmp

Filesize
224KB

Download
memory/5344-1567-0x00000000065C0000-0x00000000065CE000-memory.dmp

Filesize
56KB

Download
memory/5488-1936-0x00007FFE93920000-0x00007FFE93921000-memory.dmp

Filesize
4KB

Download
memory/5488-1949-0x00000164A4850000-0x00000164A48FD000-memory.dmp

Filesize
692KB

Download
memory/5488-1937-0x00007FFE94500000-0x00007FFE94501000-memory.dmp

Filesize
4KB

Download
memory/6092-1370-0x0000000000E50000-0x0000000000FC6000-memory.dmp

Filesize
1.5MB

Download