Analysis

max time kernel: 358s
max time network: 371s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241211-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 22-12-2024 16:09

Behavioral task: behavioral1
Sample: Client-built.exe
Resource: win10ltsc2021-20241211-en
General

Target: Client-built.exe
Size: 78KB
MD5: 41c6413a76f8b505545680879c38175c
SHA1: a6269b7b62a50ab43b498d20b9c2a3b5f3530013
SHA256: fb15e77decec4da1825309c787978ab7a86003b7bc973697cf8338d560b93798
SHA512: 933f37ef2be92464b18631aeab619860bbad20f90427784568b9572a682c405bb5306759f50e6ed8d9344451f02ca85709899e09700c0e47657af77363bf49c2
SSDEEP: 1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V++PIC:5Zv5PDwbjNrmAE+6IC
Malware Config

Extracted: discordrat
discord_token: MTMyMDQyMjc2NDc2MjM3MDA2OA.GZYyYW.zpYp_zgxGk9hDC_oq1XNVF8hXzUTTzoorEi9JQ
server_id: 1320420510445736086

The token is the Discord bot credential the client uses to authenticate to the Discord API; server_id is the guild (server) the bot reports into. The first dot-separated segment of the token is the base64 encoding of the bot's user ID (1320422764762370068); the remaining two segments are the secret part. Treat the token as a live credential: anyone holding it can drive the bot, so it belongs in an abuse report to Discord for revocation, not in a ticket or chat message.
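An added triage helper, not part of the sandbox report, that works offline on the two extracted values above: it decodes the bot user ID that Discord encodes in the first token segment, derives creation timestamps from the bot and guild snowflakes (Discord's documented layout: the upper 42 bits are milliseconds since 2015-01-01T00:00:00Z), and produces a redacted token string that is safe to paste into an abuse report. The function names are this example's own; no network call is made and the secret token segments are never decoded.

```python
import base64
from datetime import datetime, timezone

# Discord snowflake epoch: 2015-01-01T00:00:00Z, in milliseconds.
DISCORD_EPOCH_MS = 1_420_070_400_000

# Values exactly as extracted by the sandbox report above.
EXTRACTED_CONFIG = {
    "discord_token": "MTMyMDQyMjc2NDc2MjM3MDA2OA.GZYyYW.zpYp_zgxGk9hDC_oq1XNVF8hXzUTTzoorEi9JQ",
    "server_id": "1320420510445736086",
}


def bot_id_from_token(token: str) -> int:
    """Return the bot user ID carried in the first segment of a Discord bot token.

    That segment is the unpadded base64 of the decimal user-ID string. The other
    two segments (timestamp, signature) are the secret part and are not decoded.
    """
    first = token.split(".", 1)[0]
    padded = first + "=" * (-len(first) % 4)  # restore base64 padding
    return int(base64.b64decode(padded).decode("ascii"))


def snowflake_created_at(snowflake: int) -> datetime:
    """Creation time embedded in a Discord snowflake (bits 22..63 = ms since DISCORD_EPOCH_MS)."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def redact_token(token: str) -> str:
    """Keep the public user-ID segment, mask the two secret segments character for character."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("unexpected token shape (expected three dot-separated segments)")
    return f"{parts[0]}.{'*' * len(parts[1])}.{'*' * len(parts[2])}"


def triage(config: dict) -> dict:
    """Summarise an extracted discordrat config for a report: who the bot is, when the
    infrastructure was created, and a token form that does not leak the credential."""
    bot_id = bot_id_from_token(config["discord_token"])
    guild_id = int(config["server_id"])
    return {
        "bot_id": bot_id,
        "bot_created": snowflake_created_at(bot_id),
        "guild_id": guild_id,
        "guild_created": snowflake_created_at(guild_id),
        "token_for_report": redact_token(config["discord_token"]),
    }


if __name__ == "__main__":
    for key, value in triage(EXTRACTED_CONFIG).items():
        print(f"{key}: {value}")
```

Both snowflakes decode to 22 December 2024 UTC (guild 15:59:41, bot 16:08:39), minutes before the 16:09 submission: the operator created the server and the bot application immediately before building and running this client, which is the pattern of a builder-generated RAT rather than long-lived infrastructure.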
Signatures

Discord RAT
A RAT written in C# using Discord as a C2.

Discordrat family
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
description            pid   Process           procid_target
PID 1708 created 604   1708  Client-built.exe  5
(procid_target is the report's internal process index, not a PID.) PID 604 is winlogon.exe. Read together with the SetThreadContext entry below and the process tree, where dllhost.exe (PID 3492) appears as a child of winlogon.exe, this is consistent with Client-built.exe starting dllhost.exe with winlogon.exe as a spoofed parent and then hijacking its thread (process hollowing), so that the implant runs under a Microsoft-signed image with a misleading parent.
Downloads MZ/PE file
No IoC rows are listed; the only candidates are the two unnamed entries under Downloads.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens. No IoC rows are listed, so the report does not show which process did the reading; note that Firefox itself is running during this analysis.
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 54 IoCs)
ioc                        flows
discord.com                10, 11, 24, 26, 27, 28, 29, 38, 39, 41, 42, 53, 54, 59, 60, 63, 64, 65, 66, 67, 68, 69, 225, 226, 265, 266, 267, 268, 269, 271, 272, 273, 274, 276, 277, 278, 291, 292, 293, 315, 351, 366, 367, 402, 403, 406, 407, 408, 409, 410  (50 flows)
raw.githubusercontent.com  36, 37, 270, 275  (4 flows)
The discord.com traffic is the C2 channel (the client talks to the Discord API with the bot token above), but discord.com is ordinary traffic on many hosts, so blocking or alerting has to key on the token, bot ID or guild rather than on the hostname. The four raw.githubusercontent.com flows coincide with the "Downloads MZ/PE file" signature, but the report does not show which flow carried the PE.
Suspicious use of SetThreadContext (1 IoC)
description                          pid   Process           procid_target
PID 1708 set thread context of 3492  1708  Client-built.exe  117
PID 3492 is the dllhost.exe instance (/Processid:{1fe85244-e71a-4991-91b2-19e130295d0b}) shown under winlogon.exe in the process tree. Setting another process's thread context is the final step of process hollowing: the hijacked thread's entry point is redirected to the injected payload before it is resumed. The later EnumeratesProcesses and SeDebugPrivilege hits on PID 3492 are therefore the implant's behaviour, not dllhost.exe's.
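Added detection example for the spoof-parent-then-hijack pattern the two signatures above describe; this is illustrative code, not part of the report or of the Discord RAT project. It assumes process-start telemetry that records, separately, the process in whose context the kernel logged the creation and the ParentProcessId the child reports. The Windows ETW Kernel-Process provider exposes both (the creator is the event-header PID), whereas Sysmon Event ID 1 shows only the declared, spoofable parent. The event records below are constructed from the PIDs in this report; the `ProcessStart`/`ProcessAccess` types and field names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class ProcessStart:
    """A process-creation event.

    creator_pid   - the process in whose context the kernel logged the creation
                    (event-header PID in ETW Kernel-Process telemetry).
    declared_ppid - the ParentProcessId the new process reports; an attacker can
                    choose it with PROC_THREAD_ATTRIBUTE_PARENT_PROCESS.
    """
    pid: int
    image: str
    declared_ppid: int
    creator_pid: int


@dataclass(frozen=True)
class ProcessAccess:
    """A cross-process operation such as SetThreadContext or WriteProcessMemory."""
    source_pid: int
    target_pid: int
    operation: str


# Constructed events modelled on this report's tree and signatures (PIDs as reported).
# Roots whose own creation was not captured are named via KNOWN_IMAGES instead.
KNOWN_IMAGES: Dict[int, str] = {604: "winlogon.exe", 3508: "Explorer.EXE"}

SAMPLE_STARTS = [
    ProcessStart(1708, "Client-built.exe", declared_ppid=3508, creator_pid=3508),  # Explorer launched the sample
    ProcessStart(3492, "dllhost.exe", declared_ppid=604, creator_pid=1708),        # claims winlogon.exe, created by the sample
    ProcessStart(5680, "cmd.exe", declared_ppid=1708, creator_pid=1708),           # "cmd.exe" /C whoami
    ProcessStart(400, "whoami.exe", declared_ppid=5680, creator_pid=5680),
    ProcessStart(3800, "firefox.exe", declared_ppid=3508, creator_pid=3508),
    ProcessStart(4172, "firefox.exe", declared_ppid=3800, creator_pid=3800),
]

SAMPLE_ACCESSES = [
    ProcessAccess(1708, 3492, "SetThreadContext"),    # the reported thread hijack
    ProcessAccess(3800, 4172, "WriteProcessMemory"),  # Firefox parent -> content process, benign
]


def find_ppid_spoofing(starts: Iterable[ProcessStart],
                       accesses: Iterable[ProcessAccess],
                       known_images: Optional[Dict[int, str]] = None) -> List[dict]:
    """Flag processes whose declared parent is not the process that actually created them.

    A mismatch alone is medium severity (some legitimate launchers, such as elevation
    through the AppInfo service, also set an explicit parent); if the real creator then
    touches the new process's threads or memory it is treated as hollowing/injection (high).
    """
    starts = list(starts)
    accesses = list(accesses)
    images = dict(known_images or {})
    images.update({s.pid: s.image for s in starts})

    def name(pid: int) -> str:
        return f"{images.get(pid, '?')} ({pid})"

    findings = []
    for s in starts:
        if s.creator_pid == s.declared_ppid:
            continue
        tampering = sorted({a.operation for a in accesses
                            if a.source_pid == s.creator_pid and a.target_pid == s.pid})
        findings.append({
            "pid": s.pid,
            "image": s.image,
            "real_creator": name(s.creator_pid),
            "declared_parent": name(s.declared_ppid),
            "post_create_tampering": tampering,
            "severity": "high" if tampering else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_ppid_spoofing(SAMPLE_STARTS, SAMPLE_ACCESSES, KNOWN_IMAGES):
        print(finding)
```

On the constructed data only dllhost.exe (3492) is flagged: its declared parent is winlogon.exe (604) while the creator is Client-built.exe (1708), and the follow-up SetThreadContext from the creator raises it to high. Firefox's WriteProcessMemory into its own child is not flagged because the declared parent and the creator agree.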
Checks processor information in registry (2 TTPs, 16 IoCs)
Processor information is often read in order to detect sandboxing environments. Here every IoC comes from firefox.exe, not from the sample, and Firefox legitimately reads CPU details; treat this signature as browser noise in this run.
description        ioc                                                                                Process      count
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                   firefox.exe  4
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz              firefox.exe  4
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  firefox.exe  2
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  firefox.exe  2
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision   firefox.exe  2
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  firefox.exe  2
Modifies data under HKEY_USERS (10 IoCs)
All ten entries are OfficeClickToRun.exe (/service, PID 2064) maintaining its own ClientTelemetry\RulesMetadata keys under .DEFAULT; this is routine Office Click-to-Run housekeeping unrelated to the sample.
description      ioc                                                                                                                              Process
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0                                                                           OfficeClickToRun.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common                                                                    OfficeClickToRun.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry                                                    OfficeClickToRun.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata                                      OfficeClickToRun.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe                 OfficeClickToRun.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor      OfficeClickToRun.exe
Key deleted      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe                 OfficeClickToRun.exe
Key deleted      \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR      OfficeClickToRun.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"  OfficeClickToRun.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"  OfficeClickToRun.exe
Modifies registry class (1 IoC)
description  ioc                                                                                  Process
Key created  \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings  firefox.exe
Routine per-user shell class housekeeping by the browser, unrelated to the sample.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process           count
1708  Client-built.exe  9
3492  dllhost.exe       55
Both processes belong to the sample: 1708 is the dropped client and 3492 is the dllhost.exe it hollowed (see SetThreadContext above). Repeated process enumeration from a dllhost.exe instance is not normal for that image and is a usable detection on its own.
Suspicious use of AdjustPrivilegeToken (21 IoCs)
Token                                              pid   Process
SeDebugPrivilege                                   1708  Client-built.exe
SeDebugPrivilege                                   4172  firefox.exe
SeDebugPrivilege                                   4172  firefox.exe
33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege)  2428  AUDIODG.EXE
SeIncBasePriorityPrivilege                         2428  AUDIODG.EXE
SeDebugPrivilege                                   400   whoami.exe
SeDebugPrivilege                                   1708  Client-built.exe
SeDebugPrivilege                                   3492  dllhost.exe
SeShutdownPrivilege                                1092  dwm.exe
SeCreatePagefilePrivilege                          1092  dwm.exe
SeShutdownPrivilege                                3508  Explorer.EXE
SeCreatePagefilePrivilege                          3508  Explorer.EXE
SeAuditPrivilege                                   2612  svchost.exe
SeDebugPrivilege                                   4172  firefox.exe
SeDebugPrivilege                                   4172  firefox.exe
SeDebugPrivilege                                   4172  firefox.exe
SeShutdownPrivilege                                1092  dwm.exe
SeCreatePagefilePrivilege                          1092  dwm.exe
SeShutdownPrivilege                                3508  Explorer.EXE
SeCreatePagefilePrivilege                          3508  Explorer.EXE
SeShutdownPrivilege                                1708  Client-built.exe
The sample-related rows are SeDebugPrivilege on Client-built.exe (1708, twice), on the hollowed dllhost.exe (3492) and on whoami.exe (400, in the cmd.exe chain the RAT spawned), plus SeShutdownPrivilege on Client-built.exe, which a remote shutdown/reboot command needs. The dwm.exe, Explorer.EXE, AUDIODG.EXE, svchost.exe (LanmanServer) and firefox.exe rows are routine.
Suspicious use of FindShellTrayWindow (41 IoCs)
pid   Process
4172  firefox.exe  (all 41 entries)

Suspicious use of SendNotifyMessage (40 IoCs)
pid   Process
4172  firefox.exe  (all 40 entries)

Suspicious use of SetWindowsHookEx (1 IoC)
pid   Process
4172  firefox.exe

Suspicious use of UnmapMainImage (2 IoCs)
pid   Process
3508  Explorer.EXE
2840  TextInputHost.exe

These four signatures fire only on the Firefox parent process (PID 4172) and on desktop shell components; none involve Client-built.exe or the hijacked dllhost.exe, so they are background noise from the browser session and the shell, not sample behaviour.
Suspicious use of WriteProcessMemory (64 IoCs)
description                       pid   Process      procid_target  count
PID 3800 wrote to memory of 4172  3800  firefox.exe  96             11
PID 4172 wrote to memory of 4876  4172  firefox.exe  97             45
PID 4172 wrote to memory of 3952  4172  firefox.exe  98             8
All 64 writes are Firefox writing into its own child processes (4172 is the browser parent, 4876 the gpu process and 3952 the socket process), which is how Firefox bootstraps them. No WriteProcessMemory from Client-built.exe (1708) into dllhost.exe (3492) is recorded, so the evidence for the injection into 3492 is the SetThreadContext signature and the parent spoofing, not this one.
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. No IoC rows are listed for this signature.
Processes

Format: PID  image path | command line, indented by depth as the report recorded parent/child; the signatures each process triggered follow it. dllhost.exe PID 3492 sits under winlogon.exe only because its parent PID was spoofed: the NtCreateUserProcessOtherParentProcess and SetThreadContext signatures above attribute its creation and thread hijack to Client-built.exe (PID 1708).

PID 604   C:\Windows\system32\winlogon.exe | winlogon.exe
    PID 1092  C:\Windows\system32\dwm.exe | "dwm.exe"
        - Suspicious use of AdjustPrivilegeToken
    PID 3492  C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{1fe85244-e71a-4991-91b2-19e130295d0b}
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
PID 680   C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe
PID 968   C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
PID 416   C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
PID 712   C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
PID 644   C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
PID 876   C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
PID 1164  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
PID 1228  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
PID 1360  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
    PID 2632  C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 1376  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
PID 1400  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
PID 1428  C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
PID 1588  C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
PID 1596  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
PID 1668  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
    PID 2976  C:\Windows\system32\sihost.exe | sihost.exe
PID 1680  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
PID 1772  C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
PID 1800  C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
PID 1880  C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
    PID 2428  C:\Windows\system32\AUDIODG.EXE | C:\Windows\system32\AUDIODG.EXE 0x4a4 0x2f8
        - Suspicious use of AdjustPrivilegeToken
PID 1948  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
PID 1960  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
PID 1972  C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
PID 1080  C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
PID 1580  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
PID 2132  C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe
PID 2280  C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
PID 2408  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
PID 2432  C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
PID 2528  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
PID 2544  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
PID 2580  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
PID 2612  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
    - Suspicious use of AdjustPrivilegeToken
PID 2700  C:\Windows\sysmon.exe | C:\Windows\sysmon.exe
PID 2736  C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
PID 2748  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
PID 392   C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 2336  C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding
PID 3188  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
PID 3508  C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    PID 1708  C:\Users\Admin\AppData\Local\Temp\Client-built.exe | "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID 5680  C:\Windows\SYSTEM32\cmd.exe | "cmd.exe" /C whoami
            PID 400   C:\Windows\system32\whoami.exe | whoami
                - Suspicious use of AdjustPrivilegeToken
    PID 3800  C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe"
        - Suspicious use of WriteProcessMemory
        PID 4172  C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe"
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID 4876  C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe51da04-c45e-476d-a524-b37370683287} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" gpu
            PID 3952  C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1eb1eb4d-f33b-4833-98bc-414956af99d5} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" socket
            PID 4304  C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2760 -childID 1 -isForBrowser -prefsHandle 3140 -prefMapHandle 3252 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5cfa892-b20e-4793-941d-589e65be0929} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
            PID 4456  C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3140 -childID 2 -isForBrowser -prefsHandle 3024 -prefMapHandle 2736 -prefsLen 24783 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9aa3ebd4-ff32-453f-b374-a785ae9a3a57} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
            PID 2928  C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4276 -childID 3 -isForBrowser -prefsHandle 4268 -prefMapHandle 4264 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1db00fa-fc74-4c7f-9d85-e1f8db9da62a} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
            PID 324   C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4812 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4824 -prefMapHandle 4800 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb72936f-42de-4bf7-8266-fe3d905f0080} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" utility
                - Checks processor information in registry
            PID 2080  C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5808 -childID 4 -isForBrowser -prefsHandle 5736 -prefMapHandle 5764 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f9c9df2-c3e2-445d-a035-f1e8ad1991b2} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
            PID 3588  C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6032 -childID 5 -isForBrowser -prefsHandle 5952 -prefMapHandle 5960 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22bcdc42-a093-4f39-9c92-d8cb7b4b4bc9} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
            PID 4072  C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5952 -childID 6 -isForBrowser -prefsHandle 6208 -prefMapHandle 6152 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {030e6f20-8874-46d1-adb6-2f3150928120} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
            PID 3652  C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6604 -parentBuildID 20240401114208 -prefsHandle 6608 -prefMapHandle 6532 -prefsLen 29358 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3da4c627-8803-4898-ae8b-4cb37d71a303} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" rdd
            PID 3640  C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6616 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 6464 -prefMapHandle 6576 -prefsLen 29358 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc824d26-d9cc-4b23-b46d-b9cc6528a1e5} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" utility
                - Checks processor information in registry
            PID 3496  C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6864 -childID 7 -isForBrowser -prefsHandle 6848 -prefMapHandle 6844 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6cfcc2e4-2a68-41f1-9a72-6af2772eb373} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
            PID 5304  C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7044 -childID 8 -isForBrowser -prefsHandle 7112 -prefMapHandle 7140 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0320a376-93b8-4ea7-aa11-b111ed7caa33} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
            PID 5316  C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7260 -childID 9 -isForBrowser -prefsHandle 7268 -prefMapHandle 7272 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {135914d5-f42d-4545-8b8e-e961d04fb3ab} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
            PID 728   C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5852 -childID 10 -isForBrowser -prefsHandle 5864 -prefMapHandle 5860 -prefsLen 28242 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2f3e534-ed6d-4af1-939f-ddb8b7919e6d} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
            PID 652   C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7616 -childID 11 -isForBrowser -prefsHandle 6236 -prefMapHandle 6116 -prefsLen 28242 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73c5e675-0496-4d89-9526-81f176cd5650} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
            PID 5272  C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7992 -childID 12 -isForBrowser -prefsHandle 7964 -prefMapHandle 7968 -prefsLen 28292 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {333973f8-802b-4cb5-b304-51a3ee11c080} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
    PID 2592  C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe"
        PID 3384  C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe"
            - Checks processor information in registry
PID 3516  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k L
ocalService -p -s CDPSvc
PID 3660  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 4000  C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4148  C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4348  C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 4988  C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 5116  C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
PID 528   C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
PID 4828  C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding
PID 1756  C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
PID 2064  C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    - Modifies data under HKEY_USERS
PID 4932  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
PID 916   C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 2840  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
    - Suspicious use of UnmapMainImage
PID 2896  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
PID 3996  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
PID 60    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
PID 2448  C:\Windows\System32\smartscreen.exe | C:\Windows\System32\smartscreen.exe -Embedding
PID 1984  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
Network
MITRE ATT&CK Enterprise v15
Downloads

Every entry with a path is a file Firefox wrote to its own profile (telemetry pings, the Glean database, AlternateServices.bin) and is browser noise. The two entries without a path (479KB and 13.8MB) are the only candidates for the MZ/PE download the signature above reports; the report does not show which flow delivered them or where they were written, so pull them by SHA256 for static triage.

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mg4xad17.default-release\activity-stream.discovery_stream.json
  Filesize: 18KB
  MD5:    30782227fee970540d38a3a8900cdb1d
  SHA1:   d06659cf0965c8a956681d58959b68eb745b686c
  SHA256: 50d2dccc795eb00aab73089b89f7e8b45c45080ebc9310730a9f8eadf3934899
  SHA512: e02892942036733b1f28a10ccd11374ac0c4b7d2d6441992d0f37a43ca765e3f098d22dcb9710e3f4e6e5f2f2cce17f1f017b84dd905124e214aff30e169e149

(no path recorded)
  Filesize: 479KB
  MD5:    09372174e83dbbf696ee732fd2e875bb
  SHA1:   ba360186ba650a769f9303f48b7200fb5eaccee1
  SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
  SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

(no path recorded)
  Filesize: 13.8MB
  MD5:    0a8747a2ac9ac08ae9508f36c6d75692
  SHA1:   b287a96fd6cc12433adb42193dfe06111c38eaf0
  SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
  SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\AlternateServices.bin
  Filesize: 7KB
  MD5:    cdaf88c4329b2ed7d4b15fe2540e4f94
  SHA1:   091940d1e3a06de35912be2f6331692a7bff5376
  SHA256: 9a2b3433ccd65e2013c22f0fb0389426826e35a5e43559a4ebebb8aed173383a
  SHA512: 820f472514066b769a5c5dccb1eceaef07844f18866b4ac8268165770141ed4fd7824d985ad8a37b87384c13b97ad1fd7e3f383a591ed6a79b90f4ae2caaee60

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\AlternateServices.bin
  Filesize: 16KB
  MD5:    d1ca84d4d741bc004933865911e43761
  SHA1:   5ce99293e77642cd410ddafb0fef0d2972766b82
  SHA256: 8580907cadd63e8f6fad7c5df343f98b84694f88630b1fb56a1bc4123ebd74fd
  SHA512: 0e1baf5883e1ebebc0dca763319490f1809cae7b534e97d7e1f8057ecb327584c260c5b3ca97d45bc31a1ab8ae9cbdda0df38b41e7b2ffe51a5ac74e8ad75468

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 5KB
  MD5:    693c54f60f5487d6042a7f218a8a5798
  SHA1:   4a4c128e84424b4b466a166f467eedb0e77baf89
  SHA256: f75b50d1d6c77ff65f3f2c032a2379749989ad710b1b7ccb489707ad1041faba
  SHA512: 4329c858e6c83a1913e91caad0686d5fbd302edf2bf365507d30b40a8e8ddc861a392d3ae56c39cf121da67a7e98987ac14a7e7519006ee22a1badca32b6a06f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 6KB
  MD5:    84976ea0941ccae0f15d96e6566ab2bb
  SHA1:   efbf719586037878ba0a92136e24daba2dde4b3d
  SHA256: 6e567a59c35e4a6b15b40eaa0162608ffd702d24bdf1d441f85fa5b91d3d1eb7
  SHA512: 1e92d679849b7087e636520db26f5bff7e28a1a27423f3caebc868c8c7d2a287972fd811610a0981ed9b83e0be6ebb3b0e0937d2607e5cf50c384c30a2a089b6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 17KB
  MD5:    6d4a2cbf3d2d83659af855dc84c950d4
  SHA1:   49ef1ac387b569dc1ea3222872d6cf06f8892eea
  SHA256: 0a215fd3434a15b86cce7ac0617b9da97503b5004b4ce24d8b963d452a432964
  SHA512: f7ad760200b5a908b8905524ef761571ffd8ce02ec62575918ef0c0dda9f463c59f834c63afd5d559afa3c359b84618bff907dad0b511854348d15501ffc326a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\datareporting\glean\pending_pings\94f79f5e-e63a-48b3-8931-6d7050b4c1d8
  Filesize: 671B
  MD5:    ca5bf26af4a72e6a7686d6924783aa4f
  SHA1:   59a2e4e34e38bba0f57a1f468b587cbcbd74b876
  SHA256: 16e3dc95d7fc5a0016a8a5825ced9b1a8dd235b13b07531bcb0c4ea1994e5ba9
  SHA512: 38ebfefad5b61b7a1074bdffe7516da185a492dc10179499b8c9ddf83d9658eac8028c36e6b5d66fc2895a07cedc2928d3848973c0b2e6ab8ac394a45ca8df8e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\datareporting\glean\pending_pings\b989cd12-906b-46e9-a4e5-7d4ce60c2c77
  Filesize: 982B
  MD5:    e12ea0024e5c8b499e730a60d5ca79db
  SHA1:   8da65c856064ffc12322b6e32af2c507a7642e78
  SHA256: 1c1740b5f84b33bcff8ddd4696d100cd5026c7829e57dd5bf4145d8442353d36
  SHA512: 2288c50c64bb8c65e2f95939141348b7e948cb0cbc03ac0bcc1b5fa8fa8d9ec18f0f226b328a808b7db6aea3c4156c6d4cff5486a1e61dd57ccd4c243d19ef46

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\datareporting\glean\pending_pings\dcec09be-3892-418e-b749-77cc80de0b1e
  Filesize: 23KB
  MD5:    e9b6aea6bf975847fef1b4e62744843b
  SHA1:   6d4d408f5a93bb8ca9d9a5bb19b153226195aa9d
  SHA256: 7235c2296d60c4d442ec71240c559c7a3347e35c4727a910f65ab20f4fef4062
  SHA512: d63e2682f9cd8b82f087aa5496365c775a5887f52344207cc5bd28e0f765cc36031cb5a8a13546f5ee24499edb2471df14bc34829cc6468f9c4429dc5cf5ec68
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD541de34c40bb536e1c1a17740b67d6a93
SHA107554369b8af0eff7147163c778484cc7af8531b
SHA25601b0e53d36e6041f84d1ac817d97d5368aaa0a3cbdb9cc21335340801108c437
SHA51269cb854b17f620c1ee7f70edf08dd02c84f48a2250fb053bcfb9cac33f737a6541ab5b707451996afd3019df419ec62e919a76610ba2163bb240eb27be0fdfbd
-
Filesize
10KB
MD59a86f3b55223a2764781b6bc5a0cbd6f
SHA120aa9263ce4b490dddeaca2c296ff09295646346
SHA25643602c3c1a471cffb0070dcdc05290e6185e4c136e16ea5455d7fd95e112bf7b
SHA512283a84f5aa1b480e9c926f6c62b5b1b063842d41858065e5678bad743137ce01c9363b773686c7a67a1b3e92800f8e4e43b9f73d88661eabdee851b3b57d972e
-
Filesize
11KB
MD59a9c36d52395bb14ee67d58e05a867fa
SHA17cc726501535abd2d49d4896670518ac4d15d865
SHA2569916cb1c44d93407a30fd7d03e02e72a1cf76e88cd6c7a8e565ef32db3ea7769
SHA512c276deca9d4dfa5c5173ebaced94f810cef8b55d327f9f3e1481423bc20c297bf59d56865684bcc13131ab8fa8d8d7cba94a9c3a767dcc4cafdd165e670f4eb6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\sessionstore-backups\recovery.baklz4
Filesize15KB
MD5a4a6aaa53928073cddde1118f9322843
SHA12770fd1c7b6006c889b973bfcebeea0023dce695
SHA2568af92664a4a422e0308b0d18183c9869cc1357034c3f58ef4ef4f5132e58ded6
SHA512f944307d45ea3f8127889fa45fe8f53675dde0bd1999e965653ee69cdc549bd7c85e9766ec047389dae19cb8b4c68265065175ed323a56132c5e510ca633b1dd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\sessionstore-backups\recovery.baklz4
Filesize15KB
MD51a036f452dd3860a0787b044b5dddc31
SHA10036f28d19d95130e4dc8a4491ba81d725b6e66e
SHA2562006f0e9e754f91bf5c82ab83cc0714f61cbdb0375d9ef8a65ec61acdf5e6ae7
SHA51251f92edcb64263a663d2f6c00477ccefd0aa34ea8b1fb9892910ace6def99f9fc73eb0d55f86fc54deecc036ccab014b31e5fa1e33d0d4d7e2c7739d54fb5fbb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\sessionstore-backups\recovery.baklz4
Filesize39KB
MD56929f006fffcae5cc83fdf3b5b4aa1bb
SHA19972b1a0abc1d2462548cc3e9d7b03375d13bd4c
SHA2568c810f7d80de905365bfed95ebb8f6a6610e285b1f5e2608dbf7603fa545363a
SHA512530c65c0b3d18a4529785c2473206c75c866731138515359c9c9f42e91cd45249422cd546c2967025e6fc5332a923ffde1c44875e23f9edca145468cd98c8f57
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\sessionstore-backups\recovery.baklz4
Filesize36KB
MD57d7ead0093c03d1bfbd14784203a26a9
SHA1c7de952efbcf6e8ebdf1597f675f9d9951e37ff6
SHA256b2464a720ee3b4443b8de65e8cc8e87292c8c16e22c981c79fb613abbe5cdb13
SHA512e8657d0def302b7faedb0dc010b6397f40d91dd1ad9ec851131fc08e9b711bb9788ccba2172ae49f27cecf40aaa64b6c8c632ca781b7ac65f4b545460415b4cc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\sessionstore-backups\recovery.baklz4
Filesize36KB
MD54d66cd7b82940943ad946c21ae1fe933
SHA130bef54d2b3e9fc19a26337ed536a7d4d4d924bf
SHA2561cef2dcac40e54426810e1fbf777ac49be63c3b0edb4549a0751e893651160d0
SHA512b96f227410630d542952b1d6fb5e9f8c50d12d7552496327d833e5f58c866367b05d3bce098c1e13fc335377ad271e7c4fbd805efa118004644bba02a3d054fb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\sessionstore-backups\recovery.baklz4
Filesize15KB
MD573872d8eedb3cf133405b98995d0ddf6
SHA129b6225b97985ace13461923cb33aa1c63ec997f
SHA256c70f8314c677f949356337af51fc2ecc98dc3008a426b7d1b5190c96a9c59525
SHA5124587cfe7eb6ffb11fea139afe513198a3ccc96f6ba306cb36a7bd27287dca6bbbeed4ee32c73570b0a437971c65be4682eb8f38d9243d599565a25356d907227
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\sessionstore-backups\recovery.baklz4
Filesize16KB
MD52e0ec11fada344d84aa27700ce020c6e
SHA1b9362c9761541edda520e709e2ca36c028b76ba3
SHA2567371aaecab6752edc6e80cff354c6ed70ed00b7b8c4c48007a79b77dfa4ca0b0
SHA512b2619f916838efcc34f9e3b10ca6424028f622ec825e305d435c38b8c7eae3041a49c6684fddcfd7440bfe7aa7e39708d0463ed69fd1e65a590087414cf962be
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\sessionstore-backups\recovery.baklz4
Filesize36KB
MD5adee26085d02176c35d960eef5782fcf
SHA1fb6bf1d71a1291a315c6f78dc604b78410268d54
SHA256217443b874db7801aac9a2b2095cc14e0c55f8967b92f389b68db15cb5fda656
SHA51238171c85e2eeaff4394bcefb114ed448e8116d8a6b24517a0a8bd2870f365bcd8bd6def9c82b31893a568af227cd1e2cb2897c8ba126e3ab4951adb829d89f9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\sessionstore-backups\recovery.baklz4
Filesize36KB
MD576ec377719528bd4335acef2e5d99289
SHA130b0da54bbe9a0734c3596c870a7d4345387e1b7
SHA2564b44a8ee0fe4e641a33fbf3e5417bc6122c6393c22eddd470b683472b6ea9763
SHA512d7644af1d1c2a62c49b4f57051d513b22374ad67ed2a7e852fb211a909f76ebd58b5c7ebfea18ab741fe88b9f83fb4c465e1ff042c4591d88b80facb7f79ad9d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\sessionstore-backups\recovery.baklz4
Filesize38KB
MD5d59faa67d9a25fe541e843e37fc47f71
SHA1e4649ceccadfac57c137c0acf08493bbbf542c88
SHA2569610270833629ad11dfd95ea87a4ff9b59b46676941ef6ed5de456cc75d912eb
SHA5122b25ff39df80078d8ee7e1838627423a4ff36432917a5eb1a29ce5178c6edff1614ef5034a79a6614828683e22e336aa395ddec40ff9b9a8b479c3bdaaf1fe2e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\storage\default\https+++www.pornhub.com\cache\morgue\82\{4a5b37f4-ff5f-43f3-8f63-75bdbdbeeb52}.final
Filesize456B
MD54849126d62348e96de9f534891ee372c
SHA104208116ad7cb0edcb2c7c754042554104172d10
SHA25692930e52c17a5e42a09f648d090ba0e48384fe2b6f4f6b3e3fc70bd8a0e6ac5d
SHA512bd7769637a8707a21027e442faf6911019a2c731bff17fc11b9da0b74490162ea4eba2fca41942a7c114cc75ab1941f208c1fcc789bdc0a594b5ed269f6e6f25
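The file listing above is only useful as an indicator set if it can be turned into structured records and matched against files recovered from a host, and the listing reaches analysts in two layouts: one with each label on its own line above its value, and one where extraction has fused label and value ("Filesize1.1MB", "MD5842039..."). The following is an added example, not part of this sandbox report or of the tooling that produced it. It parses both layouts, flags digests whose hex length does not match the algorithm (a common sign of a truncated copy-paste), and checks the digests of a file's bytes against the parsed records, preferring the strongest algorithm available. The embedded sample is constructed for the example: its first entry copies the gmpopenh264.dll record from this page, and its second entry is a made-up record for an empty file that deliberately carries a truncated SHA1.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Expected hex-digest length per algorithm, used to catch truncated or garbled values.
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Longer labels first so "SHA512..." is not mistaken for "SHA1..." followed by junk.
LABEL_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5|Filesize)(.*)$")

# Constructed sample of the report's dropped-files listing (not the full page).
# Entry 1 is copied from the page (fused label/value layout); entry 2 is made up
# for this example (label-above-value layout) and has a deliberately short SHA1.
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Local\Temp\constructed-empty-file.bin
Filesize
0B
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-
"""


@dataclass
class DroppedFile:
    path: Optional[str] = None          # None when the report omits the path
    filesize: Optional[str] = None      # kept as the report's string, e.g. "1.1MB"
    hashes: Dict[str, str] = field(default_factory=dict)  # algorithm -> lowercase hex


def parse_dropped_files(text: str) -> List[DroppedFile]:
    """Parse the report listing; records are separated by a lone '-' line."""
    records: List[DroppedFile] = []
    cur = DroppedFile()
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line:
            continue
        if line == "-":
            if cur.path or cur.filesize or cur.hashes:
                records.append(cur)
            cur = DroppedFile()
            continue
        m = LABEL_RE.match(line)
        if not m:
            cur.path = line  # any non-label line is the dropped file's path
            continue
        label, value = m.group(1), m.group(2).strip()
        if not value and i < len(lines):  # label on its own line: value follows
            value = lines[i].strip()
            i += 1
        if label == "Filesize":
            cur.filesize = value
        else:
            cur.hashes[label.lower()] = value.lower()
    if cur.path or cur.filesize or cur.hashes:
        records.append(cur)
    return records


def malformed_hashes(rec: DroppedFile) -> List[str]:
    """Return the algorithms whose value is not a full hex digest."""
    return [alg for alg, val in rec.hashes.items()
            if len(val) != DIGEST_LEN[alg] or not re.fullmatch(r"[0-9a-f]+", val)]


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Compute every digest the report uses for a blob of file content."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in DIGEST_LEN}


def match_record(records: List[DroppedFile], digests: Dict[str, str]) -> Optional[DroppedFile]:
    """Find a record whose digest matches, strongest algorithm first."""
    for alg in ("sha512", "sha256", "sha1", "md5"):
        for rec in records:
            if rec.hashes.get(alg) == digests.get(alg):
                return rec
    return None


if __name__ == "__main__":
    recs = parse_dropped_files(SAMPLE_REPORT)
    for rec in recs:
        print(rec.path, rec.filesize, "malformed:", malformed_hashes(rec))
    hit = match_record(recs, hash_bytes(b""))
    print("empty file matches:", hit.path if hit else None)
```

To use it against a real host, read each suspect file's bytes, call `hash_bytes`, and pass the result to `match_record`; records that `malformed_hashes` flags should be re-copied from the report before they are trusted as indicators.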