Analysis

  • max time kernel
    358s
  • max time network
    371s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    22-12-2024 16:09

Errors

Reason
Machine shutdown

General

  • Target

    Client-built.exe

  • Size

    78KB

  • MD5

    41c6413a76f8b505545680879c38175c

  • SHA1

    a6269b7b62a50ab43b498d20b9c2a3b5f3530013

  • SHA256

    fb15e77decec4da1825309c787978ab7a86003b7bc973697cf8338d560b93798

  • SHA512

    933f37ef2be92464b18631aeab619860bbad20f90427784568b9572a682c405bb5306759f50e6ed8d9344451f02ca85709899e09700c0e47657af77363bf49c2

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V++PIC:5Zv5PDwbjNrmAE+6IC

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMyMDQyMjc2NDc2MjM3MDA2OA.GZYyYW.zpYp_zgxGk9hDC_oq1XNVF8hXzUTTzoorEi9JQ

  • server_id

    1320420510445736086

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Discordrat family
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 54 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Checks processor information in registry 2 TTPs 16 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 10 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of FindShellTrayWindow 41 IoCs
  • Suspicious use of SendNotifyMessage 40 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
    PID:604
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1092
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{1fe85244-e71a-4991-91b2-19e130295d0b}
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3492
  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
    PID:680
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
    1⤵
    PID:968
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
    1⤵
    PID:416
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
    1⤵
    PID:712
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
    1⤵
    PID:644
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
    1⤵
    PID:876
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
    1⤵
    PID:1164
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
    1⤵
    PID:1228
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
    1⤵
    PID:1360
      • C:\Windows\system32\taskhostw.exe
        taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
        2⤵
        PID:2632
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
    1⤵
    PID:1376
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
    1⤵
    PID:1400
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
    1⤵
    PID:1428
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
    1⤵
    PID:1588
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
    1⤵
    PID:1596
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
    1⤵
    PID:1668
      • C:\Windows\system32\sihost.exe
        sihost.exe
        2⤵
        PID:2976
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
    1⤵
    PID:1680
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
    1⤵
    PID:1772
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
    1⤵
    PID:1800
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
    1⤵
    PID:1880
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x4a4 0x2f8
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2428
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
    1⤵
    PID:1948
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
    1⤵
    PID:1960
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
    1⤵
    PID:1972
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
    1⤵
    PID:1080
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
    1⤵
    PID:1580
  • C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    1⤵
    PID:2132
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
    1⤵
    PID:2280
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
    1⤵
    PID:2408
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
    1⤵
    PID:2432
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
    1⤵
    PID:2528
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
    1⤵
    PID:2544
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
    1⤵
    PID:2580
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2612
  • C:\Windows\sysmon.exe
    C:\Windows\sysmon.exe
    1⤵
    PID:2700
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
    1⤵
    PID:2736
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
    1⤵
    PID:2748
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
    PID:392
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:2336
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
    1⤵
    PID:3188
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    PID:3508
      • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1708
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd.exe" /C whoami
            3⤵
            PID:5680
              • C:\Windows\system32\whoami.exe
                whoami
                4⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:400
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3800
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe"
            3⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4172
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe51da04-c45e-476d-a524-b37370683287} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" gpu
                4⤵
                PID:4876
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1eb1eb4d-f33b-4833-98bc-414956af99d5} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" socket
                4⤵
                PID:3952
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2760 -childID 1 -isForBrowser -prefsHandle 3140 -prefMapHandle 3252 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5cfa892-b20e-4793-941d-589e65be0929} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
                4⤵
                PID:4304
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3140 -childID 2 -isForBrowser -prefsHandle 3024 -prefMapHandle 2736 -prefsLen 24783 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9aa3ebd4-ff32-453f-b374-a785ae9a3a57} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
                4⤵
                PID:4456
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4276 -childID 3 -isForBrowser -prefsHandle 4268 -prefMapHandle 4264 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1db00fa-fc74-4c7f-9d85-e1f8db9da62a} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
                4⤵
                PID:2928
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4812 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4824 -prefMapHandle 4800 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb72936f-42de-4bf7-8266-fe3d905f0080} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" utility
                4⤵
                • Checks processor information in registry
                PID:324
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5808 -childID 4 -isForBrowser -prefsHandle 5736 -prefMapHandle 5764 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f9c9df2-c3e2-445d-a035-f1e8ad1991b2} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
                4⤵
                PID:2080
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6032 -childID 5 -isForBrowser -prefsHandle 5952 -prefMapHandle 5960 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22bcdc42-a093-4f39-9c92-d8cb7b4b4bc9} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
                4⤵
                PID:3588
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5952 -childID 6 -isForBrowser -prefsHandle 6208 -prefMapHandle 6152 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {030e6f20-8874-46d1-adb6-2f3150928120} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
                4⤵
                PID:4072
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6604 -parentBuildID 20240401114208 -prefsHandle 6608 -prefMapHandle 6532 -prefsLen 29358 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3da4c627-8803-4898-ae8b-4cb37d71a303} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" rdd
                4⤵
                PID:3652
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6616 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 6464 -prefMapHandle 6576 -prefsLen 29358 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc824d26-d9cc-4b23-b46d-b9cc6528a1e5} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" utility
                4⤵
                • Checks processor information in registry
                PID:3640
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6864 -childID 7 -isForBrowser -prefsHandle 6848 -prefMapHandle 6844 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6cfcc2e4-2a68-41f1-9a72-6af2772eb373} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
                4⤵
                PID:3496
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7044 -childID 8 -isForBrowser -prefsHandle 7112 -prefMapHandle 7140 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0320a376-93b8-4ea7-aa11-b111ed7caa33} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
                4⤵
                PID:5304
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7260 -childID 9 -isForBrowser -prefsHandle 7268 -prefMapHandle 7272 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {135914d5-f42d-4545-8b8e-e961d04fb3ab} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
                4⤵
                PID:5316
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5852 -childID 10 -isForBrowser -prefsHandle 5864 -prefMapHandle 5860 -prefsLen 28242 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2f3e534-ed6d-4af1-939f-ddb8b7919e6d} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
                4⤵
                PID:728
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7616 -childID 11 -isForBrowser -prefsHandle 6236 -prefMapHandle 6116 -prefsLen 28242 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73c5e675-0496-4d89-9526-81f176cd5650} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
                4⤵
                PID:652
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7992 -childID 12 -isForBrowser -prefsHandle 7964 -prefMapHandle 7968 -prefsLen 28292 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {333973f8-802b-4cb5-b304-51a3ee11c080} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
                4⤵
                PID:5272
                                                                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                                                                                      2⤵
                                                                                                                        PID:2592
                                                                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                                                                                          3⤵
                                                                                                                          • Checks processor information in registry
                                                                                                                          PID:3384
                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                      C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                                                      1⤵
                                                                                                                        PID:3516
                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                        C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                                                        1⤵
                                                                                                                          PID:3660
                                                                                                                        • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                          C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                          1⤵
                                                                                                                            PID:4000
                                                                                                                          • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                            C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                            1⤵
                                                                                                                              PID:4148
                                                                                                                            • C:\Windows\system32\DllHost.exe
                                                                                                                              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                                              1⤵
                                                                                                                                PID:4348
                                                                                                                              • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                1⤵
                                                                                                                                  PID:4988
                                                                                                                                • C:\Windows\System32\svchost.exe
                                                                                                                                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                                                  1⤵
                                                                                                                                    PID:5116
                                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                                                    1⤵
                                                                                                                                      PID:528
                                                                                                                                    • C:\Windows\system32\SppExtComObj.exe
                                                                                                                                      C:\Windows\system32\SppExtComObj.exe -Embedding
                                                                                                                                      1⤵
                                                                                                                                        PID:4828
                                                                                                                                      • C:\Windows\System32\svchost.exe
                                                                                                                                        C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                                                        1⤵
                                                                                                                                          PID:1756
                                                                                                                                        • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                                                                                          "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                                                                                          1⤵
                                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                                          PID:2064
                                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                                          1⤵
                                                                                                                                            PID:4932
                                                                                                                                          • C:\Windows\system32\DllHost.exe
                                                                                                                                            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                                                            1⤵
                                                                                                                                              PID:916
                                                                                                                                            • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
                                                                                                                                              "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
                                                                                                                                              1⤵
                                                                                                                                              • Suspicious use of UnmapMainImage
                                                                                                                                              PID:2840
                                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                                              C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
                                                                                                                                              1⤵
                                                                                                                                                PID:2896
                                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
                                                                                                                                                1⤵
                                                                                                                                                  PID:3996
                                                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
                                                                                                                                                  1⤵
                                                                                                                                                    PID:60
                                                                                                                                                  • C:\Windows\System32\smartscreen.exe
                                                                                                                                                    C:\Windows\System32\smartscreen.exe -Embedding
                                                                                                                                                    1⤵
                                                                                                                                                      PID:2448
                                                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                                                      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
                                                                                                                                                      1⤵
                                                                                                                                                        PID:1984
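The process tree above is rendered as a flat list in which each entry carries only a depth marker (`1⤵`, `2⤵`, ...) rather than an explicit parent PID, so parent/child relationships have to be rebuilt from the order and depth of the entries. The Python below is an added example, not the sandbox vendor's code, that does this reconstruction so the listing can be queried (the lineage of a PID, which processes the sandbox attached behaviour tags to). It assumes the layout shown on this page: a bullet with the image path, a command line, the depth marker, zero or more tag bullets, then a `PID:` line. The sample input is copied from four of the page's own entries; the first is a depth-2 Firefox process whose depth-1 parent lies outside this excerpt, so the parser reports it without a parent.

```python
"""Rebuild parent/child relationships from a depth-marker process tree.

Added example for this report page; not tooling from the sandbox vendor.
The input layout is the one rendered on the page. The stack-by-depth
reconstruction is the author's own and assumes entries appear in pre-order
(each child listed directly under its parent, as the tree is drawn).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: four entries copied verbatim from the page's tree.
# The depth-2 Firefox entry's depth-1 parent is outside this excerpt.
SAMPLE = r"""
• C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
    PID:2592
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    • Checks processor information in registry
    PID:3384
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
  1⤵
    PID:3516
• C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  1⤵
  • Modifies data under HKEY_USERS
  PID:2064
"""

DEPTH_RE = re.compile(r"^(\d+)⤵$")
PID_RE = re.compile(r"^PID:(\d+)$")


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: int
    ppid: int | None = None          # None when the parent is not in the input
    tags: list[str] = field(default_factory=list)


def parse_tree(text: str) -> list[Proc]:
    """Parse the flat listing; indentation is ignored, only depth markers count."""
    procs: list[Proc] = []
    stack: list[Proc] = []           # ancestors of the entry being read, shallowest first
    cur: Proc | None = None          # entry currently being filled in
    after_depth = False              # bullets after the depth marker are tags, not new entries
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("• "):
            if after_depth:
                cur.tags.append(line[2:])
            else:
                cur = Proc(image=line[2:], cmdline="", depth=0, pid=0)
            continue
        m = DEPTH_RE.match(line)
        if m:
            cur.depth = int(m.group(1))
            after_depth = True
            continue
        m = PID_RE.match(line)
        if m:
            cur.pid = int(m.group(1))
            # The parent is the nearest earlier entry with a strictly smaller depth.
            while stack and stack[-1].depth >= cur.depth:
                stack.pop()
            cur.ppid = stack[-1].pid if stack else None
            stack.append(cur)
            procs.append(cur)
            cur, after_depth = None, False
            continue
        cur.cmdline = line           # the only other line between image and depth marker
    return procs


def lineage(procs: list[Proc], pid: int) -> list[str]:
    """Image paths from the outermost known ancestor down to `pid`."""
    by_pid = {p.pid: p for p in procs}
    chain: list[str] = []
    node = by_pid.get(pid)
    while node is not None:
        chain.append(node.image)
        node = by_pid.get(node.ppid) if node.ppid is not None else None
    return list(reversed(chain))


def tagged(procs: list[Proc]) -> list[tuple[int, list[str]]]:
    """(pid, tags) for every process the sandbox attached a behaviour tag to."""
    return [(p.pid, p.tags) for p in procs if p.tags]


if __name__ == "__main__":
    tree = parse_tree(SAMPLE)
    for p in tree:
        print(f"{p.pid:>5} ppid={p.ppid!s:>5} depth={p.depth} {p.image}")
    print("lineage of 3384:", " -> ".join(lineage(tree, 3384)))
    print("tagged:", tagged(tree))
```

Lineage is what makes a tag meaningful: the same "Checks processor information in registry" tag reads very differently on a Firefox content process whose parent is Firefox, as in the sample, than it would on a child of the submitted sample. Parsing by depth marker rather than by indentation also sidesteps the runaway indentation that text exports of these trees tend to acquire.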

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mg4xad17.default-release\activity-stream.discovery_stream.json
  Filesize  18KB
  MD5       30782227fee970540d38a3a8900cdb1d
  SHA1      d06659cf0965c8a956681d58959b68eb745b686c
  SHA256    50d2dccc795eb00aab73089b89f7e8b45c45080ebc9310730a9f8eadf3934899
  SHA512    e02892942036733b1f28a10ccd11374ac0c4b7d2d6441992d0f37a43ca765e3f098d22dcb9710e3f4e6e5f2f2cce17f1f017b84dd905124e214aff30e169e149

• C:\Users\Admin\AppData\Local\Temp\tmpaddon
  Filesize  479KB
  MD5       09372174e83dbbf696ee732fd2e875bb
  SHA1      ba360186ba650a769f9303f48b7200fb5eaccee1
  SHA256    c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
  SHA512    b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

• C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
  Filesize  13.8MB
  MD5       0a8747a2ac9ac08ae9508f36c6d75692
  SHA1      b287a96fd6cc12433adb42193dfe06111c38eaf0
  SHA256    32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
  SHA512    59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\AlternateServices.bin
  Filesize  7KB
  MD5       cdaf88c4329b2ed7d4b15fe2540e4f94
  SHA1      091940d1e3a06de35912be2f6331692a7bff5376
  SHA256    9a2b3433ccd65e2013c22f0fb0389426826e35a5e43559a4ebebb8aed173383a
  SHA512    820f472514066b769a5c5dccb1eceaef07844f18866b4ac8268165770141ed4fd7824d985ad8a37b87384c13b97ad1fd7e3f383a591ed6a79b90f4ae2caaee60

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\AlternateServices.bin
  Filesize  16KB
  MD5       d1ca84d4d741bc004933865911e43761
  SHA1      5ce99293e77642cd410ddafb0fef0d2972766b82
  SHA256    8580907cadd63e8f6fad7c5df343f98b84694f88630b1fb56a1bc4123ebd74fd
  SHA512    0e1baf5883e1ebebc0dca763319490f1809cae7b534e97d7e1f8057ecb327584c260c5b3ca97d45bc31a1ab8ae9cbdda0df38b41e7b2ffe51a5ac74e8ad75468

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\datareporting\glean\db\data.safe.tmp
  Filesize  5KB
  MD5       693c54f60f5487d6042a7f218a8a5798
  SHA1      4a4c128e84424b4b466a166f467eedb0e77baf89
  SHA256    f75b50d1d6c77ff65f3f2c032a2379749989ad710b1b7ccb489707ad1041faba
  SHA512    4329c858e6c83a1913e91caad0686d5fbd302edf2bf365507d30b40a8e8ddc861a392d3ae56c39cf121da67a7e98987ac14a7e7519006ee22a1badca32b6a06f

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\datareporting\glean\db\data.safe.tmp
  Filesize  6KB
  MD5       84976ea0941ccae0f15d96e6566ab2bb
  SHA1      efbf719586037878ba0a92136e24daba2dde4b3d
  SHA256    6e567a59c35e4a6b15b40eaa0162608ffd702d24bdf1d441f85fa5b91d3d1eb7
  SHA512    1e92d679849b7087e636520db26f5bff7e28a1a27423f3caebc868c8c7d2a287972fd811610a0981ed9b83e0be6ebb3b0e0937d2607e5cf50c384c30a2a089b6

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\datareporting\glean\db\data.safe.tmp
  Filesize  17KB
  MD5       6d4a2cbf3d2d83659af855dc84c950d4
  SHA1      49ef1ac387b569dc1ea3222872d6cf06f8892eea
  SHA256    0a215fd3434a15b86cce7ac0617b9da97503b5004b4ce24d8b963d452a432964
  SHA512    f7ad760200b5a908b8905524ef761571ffd8ce02ec62575918ef0c0dda9f463c59f834c63afd5d559afa3c359b84618bff907dad0b511854348d15501ffc326a

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\datareporting\glean\pending_pings\94f79f5e-e63a-48b3-8931-6d7050b4c1d8

                                                                                                                                                        Filesize

                                                                                                                                                        671B

                                                                                                                                                        MD5

                                                                                                                                                        ca5bf26af4a72e6a7686d6924783aa4f

                                                                                                                                                        SHA1

                                                                                                                                                        59a2e4e34e38bba0f57a1f468b587cbcbd74b876

                                                                                                                                                        SHA256

                                                                                                                                                        16e3dc95d7fc5a0016a8a5825ced9b1a8dd235b13b07531bcb0c4ea1994e5ba9

                                                                                                                                                        SHA512

                                                                                                                                                        38ebfefad5b61b7a1074bdffe7516da185a492dc10179499b8c9ddf83d9658eac8028c36e6b5d66fc2895a07cedc2928d3848973c0b2e6ab8ac394a45ca8df8e

                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\datareporting\glean\pending_pings\b989cd12-906b-46e9-a4e5-7d4ce60c2c77

                                                                                                                                                        Filesize

                                                                                                                                                        982B

                                                                                                                                                        MD5

                                                                                                                                                        e12ea0024e5c8b499e730a60d5ca79db

                                                                                                                                                        SHA1

                                                                                                                                                        8da65c856064ffc12322b6e32af2c507a7642e78

                                                                                                                                                        SHA256

                                                                                                                                                        1c1740b5f84b33bcff8ddd4696d100cd5026c7829e57dd5bf4145d8442353d36

                                                                                                                                                        SHA512

                                                                                                                                                        2288c50c64bb8c65e2f95939141348b7e948cb0cbc03ac0bcc1b5fa8fa8d9ec18f0f226b328a808b7db6aea3c4156c6d4cff5486a1e61dd57ccd4c243d19ef46

                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\datareporting\glean\pending_pings\dcec09be-3892-418e-b749-77cc80de0b1e

                                                                                                                                                        Filesize

                                                                                                                                                        23KB

                                                                                                                                                        MD5

                                                                                                                                                        e9b6aea6bf975847fef1b4e62744843b

                                                                                                                                                        SHA1

                                                                                                                                                        6d4d408f5a93bb8ca9d9a5bb19b153226195aa9d

                                                                                                                                                        SHA256

                                                                                                                                                        7235c2296d60c4d442ec71240c559c7a3347e35c4727a910f65ab20f4fef4062

                                                                                                                                                        SHA512

                                                                                                                                                        d63e2682f9cd8b82f087aa5496365c775a5887f52344207cc5bd28e0f765cc36031cb5a8a13546f5ee24499edb2471df14bc34829cc6468f9c4429dc5cf5ec68

                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

                                                                                                                                                        Filesize

                                                                                                                                                        1.1MB

                                                                                                                                                        MD5

                                                                                                                                                        842039753bf41fa5e11b3a1383061a87

                                                                                                                                                        SHA1

                                                                                                                                                        3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                                                                                                                                                        SHA256

                                                                                                                                                        d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                                                                                                                                                        SHA512

                                                                                                                                                        d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

                                                                                                                                                        Filesize

                                                                                                                                                        116B

                                                                                                                                                        MD5

                                                                                                                                                        2a461e9eb87fd1955cea740a3444ee7a

                                                                                                                                                        SHA1

                                                                                                                                                        b10755914c713f5a4677494dbe8a686ed458c3c5

                                                                                                                                                        SHA256

                                                                                                                                                        4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                                                                                                                                                        SHA512

                                                                                                                                                        34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

                                                                                                                                                        Filesize

                                                                                                                                                        372B

                                                                                                                                                        MD5

                                                                                                                                                        bf957ad58b55f64219ab3f793e374316

                                                                                                                                                        SHA1

                                                                                                                                                        a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                                                                                                                                                        SHA256

                                                                                                                                                        bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                                                                                                                                                        SHA512

                                                                                                                                                        79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

                                                                                                                                                        Filesize

                                                                                                                                                        17.8MB

                                                                                                                                                        MD5

                                                                                                                                                        daf7ef3acccab478aaa7d6dc1c60f865

                                                                                                                                                        SHA1

                                                                                                                                                        f8246162b97ce4a945feced27b6ea114366ff2ad

                                                                                                                                                        SHA256

                                                                                                                                                        bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                                                                                                                                                        SHA512

                                                                                                                                                        5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\prefs.js

                                                                                                                                                        Filesize

                                                                                                                                                        10KB

                                                                                                                                                        MD5

                                                                                                                                                        41de34c40bb536e1c1a17740b67d6a93

                                                                                                                                                        SHA1

                                                                                                                                                        07554369b8af0eff7147163c778484cc7af8531b

                                                                                                                                                        SHA256

                                                                                                                                                        01b0e53d36e6041f84d1ac817d97d5368aaa0a3cbdb9cc21335340801108c437

                                                                                                                                                        SHA512

                                                                                                                                                        69cb854b17f620c1ee7f70edf08dd02c84f48a2250fb053bcfb9cac33f737a6541ab5b707451996afd3019df419ec62e919a76610ba2163bb240eb27be0fdfbd

                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\prefs.js

                                                                                                                                                        Filesize

                                                                                                                                                        10KB

                                                                                                                                                        MD5

                                                                                                                                                        9a86f3b55223a2764781b6bc5a0cbd6f

                                                                                                                                                        SHA1

                                                                                                                                                        20aa9263ce4b490dddeaca2c296ff09295646346

                                                                                                                                                        SHA256

                                                                                                                                                        43602c3c1a471cffb0070dcdc05290e6185e4c136e16ea5455d7fd95e112bf7b

                                                                                                                                                        SHA512

                                                                                                                                                        283a84f5aa1b480e9c926f6c62b5b1b063842d41858065e5678bad743137ce01c9363b773686c7a67a1b3e92800f8e4e43b9f73d88661eabdee851b3b57d972e

                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\prefs.js

                                                                                                                                                        Filesize

                                                                                                                                                        11KB

                                                                                                                                                        MD5

                                                                                                                                                        9a9c36d52395bb14ee67d58e05a867fa

                                                                                                                                                        SHA1

                                                                                                                                                        7cc726501535abd2d49d4896670518ac4d15d865

                                                                                                                                                        SHA256

                                                                                                                                                        9916cb1c44d93407a30fd7d03e02e72a1cf76e88cd6c7a8e565ef32db3ea7769

                                                                                                                                                        SHA512

                                                                                                                                                        c276deca9d4dfa5c5173ebaced94f810cef8b55d327f9f3e1481423bc20c297bf59d56865684bcc13131ab8fa8d8d7cba94a9c3a767dcc4cafdd165e670f4eb6

                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\sessionstore-backups\recovery.baklz4

                                                                                                                                                        Filesize

                                                                                                                                                        15KB

                                                                                                                                                        MD5

                                                                                                                                                        a4a6aaa53928073cddde1118f9322843

                                                                                                                                                        SHA1

                                                                                                                                                        2770fd1c7b6006c889b973bfcebeea0023dce695

                                                                                                                                                        SHA256

                                                                                                                                                        8af92664a4a422e0308b0d18183c9869cc1357034c3f58ef4ef4f5132e58ded6

                                                                                                                                                        SHA512

                                                                                                                                                        f944307d45ea3f8127889fa45fe8f53675dde0bd1999e965653ee69cdc549bd7c85e9766ec047389dae19cb8b4c68265065175ed323a56132c5e510ca633b1dd

                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\sessionstore-backups\recovery.baklz4

                                                                                                                                                        Filesize

                                                                                                                                                        15KB

                                                                                                                                                        MD5

                                                                                                                                                        1a036f452dd3860a0787b044b5dddc31

                                                                                                                                                        SHA1

                                                                                                                                                        0036f28d19d95130e4dc8a4491ba81d725b6e66e

                                                                                                                                                        SHA256

                                                                                                                                                        2006f0e9e754f91bf5c82ab83cc0714f61cbdb0375d9ef8a65ec61acdf5e6ae7

                                                                                                                                                        SHA512

                                                                                                                                                        51f92edcb64263a663d2f6c00477ccefd0aa34ea8b1fb9892910ace6def99f9fc73eb0d55f86fc54deecc036ccab014b31e5fa1e33d0d4d7e2c7739d54fb5fbb

                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\sessionstore-backups\recovery.baklz4

                                                                                                                                                        Filesize

                                                                                                                                                        39KB

                                                                                                                                                        MD5

                                                                                                                                                        6929f006fffcae5cc83fdf3b5b4aa1bb

                                                                                                                                                        SHA1

                                                                                                                                                        9972b1a0abc1d2462548cc3e9d7b03375d13bd4c

                                                                                                                                                        SHA256

                                                                                                                                                        8c810f7d80de905365bfed95ebb8f6a6610e285b1f5e2608dbf7603fa545363a

                                                                                                                                                        SHA512

                                                                                                                                                        530c65c0b3d18a4529785c2473206c75c866731138515359c9c9f42e91cd45249422cd546c2967025e6fc5332a923ffde1c44875e23f9edca145468cd98c8f57

                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\sessionstore-backups\recovery.baklz4

                                                                                                                                                        Filesize

                                                                                                                                                        36KB

                                                                                                                                                        MD5


                                                                                                                                                        Filesize

                                                                                                                                                        10.8MB

                                                                                                                                                      • memory/1708-4-0x00000245F0BC0000-0x00000245F10E8000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        5.2MB

                                                                                                                                                      • memory/1708-5-0x00007FFBC1D70000-0x00007FFBC2832000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        10.8MB

                                                                                                                                                      • memory/1708-6-0x00000245EF800000-0x00000245EF80E000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        56KB

                                                                                                                                                      • memory/1708-646-0x00007FFBE0130000-0x00007FFBE0328000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        2.0MB

                                                                                                                                                      • memory/1708-641-0x00000245F12F0000-0x00000245F1366000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        472KB

                                                                                                                                                      • memory/1708-634-0x00007FFBC1D70000-0x00007FFBC2832000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        10.8MB

                                                                                                                                                      • memory/3492-648-0x0000000140000000-0x0000000140040000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        256KB

                                                                                                                                                      • memory/3492-649-0x0000000140000000-0x0000000140040000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        256KB

                                                                                                                                                      • memory/3492-650-0x0000000140000000-0x0000000140040000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        256KB

                                                                                                                                                      • memory/3492-652-0x00007FFBDE940000-0x00007FFBDE9FD000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        756KB

                                                                                                                                                      • memory/3492-654-0x0000000140000000-0x0000000140040000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        256KB

                                                                                                                                                      • memory/3492-651-0x00007FFBE0130000-0x00007FFBE0328000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        2.0MB

                                                                                                                                                      • memory/3492-653-0x0000000140000000-0x0000000140040000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        256KB