df44f1ee0fadc7d5e669a94d09fe1faed7074aaac4cdab026d47440ad818fb7f

Analysis

max time kernel
259s
max time network
268s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01-02-2025 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

1.3MB
MD5

ff724c99d04438e9163cfed49c8666d9
SHA1

ba58e5b1e7ef2155f80df7ccd0cc1cd53bea44f2
SHA256

df44f1ee0fadc7d5e669a94d09fe1faed7074aaac4cdab026d47440ad818fb7f
SHA512

fab2d6b818075b133bc1417e2ec40e9205d9873c2904826f7387b975cfdcd647a49074402d7219fcf8a7ebd3f03b2d33ccbd601efaaa59a73d374ce8f7cd9c78
SSDEEP

24576:iT4A/dbjFU6VYaKg6grhKuleUgVVGFIk8kr/1tY6v/87xaVUhf4pE02wIcm:iMA1bjF/Kg9KuleUeGFV8kr9tY6WhfDn

Score

8^/10

defense_evasion execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1964	powershell.exe
5080	powershell.exe
2372	powershell.exe
4716	powershell.exe
5956	powershell.exe
3596	powershell.exe
3892	powershell.exe
1476	powershell.exe
1740	powershell.exe
2868	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	AnyDesk.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	AnyDesk.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WsHosts = "C:\\Windows\\WindowsUpdate\\wshosts.exe"	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WsHosts = "C:\\Windows\\WindowsUpdate\\wshosts.exe"	AnyDesk.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
65	pastebin.com
66	pastebin.com
67	pastebin.com
68	pastebin.com

Probable phishing domain 1 TTPs 1 IoCs

Phishing

T1566

description	flow	ioc	stream
HTTP URL	66	https://pastebin.com/cdn-cgi/challenge-platform/h/b/orchestrate/chl_page/v1?ray=90b0363d2e38948d	17

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\WindowsUpdate\wshosts.exe	AnyDesk.exe
File created	C:\Windows\WindowsUpdate\wshosts.exe	AnyDesk.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2120	sc.exe
3668	sc.exe
5212	sc.exe
4320	sc.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5956	powershell.exe
1740	powershell.exe
1740	powershell.exe
3596	powershell.exe
3892	powershell.exe
1476	powershell.exe
2868	powershell.exe
1964	powershell.exe
2868	powershell.exe
5080	powershell.exe
2372	powershell.exe
4716	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	5956	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	3892	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	4716	powershell.exe
Token: SeDebugPrivilege	4304	firefox.exe
Token: SeDebugPrivilege	4304	firefox.exe
Token: SeDebugPrivilege	4304	firefox.exe
Token: SeDebugPrivilege	4304	firefox.exe
Token: SeDebugPrivilege	4304	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe
4304	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4304	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5196 wrote to memory of 1740	5196	AnyDesk.exe	84
PID 5196 wrote to memory of 1740	5196	AnyDesk.exe	84
PID 5196 wrote to memory of 2120	5196	AnyDesk.exe	85
PID 5196 wrote to memory of 2120	5196	AnyDesk.exe	85
PID 5196 wrote to memory of 5956	5196	AnyDesk.exe	86
PID 5196 wrote to memory of 5956	5196	AnyDesk.exe	86
PID 5196 wrote to memory of 3596	5196	AnyDesk.exe	87
PID 5196 wrote to memory of 3596	5196	AnyDesk.exe	87
PID 5196 wrote to memory of 3892	5196	AnyDesk.exe	88
PID 5196 wrote to memory of 3892	5196	AnyDesk.exe	88
PID 5196 wrote to memory of 1476	5196	AnyDesk.exe	89
PID 5196 wrote to memory of 1476	5196	AnyDesk.exe	89
PID 5196 wrote to memory of 3668	5196	AnyDesk.exe	90
PID 5196 wrote to memory of 3668	5196	AnyDesk.exe	90
PID 3176 wrote to memory of 1256	3176	cmd.exe	99
PID 3176 wrote to memory of 1256	3176	cmd.exe	99
PID 1256 wrote to memory of 2868	1256	AnyDesk.exe	100
PID 1256 wrote to memory of 2868	1256	AnyDesk.exe	100
PID 1256 wrote to memory of 5212	1256	AnyDesk.exe	101
PID 1256 wrote to memory of 5212	1256	AnyDesk.exe	101
PID 1256 wrote to memory of 1964	1256	AnyDesk.exe	102
PID 1256 wrote to memory of 1964	1256	AnyDesk.exe	102
PID 1256 wrote to memory of 5080	1256	AnyDesk.exe	103
PID 1256 wrote to memory of 5080	1256	AnyDesk.exe	103
PID 1256 wrote to memory of 2372	1256	AnyDesk.exe	104
PID 1256 wrote to memory of 2372	1256	AnyDesk.exe	104
PID 1256 wrote to memory of 4716	1256	AnyDesk.exe	105
PID 1256 wrote to memory of 4716	1256	AnyDesk.exe	105
PID 1256 wrote to memory of 4320	1256	AnyDesk.exe	106
PID 1256 wrote to memory of 4320	1256	AnyDesk.exe	106
PID 1200 wrote to memory of 4304	1200	firefox.exe	109
PID 1200 wrote to memory of 4304	1200	firefox.exe	109
PID 1200 wrote to memory of 4304	1200	firefox.exe	109
PID 1200 wrote to memory of 4304	1200	firefox.exe	109
PID 1200 wrote to memory of 4304	1200	firefox.exe	109
PID 1200 wrote to memory of 4304	1200	firefox.exe	109
PID 1200 wrote to memory of 4304	1200	firefox.exe	109
PID 1200 wrote to memory of 4304	1200	firefox.exe	109
PID 1200 wrote to memory of 4304	1200	firefox.exe	109
PID 1200 wrote to memory of 4304	1200	firefox.exe	109
PID 1200 wrote to memory of 4304	1200	firefox.exe	109
PID 4304 wrote to memory of 3000	4304	firefox.exe	110
PID 4304 wrote to memory of 3000	4304	firefox.exe	110
PID 4304 wrote to memory of 3000	4304	firefox.exe	110
PID 4304 wrote to memory of 3000	4304	firefox.exe	110
PID 4304 wrote to memory of 3000	4304	firefox.exe	110
PID 4304 wrote to memory of 3000	4304	firefox.exe	110
PID 4304 wrote to memory of 3000	4304	firefox.exe	110
PID 4304 wrote to memory of 3000	4304	firefox.exe	110
PID 4304 wrote to memory of 3000	4304	firefox.exe	110
PID 4304 wrote to memory of 3000	4304	firefox.exe	110
PID 4304 wrote to memory of 3000	4304	firefox.exe	110
PID 4304 wrote to memory of 3000	4304	firefox.exe	110
PID 4304 wrote to memory of 3000	4304	firefox.exe	110
PID 4304 wrote to memory of 3000	4304	firefox.exe	110
PID 4304 wrote to memory of 3000	4304	firefox.exe	110
PID 4304 wrote to memory of 3000	4304	firefox.exe	110
PID 4304 wrote to memory of 3000	4304	firefox.exe	110
PID 4304 wrote to memory of 3000	4304	firefox.exe	110
PID 4304 wrote to memory of 3000	4304	firefox.exe	110
PID 4304 wrote to memory of 3000	4304	firefox.exe	110
PID 4304 wrote to memory of 3000	4304	firefox.exe	110
PID 4304 wrote to memory of 3000	4304	firefox.exe	110
PID 4304 wrote to memory of 3000	4304	firefox.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\Windows\WindowsUpdate\239391\st.ps1\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\system32\sc.exe
  "sc" create WsHosts "binPath= \"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe\"" "start= auto"
  2⤵
  - Launches sc.exe
  PID:2120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.ps1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -File C:\Windows\System32\svhosts.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -File C:\Windows\System32\WindowsUpdate.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -File C:\Windows\System32\wins32bugfix.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\Windows\system32\sc.exe
  "sc" delete WsHosts
  2⤵
  - Launches sc.exe
  PID:3668

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  AnyDesk.exe
  2⤵
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" "-WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\Windows\WindowsUpdate\517220\st.ps1\""
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2868
- - C:\Windows\system32\sc.exe
    "sc" create WsHosts "binPath= \"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe\"" "start= auto"
    3⤵
    - Launches sc.exe
    PID:5212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -ExecutionPolicy Bypass -File C:\Windows\System32\svhosts.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5080
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -ExecutionPolicy Bypass -File C:\Windows\System32\WindowsUpdate.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -ExecutionPolicy Bypass -File C:\Windows\System32\wins32bugfix.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4716
- - C:\Windows\system32\sc.exe
    "sc" delete WsHosts
    3⤵
    - Launches sc.exe
    PID:4320

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 27205 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {926c8b68-11d2-4da0-bdd8-7889c53ee914} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" gpu
    3⤵
    PID:3000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2424 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2392 -prefsLen 27083 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a00d1966-cc4a-4f7a-9e1e-62a88aeacaa7} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" socket
    3⤵
    PID:5276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3080 -childID 1 -isForBrowser -prefsHandle 3084 -prefMapHandle 3076 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f915184-a62d-4749-af1c-def1ebfee446} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab
    3⤵
    PID:4784
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4116 -childID 2 -isForBrowser -prefsHandle 4112 -prefMapHandle 4108 -prefsLen 32457 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {174f4811-b70d-410f-825a-57729ac59ac5} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab
    3⤵
    PID:3880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4828 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4820 -prefMapHandle 4816 -prefsLen 32457 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c01fde6-f2e5-4641-8ec1-da016bc4b85b} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" utility
    3⤵
    - Checks processor information in registry
    PID:1096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5288 -childID 3 -isForBrowser -prefsHandle 5264 -prefMapHandle 4828 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3547a269-8c48-4a92-a7b6-6c3f07671062} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab
    3⤵
    PID:5828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 4 -isForBrowser -prefsHandle 5312 -prefMapHandle 5236 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0352bbf2-a72c-4cb8-a066-0c62e07caddc} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab
    3⤵
    PID:5852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5508 -childID 5 -isForBrowser -prefsHandle 5516 -prefMapHandle 5456 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9b6e833-f257-41c2-81ba-d6ccb7446726} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab
    3⤵
    PID:5872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6192 -childID 6 -isForBrowser -prefsHandle 6184 -prefMapHandle 6180 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {874abd4c-f3ca-49ba-becf-b235e6912d5d} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab
    3⤵
    PID:4440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6312 -childID 7 -isForBrowser -prefsHandle 6356 -prefMapHandle 6364 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a2779e8-1232-44c4-8da3-28e24fc0863e} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab
    3⤵
    PID:1972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5568 -parentBuildID 20240401114208 -prefsHandle 5544 -prefMapHandle 5556 -prefsLen 32714 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {deb48e5a-b64d-47db-a39c-78281fb84a16} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" rdd
    3⤵
    PID:5652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5764 -childID 8 -isForBrowser -prefsHandle 4256 -prefMapHandle 6396 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dcb19661-01af-4b83-a01a-f9cddf9ad57c} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab
    3⤵
    PID:3260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6676 -childID 9 -isForBrowser -prefsHandle 7256 -prefMapHandle 7280 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be1aab2e-a796-40fa-a48b-261be2300d34} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab
    3⤵
    PID:3352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7416 -childID 10 -isForBrowser -prefsHandle 7424 -prefMapHandle 7428 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {143f12ae-be6f-4eec-9f2a-0e223b5219a8} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab
    3⤵
    PID:3984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7512 -childID 11 -isForBrowser -prefsHandle 7628 -prefMapHandle 7632 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8372f45b-cd06-4f50-9cb3-ec1b425b1ab1} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab
    3⤵
    PID:888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6360 -childID 12 -isForBrowser -prefsHandle 6464 -prefMapHandle 6448 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60c99300-76b6-49cc-8dd5-cf5fc923a098} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab
    3⤵
    PID:4660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3728 -childID 13 -isForBrowser -prefsHandle 7856 -prefMapHandle 7852 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {593da8b5-e0ce-43a8-8514-481fba4d8c36} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab
    3⤵
    PID:2744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4560 -childID 14 -isForBrowser -prefsHandle 7604 -prefMapHandle 7428 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fe71eac-e4e9-4d7f-b0da-19ed220f7482} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab
    3⤵
    PID:2864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8024 -childID 15 -isForBrowser -prefsHandle 8032 -prefMapHandle 8040 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae4fad91-4ecd-4150-9318-705980d4f334} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab
    3⤵
    PID:1496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6356 -childID 16 -isForBrowser -prefsHandle 8256 -prefMapHandle 8252 -prefsLen 28288 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5700bf86-f3a9-4988-a65a-564f767258f6} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab
    3⤵
    PID:5648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Phishing

T1566

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
a94e0a262fe8ab5c0ec0872d36fcbd48

SHA1
877a5ed6269746fe8827f715ef95136ea81c5374

SHA256
4e689eb0bbeab4759a79c590a4d06d520a12974cf6cb79753832a5582a1ff0c9

SHA512
92a1ebcb2e4e4279e6cb0ff9407ba363ecb27c47b8cd4441655d9ecf811b990d066856f4738f23f8d9b12d1f3d0de75ef6a101fed056f5392e7140111550ca54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ad1581c64934c8b00a5c4f9a3685a2b5

SHA1
6b178e817d878eab54441c9852d88c0ea63be414

SHA256
b9e99eba07099c0847b2a56f5eb65b243b6af79a279f20204a8c5febe9a2ccfb

SHA512
1569b36aff2b88f23049463075c351a6afcc10bee1e62d996e18251b4efa4c8e8a37be7e63c7a057c971b7bc529620f87985c2c6bb89e2d459e52673b5baabec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lsy92t1y.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
196d32db80ed6042a2bc1565da8105b7

SHA1
3706d42725833f03b2fb25ad1d53c04f1447bdea

SHA256
9848dfb59f7010fa644774b700124a0ec33a4d5283bd38d071e870115784b1b8

SHA512
50f99ebba037a264a1477e612840d39356195cd0bd735fa96a182889ccf0c5bf0a07fc64873a7e1c5c9ddbd8331689633fbb108e7c7448c4683450d10cc8416e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lsy92t1y.default-release\cache2\entries\AC77862B6F9BA0B734DACE28AC8B020891FC8785

Filesize
10KB

MD5
e6c30c5f7762e21125b17b04fd1d024e

SHA1
604e35770a59fbd599994089795821bd3b9148fe

SHA256
92f6ea95d0222922493d7577aee9a85ddf9b8bf756f60ef6732d980807b4ca6f

SHA512
35e6d2d2cdc0a6e15f38c2f37391dae93ff119691a1391a07aa8825474f64a13cba722f47bbf4e364d922b508433e49d2e87a99ff844c671e83d596837f192b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a2m0bzpe.dur.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\AlternateServices.bin

Filesize
7KB

MD5
3d29b2558e096970c4678c187432c17b

SHA1
494d9b5156c5f1f18bbcc7fbf5fddfd53d38d389

SHA256
336be965c0e7b0e447be3a43179648c23076c0a93e4f7834eab379a1c20921e2

SHA512
7f47c53e4b6a6c8dae1eec9461c96a6b2368cef028f754d12d44ce5378b67aabb80e923ee2a54a9d6477591bdc2236839fec13bb1a7b5683002c098a207ec5f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\AlternateServices.bin

Filesize
40KB

MD5
9501d8ffd7b4557196e7ecded7a19606

SHA1
b09d76d08c9c73823e50f9d269d972ded1cf765a

SHA256
b18bff4da86f66524e10ed11bf3393c9aae1488b12c7c78df80d73967d8955d0

SHA512
e6fb7b00c3d4d8559ec566f95ecbf71c4f0bda57f6f8759603b7a40a54a85548dde7ee2cf34699dc0f36fd6f8d322ecbdb65831f29d96a2f5b2a4f401a4fda17

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
6ad2bba67cf53907eff0077a060e85ca

SHA1
d4a99798f3c5b55a742ad7f826379a0c51b70746

SHA256
c4fce8b403c8ddf1ccf9431823ace6e684a7ac6e160249baee66c57fcd136a0a

SHA512
2b5effab2089502a37f25a8b849e34b485e94fcf00b4cbac62b9fd87530197295bad8b57f07fc2ce99e6e2a624d684e16081ef987041acc46bc4eb9634692b69

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
147da466eb49e01a13ff3b1c57d81385

SHA1
360771e14516de48285a5fdf491e1703f5f3d11b

SHA256
63ea651e43096aae51ae844e1fcd93af6b60e5edb78d458ae2439ddcc7b8afb7

SHA512
1c64240e15bff34432f704a01b75a30d2ac45919587eebdddb77c989bc574c02a684d91a8a67fef93ba04d5a7e1ee5cbc2879818e488007859196254d152fa04

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\datareporting\glean\db\data.safe.tmp

Filesize
63KB

MD5
2e612715b8d68de715a1c06bdce84b76

SHA1
6a9d1c6c826064d9cb6d4d96f8d4bf5a1122040e

SHA256
8782c357ca33609ec914210ea35f4ccf409d73ac7c0ed1afd93992ea7a5b76da

SHA512
9eeea47f4bf53216baf9ab9e9bbc986c29153a17b049b0c0d202149929e147163548e9d03db604c4458f0a686bfba60523f47d1b0d52497d7a729b77f881f638

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
b86142aaee1e8511a72b9b5c94469596

SHA1
ffad7d8fc6129116586065df504688db1c786cf1

SHA256
37ad86a6c16e2741cb144604b9ff73a2f56d1352f9738cf6980bb6132f4666d5

SHA512
71b0f9b27ee7e8974542a5ff4241d474c218355c40dd6fac3fdae1a4a92e272e62e00785feb57ea776cf78e12fd90469fe87547574b4a4d81e4762167070fb2f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\datareporting\glean\pending_pings\11181e47-e24c-4a4b-89c0-6bfe250d48ba

Filesize
25KB

MD5
16d6e354615752af147db95f73bd5c8e

SHA1
6a33bdb7732cfc0ec420289df431531a98eed726

SHA256
e99c252cd5c1995e1e04dfa22ad3ef207960de5bce89fffc87cf398ade7ac0d8

SHA512
528d76bca8df4a475f224952fffbcdf94b05c2a81aa982a0e4bd013fbc680227db239c9e733980836d9b93ac32f027c4d97cbcd626ff931eae67b1ba90ee5163

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\datareporting\glean\pending_pings\363c9183-a63f-41e0-a12f-8e6d60f4a78e

Filesize
671B

MD5
4d849271ac96586010aac2aab5de13d5

SHA1
a289c4d5cd4cae038b7f1dbea87f64cee1213e49

SHA256
51b4232095112cafeb951f83bbd813c3ab8d4cd7d6fcd3e4bbb4fb6eb93401a5

SHA512
c8ede282a44f890ff0f7fc7b85357e65d7edb63d830d02ef92215cba0a8ba729e6e6c5ec2e162c4d74fbade4ef4f5aa6d61de2837c229c0e0f74c4f7d4f2f290

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\datareporting\glean\pending_pings\fb29cb5d-6a0f-4b8a-b320-3738dc183bf1

Filesize
982B

MD5
3e12a4a4f0087f0a31ebd776ec41eec3

SHA1
d2b9bffca117bcdd0a2b46fab09fc2cc8ce1c3ad

SHA256
174e0ab7fb54f63d50b0c0072620c8877239e481cb2ae8711712ac748f7db2b3

SHA512
27a4f5ff0bfc6bb663aad176f7f796b22a29562c168039560648ed6e137f005de025c8fa5631b29e56e543925f28bbf4d392b351ab435ec8db09c90a60e90bbb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\prefs-1.js

Filesize
9KB

MD5
dab663241366f0d53e54fb045d5a11e7

SHA1
93789cfee94d7cb02405583f4147a994c8b3ee33

SHA256
32f5b68fb33e3b72c354c304c5b4a846c34ebfffc5737e25492acb5b01354623

SHA512
128eafeb1353b0d6be6146cc2b0fe01bd391a0c7bb454be5e9420e623ea50bdee730de1fb7dc40ccc08d79d6ad80a8ead483f4b06a8a3d312cb69303ebf91c76

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\prefs.js

Filesize
9KB

MD5
f0294975fc333cc9de120482172e8462

SHA1
16de802fafd4090938f9b64d19f931af93327c2d

SHA256
43130e8e7e5203aa621278f4c2886d18bdae7e050b9c31c4fa4b8b5d2345b82f

SHA512
fbdb6bcd4239964778f6f4ad54ea13f822e5af96e96faa7f64a326c19cb89446c8b6640d05f03924494e74cc9e2b3971aa63255c61f90d501a8d4ac02fb8397d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\prefs.js

Filesize
10KB

MD5
8a175607636a6283f24275a5a6de84c0

SHA1
0b7d64b5ddf4ffe08b3f30cd70cde7a2ebdbd3e4

SHA256
b99670a0a397b279ddfdac55a6049a865d43d6f587f05c6bb888e6e54d43bbb6

SHA512
0387b2517c3632ce545296b02a2e92903832fc2cdfcc15502341470d74a587b238991d215d8aa9df6bfc0e097d460b36a7d471d2b246b0e6803756b7f0be393f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
1fc8d4d8a7da8b811ee27cf2f35fcf7c

SHA1
33d2fdbd101d458b341123c5d46cf9f8da9da4a5

SHA256
f13c13ee7ec49c96847619dc0b67466e7da59280f4d3640c7767a7e85e5cf1f4

SHA512
9f67e0b619bc095e2b18a64146f1fce21ab33fbd51e96e213a51cd62392afe206a16c24ab9e7a262b30dec6652caa5c17fe04d118611cd14c4ebf867ff89e21d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
09eb1f510f9d47a39a7cdc8ce6961f98

SHA1
07f1a97780dbe192a2080640cbe06cf633696436

SHA256
b57365d38634d749010a293ab56a0f4d266b46e5f89cc82f18b14bf5c48e6f2f

SHA512
3def059c78649734a336ccf5abb13275d60df6fb695f4e7b29fc7e59c4fcfaf6bda214871daad1ba0c8c4e2d699cd823bcde944e323bb30c81759e37d75f50a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
e4171df6fea81304f9aec2d329f56961

SHA1
d49973413c59a53176a0210b491c68ab6a8e4585

SHA256
71dc08c955d623a4148d5729db426d121b1da399d313a9c05f87776625c0d3cb

SHA512
b383ca45e78b9d1735045a4fdfe1b36424ee031f01e6c1d93ddbd480066f4702299839ace21ad805b4e1a2307966260934700e6d66b0dd937247f7203f4a9597

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
948142f65741f3ce9d926dd09faaaaed

SHA1
ad06c4a2401a1197a774c4a4213da9958124dc2c

SHA256
a36740cf4f2b5c93b71b7d489a41d4c1da77cdcb9eb0abb1fde2506f87b5af72

SHA512
648c4341a6b302307752720dc36835054bc00aa25353c2aeb66c4618da85f1d786d122b3bd97142f47b7b44f2a31b073e8a006d9996b7dafc9373ce4558e033f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
5deb857f365022495e2222c6860f7709

SHA1
9f887e3f454c24686352fcf455ea21a96767290a

SHA256
78721cb2154d6a8138a3684bd1e16bb94b75380f02e211cbca5947f0a86c5634

SHA512
a7d8e497f5eedb693b56a21aa19311761461af9db03d5b417386c6bbd197c72a3f9c814bb874d3ddc53cd2de78a3d12bf7d31650b1888749278a510bdcff4a78

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
f2a39756f0082d2f1c8f640ec0c41731

SHA1
f614d32207f440ad6e38e871256de5bddf6a26b6

SHA256
002a8e826f50e527166541536f4b73ce2a43fbc0994d4991453dc86ec61b55b7

SHA512
f14c90b937f046785fba5a7affa1b5ef01843ddd11b8ccac937393689a930b3ad8971d982a54a78568e7b625838b30d5bc8b76a331a758b83bca722d81c0e42e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\storage\default\https+++pastebin.com\ls\usage

Filesize
12B

MD5
54ba0ccf26d236c024f1ad905e167bda

SHA1
42d0b852bed6e0bac4e73c2ae3ec1356a8b7c509

SHA256
e5100081ad339ebd68f6f31b52ffaa927d1173d0b46f830a85460d2fd9845455

SHA512
1e946f47536c6b0d69bdf766139bcb2cc5ebcfb8b66445d8326a3e7545b0deb4923253c47521761d6af3a90772cc2b231809002f267ebf92d54ceb7dc2f88c0c

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
dec29dcc5fba036816e7fe130a30af9e

SHA1
91796cf55a57676dcaeb2564984ca0b6b9ccc8f6

SHA256
1b8b2924aa7d00598a11c437f2c43e8deb9b138249e15b7ac6783baf810ecdcd

SHA512
833ae7d1af9926706023c8a942e2e8dd51d022dbcf14b59e7f8cfad02174323fde9f95a355b61982050068731584f267704ae4324d5901981e1d53d2019fc3fc

Download Submit
memory/1256-155-0x00007FF7A2E10000-0x00007FF7A2F06000-memory.dmp

Filesize
984KB

Download
memory/1740-52-0x00007FFEF6DB0000-0x00007FFEF7872000-memory.dmp

Filesize
10.8MB

Download
memory/1740-32-0x00007FFEF6DB0000-0x00007FFEF7872000-memory.dmp

Filesize
10.8MB

Download
memory/1740-36-0x00007FFEF6DB0000-0x00007FFEF7872000-memory.dmp

Filesize
10.8MB

Download
memory/1740-33-0x00007FFEF6DB0000-0x00007FFEF7872000-memory.dmp

Filesize
10.8MB

Download
memory/1740-35-0x00007FFEF6DB0000-0x00007FFEF7872000-memory.dmp

Filesize
10.8MB

Download
memory/1740-22-0x00007FFEF6DB0000-0x00007FFEF7872000-memory.dmp

Filesize
10.8MB

Download
memory/5196-82-0x00007FF7A2E10000-0x00007FF7A2F06000-memory.dmp

Filesize
984KB

Download
memory/5956-19-0x00007FFEF6DB0000-0x00007FFEF7872000-memory.dmp

Filesize
10.8MB

Download
memory/5956-6-0x00007FFEF6DB3000-0x00007FFEF6DB5000-memory.dmp

Filesize
8KB

Download
memory/5956-7-0x000001F4E4210000-0x000001F4E4232000-memory.dmp

Filesize
136KB

Download