899404bf69efe497bdb63c691b5f31d07380d9901642b6211e956f8d386ebb62

Analysis

max time kernel
149s
max time network
153s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01-02-2025 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

1.3MB
MD5

806f512c8fbf611cfb89eb37b9456918
SHA1

509da795dd604002a3046a3902354aa9c0ca4218
SHA256

899404bf69efe497bdb63c691b5f31d07380d9901642b6211e956f8d386ebb62
SHA512

db526dd96c738845b9dbe2ba7062467288ccae82931750a03285d6b4fd85a5259b49c390fa247119f65d12f3631647d8dab295054463147ab6dc91c2c921987f
SSDEEP

24576:fT4A/d6wF5q6Yh2JoaCmWJZopqgHCl8jpU/KkwtY6v/87xaVUhf4pE0TwIDm:fMA16wFdjC7JZop5il8juNwtY6WhfD0M

Score

8^/10

defense_evasion execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1644	powershell.exe
4960	powershell.exe
5068	powershell.exe
4060	powershell.exe
2516	powershell.exe
3320	powershell.exe
4696	powershell.exe
1432	powershell.exe
3272	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	AnyDesk.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	AnyDesk.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WsHosts = "C:\\Windows\\WindowsUpdate\\wshosts.exe"	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WsHosts = "C:\\Windows\\WindowsUpdate\\wshosts.exe"	AnyDesk.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
57	pastebin.com
60	pastebin.com
61	pastebin.com
62	pastebin.com

Probable phishing domain 1 TTPs 1 IoCs

Phishing

T1566

description	flow	ioc	stream
HTTP URL	62	https://pastebin.com/cdn-cgi/challenge-platform/h/b/orchestrate/chl_page/v1?ray=90b046172ff9cd5f	17

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\WindowsUpdate\wshosts.exe	AnyDesk.exe
File created	C:\Windows\WindowsUpdate\wshosts.exe	AnyDesk.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4360	sc.exe
460	sc.exe
4680	sc.exe
5700	sc.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-590766166-4003350121-2036565200-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4960	powershell.exe
1432	powershell.exe
1432	powershell.exe
5068	powershell.exe
4060	powershell.exe
3272	powershell.exe
3272	powershell.exe
2516	powershell.exe
2516	powershell.exe
3272	powershell.exe
3320	powershell.exe
3320	powershell.exe
4696	powershell.exe
4696	powershell.exe
1644	powershell.exe
1644	powershell.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	2392	firefox.exe
Token: SeDebugPrivilege	2392	firefox.exe
Token: SeDebugPrivilege	3272	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	3320	powershell.exe
Token: SeDebugPrivilege	4696	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe
2392	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2392	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3564 wrote to memory of 1432	3564	AnyDesk.exe	84
PID 3564 wrote to memory of 1432	3564	AnyDesk.exe	84
PID 3564 wrote to memory of 4360	3564	AnyDesk.exe	85
PID 3564 wrote to memory of 4360	3564	AnyDesk.exe	85
PID 3564 wrote to memory of 4960	3564	AnyDesk.exe	86
PID 3564 wrote to memory of 4960	3564	AnyDesk.exe	86
PID 3564 wrote to memory of 5068	3564	AnyDesk.exe	87
PID 3564 wrote to memory of 5068	3564	AnyDesk.exe	87
PID 3564 wrote to memory of 4060	3564	AnyDesk.exe	88
PID 3564 wrote to memory of 4060	3564	AnyDesk.exe	88
PID 3564 wrote to memory of 460	3564	AnyDesk.exe	89
PID 3564 wrote to memory of 460	3564	AnyDesk.exe	89
PID 3112 wrote to memory of 2060	3112	cmd.exe	96
PID 3112 wrote to memory of 2060	3112	cmd.exe	96
PID 60 wrote to memory of 2392	60	firefox.exe	100
PID 60 wrote to memory of 2392	60	firefox.exe	100
PID 60 wrote to memory of 2392	60	firefox.exe	100
PID 60 wrote to memory of 2392	60	firefox.exe	100
PID 60 wrote to memory of 2392	60	firefox.exe	100
PID 60 wrote to memory of 2392	60	firefox.exe	100
PID 60 wrote to memory of 2392	60	firefox.exe	100
PID 60 wrote to memory of 2392	60	firefox.exe	100
PID 60 wrote to memory of 2392	60	firefox.exe	100
PID 60 wrote to memory of 2392	60	firefox.exe	100
PID 60 wrote to memory of 2392	60	firefox.exe	100
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102
PID 2392 wrote to memory of 4360	2392	firefox.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\Windows\WindowsUpdate\322852\st.ps1\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- C:\Windows\system32\sc.exe
  "sc" create WsHosts "binPath= \"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe\"" "start= auto"
  2⤵
  - Launches sc.exe
  PID:4360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.ps1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -File C:\Windows\System32\svhosts.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -File C:\Windows\System32\WindowsUpdate.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4060
- C:\Windows\system32\sc.exe
  "sc" delete WsHosts
  2⤵
  - Launches sc.exe
  PID:460

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3112
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  AnyDesk.exe
  2⤵
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Drops file in Windows directory
  PID:2060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" "-WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\Windows\WindowsUpdate\754222\st.ps1\""
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3272
- - C:\Windows\system32\sc.exe
    "sc" create WsHosts "binPath= \"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe\"" "start= auto"
    3⤵
    - Launches sc.exe
    PID:4680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -ExecutionPolicy Bypass -File C:\Windows\System32\svhosts.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -ExecutionPolicy Bypass -File C:\Windows\System32\WindowsUpdate.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -ExecutionPolicy Bypass -File C:\Windows\System32\wins32bugfix.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
- - C:\Windows\system32\sc.exe
    "sc" delete WsHosts
    3⤵
    - Launches sc.exe
    PID:5700

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:60
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 27199 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2275e7ba-f1e7-4f4d-9736-ffbe3c808044} 2392 "\\.\pipe\gecko-crash-server-pipe.2392" gpu
    3⤵
    PID:4360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 27077 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd4a3f50-23c3-4c01-8712-ca249e520bbc} 2392 "\\.\pipe\gecko-crash-server-pipe.2392" socket
    3⤵
    PID:2164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3352 -childID 1 -isForBrowser -prefsHandle 3344 -prefMapHandle 3224 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf84fcd4-ddac-4441-9f26-6aeeb58b20e0} 2392 "\\.\pipe\gecko-crash-server-pipe.2392" tab
    3⤵
    PID:3800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3732 -childID 2 -isForBrowser -prefsHandle 3728 -prefMapHandle 3724 -prefsLen 32451 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9bf3eafe-82e7-4516-b689-a8f3c522d872} 2392 "\\.\pipe\gecko-crash-server-pipe.2392" tab
    3⤵
    PID:4404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4728 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4720 -prefMapHandle 4348 -prefsLen 32451 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d65a9266-f7fd-4ed1-8c02-44e533b05c7f} 2392 "\\.\pipe\gecko-crash-server-pipe.2392" utility
    3⤵
    - Checks processor information in registry
    PID:5124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5320 -childID 3 -isForBrowser -prefsHandle 5376 -prefMapHandle 5372 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0650a68-1953-464a-9e9c-6d51593d1eef} 2392 "\\.\pipe\gecko-crash-server-pipe.2392" tab
    3⤵
    PID:5720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5384 -childID 4 -isForBrowser -prefsHandle 5312 -prefMapHandle 5308 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7261f51-626d-43f3-81a5-7de50399bd6d} 2392 "\\.\pipe\gecko-crash-server-pipe.2392" tab
    3⤵
    PID:5732
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5332 -childID 5 -isForBrowser -prefsHandle 5664 -prefMapHandle 5668 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd967ee6-f3d8-4de5-8f75-23d3631b11df} 2392 "\\.\pipe\gecko-crash-server-pipe.2392" tab
    3⤵
    PID:5748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6212 -childID 6 -isForBrowser -prefsHandle 6268 -prefMapHandle 6264 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9900445-c2fc-4eb2-b273-0fa6886eb560} 2392 "\\.\pipe\gecko-crash-server-pipe.2392" tab
    3⤵
    PID:5420
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6468 -childID 7 -isForBrowser -prefsHandle 2768 -prefMapHandle 2788 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb1b604a-bd4f-486a-bc22-ab10a990a848} 2392 "\\.\pipe\gecko-crash-server-pipe.2392" tab
    3⤵
    PID:5436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5464 -parentBuildID 20240401114208 -prefsHandle 5448 -prefMapHandle 5460 -prefsLen 32714 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b128b29f-eba2-4733-8049-dd97e4c12011} 2392 "\\.\pipe\gecko-crash-server-pipe.2392" rdd
    3⤵
    PID:348
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5448 -childID 8 -isForBrowser -prefsHandle 6724 -prefMapHandle 6716 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e568c3d-9df9-4198-9fac-58aca6ff9865} 2392 "\\.\pipe\gecko-crash-server-pipe.2392" tab
    3⤵
    PID:1096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7092 -childID 9 -isForBrowser -prefsHandle 7104 -prefMapHandle 6972 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d506174e-2e9a-4ad7-92c2-4e1c34c012c4} 2392 "\\.\pipe\gecko-crash-server-pipe.2392" tab
    3⤵
    PID:5908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7436 -childID 10 -isForBrowser -prefsHandle 7424 -prefMapHandle 7420 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db749bf9-330f-4c8b-99a8-3df4df136240} 2392 "\\.\pipe\gecko-crash-server-pipe.2392" tab
    3⤵
    PID:4840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7560 -childID 11 -isForBrowser -prefsHandle 7568 -prefMapHandle 7572 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4aa607d-4c33-42b4-b1a1-f2b18fa96194} 2392 "\\.\pipe\gecko-crash-server-pipe.2392" tab
    3⤵
    PID:5720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7832 -childID 12 -isForBrowser -prefsHandle 7752 -prefMapHandle 7756 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c0966a4-f4bc-4971-bd76-d04af4e2f75c} 2392 "\\.\pipe\gecko-crash-server-pipe.2392" tab
    3⤵
    PID:4336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7448 -childID 13 -isForBrowser -prefsHandle 8052 -prefMapHandle 8044 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57ec460e-bc28-4d4d-a66c-77b04dd40723} 2392 "\\.\pipe\gecko-crash-server-pipe.2392" tab
    3⤵
    PID:3132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7212 -childID 14 -isForBrowser -prefsHandle 6844 -prefMapHandle 6980 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d118090-0e00-4f0d-91f8-0235cf5a28b4} 2392 "\\.\pipe\gecko-crash-server-pipe.2392" tab
    3⤵
    PID:5696
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6792 -childID 15 -isForBrowser -prefsHandle 7256 -prefMapHandle 7632 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8bb8084-f8ae-40f6-ba7e-0b295ce38c39} 2392 "\\.\pipe\gecko-crash-server-pipe.2392" tab
    3⤵
    PID:3264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7496 -childID 16 -isForBrowser -prefsHandle 6960 -prefMapHandle 8040 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ab61204-433a-47c5-92c9-df685dac7783} 2392 "\\.\pipe\gecko-crash-server-pipe.2392" tab
    3⤵
    PID:64

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Phishing

T1566

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
a94e0a262fe8ab5c0ec0872d36fcbd48

SHA1
877a5ed6269746fe8827f715ef95136ea81c5374

SHA256
4e689eb0bbeab4759a79c590a4d06d520a12974cf6cb79753832a5582a1ff0c9

SHA512
92a1ebcb2e4e4279e6cb0ff9407ba363ecb27c47b8cd4441655d9ecf811b990d066856f4738f23f8d9b12d1f3d0de75ef6a101fed056f5392e7140111550ca54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c96ba249c186791a8657f0e87b09c6f0

SHA1
1056a7f5cadc58fd3fad3535a3ddded6233b00a9

SHA256
036f779c35fe1a336d378892d834569d56d2407e299f8fd3b32538866ad15981

SHA512
8a9e2496b720d0a994cdaf678a622fb9c26f507b822f9ba911d66281028ba3740ca4793296ba1e95456824c9e221986b736b0f6b3bcb68b005d7755fea9e62b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ad1581c64934c8b00a5c4f9a3685a2b5

SHA1
6b178e817d878eab54441c9852d88c0ea63be414

SHA256
b9e99eba07099c0847b2a56f5eb65b243b6af79a279f20204a8c5febe9a2ccfb

SHA512
1569b36aff2b88f23049463075c351a6afcc10bee1e62d996e18251b4efa4c8e8a37be7e63c7a057c971b7bc529620f87985c2c6bb89e2d459e52673b5baabec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ps0kk9ov.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
3006e66184897ac4acf9539f0c4783df

SHA1
9a9255fdad46a3ea41c339046acd7cb152f74147

SHA256
ad736da6cb24034510f654e90c7441745096523936d4480efdbc3d62d4cb5903

SHA512
5122b48773dfb55df0301b659a95800a68135f3c1554b11d890ceb71fba40a460d2fe0ad680935e59309b3f19b58310476756ee17ebdad2c4d76b8c336dbb83a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fvurcokp.5zv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ps0kk9ov.default-release\AlternateServices.bin

Filesize
7KB

MD5
8bd8671d01923f4949c9d5e374a0ab47

SHA1
8d7be62dc707674566a7449e3c79d7c43f4a9ef4

SHA256
4c865a8c731bcbf35a7092a8b11f3375e041630b15812cf23091843ca9d897b1

SHA512
6273709bc740d9b2aa0df3b7713802ae7db2082b6460f59e62b8ff61423987f0772413ce6c9e5e7c926fa578cf4c9c3e9dcefb1be8b52a4bf5ab4f7c2d5515dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ps0kk9ov.default-release\AlternateServices.bin

Filesize
40KB

MD5
6796259cc7fb767f71d75372993c569c

SHA1
d309ada6a65b3fb0c06050fb838d2ce791983f2b

SHA256
152c8edca1b6f3ec5d9f8ca13468170aed56dd83ad282b5165de72f894c63f58

SHA512
adbd2e1d4f9f63e4677bdbb61bacca881e7bf62c26bd79eab5ebb56422cf585d1c28ff3487652e8cb82deb111313ecdbd6fe56632b93f62ed174e8e3545dcc9e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ps0kk9ov.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
805f4b5598bd05d3df0f32cfd6eed252

SHA1
56234586b59c0fbb8ef208554580162e195210a5

SHA256
a94624fa58e1532408b46ad60fbb4a711ae2c6674ebd3773d3ad473ea0d49cbc

SHA512
442f4b42e598f019b3a24e14bf1996ef5ff43d5c3aa05937304b3ae9b35df3d80191f0c80512bbbe5f233349df4a2221994f2a5c64953a7cca8921b9926cb503

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ps0kk9ov.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
fbefd52db3cf7478b87029e6112dc383

SHA1
d104603ab61c5060e17fbb7be908295d1bfc5871

SHA256
6d08ff6dc6afca6ba007eeb24f00083055b52f344ba69e95a189d64e2871af32

SHA512
a9e55ac78ac2f8fd77e9e2983b076bc22874dd7802d1931a0f86e2241d01a63048936c467cc8ed302f0530b989609dda06b3f45b969b4de76477b78c197b572f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ps0kk9ov.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
d687b1ae31cf9fffb47c616882a76946

SHA1
e0c01919bca65827ff401cee2e1678a8479ac0d3

SHA256
6be15413000c33c7fe810c445c4cacdd688a2fb6764835e7ca09d084657c985f

SHA512
c255c13a19a5abc39cb06d0fec8e568b627f05506c568ec4d5c91c96a44958f3b51456415c05c8014bd618fbf8f82b78d726cf973af2e3e3741ce9c961e79c6b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ps0kk9ov.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
2fa57d8efa83f93235b7c451d832d8e8

SHA1
9c36de386a3354586380a68c87cbdf2aaecd2dfe

SHA256
c242cc407f60390dd24157e03beda01511d62192f12e0631c20499d31017545e

SHA512
e68daef3ca5e3058ca0cdb0609d63f7a5a1331ac8ae8cc41a329cbd3eb06f9a0c69afa9e9b144f771e5a05992b30cf973ba95e023111e7f0d9e51c3cbd431683

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ps0kk9ov.default-release\datareporting\glean\pending_pings\3e574846-3d78-49c8-a89d-477d43917426

Filesize
24KB

MD5
015b34581097adf0befdffc2b79bb67d

SHA1
956b82d6dd7e8cd5010012547198302cc1240707

SHA256
bc79019f59c7188b973c6ebd7c52d9ceadc4814dea5127d796fe6a9e2f873de4

SHA512
6045489ca784d0028320cf666702867a1e4013ae5a7b70764dfd421735fd63fabed5b391b97fffcf46194bc45bca50f339b8f4ed53af0d9bf5027e22dee414eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ps0kk9ov.default-release\datareporting\glean\pending_pings\5a61ce76-650d-4df2-bed5-36edc67c08d7

Filesize
671B

MD5
8ff26ab730d42dbad4f82656b1ed89af

SHA1
c37cf73030665c712b1ae100ba1f077ab2826f3c

SHA256
69321bc4dd4bac09b41caf919d0da21e14d9521e4d10c490f3feaa2cc2eb9f9d

SHA512
fb44ce9b151709be88a02900dbe2b9bb7e38e32a1095a5df01268f408f0e1704a8eea4bd9344843fee4ad29068a66ddb0f8950aaddb40a7bd8735dc72c82683b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ps0kk9ov.default-release\datareporting\glean\pending_pings\d8998526-4ec6-4191-97d6-0107de73cb09

Filesize
982B

MD5
1b41bf5bfcf55e52ee24d4129574001f

SHA1
7e9c0b77ab47a167894960a4c78bb77a34f72629

SHA256
1dd91b3274c5a78dfaa336428b2a498fc5e5d06bac3e5ffa077ae36493677f13

SHA512
451a5e4e09b450d428f101f690fc1d82e6eae0ee99e2088f556b81bc747f45fa18e22b2c99815fab04e47f311095bae9abcbdb36d879b8a0c379d76a280aacbb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ps0kk9ov.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ps0kk9ov.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ps0kk9ov.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ps0kk9ov.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ps0kk9ov.default-release\prefs-1.js

Filesize
10KB

MD5
9bef514d5bdcb53d59955b38db714e75

SHA1
2dd98c599e5bd25fe9f6da46ad620b00c1bf9dcf

SHA256
76457bf07e52ca4a6747cf69e7bd4534625a368d6b70051e75ef23a759874876

SHA512
fb46aa39a8263721ec0a20cf5646769b1cd2a24207336539150ddf0fb900389b601d0de01b9324d23c7aca132d654fac5e9f3d24cba965f73185341870c27527

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ps0kk9ov.default-release\prefs.js

Filesize
9KB

MD5
9f44af7400606f327c7ca4a68673ef8f

SHA1
70697e23668935bc7ba4d082d89912952a7474ad

SHA256
27de9a06ced3c9fa0f18507c80cbe1887c374d369f18ab368886e6376ffbdc0a

SHA512
2026f42c1199317583e0b53b60a7baf63099a589fd0c6248fe8fd7470f4d2d04af3416215a8ce464db366ea279bcf9583a7dafea520125eca49d9ecd0f4e30a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ps0kk9ov.default-release\prefs.js

Filesize
9KB

MD5
3345d4ce0c4eab7e151349b6120abf14

SHA1
6fc7891afd30e0cba5940eb9bc1567ac56465643

SHA256
7468058cd7abd00c11e7fb216af591fcb2d1d9b7408b258d6d3ccf478a6c79c8

SHA512
fe4fc231f172675fcfdf2c01cfc887702bacd5fdcbb0cb1b05de412572216336a020517d883778654cc4fb568ac571d62b34c834a302fbb450365d13f42da1b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ps0kk9ov.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
2816036609ebffc0af5a5babb99b0b3b

SHA1
84bdffa475da8d601e75d942e5331fd594efd6b2

SHA256
f669881050023ae83c2b23d91a33d32a02770320050dcf2a2c5f52c10ad7b923

SHA512
74964c054b9dceab114f95ac2e0d415162eec8f2ba9e0d9c56e1baa04b27206290f3fa0311a773c261e181c2c12f5a5d3297c6ae726f5b865c91254692b9e1bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ps0kk9ov.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
b2ac6784089eefcb0020bc7e90a0c029

SHA1
a062370409d6073baa0e72b5a1bcfc741998978d

SHA256
a48054b7c768bb143d5bfdc7ca02a3ab7f3a866099672e9350a211e227369625

SHA512
1e6a61ccfcb0d2efd610530ec9e8274f23d50eb8514f5274341ad4394296ad64cc692987370ac57b7a5d55c0d558d755f4bff6d38b47ff552298daab4ef00f11

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ps0kk9ov.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
5358e2a16febeeefa7d706d3cecc54d7

SHA1
15eebd6036f42f5fc7ded327738086457e1bb76f

SHA256
d4485803319affa42ba8a30ffb8dcae098c3b5c1a36efef0f745cc2da52d9537

SHA512
906ea787f881808ffc9ddafd6c7fa0e55854d5b459ba695ff00e4cd37e0999211cfdeaa51249518d616e9a9e8b8c3af46bc516ba2c6a0fdb684422b99e5077b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ps0kk9ov.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
3a68eb12627db666d0d7451419d14926

SHA1
c3eaed04fddab7a8380226c4bbac8c07397e034e

SHA256
b26e16f58ef0b9ba112039b79057e7decec94a9c36de583d4727a5007bd44b8e

SHA512
7505d13225fc10f3abba6deea2c2f6c1bac13169c2d2942efad5b7d25d48a24f3d3712a09a58e6c974c1fee94401da3ea6b7e6aed77a21da1f713802f89a86b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ps0kk9ov.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
8b0a47b28a537d6126f4a16ddb45ad94

SHA1
92ddc397ff90fac45c7443aafbf3c2b1bc41fe33

SHA256
e03a6876f429d7d79027d040b94f7d35b7cec2b1e51aae5074ded59d7c2b859e

SHA512
8843c4817489f192bb81da96bc107c865c9e2af0303c4f0983ec597bd10c7796e3b5cdf5e0993b4707128c441f3e9a86536c773ed901c0f77a22a72dc1ed8a5e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ps0kk9ov.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
8ea882e25c5904a53f0770ab17101a5d

SHA1
0f85c3a56e5a28e022f851edffd719815c9679cb

SHA256
d8d32178e90314b4355c2043f71e31bcf018e7d866aa1cdf723ac20730ab56c0

SHA512
55bade13db9791235137590fd3e225bb4b922a29806fc07e0138e5f11432c78b57bd51c1e1cf8d967c5e9ada213ad3ec56293c2b1103950046615960d59551a1

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
dec29dcc5fba036816e7fe130a30af9e

SHA1
91796cf55a57676dcaeb2564984ca0b6b9ccc8f6

SHA256
1b8b2924aa7d00598a11c437f2c43e8deb9b138249e15b7ac6783baf810ecdcd

SHA512
833ae7d1af9926706023c8a942e2e8dd51d022dbcf14b59e7f8cfad02174323fde9f95a355b61982050068731584f267704ae4324d5901981e1d53d2019fc3fc

Download Submit
memory/1432-41-0x00007FFBCE790000-0x00007FFBCF252000-memory.dmp

Filesize
10.8MB

Download
memory/1432-36-0x00007FFBCE790000-0x00007FFBCF252000-memory.dmp

Filesize
10.8MB

Download
memory/1432-31-0x00007FFBCE790000-0x00007FFBCF252000-memory.dmp

Filesize
10.8MB

Download
memory/1432-35-0x00007FFBCE790000-0x00007FFBCF252000-memory.dmp

Filesize
10.8MB

Download
memory/1432-37-0x00007FFBCE790000-0x00007FFBCF252000-memory.dmp

Filesize
10.8MB

Download
memory/1432-19-0x00007FFBCE790000-0x00007FFBCF252000-memory.dmp

Filesize
10.8MB

Download
memory/2060-509-0x00007FF61A3C0000-0x00007FF61A4B6000-memory.dmp

Filesize
984KB

Download
memory/3564-71-0x00007FF61A3C0000-0x00007FF61A4B6000-memory.dmp

Filesize
984KB

Download
memory/4960-17-0x00007FFBCE790000-0x00007FFBCF252000-memory.dmp

Filesize
10.8MB

Download
memory/4960-18-0x00007FFBCE790000-0x00007FFBCF252000-memory.dmp

Filesize
10.8MB

Download
memory/4960-14-0x00000243B7D50000-0x00000243B7D72000-memory.dmp

Filesize
136KB

Download
memory/4960-32-0x00007FFBCE790000-0x00007FFBCF252000-memory.dmp

Filesize
10.8MB

Download
memory/4960-6-0x00007FFBCE793000-0x00007FFBCE795000-memory.dmp

Filesize
8KB

Download