Analysis Overview
SHA256
4d19771fb289f892626b1b04c120f53d69492ec87df2bfd6809dd6fce8662c3c
Threat Level: Known bad
The file service.exe was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Downloads MZ/PE file
Blocklisted process makes network request
Sets file to hidden
Executes dropped EXE
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Delays execution with timeout.exe
Modifies registry class
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-15 02:16
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-15 02:16
Reported
2023-03-15 02:17
Platform
win7-20230220-en
Max time kernel
28s
Max time network
31s
Command Line
Signatures
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\service.exe
"C:\Users\Admin\AppData\Local\Temp\service.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Unrestricted -nologo -command .\service.ps1
Network
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs
| Hash | Value |
|---|---|
| MD5 | e04e55d2e6cc3d920631fdc5d6dcc1ce |
| SHA1 | 2c4dbcff71f8678623a7c197440ec281804dc5a5 |
| SHA256 | f641a99ec7e549970c81d724766f2a60ff031a5ec92aa6fc84228c82eeb4b4eb |
| SHA512 | 9511fe4dc599187f4539b8cda476550c54e86cbfcaca339a5db12e980ec322bf488d7458bf76089aa1d845f164f7ddb8adea017923d9a4930b9e821b7a4ae998 |
memory/584-63-0x0000000002770000-0x00000000027B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\service.ps1
| Hash | Value |
|---|---|
| MD5 | eb9c76ab230c2b8527d504429d7aca20 |
| SHA1 | ca4fc2fcb5023fa8398fc5a0c15e7ad23a61e8cb |
| SHA256 | f985277690d6c85a064bc5d494d20d0774fb5017eaf7874685378c538bd49dbf |
| SHA512 | f791797d8301242f2334767153ae7133193cee75538ce38b9d5fa5b60388428a8808c22eb08dd070f6f7e3ce556cf1f04883285eaa44ddf8aba1bd67886429c2 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-15 02:16
Reported
2023-03-15 02:17
Platform
win10v2004-20230220-en
Max time kernel
71s
Max time network
91s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Sets file to hidden
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tmp6DD0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6DD0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\csrss.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\service.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\service.exe
"C:\Users\Admin\AppData\Local\Temp\service.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Unrestricted -nologo -command .\service.ps1
C:\Windows\SysWOW64\attrib.exe
"C:\Windows\system32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\tmp6DD0.exe
C:\Users\Admin\AppData\Local\Temp\tmp6DD0.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6DD0.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF198.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"'
C:\Users\Admin\AppData\Roaming\csrss.exe
"C:\Users\Admin\AppData\Roaming\csrss.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.0.632713011\1673088192" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28a98fc4-5551-49a4-82fc-1e37100ee8eb} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 1932 1ad5e6ec258 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.1.1654518729\1874500889" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {09e4a683-8420-4dfa-a304-20befaa509a6} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 2332 1ad51670758 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.2.1045902809\531703940" -childID 1 -isForBrowser -prefsHandle 2852 -prefMapHandle 2996 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72650503-f3bf-4997-aff4-245b01766510} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 3124 1ad61fd3758 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.3.608619865\1424478353" -childID 2 -isForBrowser -prefsHandle 3952 -prefMapHandle 3948 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c18e48ff-ef76-4d44-807d-fbcff98fd3c1} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 3964 1ad6337b558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.4.342650432\480264199" -childID 3 -isForBrowser -prefsHandle 3844 -prefMapHandle 4336 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {274c9739-175f-410b-86c7-b3abb7ff49ce} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 4120 1ad63b57058 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.6.542533137\591240270" -childID 5 -isForBrowser -prefsHandle 5128 -prefMapHandle 4992 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {732f8a83-98fa-4f04-a455-12fd2e52338e} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 5096 1ad64b91e58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.5.5989472\670693918" -childID 4 -isForBrowser -prefsHandle 4984 -prefMapHandle 4952 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {377b7663-d4a6-4ceb-9ba2-01eb9ddac2c5} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 4992 1ad64b8eb58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.7.1337911745\1257909608" -childID 6 -isForBrowser -prefsHandle 5388 -prefMapHandle 5392 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e10d2fe3-6f5e-4dfb-b204-461f32ba10d6} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 5404 1ad5162f058 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.8.1338445598\1344592524" -childID 7 -isForBrowser -prefsHandle 5608 -prefMapHandle 5604 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddbf59cb-044b-4ca3-9ad2-bb0b3ed9ec53} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 5620 1ad64964258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.9.220620353\675854212" -childID 8 -isForBrowser -prefsHandle 5884 -prefMapHandle 5804 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21122cb0-c6df-40e5-8816-bc2b2240c3bc} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 4320 1ad51662e58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.10.1427892112\1614766521" -childID 9 -isForBrowser -prefsHandle 2896 -prefMapHandle 5528 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6af933ee-9ec2-4ced-8922-89f3fbcf1e8c} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 5272 1ad60758858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.11.928876294\482638547" -childID 10 -isForBrowser -prefsHandle 4480 -prefMapHandle 4492 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2e97e5c-807e-4ec8-b9f4-49d9d8714431} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 4456 1ad63cb2958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.12.1694043196\1372067298" -parentBuildID 20221007134813 -prefsHandle 6016 -prefMapHandle 6104 -prefsLen 26930 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d305030f-4d69-4bba-b87b-b9fd61c3d68b} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 6096 1ad63caca58 rdd
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.13.88034416\46627564" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 6228 -prefMapHandle 6224 -prefsLen 26930 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec2630f8-3221-480a-b88e-28a1034b5de1} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 6176 1ad66970c58 utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.14.861335527\1117332027" -childID 11 -isForBrowser -prefsHandle 6448 -prefMapHandle 6416 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {101d0449-8fae-41b5-9664-b81014617069} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 6456 1ad64962158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.15.1020053502\1019942760" -childID 12 -isForBrowser -prefsHandle 6420 -prefMapHandle 6424 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd7d2f69-e783-46bc-9411-417d302d8a92} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 6588 1ad66eb9e58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.16.1102546654\1024827853" -childID 13 -isForBrowser -prefsHandle 6872 -prefMapHandle 6780 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5c728a8-e538-4316-ad7b-c4a9c16df1fb} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 6820 1ad61f82758 tab
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 162.19.139.184:2222 | | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.104.205.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | filebin.net | udp |
| NO | 185.47.40.36:443 | filebin.net | tcp |
| US | 8.8.8.8:53 | situla.bitbit.net | udp |
| NO | 87.238.33.7:443 | situla.bitbit.net | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.34.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.40.47.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.33.238.87.in-addr.arpa | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 7.tcp.eu.ngrok.io | udp |
| DE | 3.124.67.191:15121 | 7.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 191.67.124.3.in-addr.arpa | udp |
| US | 52.152.108.96:443 | | tcp |
| US | 20.189.173.12:443 | | tcp |
| DE | 3.124.67.191:15121 | 7.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 234.238.32.23.in-addr.arpa | udp |
| N/A | 127.0.0.1:49834 | | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 34.117.237.239:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 35.241.9.150:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 35.83.5.171:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 54.148.119.23:443 | push.services.mozilla.com | tcp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 35.241.9.150:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 239.237.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 221.5.120.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.9.241.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.5.83.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.144.160.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.119.148.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.2.77.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.254.224.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2ch.hk | udp |
| US | 104.26.11.242:80 | 2ch.hk | tcp |
| US | 8.8.8.8:53 | 2ch.hk | udp |
| US | 8.8.8.8:53 | 2ch.hk | udp |
| US | 104.26.11.242:443 | 2ch.hk | tcp |
| US | 8.8.8.8:53 | 242.11.26.104.in-addr.arpa | udp |
| US | 104.26.11.242:443 | 2ch.hk | udp |
| US | 8.8.8.8:53 | 2ch.hk | udp |
| US | 8.8.8.8:53 | 2ch.hk | udp |
| US | 8.8.8.8:53 | 2ch.hk | udp |
| US | 8.8.8.8:53 | jsn.24smi.net | udp |
| US | 172.67.5.129:443 | jsn.24smi.net | tcp |
| US | 8.8.8.8:53 | jsn.24smi.net | udp |
| US | 8.8.8.8:53 | jsn.24smi.net | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.5.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | counter.yadro.ru | udp |
| US | 8.8.8.8:53 | counter.yadro.ru | udp |
| US | 8.8.8.8:53 | 106.208.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | counter.yadro.ru | udp |
| RU | 88.212.201.198:443 | counter.yadro.ru | tcp |
| US | 8.8.8.8:53 | 198.201.212.88.in-addr.arpa | udp |
| N/A | 127.0.0.1:49842 | | tcp |
| US | 8.8.8.8:53 | 2ip.ru | udp |
| DE | 195.201.201.32:80 | 2ip.ru | tcp |
| DE | 195.201.201.32:80 | 2ip.ru | tcp |
| US | 8.8.8.8:53 | 2ip.ru | udp |
| US | 8.8.8.8:53 | 2ip.ru | udp |
| DE | 195.201.201.32:443 | 2ip.ru | tcp |
| US | 8.8.8.8:53 | 32.201.201.195.in-addr.arpa | udp |
| NL | 8.238.20.126:80 | | tcp |
| DE | 195.201.201.32:443 | 2ip.ru | tcp |
| US | 8.8.8.8:53 | ipv6.2ip.io | udp |
| US | 8.8.8.8:53 | 200.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.39.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| GB | 216.58.208.98:443 | googleads.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | partner.googleadservices.com | udp |
| US | 8.8.8.8:53 | partner46.googleadservices.com | udp |
| US | 8.8.8.8:53 | partner46.googleadservices.com | udp |
| NL | 142.251.36.2:443 | partner46.googleadservices.com | tcp |
| GB | 216.58.208.98:443 | googleads.g.doubleclick.net | udp |
| NL | 142.251.36.2:443 | partner46.googleadservices.com | udp |
| US | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| NL | 142.250.102.155:443 | stats.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| NL | 142.250.102.155:443 | stats.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | tpc.googlesyndication.com | udp |
| NL | 142.250.179.193:443 | tpc.googlesyndication.com | tcp |
| NL | 142.250.179.193:443 | tpc.googlesyndication.com | tcp |
| US | 8.8.8.8:53 | www.googletagservices.com | udp |
| NL | 142.250.179.193:443 | tpc.googlesyndication.com | udp |
| NL | 142.251.39.98:443 | www.googletagservices.com | tcp |
| US | 8.8.8.8:53 | 98.208.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 162.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.102.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tpc.googlesyndication.com | udp |
| US | 8.8.8.8:53 | www.googletagservices.com | udp |
| US | 8.8.8.8:53 | www.googletagservices.com | udp |
| US | 8.8.8.8:53 | tpc.googlesyndication.com | udp |
| NL | 142.251.39.98:443 | www.googletagservices.com | udp |
| US | 8.8.8.8:53 | 193.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.39.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | csi.gstatic.com | udp |
| JP | 142.250.206.227:443 | csi.gstatic.com | tcp |
| US | 8.8.8.8:53 | csi.gstatic.com | udp |
| US | 8.8.8.8:53 | csi.gstatic.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 216.58.208.110:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| JP | 142.250.206.227:443 | csi.gstatic.com | tcp |
| GB | 216.58.208.110:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r1---sn-5hne6nzy.gvt1.com | udp |
| NL | 172.217.132.166:443 | r1---sn-5hne6nzy.gvt1.com | tcp |
| US | 8.8.8.8:53 | r1.sn-5hne6nzy.gvt1.com | udp |
| US | 8.8.8.8:53 | r1.sn-5hne6nzy.gvt1.com | udp |
| US | 8.8.8.8:53 | 227.206.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.208.58.216.in-addr.arpa | udp |
| JP | 142.250.206.227:443 | csi.gstatic.com | udp |
| NL | 172.217.132.166:443 | r1.sn-5hne6nzy.gvt1.com | udp |
| US | 8.8.8.8:53 | adclick.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | www.questtips.com | udp |
| NL | 81.171.31.78:443 | www.questtips.com | tcp |
| US | 8.8.8.8:53 | www.questtips.com | udp |
| US | 8.8.8.8:53 | www.questtips.com | udp |
| US | 8.8.8.8:53 | adclick.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | in.questtips.com | udp |
| US | 8.8.8.8:53 | adclick.g.doubleclick.net | udp |
| NL | 81.171.31.78:443 | in.questtips.com | tcp |
| US | 8.8.8.8:53 | in.questtips.com | udp |
| US | 8.8.8.8:53 | in.questtips.com | udp |
| NL | 142.251.36.2:443 | adclick.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | 166.132.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.31.171.81.in-addr.arpa | udp |
| NL | 142.251.36.2:443 | adclick.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | securepubads.g.doubleclick.net | udp |
| NL | 81.171.31.78:443 | in.questtips.com | tcp |
| NL | 81.171.31.78:443 | in.questtips.com | tcp |
| NL | 81.171.31.78:443 | in.questtips.com | tcp |
| NL | 81.171.31.78:443 | in.questtips.com | tcp |
| US | 8.8.8.8:53 | securepubads46.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | securepubads46.g.doubleclick.net | udp |
| NL | 172.217.168.194:443 | securepubads46.g.doubleclick.net | tcp |
| NL | 172.217.168.194:443 | securepubads46.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | 100.39.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.168.217.172.in-addr.arpa | udp |
| NL | 172.217.168.194:443 | securepubads46.g.doubleclick.net | udp |
| NL | 142.251.36.2:443 | adclick.g.doubleclick.net | tcp |
| NL | 142.251.36.2:443 | adclick.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | afs.googleusercontent.com | udp |
| NL | 142.250.179.193:443 | afs.googleusercontent.com | tcp |
| NL | 142.250.179.193:443 | afs.googleusercontent.com | tcp |
| US | 8.8.8.8:53 | googlehosted.l.googleusercontent.com | udp |
| US | 8.8.8.8:53 | googlehosted.l.googleusercontent.com | udp |
| NL | 142.250.179.193:443 | googlehosted.l.googleusercontent.com | udp |
| US | 8.8.8.8:53 | a46c46e4831ffdf0ab0c42342e7261c7.safeframe.googlesyndication.com | udp |
| NL | 142.250.179.161:443 | a46c46e4831ffdf0ab0c42342e7261c7.safeframe.googlesyndication.com | tcp |
| US | 8.8.8.8:53 | pagead-googlehosted.l.google.com | udp |
| US | 8.8.8.8:53 | pagead-googlehosted.l.google.com | udp |
| NL | 142.250.179.161:443 | pagead-googlehosted.l.google.com | udp |
| US | 8.8.8.8:53 | 161.179.250.142.in-addr.arpa | udp |
| NL | 142.250.179.193:443 | googlehosted.l.googleusercontent.com | tcp |
| NL | 142.250.179.193:443 | googlehosted.l.googleusercontent.com | udp |
| US | 93.184.220.29:80 | | tcp |
| NL | 8.238.20.126:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 131.253.33.203:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs
| Hash | Value |
|---|---|
| MD5 | e04e55d2e6cc3d920631fdc5d6dcc1ce |
| SHA1 | 2c4dbcff71f8678623a7c197440ec281804dc5a5 |
| SHA256 | f641a99ec7e549970c81d724766f2a60ff031a5ec92aa6fc84228c82eeb4b4eb |
| SHA512 | 9511fe4dc599187f4539b8cda476550c54e86cbfcaca339a5db12e980ec322bf488d7458bf76089aa1d845f164f7ddb8adea017923d9a4930b9e821b7a4ae998 |
memory/5112-140-0x0000000002CE0000-0x0000000002D16000-memory.dmp
memory/5112-141-0x0000000005870000-0x0000000005E98000-memory.dmp
memory/5112-142-0x0000000005780000-0x00000000057A2000-memory.dmp
memory/5112-143-0x0000000005F10000-0x0000000005F76000-memory.dmp
memory/5112-149-0x0000000005FF0000-0x0000000006056000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k0nsjjk5.5b2.ps1
| Hash | Value |
|---|---|
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5112-154-0x0000000005230000-0x0000000005240000-memory.dmp
memory/5112-155-0x0000000005230000-0x0000000005240000-memory.dmp
memory/5112-156-0x0000000006600000-0x000000000661E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\service.ps1
| Hash | Value |
|---|---|
| MD5 | eb9c76ab230c2b8527d504429d7aca20 |
| SHA1 | ca4fc2fcb5023fa8398fc5a0c15e7ad23a61e8cb |
| SHA256 | f985277690d6c85a064bc5d494d20d0774fb5017eaf7874685378c538bd49dbf |
| SHA512 | f791797d8301242f2334767153ae7133193cee75538ce38b9d5fa5b60388428a8808c22eb08dd070f6f7e3ce556cf1f04883285eaa44ddf8aba1bd67886429c2 |
memory/5112-158-0x0000000005230000-0x0000000005240000-memory.dmp
memory/5112-159-0x00000000075C0000-0x0000000007656000-memory.dmp
memory/5112-160-0x0000000006B60000-0x0000000006B7A000-memory.dmp
memory/5112-161-0x0000000006BB0000-0x0000000006BD2000-memory.dmp
memory/5112-162-0x0000000007CA0000-0x0000000008244000-memory.dmp
memory/5112-163-0x00000000088D0000-0x0000000008F4A000-memory.dmp
memory/5112-164-0x0000000007750000-0x0000000007782000-memory.dmp
memory/5112-165-0x000000006F6E0000-0x000000006F72C000-memory.dmp
memory/5112-175-0x0000000008650000-0x000000000866E000-memory.dmp
memory/5112-176-0x000000007F020000-0x000000007F030000-memory.dmp
memory/5112-177-0x0000000008780000-0x000000000878A000-memory.dmp
memory/5112-178-0x0000000008F80000-0x0000000008F8E000-memory.dmp
memory/5112-179-0x0000000008FD0000-0x0000000008FEA000-memory.dmp
memory/5112-180-0x0000000008FC0000-0x0000000008FC8000-memory.dmp
memory/5112-181-0x0000000005230000-0x0000000005240000-memory.dmp
memory/5112-182-0x0000000005230000-0x0000000005240000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp6DD0.exe
| Hash | Value |
|---|---|
| MD5 | d2053aeb9216c3040b40e67d72578669 |
| SHA1 | 3a33aab579e13bac21c4966b4e2491cee400155f |
| SHA256 | 8bd23941838cd09c9e3aba327a8ab6e8d78f2d5325ec790ec30e2963420ab2df |
| SHA512 | 8baf916842fc62aa743ca62851130d9552da8c3edc90d8b468bd154454bc643bb9d6474301a5414bccdd381d743b0dcaccb9683f7571b9f06d216a3ee754518f |
C:\Users\Admin\AppData\Local\Temp\tmp6DD0.exe
| Hash | Value |
|---|---|
| MD5 | d2053aeb9216c3040b40e67d72578669 |
| SHA1 | 3a33aab579e13bac21c4966b4e2491cee400155f |
| SHA256 | 8bd23941838cd09c9e3aba327a8ab6e8d78f2d5325ec790ec30e2963420ab2df |
| SHA512 | 8baf916842fc62aa743ca62851130d9552da8c3edc90d8b468bd154454bc643bb9d6474301a5414bccdd381d743b0dcaccb9683f7571b9f06d216a3ee754518f |
memory/3380-187-0x00000000006F0000-0x0000000000706000-memory.dmp
memory/3380-189-0x000000001C9F0000-0x000000001CA00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpF198.tmp.bat
| Hash | Value |
|---|---|
| MD5 | fe473f7e2aeaa16a9987e236f10c56ca |
| SHA1 | a1056a23223515d8accdaa933ad6f28528183ecb |
| SHA256 | 2b712f73463cde21248bec035ad7a8925b3afb97c8032c40654ae993c45ec2b6 |
| SHA512 | 395dbdac22611eea770c6d947dbbfa91ff850b2cce7c0a6275054d3343d1c498e490798447f1396a1e481056651b75e7d6125f5aa59029a0dae62234f7d73cc4 |
C:\Users\Admin\AppData\Roaming\csrss.exe
| Hash | Value |
|---|---|
| MD5 | d2053aeb9216c3040b40e67d72578669 |
| SHA1 | 3a33aab579e13bac21c4966b4e2491cee400155f |
| SHA256 | 8bd23941838cd09c9e3aba327a8ab6e8d78f2d5325ec790ec30e2963420ab2df |
| SHA512 | 8baf916842fc62aa743ca62851130d9552da8c3edc90d8b468bd154454bc643bb9d6474301a5414bccdd381d743b0dcaccb9683f7571b9f06d216a3ee754518f |
C:\Users\Admin\AppData\Roaming\csrss.exe
| Hash | Value |
|---|---|
| MD5 | d2053aeb9216c3040b40e67d72578669 |
| SHA1 | 3a33aab579e13bac21c4966b4e2491cee400155f |
| SHA256 | 8bd23941838cd09c9e3aba327a8ab6e8d78f2d5325ec790ec30e2963420ab2df |
| SHA512 | 8baf916842fc62aa743ca62851130d9552da8c3edc90d8b468bd154454bc643bb9d6474301a5414bccdd381d743b0dcaccb9683f7571b9f06d216a3ee754518f |
memory/4876-198-0x000000001F500000-0x000000001F576000-memory.dmp
memory/4876-199-0x000000001F4A0000-0x000000001F4BE000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs.js
| Hash | Value |
|---|---|
| MD5 | f73e52d124620d05267ba934f3b312d3 |
| SHA1 | 34121aa291d9f88b3e8e3a2fa37cb1c06cac2d30 |
| SHA256 | fc898a91ae8ce9d241c586f5dee2e60450dcdc5a31f1a7015d6dc2f4fefe4ac7 |
| SHA512 | 4ef67626a2ba584817d707c71ddf7e7ce75a780921c3fcdfa8a03de0de9303c4b548ce3c3b493f1c4876d511271978bcd3cdbc2d1003b23c2459847180045d46 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | b3a0db2044ea20932b47c4706c2b1b18 |
| SHA1 | d6850d0c95412f48474ff76a6dae99763761dc63 |
| SHA256 | 0a936eea42ffefdcf5d2e0bc55f37dbc9fdf97a2db064e3306aa0a7e6d582b65 |
| SHA512 | 092d20dfab1e3c1427c10b4040e2b745c4050f4ec8c94549e454e632cbf97dcc5fc11cbbf3fe35d3bd7fa71b7a9c9ce6adcc395a62fc77e139fdc793f57f9685 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js
| MD5 | 35c16387c51de4ea676c0e9b71ae6b6c |
| SHA1 | 7d6d65ddffb2ae9c5302c3eb7690115c1e19212f |
| SHA256 | 9dddbb7bb3361913863439bcd66615a1b7e8199e2bdc040182f13b967a04825d |
| SHA512 | ba103758a94bda00720b0d02b4146c682b5845e274744826363907fc8e54c5ae3f7f0a64f33273671ddba417633efe9bc6d242ca96fd2c04603893a8e217e0c5 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 5249f5fdf7023819b70d23d026db5a22 |
| SHA1 | c974877951ae1c4caa2534ff1725a866a2fe5f8a |
| SHA256 | be16fbf2fcfcb8422b76004c5295ee3d5cec7b837ae8a0a5b74b97202c5d03d3 |
| SHA512 | 7f049ec67a346e12bd07a1b85d9d1f2103ed29c81697f56f65a7ea5cf57a398e3a1f532823f49d90785a798dc506f8aae19e626a48e4abf3961bae6f85b9a4f7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js
| MD5 | 66c64f8a6f0b008306a4803aa7e06801 |
| SHA1 | c80a7c3a3d8e9aa3ad40e1d2f649002125038aaa |
| SHA256 | 09a5077298deb9e05df70bf43e0f13aad9519bc617281a5ab371f60965c7ac25 |
| SHA512 | aa5c63c24e48e9ce2dfd3d081e410522f458ff35e683781c4a033053c9b53b922731b09dcfef80115ac1bb6ad7bc1c3b9ca24ac9fd75265360de368e401f8b62 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\entries\822D3475915FF1FD065AE9B7C94CAC38BAF38F99
| MD5 | 53c8c197582f8d8ec92825ef5ebd3d0f |
| SHA1 | a7cb1d9fd119ffab0041f830a049600ee7737e63 |
| SHA256 | bcaced52f3a3ac2210ba19c5a82bf88b4e034a404b5bd0c0b4a7dd348fda81fe |
| SHA512 | 6c87a658ea8cbb8e62f2cb9cd777bbd4a820be6b6754c2319d3f55bf23f4136dd31dba67ec51e78b605d29dd2feacf3cc022e5f4a2dcdde59fefa2006564bf6f |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\entries\6D81B26E0A25001159E4CC6044D6457153EA5C01
| MD5 | 7bb61a208cbdda825c0c9e6778685077 |
| SHA1 | 34c22f50bef7670bb28bf59becb384d6fbb70208 |
| SHA256 | 2b096a8f23a929e20e863add923ef4daa47a094b6007568680442644d56f5b5b |
| SHA512 | c27828888e96e47df19e9d963bf759c7a482e103e306d0ee4b8a9bae9e280ce413b6ea5eb0040092ea0793f6979ab730258317d2107c06813eadb8d833d088b1 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\entries\366C6F0FE64B4EBEDB07B5FDDBEDDD7B639F489D
| MD5 | 0301b4d7d5b6a118a60cf438bd58fbe8 |
| SHA1 | 7fc49d51a27f9ce2130d6d261a67be14ec4ad06c |
| SHA256 | f38a6a0478cf2068740a58ab39de05ffcba442c0a71498cca1a5f09359312f83 |
| SHA512 | 22c5ff7187883aca0d154cbecba305caca7be544bd4fe850175e8b018038769c0b023427e8ace38d4c255945501595c443a7188b1e4e1f9d7df1e09c1f90f5e9 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\entries\A48562B06EA3ECE8F16D1B2F544E3D934FD0BA28
| MD5 | 9f04918cbd86e210c407eea90c77da2a |
| SHA1 | 89d9298a65451a134d3960710a117026d7bf5fc3 |
| SHA256 | 0617ea36fde3314406a3f6c9b88e6e1d0f17eea6c0534f6e617884d238c3ef8a |
| SHA512 | 8607a0846a5890c2acebbb946bd8609595843f0ba4b8ffd13a179d8d804373d6ca7c19abf9d1baad793573b25b86592e5359d8a2aa28818d75fde0bdf22fdf2c |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\entries\BE5B95A2C7BBBCB2AE301D63F2E5473378B07340
| MD5 | e4f3976a813abb49c0985716e6c30942 |
| SHA1 | ac7aebbb142fecb89cf84c8d211a2b7da102aa8e |
| SHA256 | fa9d731ae4ce3b6a079e032f8bd22bc1f29baf942703d8e0c59437f49bfadcb5 |
| SHA512 | d16e6b3cf4a75a2dd240652622aaf6c9ee4572814690b09822dc761ac9a8c04a32624ed070fb6a3249798fb5e5a0ac5c5ed7ee95781ef513372fa60db91af644 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 543f6a62c9d729d6ad43bc7b76bfc19f |
| SHA1 | 9dac797615e30cca43bd1defdea3f7f1fb2fd3b9 |
| SHA256 | 099b22b11ca21f717d4723947aec14062dba7ee4525ad938cd98aa72d72f1fca |
| SHA512 | 2522c61a3520f6ef851ea5c3a84d7453651f347605b64433b62db321076f7c1566b441ba1c7f92ed6b1fd7917034a73a67565f3fb4c0360f0f12a7e0bf388408 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\entries\FEE1168BECB60A2DFAFD0F745560F244EED96138
| MD5 | 27f97762f251adb3014284a25c6f1bb0 |
| SHA1 | 5fa04714949e8191f85bb4ef540798f94674cd29 |
| SHA256 | f82a651bf751ba7e54427b458ada5a032b2a3a63354dfeb563da9330e807f10d |
| SHA512 | 54fdc9945a947880fe6aa735f2531d19b7a85e5a2159410948882f6e9389e5435216deee16faa15d93ea522b64b13553c621f8434f44689f89fa249326d76127 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js
| MD5 | b56a339de41b13aae47d22253269fc0f |
| SHA1 | 03af96a4fd06a7ddaeecfa4c485345fecd005bac |
| SHA256 | df0e70044767a689b3d1b36c28bb0724c5d94bb4e260a35a671dc12eab410c74 |
| SHA512 | 96ef10e89a8966154fae4842de47152d5d25343dec64223b1ed7c386a8d35ce78ad7a453c592267fe39aafa74a0bc62339969334814edbc648915000d43d907e |