Analysis Overview
SHA256
6ef6ef99e387801bbcb19f3295f0fa626fd2a0515a8f1947bce5d1f43fa6f968
Threat Level: Known bad
The file Celestial.exe was found to be: Known bad.
Malicious Activity Summary
Detect Umbral payload
Umbral
Umbral family
Unsigned PE
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Checks processor information in registry
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-22 15:05
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Umbral family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-22 15:05
Reported
2023-11-22 15:08
Platform
win7-20231025-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Umbral
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Celestial.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3044 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\Celestial.exe | C:\Windows\System32\Wbem\wmic.exe |
| PID 3044 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\Celestial.exe | C:\Windows\System32\Wbem\wmic.exe |
| PID 3044 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\Celestial.exe | C:\Windows\System32\Wbem\wmic.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Celestial.exe
"C:\Users\Admin\AppData\Local\Temp\Celestial.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | gstatic.com | udp |
| NL | 142.250.179.131:443 | gstatic.com | tcp |
Files
memory/3044-0-0x0000000000EC0000-0x0000000000F08000-memory.dmp
memory/3044-1-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp
memory/3044-2-0x000000001A870000-0x000000001A8F0000-memory.dmp
memory/3044-3-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-22 15:05
Reported
2023-11-22 15:08
Platform
win10v2004-20231020-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Umbral
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133451392139122234" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Celestial.exe
"C:\Users\Admin\AppData\Local\Temp\Celestial.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Recently.docx" /o ""
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe34599758,0x7ffe34599768,0x7ffe34599778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1916,i,10801366802503527108,3777308439472416193,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2268 --field-trial-handle=1916,i,10801366802503527108,3777308439472416193,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1916,i,10801366802503527108,3777308439472416193,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3108 --field-trial-handle=1916,i,10801366802503527108,3777308439472416193,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=1916,i,10801366802503527108,3777308439472416193,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4036 --field-trial-handle=1916,i,10801366802503527108,3777308439472416193,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4028 --field-trial-handle=1916,i,10801366802503527108,3777308439472416193,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4956 --field-trial-handle=1916,i,10801366802503527108,3777308439472416193,131072 /prefetch:8
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1820.0.678394175\1097221039" -parentBuildID 20221007134813 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 20860 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d0f33b8-9e14-4fde-99e7-7b780e675d7c} 1820 "\\.\pipe\gecko-crash-server-pipe.1820" 1960 1fe9e8e5a58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1820.1.628728628\1175317311" -parentBuildID 20221007134813 -prefsHandle 2348 -prefMapHandle 2344 -prefsLen 20896 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04ece0d1-e1eb-487b-bd44-5b6184f95daa} 1820 "\\.\pipe\gecko-crash-server-pipe.1820" 2360 1fe9e43a758 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1820.2.581473317\1524056244" -childID 1 -isForBrowser -prefsHandle 2912 -prefMapHandle 3040 -prefsLen 20999 -prefMapSize 232645 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9652413d-d20e-4a18-8cf4-b77a121a5a00} 1820 "\\.\pipe\gecko-crash-server-pipe.1820" 3004 1fea2922e58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1820.3.1653495241\353473468" -childID 2 -isForBrowser -prefsHandle 3476 -prefMapHandle 3448 -prefsLen 26359 -prefMapSize 232645 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5871cdd7-5572-4268-9cb9-88419ae827ea} 1820 "\\.\pipe\gecko-crash-server-pipe.1820" 3468 1fea361f258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1820.4.1713647828\680291326" -childID 3 -isForBrowser -prefsHandle 4484 -prefMapHandle 4480 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4fc771fc-0bf6-4d0a-b32a-6c268afd8144} 1820 "\\.\pipe\gecko-crash-server-pipe.1820" 2760 1fea42eac58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1820.5.1066700142\1410036238" -childID 4 -isForBrowser -prefsHandle 5072 -prefMapHandle 5076 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c679f89a-961f-444e-810f-5b0b723a7cd6} 1820 "\\.\pipe\gecko-crash-server-pipe.1820" 5064 1fea4f48258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1820.7.734232273\1252649766" -childID 6 -isForBrowser -prefsHandle 5408 -prefMapHandle 5412 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {366d66d9-4066-47a2-92d7-47f63e418c9d} 1820 "\\.\pipe\gecko-crash-server-pipe.1820" 5492 1fea4f48b58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1820.6.605132451\209885265" -childID 5 -isForBrowser -prefsHandle 5208 -prefMapHandle 5212 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae6477cf-2d27-403b-ad6b-a238d8fc8bbe} 1820 "\\.\pipe\gecko-crash-server-pipe.1820" 5292 1fea4f48558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1820.8.592309303\716756135" -childID 7 -isForBrowser -prefsHandle 5468 -prefMapHandle 5668 -prefsLen 26831 -prefMapSize 232645 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b0c37c4-210a-4cc9-a0e2-1b099feca6c7} 1820 "\\.\pipe\gecko-crash-server-pipe.1820" 2716 1fe9ebf7a58 tab
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1820.9.920503200\1427215415" -childID 8 -isForBrowser -prefsHandle 5960 -prefMapHandle 5048 -prefsLen 27232 -prefMapSize 232645 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffbfc576-0a6c-480e-a079-1e4f65858c09} 1820 "\\.\pipe\gecko-crash-server-pipe.1820" 5080 1fea011d358 tab
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| NL | 142.251.36.46:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | 46.36.251.142.in-addr.arpa | udp |
| N/A | 127.0.0.1:56209 | N/A | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 34.117.237.239:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 44.239.75.237:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 93.243.107.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | tracking-protection.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | tracking-protection.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | 237.75.239.44.in-addr.arpa | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| N/A | 127.0.0.1:56216 | N/A | tcp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| DE | 172.217.23.206:443 | apis.google.com | tcp |
| US | 8.8.8.8:53 | plus.l.google.com | udp |
| US | 8.8.8.8:53 | plus.l.google.com | udp |
| US | 8.8.8.8:53 | encrypted-tbn0.gstatic.com | udp |
| DE | 172.217.23.206:443 | plus.l.google.com | udp |
| NL | 142.251.36.14:443 | encrypted-tbn0.gstatic.com | tcp |
| US | 8.8.8.8:53 | encrypted-tbn0.gstatic.com | udp |
| NL | 142.251.36.14:443 | encrypted-tbn0.gstatic.com | tcp |
| NL | 142.251.36.14:443 | encrypted-tbn0.gstatic.com | udp |
| US | 8.8.8.8:53 | encrypted-tbn0.gstatic.com | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | 206.23.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| NL | 142.251.39.98:443 | googleads.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| NL | 142.251.39.98:443 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | 98.39.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.roblox.com | udp |
| US | 8.8.8.8:53 | us-central-default-px.roblox.com | udp |
| FR | 128.116.122.4:443 | us-central-default-px.roblox.com | tcp |
| US | 8.8.8.8:53 | us-central-default-px.roblox.com | udp |
| US | 8.8.8.8:53 | css.rbxcdn.com | udp |
| US | 8.8.8.8:53 | static.rbxcdn.com | udp |
| NL | 95.101.78.57:443 | css.rbxcdn.com | tcp |
| NL | 95.101.78.57:443 | css.rbxcdn.com | tcp |
| NL | 95.101.78.57:443 | css.rbxcdn.com | tcp |
| NL | 95.101.78.57:443 | css.rbxcdn.com | tcp |
| NL | 95.101.78.57:443 | css.rbxcdn.com | tcp |
| NL | 95.101.78.57:443 | css.rbxcdn.com | tcp |
| US | 8.8.8.8:53 | a1962.dscw27.akamai.net | udp |
| US | 8.8.8.8:53 | a1962.dscw27.akamai.net | udp |
| US | 8.8.8.8:53 | 4.122.116.128.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a1992.w27.akamai.net | udp |
| NL | 88.221.144.32:443 | a1992.w27.akamai.net | tcp |
| US | 8.8.8.8:53 | a1992.w27.akamai.net | udp |
| US | 8.8.8.8:53 | js.rbxcdn.com | udp |
| US | 2.18.121.137:443 | js.rbxcdn.com | tcp |
| US | 8.8.8.8:53 | a1993.g.akamai.net | udp |
| US | 2.18.121.137:443 | a1993.g.akamai.net | tcp |
| US | 2.18.121.137:443 | a1993.g.akamai.net | tcp |
| US | 2.18.121.137:443 | a1993.g.akamai.net | tcp |
| US | 2.18.121.137:443 | a1993.g.akamai.net | tcp |
| US | 8.8.8.8:53 | roblox.com | udp |
| US | 2.18.121.137:443 | a1993.g.akamai.net | tcp |
| US | 8.8.8.8:53 | roblox-api.arkoselabs.com | udp |
| US | 8.8.8.8:53 | a1993.g.akamai.net | udp |
| US | 128.116.102.3:443 | roblox.com | tcp |
| US | 8.8.8.8:53 | roblox.com | udp |
| US | 172.64.154.86:443 | roblox-api.arkoselabs.com | tcp |
| US | 8.8.8.8:53 | roblox.com | udp |
| US | 8.8.8.8:53 | roblox-api.arkoselabs.com.cdn.cloudflare.net | udp |
| US | 172.64.154.86:443 | roblox-api.arkoselabs.com | udp |
| US | 128.116.102.3:443 | roblox.com | udp |
| US | 8.8.8.8:53 | 32.144.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.154.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.102.116.128.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metrics.roblox.com | udp |
| US | 8.8.8.8:53 | ecsv2.roblox.com | udp |
| US | 8.8.8.8:53 | apis.rbxcdn.com | udp |
| FR | 128.116.122.4:443 | metrics.roblox.com | tcp |
| NL | 23.72.252.130:443 | apis.rbxcdn.com | tcp |
| US | 8.8.8.8:53 | a1818.b.akamai.net | udp |
| FR | 128.116.122.3:443 | ecsv2.roblox.com | tcp |
| US | 8.8.8.8:53 | us-central-origin-px.roblox.com | udp |
| US | 8.8.8.8:53 | a1818.b.akamai.net | udp |
| US | 8.8.8.8:53 | us-central-origin-px.roblox.com | udp |
| US | 8.8.8.8:53 | 130.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.122.116.128.in-addr.arpa | udp |
| US | 8.8.8.8:53 | locale.roblox.com | udp |
| US | 8.8.8.8:53 | apis.roblox.com | udp |
| US | 8.8.8.8:53 | images.rbxcdn.com | udp |
| FR | 128.116.122.4:443 | apis.roblox.com | tcp |
| FR | 128.116.122.4:443 | apis.roblox.com | tcp |
| FR | 128.116.122.4:443 | apis.roblox.com | tcp |
| FR | 128.116.122.3:443 | us-central-origin-px.roblox.com | udp |
| NL | 88.221.144.65:443 | images.rbxcdn.com | tcp |
| NL | 88.221.144.65:443 | images.rbxcdn.com | tcp |
| NL | 88.221.144.65:443 | images.rbxcdn.com | tcp |
| NL | 88.221.144.65:443 | images.rbxcdn.com | tcp |
| NL | 88.221.144.65:443 | images.rbxcdn.com | tcp |
| NL | 88.221.144.65:443 | images.rbxcdn.com | tcp |
| US | 8.8.8.8:53 | a1899.dscw27.akamai.net | udp |
| US | 8.8.8.8:53 | a1899.dscw27.akamai.net | udp |
| US | 8.8.8.8:53 | auth.roblox.com | udp |
| FR | 128.116.122.4:443 | auth.roblox.com | tcp |
| US | 8.8.8.8:53 | 65.144.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | us-central-default-px.roblox.com | udp |
Files
memory/4816-0-0x00000209542F0000-0x0000020954338000-memory.dmp
memory/4816-1-0x00007FFE353D0000-0x00007FFE35E91000-memory.dmp
memory/4816-2-0x0000020955EE0000-0x0000020955EF0000-memory.dmp
memory/4816-4-0x00007FFE353D0000-0x00007FFE35E91000-memory.dmp
memory/2036-5-0x00007FFE131B0000-0x00007FFE131C0000-memory.dmp
memory/2036-6-0x00007FFE131B0000-0x00007FFE131C0000-memory.dmp
memory/2036-7-0x00007FFE131B0000-0x00007FFE131C0000-memory.dmp
memory/2036-8-0x00007FFE131B0000-0x00007FFE131C0000-memory.dmp
memory/2036-10-0x00007FFE131B0000-0x00007FFE131C0000-memory.dmp
memory/2036-9-0x00007FFE53130000-0x00007FFE53325000-memory.dmp
memory/2036-11-0x00007FFE53130000-0x00007FFE53325000-memory.dmp
memory/2036-12-0x00007FFE53130000-0x00007FFE53325000-memory.dmp
memory/2036-13-0x00007FFE53130000-0x00007FFE53325000-memory.dmp
memory/2036-14-0x00007FFE53130000-0x00007FFE53325000-memory.dmp
memory/2036-15-0x00007FFE53130000-0x00007FFE53325000-memory.dmp
memory/2036-16-0x00007FFE53130000-0x00007FFE53325000-memory.dmp
memory/2036-17-0x00007FFE53130000-0x00007FFE53325000-memory.dmp
memory/2036-18-0x00007FFE53130000-0x00007FFE53325000-memory.dmp
memory/2036-19-0x00007FFE108A0000-0x00007FFE108B0000-memory.dmp
memory/2036-20-0x00007FFE108A0000-0x00007FFE108B0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
| Hash | Value |
|---|---|
| MD5 | 8e56ace3e1a321219fb91f6a902cbf3f |
| SHA1 | a891636695dbd8ebe582bada0a821c0b0b2c5ffe |
| SHA256 | 8f87addb7d39c9cbbc86110d8f6eb08a97fa9402a82054f241b3901ba0afc9e8 |
| SHA512 | 79f346ef5cfd4779430b472c80d1e2fb585cd944e9b83c55f18badd8b1cf697e84a4054bb31fe46fa08b2ad00cef2c0bcab5be4f20ef19d925172bce0c8fb8ba |
memory/2036-56-0x00007FFE131B0000-0x00007FFE131C0000-memory.dmp
memory/2036-55-0x00007FFE131B0000-0x00007FFE131C0000-memory.dmp
memory/2036-58-0x00007FFE131B0000-0x00007FFE131C0000-memory.dmp
memory/2036-57-0x00007FFE131B0000-0x00007FFE131C0000-memory.dmp
memory/2036-59-0x00007FFE53130000-0x00007FFE53325000-memory.dmp
memory/2036-60-0x00007FFE53130000-0x00007FFE53325000-memory.dmp
\??\pipe\crashpad_1804_LEMRLKZOQMSQMULX
| Hash | Value |
|---|---|
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 326dba01b7d704a4ac135f8e1a69a685 |
| SHA1 | e718189b58256cb76a90dd0f188a43eded61c599 |
| SHA256 | 1989962c387821fda3ec46c07cff04390c28fdef44aa2cbf9aebd20cf030730f |
| SHA512 | 5e526352795c2b7c19195fdea88e9edac0c7ee9015343412a28efaaecaacd0748566fff875d312408672bb0b2b12b0c17599b1df641b1194f6b3a31b0e25875e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | ae21fc0aea05ba591e0c91bdeb3f8616 |
| SHA1 | 1feba447d4e2055f1246ba703e116c835ca0619c |
| SHA256 | 99cb029174b30be803b8202a0ce309520b51f6ea0d157fd2c6c3a8d1f1047689 |
| SHA512 | a2c24a7cabfd86ab8db6fc1da212e79847498eb752b7a6cbb73d565d2b251cb503f644d6528e452b1efb6c17d0100e61f7abe80762d8ec12a549dfeb384e5f8a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | aa860f2c0837efe9b17206109b3361a2 |
| SHA1 | d4b0ffc96c601e00796dc173ee5a30a137dba9b7 |
| SHA256 | 77b99f9fa923090a660ea426bffb968d14ab9559d831ae599e34c45d337bc53c |
| SHA512 | 62d24ad66c8555259e33a5d09f32db9358fb8b1d652c100253b96fdbbd4f37f6a74be409c6b8b8ca3e584a4b4f7f334d7525b134bd660d41fd86f3349d2bb619 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 3a420c0d3eb97811bff89194a89d03c0 |
| SHA1 | edb1fbecfd38b3989498694ad8a80b698808d371 |
| SHA256 | b0ca2d133a75cd8bc712b98df67f6518fe01e67df702820bd52ad7a46391456b |
| SHA512 | b13f75a271841344d2c5683309f73de27adbcffefb888c40922541a6dfbb57a04feda55e5fedf0704bb9fb58471b002736ab78042b61625dcf3a7b5c1732e68f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2vpmaw3i.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | 4f650221c31b802449cf02da450d646d |
| SHA1 | 211d1d305ea1b6cccdc04bc769787d98d65fbafb |
| SHA256 | 5aa6b88577373a3e61f34a6effda7cf289b6fd6cabfc8afdabcf649fe5889671 |
| SHA512 | 5b664fba24bea8a991ffd793bf2398f5d4a90b3d6e3a6fd70a57f076049536a8934296c590e8ca52048df91175e6d861e9e9c1d993c25553ffc651cbb847ac10 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2vpmaw3i.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 8ebb331475436fb2ea6a047d33518ad8 |
| SHA1 | ec3e9b86439d410a04849e1ae3234120bf0b31ca |
| SHA256 | d903ca348b4322fd4caf9f007fc6f783f59d3e2eb9bbd8b31ed0c22d9c4d0b5f |
| SHA512 | fa89bb62b931d9c2cbc5db6081da739808e838185ecdd374203d1cb3e83beb8d47fb448ea4bc9f72d9fa443816dd9f1259bab42e4996d1d7361989d71d1044fe |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2vpmaw3i.default-release\prefs-1.js
| MD5 | 32919e0ce776a3e0389a13b8a11861fe |
| SHA1 | 0d9005044f47ece3911baf1ab190e22da7f55f16 |
| SHA256 | 927c4a057f621c903335e8842451a167834b958209855f5e730c1203b9f4b3fd |
| SHA512 | c0c7471463aca57eabf257fa6248e04760d4609a3070a118d46f0a2d7041e924b3c513f1d3dcbe9ca2a6bdcc8c6d097a27b6c11065ed872fc3ec45bd449a55c8 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2vpmaw3i.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | e986ba3cbc190b99951552b36369def2 |
| SHA1 | 95d203a53a191cc0ea0b395387f1d3a23d4ac949 |
| SHA256 | d8c9f46b6c30678042d37c8aed407d824800c154a62a0cd15c07c2abb267eb55 |
| SHA512 | 84b1f07984157389a87d7d3e38ef1598f6b81b37726805e11aff72aa5f554bba7b21a52f6dda6744c1437e41de57ec09e9a9e52729946a5f2dc787f68c13cdf6 |
memory/5016-343-0x000001EAAD460000-0x000001EAAD461000-memory.dmp
memory/5016-345-0x000001EAAD460000-0x000001EAAD461000-memory.dmp
memory/5016-344-0x000001EAAD460000-0x000001EAAD461000-memory.dmp
memory/5016-353-0x000001EAAD460000-0x000001EAAD461000-memory.dmp
memory/5016-354-0x000001EAAD460000-0x000001EAAD461000-memory.dmp
memory/5016-355-0x000001EAAD460000-0x000001EAAD461000-memory.dmp
memory/5016-357-0x000001EAAD460000-0x000001EAAD461000-memory.dmp
memory/5016-358-0x000001EAAD460000-0x000001EAAD461000-memory.dmp
memory/5016-356-0x000001EAAD460000-0x000001EAAD461000-memory.dmp
memory/5016-352-0x000001EAAD460000-0x000001EAAD461000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2vpmaw3i.default-release\prefs-1.js
| MD5 | 68c186103d8ff0b020f6c117e1b2f75a |
| SHA1 | f134408d2bb83cae76038ca7b69d1f01209419e9 |
| SHA256 | 878fb59f8551b571654d01c5b59f2a6b48044a968cdefff305362d22d2911ed9 |
| SHA512 | 417c0138bdb8767eac23fc82481fd135ae8720f661b9b077511a2d6c21afa3e3d819b3d29e31ccf2b2872f6a8e528c0f4325b9f9b1037d070554b1c9fd6bf15b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2vpmaw3i.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 134d56213ac0acc169df94ae3eea9007 |
| SHA1 | ec84484dc552cf792270b79c7e112cc398e7b119 |
| SHA256 | 5d4da759ac849f4efeff1314bef6036018650980d9992aacc4523d89b721c6c8 |
| SHA512 | 76f31433fbb85e64af3b3884df21dd9578e8396f220611a45fa022db47bd24a44289fa5617a501f639d0639869a1a4330085af7686d908050b9d71cd60e79245 |
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
| MD5 | d2fb266b97caff2086bf0fa74eddb6b2 |
| SHA1 | 2f0061ce9c51b5b4fbab76b37fc6a540be7f805d |
| SHA256 | b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a |
| SHA512 | c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8 |
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
| MD5 | 6bd369f7c74a28194c991ed1404da30f |
| SHA1 | 0f8e3f8ab822c9374409fe399b6bfe5d68cbd643 |
| SHA256 | 878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d |
| SHA512 | 8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93 |
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
| MD5 | f49655f856acb8884cc0ace29216f511 |
| SHA1 | cb0f1f87ec0455ec349aaa950c600475ac7b7b6b |
| SHA256 | 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba |
| SHA512 | 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2vpmaw3i.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | fa4e9e0ef26e20315ee7bbf9529b532e |
| SHA1 | 6164774cfd74b16a4c1e44a2b6a4c665a8434293 |
| SHA256 | af2386920b9bf3edf871ae2b0276e12c23e684a89fadbfdfe938f6edad7e8163 |
| SHA512 | f6aa6646c212d98f6165f1bdf81820fb4ea9fa37f9516064b8eb8d328983ba30973b47737cfee04208571e3b1f2e1c582cb5afb45de969d41dd9deac7e75e3a6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 326dba01b7d704a4ac135f8e1a69a685 |
| SHA1 | e718189b58256cb76a90dd0f188a43eded61c599 |
| SHA256 | 1989962c387821fda3ec46c07cff04390c28fdef44aa2cbf9aebd20cf030730f |
| SHA512 | 5e526352795c2b7c19195fdea88e9edac0c7ee9015343412a28efaaecaacd0748566fff875d312408672bb0b2b12b0c17599b1df641b1194f6b3a31b0e25875e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2vpmaw3i.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 06bbf120006c78aae412304d6419b55c |
| SHA1 | 39577a70699de0496630c8658861e4b40aeabdee |
| SHA256 | 3939119b97cc8c7a91ec3fce66c5e22de490b778126c2477b5b1fb1bd3200e26 |
| SHA512 | 40e797c447fa8ac478292a0fa89f655e50e02a246eb719ae1d906fff4806048d2de71a6bf052e77b5903b6fa4809edcc92877365fad445aa64898a75218bdfa9 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2vpmaw3i.default-release\cache2\entries\4EED77ABF2B13446DC47048EDC01C87DFC8AFFC2
| MD5 | 104909618d3080b0273fcbaf92dd5caf |
| SHA1 | 0ca988394a515cf26e58cdce8dcf20b7ecb2c30a |
| SHA256 | abf96e5bf6c0632e3ced4f4f594cd297477bac5f987e58e03590a217bfbef237 |
| SHA512 | e920382f372a3dba7379f0734c63a4c44c999dbb6506291f0962999179db8b7c0b291a2dfad9fa0b2d784512b562c44003784dd1169c325969a9f6655437ee23 |
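Two of the artifact entries above carry hashes that are worth recognising before they end up in a blocklist: the crashpad pipe's MD5/SHA1/SHA256 (d41d8cd9…, da39a3ee…, e3b0c442…) are the digests of zero-length input, and persisted_first_party_sets.json's (99914b93…, bf21a9e8…, 44136fa3…) are the digests of the two-byte string "{}". Both are ordinary Chrome startup residue, not stealer output, and matching on them would fire on almost any machine. The script below is an added example, not part of the sandbox report: it parses the memory/PID-seq-start-end-memory.dmp region names and the per-file hash tables in the format used on this page, flags entries whose hashes equal those of empty content, and returns the SHA256 values that remain usable as indicators. The sample input is constructed from lines of this report; the function and class names are the example's own.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample, copied from the artifact list of this report (paths use Windows separators).
SAMPLE = r"""
memory/2036-9-0x00007FFE53130000-0x00007FFE53325000-memory.dmp
memory/5016-343-0x000001EAAD460000-0x000001EAAD461000-memory.dmp
\??\pipe\crashpad_1804_LEMRLKZOQMSQMULX
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2vpmaw3i.default-release\prefs-1.js
| MD5 | 32919e0ce776a3e0389a13b8a11861fe |
| SHA256 | 927c4a057f621c903335e8842451a167834b958209855f5e730c1203b9f4b3fd |
"""

# memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp, as the report names dumped regions
MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
# "| MD5 | <hex> |" rows of the per-file hash tables
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
ALGS = ("MD5", "SHA1", "SHA256", "SHA512")


@dataclass
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)


# Digests of content that carries no signal: a zero-length file/pipe and an empty JSON object.
# Computed here rather than hard-coded so the comparison is against what hashlib actually yields.
KNOWN_EMPTY = {
    label: {alg: getattr(hashlib, alg.lower())(data).hexdigest() for alg in ALGS}
    for label, data in {"empty": b"", "empty-json-object": b"{}"}.items()
}


def parse_artifacts(text: str):
    """Split report lines into memory regions and dropped files with their hash tables."""
    regions, files = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            current = None
            regions.append(MemoryRegion(int(m["pid"]), int(m["seq"]),
                                        int(m["start"], 16), int(m["end"], 16)))
            continue
        h = HASH_RE.match(line)
        if h and current is not None:
            current.hashes[h.group(1)] = h.group(2).lower()
            continue
        # Anything else is a path line that opens a new file entry.
        current = DroppedFile(path=line)
        files.append(current)
    return regions, files


def classify(entry: DroppedFile) -> str:
    """'empty' / 'empty-json-object' when any listed hash matches known-empty content, else 'content'."""
    for label, table in KNOWN_EMPTY.items():
        if any(entry.hashes.get(alg) == table[alg] for alg in entry.hashes):
            return label
    return "content"


def ioc_hashes(files) -> list:
    """SHA256 values that are safe to put in a blocklist: known-empty content is excluded."""
    return sorted({f.hashes["SHA256"] for f in files
                   if "SHA256" in f.hashes and classify(f) == "content"})


if __name__ == "__main__":
    regions, files = parse_artifacts(SAMPLE)
    for r in regions:
        print(f"pid {r.pid} dump #{r.seq}: 0x{r.start:X}-0x{r.end:X} ({r.size:#x} bytes)")
    for f in files:
        print(f"{classify(f):18} {f.path}")
    print("usable SHA256 IOCs:", ioc_hashes(files))
```

Run against the full artifact list, the same parser also shows that the ten PID 5016 dumps all cover one 0x1000-byte page at 0x1EAAD460000, so they are repeated snapshots of a single region rather than ten distinct allocations.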