Malware Analysis Report

2024-08-06 12:59

Sample ID 240604-xhqzbsgg46
Target sheet rat v2.6 (extract.me).zip
SHA256 0a85d4af371a4f35c280ae54abf97ea70fce6406bc5b2ed199d95700075e577c
Tags
rat pyinstaller miner asyncrat xmrig
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0a85d4af371a4f35c280ae54abf97ea70fce6406bc5b2ed199d95700075e577c

Threat Level: Known bad

The file sheet rat v2.6 (extract.me).zip was found to be: Known bad.

Malicious Activity Summary

rat pyinstaller miner asyncrat xmrig

Async RAT payload

Xmrig family

Asyncrat family

Contains code to disable Windows Defender

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Detects Pyinstaller

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-04 18:52

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xmrig family

xmrig

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 18:51

Reported

2024-06-04 18:55

Platform

win10v2004-20240508-en

Max time kernel

164s

Max time network

171s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\Client.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 000000000200000001000000ffffffff C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4868 wrote to memory of 4556 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4868 wrote to memory of 4556 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4868 wrote to memory of 4556 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4868 wrote to memory of 4556 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4868 wrote to memory of 4556 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4868 wrote to memory of 4556 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4868 wrote to memory of 4556 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4868 wrote to memory of 4556 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4868 wrote to memory of 4556 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4868 wrote to memory of 4556 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4868 wrote to memory of 4556 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 3652 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 3652 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 3652 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 3652 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 3652 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 3652 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 3652 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 3652 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 3652 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4556 wrote to memory of 3652 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe

"C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4436,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=3756 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Documents\Client.exe

"C:\Users\Admin\Documents\Client.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.0.1638687476\1004260699" -parentBuildID 20230214051806 -prefsHandle 1800 -prefMapHandle 1792 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {09d03db0-1e01-4dc3-967b-3e39813f8055} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 1880 17aadc0fb58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.1.2112119124\588213045" -parentBuildID 20230214051806 -prefsHandle 2420 -prefMapHandle 2416 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c31c9773-b2e2-4af1-8409-5e95658b1221} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 2448 17aa0e89958 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.2.398320363\923670377" -childID 1 -isForBrowser -prefsHandle 2892 -prefMapHandle 2704 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1248 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {090d6445-69b6-4c50-aab2-b08e58b28048} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 2948 17ab09efe58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.3.2037734126\2134599323" -childID 2 -isForBrowser -prefsHandle 4136 -prefMapHandle 4132 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1248 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dcb17ba3-4bef-4e8e-aa82-3a2e91a146e8} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 4148 17ab31cb458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.4.793910816\1657595402" -childID 3 -isForBrowser -prefsHandle 4344 -prefMapHandle 5112 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1248 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {999468d5-dec2-4d28-ae84-60849f15165f} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 5088 17ab31b3c58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.5.842621162\1837478885" -childID 4 -isForBrowser -prefsHandle 5256 -prefMapHandle 5260 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1248 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5609aa97-76a5-43bd-b156-6c8259f48a45} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 5244 17ab4f77b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.6.690379902\1755521668" -childID 5 -isForBrowser -prefsHandle 5448 -prefMapHandle 5452 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1248 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5a4efc8-e6ca-43aa-96d8-78ccb081da54} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 5436 17ab4f7ae58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.7.822283880\262225272" -childID 6 -isForBrowser -prefsHandle 5940 -prefMapHandle 5932 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1248 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88050e28-2502-4bef-bbad-7b7adc181050} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 5936 17ab6688e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.8.82533630\272523986" -childID 7 -isForBrowser -prefsHandle 4648 -prefMapHandle 6096 -prefsLen 27838 -prefMapSize 235121 -jsInitHandle 1248 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de2a2289-354f-40a1-8920-5aef2449d80c} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 4504 17ab3117858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.9.678179172\1981113242" -childID 8 -isForBrowser -prefsHandle 6228 -prefMapHandle 4972 -prefsLen 27838 -prefMapSize 235121 -jsInitHandle 1248 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0dfe5536-431b-4078-abde-1b293f3ad3e0} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 6252 17ab2c80e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.10.1365602473\686118192" -childID 9 -isForBrowser -prefsHandle 6096 -prefMapHandle 4348 -prefsLen 27838 -prefMapSize 235121 -jsInitHandle 1248 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0b25ae6-fe9c-417f-aa94-621a653c727a} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 6176 17ab2991558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.11.655804180\1487832029" -childID 10 -isForBrowser -prefsHandle 6592 -prefMapHandle 6596 -prefsLen 27838 -prefMapSize 235121 -jsInitHandle 1248 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {739b49b3-15b4-4b73-96fc-b742332a10fd} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 6580 17ab2991e58 tab

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 maps.googleapis.com udp
GB 142.250.200.42:443 maps.googleapis.com tcp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 1.1.1.1:99 tcp
N/A 127.0.0.1:49959 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 44.237.65.238:443 shavar.prod.mozaws.net tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 238.65.237.44.in-addr.arpa udp
N/A 127.0.0.1:49966 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 ac.duckduckgo.com udp
IE 52.142.124.215:443 ac.duckduckgo.com tcp
US 8.8.8.8:53 duckduckgo.com udp
US 8.8.8.8:53 duckduckgo.com udp
US 8.8.8.8:53 215.124.142.52.in-addr.arpa udp
US 1.1.1.1:99 tcp
US 8.8.8.8:53 duckduckgo.com udp
IE 52.142.124.215:443 duckduckgo.com tcp
US 8.8.8.8:53 links.duckduckgo.com udp
IE 20.223.54.233:443 links.duckduckgo.com tcp
US 8.8.8.8:53 links.duckduckgo.com udp
US 8.8.8.8:53 links.duckduckgo.com udp
US 8.8.8.8:53 external-content.duckduckgo.com udp
IE 52.142.125.222:443 external-content.duckduckgo.com tcp
IE 52.142.125.222:443 external-content.duckduckgo.com tcp
US 8.8.8.8:53 external-content.duckduckgo.com udp
US 8.8.8.8:53 external-content.duckduckgo.com udp
US 8.8.8.8:53 improving.duckduckgo.com udp
IE 52.142.124.215:443 improving.duckduckgo.com tcp
IE 52.142.124.215:443 improving.duckduckgo.com tcp
IE 52.142.124.215:443 improving.duckduckgo.com tcp
IE 52.142.124.215:443 improving.duckduckgo.com tcp
IE 52.142.124.215:443 improving.duckduckgo.com tcp
IE 52.142.124.215:443 improving.duckduckgo.com tcp
US 8.8.8.8:53 233.54.223.20.in-addr.arpa udp
US 8.8.8.8:53 222.125.142.52.in-addr.arpa udp
US 8.8.8.8:53 www.virustotal.com udp
US 74.125.34.46:443 www.virustotal.com tcp
US 8.8.8.8:53 ghs-svc-https-c46.ghs-ssl.googlehosted.com udp
US 8.8.8.8:53 ghs-svc-https-c46.ghs-ssl.googlehosted.com udp
US 8.8.8.8:53 46.34.125.74.in-addr.arpa udp
US 8.8.8.8:53 www.recaptcha.net udp
US 8.8.8.8:53 www.recaptcha.net udp
US 8.8.8.8:53 www.recaptcha.net udp
US 8.8.8.8:53 recaptcha.net udp
GB 142.250.187.227:443 recaptcha.net tcp
US 8.8.8.8:53 recaptcha.net udp
US 8.8.8.8:53 recaptcha.net udp
GB 142.250.187.227:443 recaptcha.net udp
US 8.8.8.8:53 104.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 14.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 ghs-svc-https-c46.ghs-ssl.googlehosted.com udp
N/A 127.0.0.1:80 tcp
US 1.1.1.1:99 tcp
US 1.1.1.1:99 tcp
GB 142.250.187.196:443 www.google.com udp

Files

memory/1320-0-0x000000007535E000-0x000000007535F000-memory.dmp

memory/1320-1-0x0000000000820000-0x0000000000968000-memory.dmp

memory/1320-2-0x00000000057D0000-0x0000000005D74000-memory.dmp

memory/1320-3-0x0000000005220000-0x000000000527C000-memory.dmp

memory/1320-4-0x0000000005660000-0x00000000056F2000-memory.dmp

memory/1320-5-0x0000000005FE0000-0x0000000006232000-memory.dmp

memory/1320-6-0x0000000005640000-0x000000000564A000-memory.dmp

memory/1320-7-0x0000000075350000-0x0000000075B00000-memory.dmp

memory/1320-8-0x00000000083B0000-0x000000000845A000-memory.dmp

memory/1320-9-0x0000000075350000-0x0000000075B00000-memory.dmp

memory/1320-10-0x0000000009420000-0x000000000944C000-memory.dmp

memory/1320-11-0x0000000009740000-0x0000000009A22000-memory.dmp

memory/1320-12-0x0000000009D10000-0x000000000A064000-memory.dmp

memory/1320-13-0x0000000008760000-0x0000000008782000-memory.dmp

C:\Users\Admin\AppData\Local\GMap.NET\DllCache\SQLite_v98_NET4_x86\System.Data.SQLite.DLL

MD5 14393eb908e072fa3164597414bb0a75
SHA1 5e04e084ec44a0b29196d0c21213201240f11ba0
SHA256 59b9d95ae42e35525fc63f93168fe304409463ee070a3cf21a427a2833564b80
SHA512 f5fc3d9e98cca1fbbbe026707086a71f801016348d2355541d630879ad51a850f49eb4a5f7a94e12a844d7a7108d69fa6d762ee19f4805d6aafef16259b4330b

memory/1320-18-0x00000000087A0000-0x00000000088EB000-memory.dmp

memory/1320-30-0x0000000008900000-0x000000000894C000-memory.dmp

memory/1320-31-0x0000000075350000-0x0000000075B00000-memory.dmp

C:\Users\Admin\AppData\Local\Server\Server.exe_Url_021lj33rcddyjphptsucz0cmlfgti4gg\1.0.0.0\user.config

MD5 a35bc67d130a4fb76c2c2831cbdddd55
SHA1 66502423bba03870522e50608212b6ee27ebf4c5
SHA256 e94a97e512fbc8ed9f5691d921fdeddbff4cc16b024c5335adf66bff3a7a8192
SHA512 4401b234d7914afa860e356be1667cc5f44402255f7cc6cc3d8df80883167f6b55463e62156df57be697ee501897fac61a71f97911c6fdb6630272341ac8a07e

C:\Users\Admin\AppData\Local\Server\Server.exe_Url_021lj33rcddyjphptsucz0cmlfgti4gg\1.0.0.0\user.config

MD5 cfcf8e91857f364e002065c52ff8f91c
SHA1 8407ecb3c33a1f3fcf18a723e6884acf7e5a0f4a
SHA256 572dda8c7f211dc6a4efc7aecb4a54cb4e0ced1e4c9a4b9f96bb329c983c64e6
SHA512 364fecac3a051441b4fefcebb2cc9e38632f99dd04593cd5d9b148986afb09b195e88cdbfa2e778b8934564b76d04fe053f919f0a60769b023f2f753ede06d1e

C:\Users\Admin\AppData\Local\Server\Server.exe_Url_021lj33rcddyjphptsucz0cmlfgti4gg\1.0.0.0\user.config

MD5 2e8ab7cdc2081c09a98f6c5593909409
SHA1 282769c943f8ab0429315869466d042a99de95f4
SHA256 17eee8708a1bbc35422e6ad9b6eff3bec4f8a8b8a87cce8e6cc0da2d94c9b3ae
SHA512 b815e0deaea5348d5ec68cdba3e4b5018e6224299f170859181f90961831b7d14deda144b32d64b11f8da7f4cbdb0b86a8d253b0ee179df68baac274a363ef2a

C:\Users\Admin\AppData\Local\Server\Server.exe_Url_021lj33rcddyjphptsucz0cmlfgti4gg\1.0.0.0\0fvn15qq.newcfg

MD5 b18785caae8834f89e34cde89b93cafc
SHA1 cee194149b484295ddba88111a251986bdc0c7af
SHA256 105971bbe15f24f50dad97d466b55222e52dfdb4a71b1b3a6452cfba28a10811
SHA512 fb108e2997a0ea7bce21113118997f358d73a43a40e2b4b9962738cd88dc6d9dfc17e17e63c8ba8c5a5504e5775fbe9e8084ee8e6086cf0eab709335ed8b282c

memory/1320-69-0x0000000009B30000-0x0000000009B6C000-memory.dmp

memory/1320-70-0x00000000096E0000-0x0000000009701000-memory.dmp

memory/1320-80-0x000000000E9B0000-0x000000000EA62000-memory.dmp

memory/1320-81-0x0000000075350000-0x0000000075B00000-memory.dmp

memory/1320-82-0x000000007535E000-0x000000007535F000-memory.dmp

memory/1320-83-0x0000000075350000-0x0000000075B00000-memory.dmp

memory/1320-84-0x0000000075350000-0x0000000075B00000-memory.dmp

memory/1320-85-0x000000000F0E0000-0x000000000F202000-memory.dmp

memory/1320-91-0x0000000075350000-0x0000000075B00000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 c56f3148f368c68453623fd8d5004938
SHA1 bd4209094c4cb4be944cacf392079cd7dffb9fd0
SHA256 6d9ce7bb9bd71e1ea8172ddf40b300ecfa6dda464757fcade812e2981bc14e1e
SHA512 eb6959f7d372508f16b4d4611b0ba1ea2649f661182acdafe9fff2add1a7d0f5aec54e51c59c29b34a79c0f2f98beb1f67d2470d37a3e9dac1f6eaf0b46abff0

memory/1320-98-0x0000000075350000-0x0000000075B00000-memory.dmp

C:\Users\Admin\Documents\Client.exe

MD5 3cdf8fbb95d91924b43b464a9e5eda01
SHA1 27b559741a1abf2852bde7edd24214acff34b00b
SHA256 62e7eee0c34bfc7df1693dfc216e24751aab276509b02583278f573c09677098
SHA512 812bffb44c1c6dacdf79a6577ae0f57f274e86487b857f581e4e65f38bc84a0ad8e2266970ab231407f6a7e6dc51293f3ac3779a203eaf16d723e3b561d95a5c

memory/224-108-0x00000000000D0000-0x000000000015E000-memory.dmp

memory/224-109-0x00007FF98E2A3000-0x00007FF98E2A5000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\activity-stream.discovery_stream.json.tmp

MD5 7390632f072c4700ba2d2343b6dacb49
SHA1 50f1f17891e226129917a200a33f854b9e2242cb
SHA256 c2f6ceb820a80f7891ba2ba81449c70f98b9247e411a400b7d8617f403415904
SHA512 043a80c800067175959f28e6462f6ea3edd0819e7fcedd049efe4438c244fdf69cc21a84fc2d8ddb7ace1546dfeca62dffb0aca78b616cb62f6d81d62e74f0a5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4

MD5 591fee339a8fd379b4504e667ff61870
SHA1 4db7c2d0b67c04d7ae2b2609b4faf4111381185a
SHA256 60367e9c45c33050a825f6976113af62edf833b4a0a2d4eb1ee1a4472a45bce1
SHA512 4056a8dc24f0e2272000980410d3dde91592d05958ba308f4b54b6824a50ff1544354da73c899d541f2f433d91d27c0a5afee7a2834db6df4262f92bfcba6e80

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs-1.js

MD5 1addaae574d1f52d39560a7d2527f485
SHA1 000f99d1e5611767fae194e24755a852f5900053
SHA256 57d4fa0c5c960c912cf2c0e6f8a267860190edc5657c36e428b531091f34bedf
SHA512 e52748fa9f7fc444b0b0fe49ccc2676fb2f56595bc56e9a38b2364110e83d394dc2fd67dc8624029f441477ffd958b056bc92d6b18e28be535c142c3c7103893

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4

MD5 72baee890c82c6d5ff9b0665f6a445f4
SHA1 ed2fd10ae0a4b8486f542328bb823025215766c9
SHA256 a2e40fff29cea1f3bd9211011191e68fb50f32a444c19896b9fa6d5a3fbe72ca
SHA512 2e7d059bd877b155e415fac1267bf95f982fbb294286f5b0a2657038290e768cadccf92880b5f3e9d915e869ce42e09d5186cbe632faef4fce6e1e5c6476815e

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\entries\BEEBE8D1CDB87C8493E409E1D4FDE181BA4CDB8A

MD5 5aa15aca2659faf39cb2a70c1835eca7
SHA1 42dc0203ccf756f4b5ac40e0048f90a6d6e40228
SHA256 88690c65a2939c674f764adfc5f9743336f71d20f0c24e14b024a6c3cc2939f2
SHA512 0922ce19e68f75bb45fda04498b408bd4b9b68397892ded111cf6334d0af0a55bd12a757d3d9b010481b12863450ff8a4a199b77de51990053c3a792d5fe5de8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\storage\default\https+++www.virustotal.com\cache\morgue\116\{46e7999c-c7dd-4e55-adc0-7130377c7874}.final

MD5 f82f1082ab7c1cb2a4aab9a2f47a9638
SHA1 7aad4ff07d8b2e3bbf8467df4c4af0eaa5ec7359
SHA256 46a67c588e7b6531636267d1ce735bd1388e757c1acd2c181677bd01e01acd1f
SHA512 4a3cfdba26d6285420bb320ec3b4e541d437d3cc6fa5c9dbc5ad48a59c9fd90a075153d2b4c55986ef2ed0e2292149501e49e3fa5e5e7f3bc1d4e588d703a0f8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs-1.js

MD5 5ade2fc6dd9a017f6043a4d3970d4c80
SHA1 ca1c7dbece96a047eb6ef759e65edc20719764bb
SHA256 9a505208f9ad27376a63523b1dcdc235f6ab41e07c124b4d04cb171690c3276f
SHA512 31231f759bb5d31b048d8637000feb49d88a8ad0e1edc658df33eb6d9d1b36a17670e94021c2d1115a79f80ef74cb28bb840a3dc15403e0a16e09442f39f1c83

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 9cf8abd3b3f1a1f75ad91aa7f1eb87fe
SHA1 b3665541e93d4e6eede8e8343b3a4d42397a020e
SHA256 a62bc3905b379de7762d107228bfbced753db84d61c01a5dfb723690ee7a0e81
SHA512 bb8cfae300c1b3aff65edfbafe9a9038ec6870e5e647f6e31c9a6ee0296e69396cff689616e3e79eb8477240b728f556758063a9224005420bc09f4d9dc831a5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4

MD5 94b63c314db08d2d8273ff0dbbda0527
SHA1 9ede0a0c9e87554c82257e5946e5132f67dd477c
SHA256 81fab78b042f823f5fbf0d2d7942b5b9dafaf7ff63185b878b79be9e600c4d4f
SHA512 6a72028328d6710e0677cfa0f184aa37818c7ac0870750984a45e25d6fde7c63a48014512c1a54d242c789d543ab5d7d13275a344a3228f822b22a183d9d4ca5

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\doomed\3745

MD5 d22459e7b1641eaa0c1610ce6b7b35cc
SHA1 d4d4d63b0476c9949effd1f66ceef7d35061a3ab
SHA256 f9d514950c0807d7c82f79c83bbd172e87d19e4e4838c453fee886f1ef5afaa3
SHA512 297ee0be3ca6f6c60bc4afbdf0574bbc9fcfd7a1e256b65a2a81cce6789abf12b62c332b475a849b9127cd3a94e7ee37496981ce368f03c79cb14bc4c5ce1ae3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\storage\default\https+++www.virustotal.com\cache\morgue\122\{1cd6b66b-e954-4918-b87a-d0c19a51177a}.final

MD5 443e3599e2e615e1bc3b2d0c283bb788
SHA1 651f0aa18d9a867f92e5c2c7b14a1e93ab73ddc4
SHA256 ce383de6996f045a7861744d2d5fc20b69d8528f9506d867ebcc026f428389f7
SHA512 57984185d3ca94f98b3d7478d35716986adb355e8e142c0e3cd591e6430802bd8d56e8098c9637344a582679958bce7bfccdd0155f73894f9010f107f95da469

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\serviceworker.txt

MD5 d928a806068441d653c54f20ddaaa918
SHA1 3994025e2dd21276f8a8e1a4177d907b64f71b2b
SHA256 638471e157f62b3aeb182a557cb7db4ab0afca933eb6453778cb28094b0a6a6d
SHA512 d910c11eee99df1166c3aaa128d544def1a43273d7cad15a80a49c0b2dafe08fce1216d03279b8d23ee822b4511fee619f8be8aa3e581431d11de0f33e3721dd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\serviceworker-1.txt

MD5 224efb5ca91b4b5d3d38032f1a2a7fd5
SHA1 637910ad5b67e7bf3a5b9490d9a9c7382afb9a43
SHA256 6255e781ef6f656b709b8e491c86e3a7d600a4bd643910076e05d2e204af9047
SHA512 7c29ceab4f495c40e4eae4867a9b38fa66472dcfd27c6dac05ff747a09beb56783a69ff756df2fe04241d0e96500057d9850424a67d03fdb9d07d3db2e4d9830

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4

MD5 4ec02292db3416e5637785f98b550370
SHA1 6ab09758b9f32f5d294faf492ef6aba060b215fe
SHA256 32ddee6f0769e03d7cfb0ec7f893859348fa654b6e4e5e083b5befae2312d529
SHA512 1397bc8a76811603d42ec2e57f546668031cb91bb5b7966c6b64614e758eaf2ebb7ec7635d276d6ca482fdbeddd2b74a0d114059a94322e09f183af54e4ec83c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4

MD5 9a20fe4d4cf2afd4051138744c973b25
SHA1 9e02f01a280b1f1c1b0186c57ecdccb2e4bc2087
SHA256 aa6ed092be2c821d01112403fa787473f4062626cbd53088aab878259f3ffb3e
SHA512 8f73e36811bf89c9f21f76260dbf31f6fcd707b51e647e93f61c92d87c581f554c8bccdb17200ecf9631701472b444c3dcc8eceef6291c480115b6c2574f5f88

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\entries\348672D4E7A1204F7DAB0B8FCCE574BBAE88ADCF

MD5 e669a5710138e1c69f4eb414778af117
SHA1 ec0cf8d4188129e3e2cb0c4d86827e4dfcba037d
SHA256 89fb6ab085f912ad8129ec2ab339bfcc3f184044234722bb5732bf755a91b511
SHA512 18ebcf136247998085f845bf7f4125168b7b6c7af3a8b834a196f6176bd586eacd1dc9234fc46af07beebf5557ffa34b5e0bfd3d5dd6cbf1ba24c76e68942a4c