Malware Analysis Report

2024-10-10 13:03

Sample ID: 240618-xg768avaqb
Target: Solara.exe
SHA256: 1ac539099498a1b248611e9a8c493486cafc55abf4360f7279a753ae9b6b3b40
Tags: rat dcrat infostealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 1ac539099498a1b248611e9a8c493486cafc55abf4360f7279a753ae9b6b3b40

Threat Level: Known bad

The file Solara.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

DCRat payload

Process spawned unexpected child process

Dcrat family

DcRat

DCRat payload

Executes dropped EXE

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-18 18:50

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 18:50

Reported

2024-06-18 19:29

Platform

win10-20240404-en

Max time kernel

1795s

Max time network

1796s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Solara.exe"

Signatures

DcRat

rat infostealer dcrat
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
File created | C:\Program Files (x86)\Windows Media Player\c5b4cb5e9653cc | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Solara.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Windows Media Player\services.exe | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A
File created | C:\Program Files (x86)\Windows Media Player\c5b4cb5e9653cc | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\7a0fd90576e088 | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A
File created | C:\Program Files (x86)\Windows Media Player\services.exe | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\security\cap\SearchUI.exe | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A
File created | C:\Windows\security\cap\dab4d89cac03ec | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Solara.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A
N/A | N/A | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A
N/A | N/A | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A
N/A | N/A | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A
N/A | N/A | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Containercomponentdriverdll\Msperfcrt.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\security\cap\SearchUI.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Recovery\WindowsRE\fontdrvhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\security\cap\SearchUI.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Recovery\WindowsRE\fontdrvhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\security\cap\SearchUI.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Recovery\WindowsRE\fontdrvhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\services.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\security\cap\SearchUI.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Recovery\WindowsRE\fontdrvhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\security\cap\SearchUI.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Recovery\WindowsRE\fontdrvhost.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1680 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.exe | C:\Windows\SysWOW64\WScript.exe
PID 1680 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.exe | C:\Windows\SysWOW64\WScript.exe
PID 1680 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.exe | C:\Windows\SysWOW64\WScript.exe
PID 1648 wrote to memory of 3532 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 3532 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 3532 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 3532 wrote to memory of 3984 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Containercomponentdriverdll\Msperfcrt.exe
PID 3532 wrote to memory of 3984 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Containercomponentdriverdll\Msperfcrt.exe
PID 3984 wrote to memory of 908 | N/A | C:\Containercomponentdriverdll\Msperfcrt.exe | C:\Program Files (x86)\Windows Media Player\services.exe
PID 3984 wrote to memory of 908 | N/A | C:\Containercomponentdriverdll\Msperfcrt.exe | C:\Program Files (x86)\Windows Media Player\services.exe
PID 3284 wrote to memory of 1840 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3284 wrote to memory of 1840 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3284 wrote to memory of 1840 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3284 wrote to memory of 1840 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3284 wrote to memory of 1840 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3284 wrote to memory of 1840 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3284 wrote to memory of 1840 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3284 wrote to memory of 1840 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3284 wrote to memory of 1840 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3284 wrote to memory of 1840 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3284 wrote to memory of 1840 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1232 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1232 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1840 wrote to memory of 1728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Solara.exe

"C:\Users\Admin\AppData\Local\Temp\Solara.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Containercomponentdriverdll\KeujGBFUQImr.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Containercomponentdriverdll\KHRnsPaHq6wt4rRYII1q2.bat" "

C:\Containercomponentdriverdll\Msperfcrt.exe

"C:\Containercomponentdriverdll\Msperfcrt.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 6 /tr "'C:\Windows\security\cap\SearchUI.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Windows\security\cap\SearchUI.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 10 /tr "'C:\Windows\security\cap\SearchUI.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f

C:\Program Files (x86)\Windows Media Player\services.exe

"C:\Program Files (x86)\Windows Media Player\services.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1840.0.1137892790\1928467079" -parentBuildID 20221007134813 -prefsHandle 1732 -prefMapHandle 1724 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fabc3b6f-9e25-49eb-b0b7-f6b05b0daa78} 1840 "\\.\pipe\gecko-crash-server-pipe.1840" 1808 189f1013658 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1840.1.652930625\1969170970" -parentBuildID 20221007134813 -prefsHandle 2144 -prefMapHandle 2140 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f55d8fe1-13b2-42be-8700-690dbf3e59f9} 1840 "\\.\pipe\gecko-crash-server-pipe.1840" 2164 189efb33258 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1840.2.988098252\892044837" -childID 1 -isForBrowser -prefsHandle 2744 -prefMapHandle 2740 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1112 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {975f9c78-b7a9-4994-86c3-c9335cd8bc53} 1840 "\\.\pipe\gecko-crash-server-pipe.1840" 2832 189eff60858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1840.3.1864447599\1795590886" -childID 2 -isForBrowser -prefsHandle 3400 -prefMapHandle 3396 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1112 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6bd99e04-f5b0-4578-a011-6d4c57e5dd45} 1840 "\\.\pipe\gecko-crash-server-pipe.1840" 3416 189f280da58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1840.4.1606423600\857781962" -childID 3 -isForBrowser -prefsHandle 4028 -prefMapHandle 4020 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1112 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aed9f9a9-f334-47ab-af6f-9e8188538eb9} 1840 "\\.\pipe\gecko-crash-server-pipe.1840" 4044 189f5582d58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1840.5.931176945\1799100269" -childID 4 -isForBrowser -prefsHandle 4800 -prefMapHandle 4844 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1112 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {39fbada5-4b2b-4131-af1a-0df3c5a021c4} 1840 "\\.\pipe\gecko-crash-server-pipe.1840" 4788 189f5584858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1840.6.1434569755\994096303" -childID 5 -isForBrowser -prefsHandle 4960 -prefMapHandle 4964 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1112 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f728d5c-a063-4a8f-bfba-b6899b6a09f7} 1840 "\\.\pipe\gecko-crash-server-pipe.1840" 4952 189f6406e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1840.7.1989601351\1961571124" -childID 6 -isForBrowser -prefsHandle 5160 -prefMapHandle 5164 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1112 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c31e1e0-4783-47fb-9a76-d5f279ab623d} 1840 "\\.\pipe\gecko-crash-server-pipe.1840" 5152 189f66fb558 tab

C:\Windows\security\cap\SearchUI.exe

C:\Windows\security\cap\SearchUI.exe

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Program Files (x86)\Windows Media Player\services.exe

"C:\Program Files (x86)\Windows Media Player\services.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe"

C:\Windows\security\cap\SearchUI.exe

C:\Windows\security\cap\SearchUI.exe

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Windows\security\cap\SearchUI.exe

C:\Windows\security\cap\SearchUI.exe

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Program Files (x86)\Windows Media Player\services.exe

"C:\Program Files (x86)\Windows Media Player\services.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe"

C:\Windows\security\cap\SearchUI.exe

C:\Windows\security\cap\SearchUI.exe

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Windows\security\cap\SearchUI.exe

C:\Windows\security\cap\SearchUI.exe

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Recovery\WindowsRE\fontdrvhost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | a0996780.xsph.ru | udp
RU | 141.8.195.65:80 | a0996780.xsph.ru | tcp
RU | 141.8.195.65:80 | a0996780.xsph.ru | tcp
US | 8.8.8.8:53 | 65.195.8.141.in-addr.arpa | udp
US | 8.8.8.8:53 | contile.services.mozilla.com | udp
US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp
US | 8.8.8.8:53 | push.services.mozilla.com | udp
US | 8.8.8.8:53 | shavar.services.mozilla.com | udp
US | 8.8.8.8:53 | contile.services.mozilla.com | udp
US | 34.117.188.166:443 | contile.services.mozilla.com | tcp
US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp
US | 44.232.194.163:443 | shavar.services.mozilla.com | tcp
US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp
US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp
US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp
US | 34.117.188.166:443 | contile.services.mozilla.com | tcp
N/A | 127.0.0.1:49789 | | tcp
N/A | 127.0.0.1:49796 | | tcp
US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp
US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp
US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp
US | 8.8.8.8:53 | 163.194.232.44.in-addr.arpa | udp
US | 8.8.8.8:53 | contile.services.mozilla.com | udp
US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp
US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp
US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp
US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp
US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp
US | 8.8.8.8:53 | 166.188.117.34.in-addr.arpa | udp
US | 8.8.8.8:53 | push.services.mozilla.com | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
RU | 141.8.195.65:80 | a0996780.xsph.ru | tcp
US | 8.8.8.8:53 | push.services.mozilla.com | udp
US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp
US | 34.107.243.93:443 | push.services.mozilla.com | tcp
US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp
US | 8.8.8.8:53 | aus5.mozilla.org | udp
US | 35.244.181.201:443 | aus5.mozilla.org | tcp
US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp
US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp
US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp
US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp
RU | 141.8.195.65:80 | a0996780.xsph.ru | tcp
US | 8.8.8.8:53 | ciscobinary.openh264.org | udp
NL | 2.18.121.73:80 | ciscobinary.openh264.org | tcp
US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp
US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp
US | 8.8.8.8:53 | 73.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | redirector.gvt1.com | udp
US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp
GB | 142.250.187.206:443 | redirector.gvt1.com | tcp
US | 8.8.8.8:53 | redirector.gvt1.com | udp
GB | 142.250.187.206:443 | redirector.gvt1.com | tcp
US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | redirector.gvt1.com | udp
RU | 141.8.195.65:80 | a0996780.xsph.ru | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
RU | 141.8.195.65:80 | a0996780.xsph.ru | tcp
US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp
RU | 141.8.195.65:80 | a0996780.xsph.ru | tcp
US | 8.8.8.8:53 | contile.services.mozilla.com | udp
US | 34.117.188.166:443 | contile.services.mozilla.com | tcp
US | 8.8.8.8:53 | contile.services.mozilla.com | udp
US | 34.117.188.166:443 | contile.services.mozilla.com | tcp
US | 34.117.188.166:443 | contile.services.mozilla.com | udp
RU | 141.8.195.65:80 | a0996780.xsph.ru | tcp
US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp
US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp
RU | 141.8.195.65:80 | a0996780.xsph.ru | tcp
RU | 141.8.195.65:80 | a0996780.xsph.ru | tcp
RU | 141.8.195.65:80 | a0996780.xsph.ru | tcp
RU | 141.8.195.65:80 | a0996780.xsph.ru | tcp
US | 8.8.8.8:53 | aus5.mozilla.org | udp
US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp
US | 35.244.181.201:443 | prod.balrog.prod.cloudops.mozgcp.net | tcp
US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp
RU | 141.8.195.65:80 | a0996780.xsph.ru | tcp
RU | 141.8.195.65:80 | a0996780.xsph.ru | tcp
RU | 141.8.195.65:80 | a0996780.xsph.ru | tcp
RU | 141.8.195.65:80 | a0996780.xsph.ru | tcp
RU | 141.8.195.65:80 | a0996780.xsph.ru | tcp
RU | 141.8.195.65:80 | a0996780.xsph.ru | tcp
US | 8.8.8.8:53 | location.services.mozilla.com | udp
US | 35.190.72.216:443 | location.services.mozilla.com | tcp
US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp
US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp
US | 35.190.72.216:443 | prod.classify-client.prod.webservices.mozgcp.net | udp
US | 8.8.8.8:53 | 216.72.190.35.in-addr.arpa | udp
RU | 141.8.195.65:80 | a0996780.xsph.ru | tcp
RU | 141.8.195.65:80 | a0996780.xsph.ru | tcp
RU | 141.8.195.65:80 | a0996780.xsph.ru | tcp
US | 8.8.8.8:53 | contile.services.mozilla.com | udp
US | 8.8.8.8:53 | contile.services.mozilla.com | udp
US | 34.117.188.166:443 | contile.services.mozilla.com | udp
US | 8.8.8.8:53 | contile.services.mozilla.com | udp
RU | 141.8.195.65:80 | a0996780.xsph.ru | tcp

Files