Malware Analysis Report

2024-11-13 14:19

Sample ID: 240705-g8nznawfme
Target: #!SetUp_14807--!PassW0rdz#$$.zip
SHA256: 75240b9609c102dbec6d1ada163a1bfdfe156f55dd21c5e614b3a60722d61929
Tags: lumma spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analyses: behavioral12, behavioral5, behavioral21, behavioral22, behavioral26, behavioral10, behavioral19, behavioral3, behavioral17, behavioral23, behavioral2, behavioral15, behavioral18, behavioral9, behavioral8, behavioral7, behavioral13, behavioral20, behavioral24, behavioral25, behavioral1, behavioral6, behavioral14, behavioral16, behavioral4, behavioral11 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: 75240b9609c102dbec6d1ada163a1bfdfe156f55dd21c5e614b3a60722d61929

Threat Level: Known bad

The file #!SetUp_14807--!PassW0rdz#$$.zip was found to be: Known bad.

Malicious Activity Summary

lumma spyware stealer

Lumma Stealer

Loads dropped DLL

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

Checks processor information in registry

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: AddClipboardFormatListener

NTFS ADS

Modifies registry class

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious use of SetWindowsHookEx
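Every task's Network table below is dominated by the sandbox's own reverse-DNS lookups (the *.in-addr.arpa and *.ip6.arpa rows) and by Office and Edge telemetry, so the two indicators that matter, unwielldyzpwo.shop (contacted repeatedly over TLS from the Setup.exe task, behavioral19) and downloadfile123.xyz (resolved but never connected to), are easy to miss when skimming. The following is an added example and not part of the sandbox report: a small Python triage pass that parses rows in the report's "Country Destination Domain Proto" layout and keeps only what is worth a block or a hunt. The sample rows are copied from the behavioral19, behavioral21 and behavioral22 tables; the telemetry allowlist is an assumption drawn from the tasks that ran only benign DLLs or Excel, not a list the sandbox publishes.

```python
"""Triage of the per-task 'Network' tables in this report: strip the
reverse-DNS (PTR) lookups and sandbox telemetry that every task emits, and
keep what is left as candidate C2 indicators.

Added example, not part of the sandbox report. SAMPLE_ROWS is constructed by
copying rows from the behavioral19, behavioral21 and behavioral22 tables; the
telemetry allowlist is an assumption based on the domains that appear in tasks
which ran only rundll32 or Excel on non-malicious files.
"""
from typing import Dict, List, NamedTuple, Optional, Set


class NetRow(NamedTuple):
    country: str
    dest: str              # "ip:port"
    domain: Optional[str]  # None when the sandbox logged no name for the flow
    proto: str


# Assumed allowlist: background noise seen in the benign tasks of this report.
TELEMETRY_DOMAINS = {"g.bing.com", "roaming.officeapps.live.com"}
TELEMETRY_SUFFIXES = (".bing.com", ".live.com", ".microsoft.com")


def parse_row(line: str) -> Optional[NetRow]:
    """Rows are 'Country Destination [Domain] Proto'; the Domain column is
    sometimes empty. Returns None for the header and for blank lines."""
    parts = line.split()
    if not parts or parts[0] == "Country":
        return None
    if len(parts) == 4:
        return NetRow(parts[0], parts[1], parts[2], parts[3])
    if len(parts) == 3:
        return NetRow(parts[0], parts[1], None, parts[2])
    return None


def is_ptr_lookup(domain: Optional[str]) -> bool:
    """The sandbox resolves every peer back to a name; those lookups are noise."""
    return domain is not None and domain.endswith((".in-addr.arpa", ".ip6.arpa"))


def is_telemetry(domain: Optional[str]) -> bool:
    return domain is not None and (
        domain in TELEMETRY_DOMAINS or domain.endswith(TELEMETRY_SUFFIXES))


def triage(lines: List[str]) -> Dict[str, Set[str]]:
    """Map each candidate indicator to the ip:port endpoints actually contacted.

    A name that was only resolved (8.8.8.8:53 over udp) but never connected to
    is kept with an empty endpoint set: an unreached second-stage host such as
    downloadfile123.xyz is still worth blocking. Connections the sandbox logged
    without a name are grouped under "(unnamed)" for the analyst to resolve.
    """
    out: Dict[str, Set[str]] = {}
    for line in lines:
        row = parse_row(line)
        if row is None or is_ptr_lookup(row.domain) or is_telemetry(row.domain):
            continue
        key = row.domain if row.domain is not None else "(unnamed)"
        endpoints = out.setdefault(key, set())
        dns_only = row.proto == "udp" and row.dest.endswith(":53")
        if not dns_only:
            endpoints.add(row.dest)
    return out


def report(lines: List[str]) -> List[str]:
    """One line per indicator, sorted, ready for a blocklist ticket."""
    return [f"{name} -> {', '.join(sorted(eps)) if eps else 'resolved only'}"
            for name, eps in sorted(triage(lines).items())]


# Constructed from the report's own tables (see module docstring).
SAMPLE_ROWS = """
Country Destination Domain Proto
US 8.8.8.8:53 unwielldyzpwo.shop udp
US 172.67.158.68:443 unwielldyzpwo.shop tcp
US 172.67.158.68:443 unwielldyzpwo.shop tcp
US 8.8.8.8:53 68.158.67.172.in-addr.arpa udp
US 8.8.8.8:53 downloadfile123.xyz udp
US 8.8.8.8:53 26.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
""".strip().splitlines()

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ROWS)))
```

The "(unnamed)" bucket is deliberate: 52.111.229.43 is logged without a name in the EXCEL.EXE task (behavioral22) next to roaming.officeapps.live.com and is most likely the same Office service, but the report does not say so, and a script should not guess on the analyst's behalf.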

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-05 06:28

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-07-05 06:28

Reported

2024-07-05 06:31

Platform

win10v2004-20240704-en

Max time kernel

125s

Max time network

131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\Extreme.Net.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\Extreme.Net.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4104,i,15168044379859864039,3380316340477469860,262144 --variations-seed-version --mojo-platform-channel-handle=3844 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-05 06:28

Reported

2024-07-05 06:31

Platform

win10-20240404-en

Max time kernel

133s

Max time network

139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Debugs\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Debugs\Newtonsoft.Json.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 35.197.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-07-05 06:28

Reported

2024-07-05 06:31

Platform

win10-20240404-en

Max time kernel

134s

Max time network

142s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\caret.xls"

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\caret.xls"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

memory/3484-3-0x00007FFC03F40000-0x00007FFC03F50000-memory.dmp

memory/3484-2-0x00007FFC03F40000-0x00007FFC03F50000-memory.dmp

memory/3484-1-0x00007FFC03F40000-0x00007FFC03F50000-memory.dmp

memory/3484-0-0x00007FFC03F40000-0x00007FFC03F50000-memory.dmp

memory/3484-4-0x00007FFC43F55000-0x00007FFC43F56000-memory.dmp

memory/3484-7-0x00007FFC43EB0000-0x00007FFC4408B000-memory.dmp

memory/3484-8-0x00007FFC43EB0000-0x00007FFC4408B000-memory.dmp

memory/3484-9-0x00007FFC00650000-0x00007FFC00660000-memory.dmp

memory/3484-10-0x00007FFC43EB0000-0x00007FFC4408B000-memory.dmp

memory/3484-11-0x00007FFC43EB0000-0x00007FFC4408B000-memory.dmp

memory/3484-12-0x00007FFC43EB0000-0x00007FFC4408B000-memory.dmp

memory/3484-13-0x00007FFC43EB0000-0x00007FFC4408B000-memory.dmp

memory/3484-15-0x00007FFC43EB0000-0x00007FFC4408B000-memory.dmp

memory/3484-14-0x00007FFC00650000-0x00007FFC00660000-memory.dmp

memory/3484-17-0x00007FFC43EB0000-0x00007FFC4408B000-memory.dmp

memory/3484-19-0x00007FFC43EB0000-0x00007FFC4408B000-memory.dmp

memory/3484-21-0x00007FFC43EB0000-0x00007FFC4408B000-memory.dmp

memory/3484-23-0x00007FFC43EB0000-0x00007FFC4408B000-memory.dmp

memory/3484-22-0x00007FFC43EB0000-0x00007FFC4408B000-memory.dmp

memory/3484-20-0x00007FFC43EB0000-0x00007FFC4408B000-memory.dmp

memory/3484-18-0x00007FFC43EB0000-0x00007FFC4408B000-memory.dmp

memory/3484-16-0x00007FFC43EB0000-0x00007FFC4408B000-memory.dmp

memory/3484-24-0x00007FFC43EB0000-0x00007FFC4408B000-memory.dmp

memory/3484-25-0x00007FFC43EB0000-0x00007FFC4408B000-memory.dmp

memory/3484-28-0x00007FFC43EB0000-0x00007FFC4408B000-memory.dmp

memory/3484-27-0x00007FFC43EB0000-0x00007FFC4408B000-memory.dmp

memory/3484-26-0x00007FFC43EB0000-0x00007FFC4408B000-memory.dmp

memory/3484-29-0x00007FFC43EB0000-0x00007FFC4408B000-memory.dmp

memory/3484-39-0x00007FFC43EB0000-0x00007FFC4408B000-memory.dmp

memory/3484-156-0x00007FFC43EB0000-0x00007FFC4408B000-memory.dmp

memory/3484-157-0x00007FFC43EB0000-0x00007FFC4408B000-memory.dmp

memory/3484-185-0x00007FFC43EB0000-0x00007FFC4408B000-memory.dmp

memory/3484-225-0x00007FFC03F40000-0x00007FFC03F50000-memory.dmp

memory/3484-226-0x00007FFC03F40000-0x00007FFC03F50000-memory.dmp

memory/3484-227-0x00007FFC03F40000-0x00007FFC03F50000-memory.dmp

memory/3484-224-0x00007FFC03F40000-0x00007FFC03F50000-memory.dmp

memory/3484-228-0x00007FFC43EB0000-0x00007FFC4408B000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-07-05 06:28

Reported

2024-07-05 06:31

Platform

win10v2004-20240508-en

Max time kernel

105s

Max time network

116s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\caret.xls"

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\caret.xls"

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 52.111.229.43:443 tcp

Files

memory/3124-5-0x00007FFF32490000-0x00007FFF324A0000-memory.dmp

memory/3124-9-0x00007FFF72410000-0x00007FFF72605000-memory.dmp

memory/3124-10-0x00007FFF72410000-0x00007FFF72605000-memory.dmp

memory/3124-15-0x00007FFF72410000-0x00007FFF72605000-memory.dmp

memory/3124-19-0x00007FFF72410000-0x00007FFF72605000-memory.dmp

memory/3124-21-0x00007FFF2FB90000-0x00007FFF2FBA0000-memory.dmp

memory/3124-23-0x00007FFF72410000-0x00007FFF72605000-memory.dmp

memory/3124-22-0x00007FFF72410000-0x00007FFF72605000-memory.dmp

memory/3124-20-0x00007FFF72410000-0x00007FFF72605000-memory.dmp

memory/3124-18-0x00007FFF72410000-0x00007FFF72605000-memory.dmp

memory/3124-17-0x00007FFF72410000-0x00007FFF72605000-memory.dmp

memory/3124-16-0x00007FFF72410000-0x00007FFF72605000-memory.dmp

memory/3124-14-0x00007FFF72410000-0x00007FFF72605000-memory.dmp

memory/3124-13-0x00007FFF2FB90000-0x00007FFF2FBA0000-memory.dmp

memory/3124-12-0x00007FFF72410000-0x00007FFF72605000-memory.dmp

memory/3124-11-0x00007FFF72410000-0x00007FFF72605000-memory.dmp

memory/3124-8-0x00007FFF72410000-0x00007FFF72605000-memory.dmp

memory/3124-7-0x00007FFF72410000-0x00007FFF72605000-memory.dmp

memory/3124-6-0x00007FFF72410000-0x00007FFF72605000-memory.dmp

memory/3124-4-0x00007FFF32490000-0x00007FFF324A0000-memory.dmp

memory/3124-3-0x00007FFF724AD000-0x00007FFF724AE000-memory.dmp

memory/3124-2-0x00007FFF32490000-0x00007FFF324A0000-memory.dmp

memory/3124-1-0x00007FFF32490000-0x00007FFF324A0000-memory.dmp

memory/3124-0-0x00007FFF32490000-0x00007FFF324A0000-memory.dmp

memory/3124-31-0x00007FFF72410000-0x00007FFF72605000-memory.dmp

memory/3124-44-0x00007FFF32490000-0x00007FFF324A0000-memory.dmp

memory/3124-45-0x00007FFF32490000-0x00007FFF324A0000-memory.dmp

memory/3124-47-0x00007FFF32490000-0x00007FFF324A0000-memory.dmp

memory/3124-46-0x00007FFF32490000-0x00007FFF324A0000-memory.dmp

memory/3124-48-0x00007FFF72410000-0x00007FFF72605000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-07-05 06:28

Reported

2024-07-05 06:31

Platform

win10v2004-20240704-en

Max time kernel

131s

Max time network

134s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\test.asp

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\test.asp

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4356,i,3027467512973953085,11878940668304988630,262144 --variations-seed-version --mojo-platform-channel-handle=1032 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-07-05 06:28

Reported

2024-07-05 06:31

Platform

win10v2004-20240704-en

Max time kernel

91s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ErrorLog\DirectoryMonitor_[1MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ErrorLog\DirectoryMonitor_[1MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\ErrorLog\DirectoryMonitor_[1MB]_[1].exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/3132-1-0x0000000000B20000-0x0000000000D10000-memory.dmp

memory/3132-0-0x00007FFB1AAA3000-0x00007FFB1AAA5000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-07-05 06:28

Reported

2024-07-05 06:31

Platform

win10-20240404-en

Max time kernel

149s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Lumma Stealer

stealer lumma

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4868 set thread context of 3216 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\more.com

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\SearchIndexer.exe

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\more.com | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1252

Network

Country Destination Domain Proto
US 8.8.8.8:53 unwielldyzpwo.shop udp
US 172.67.158.68:443 unwielldyzpwo.shop tcp
US 172.67.158.68:443 unwielldyzpwo.shop tcp
US 172.67.158.68:443 unwielldyzpwo.shop tcp
US 8.8.8.8:53 68.158.67.172.in-addr.arpa udp
US 172.67.158.68:443 unwielldyzpwo.shop tcp
US 172.67.158.68:443 unwielldyzpwo.shop tcp
US 8.8.8.8:53 downloadfile123.xyz udp
US 8.8.8.8:53 26.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

memory/4868-2-0x00007FFE37670000-0x00007FFE3770B000-memory.dmp

memory/4868-6-0x00007FFE37688000-0x00007FFE37689000-memory.dmp

memory/4868-7-0x00007FFE37670000-0x00007FFE3770B000-memory.dmp

memory/4868-8-0x00007FFE37670000-0x00007FFE3770B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d878db92

MD5 8e13711f88bde12eb76f7943879d3fe6
SHA1 cf62cf776adfa0b475103d99f203565c2833efb9
SHA256 2f6edcf39bf9fd4741e63ebe95f658c4b68f68c8d921245faaed4d3b5ef62b53
SHA512 f112120b317265216ec7654c1ce40318b7f2a3c05ce5ffa158b2f297a3bb5748a37d77e77c79998464db585be682f76349c914f6bbb0318e0d8e6adae69d0250

memory/3216-12-0x00007FFE40490000-0x00007FFE4066B000-memory.dmp

memory/3216-13-0x00000000745B0000-0x0000000074645000-memory.dmp

memory/3216-15-0x00000000745B0000-0x0000000074645000-memory.dmp

memory/3216-14-0x00000000745BE000-0x00000000745C0000-memory.dmp

memory/3216-17-0x00000000745B0000-0x0000000074645000-memory.dmp

memory/3024-18-0x00007FFE40490000-0x00007FFE4066B000-memory.dmp

memory/3024-19-0x0000000000C20000-0x0000000000C78000-memory.dmp

memory/3024-20-0x0000000000C20000-0x0000000000C78000-memory.dmp

memory/3216-21-0x00000000745BE000-0x00000000745C0000-memory.dmp

memory/3024-22-0x0000000000C20000-0x0000000000C78000-memory.dmp
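This task (and behavioral20, which shows the same shape without the crash) is where the 10/10 verdict comes from: an unsigned Setup.exe in %TEMP% starts more.com with no arguments and sets its thread context, the SetThreadContext plus MapViewOfSection pair that marks process hollowing; a SysWOW64 copy of SearchIndexer.exe appears next, and WerFault is then invoked for PID 3024, the SearchIndexer.exe instance. The following is an added example and not part of the sandbox report: Python heuristics a detection engineer could run over endpoint process-creation events to catch that chain. The event records are constructed from this task's process list; PIDs 4868, 3216 and 3024 are the ones the report names, while the parent links between them, the services.exe row, the WerFault PID 3900 and the extra hollow-host names are assumptions made so the tree can be walked.

```python
"""Process-tree heuristics for the chain recorded in the behavioral19 and
behavioral20 tasks: Setup.exe -> more.com -> SearchIndexer.exe, followed by
WerFault handling the crash of the hollowed SearchIndexer.exe.

Added example; not part of the sandbox report. SAMPLE_EVENTS is constructed
from the behavioral19 process list: PIDs 4868, 3216 and 3024 come from the
report, the parent links, the services.exe row and PID 3900 are assumptions,
and the signed flags follow the report's "Unsigned PE" verdict on Setup.exe.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path as the endpoint agent logged it
    cmdline: str
    signed: bool    # Authenticode verdict as logged


# more.com and SearchIndexer.exe are the hosts this sample uses; the other two
# are assumed extra candidates so the rule is slightly more general.
HOLLOW_HOSTS = {"more.com", "searchindexer.exe", "explorer.exe", "cmd.exe"}


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_user_temp(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in path.lower()


def werfault_target(cmdline: str) -> Optional[int]:
    """PID named by 'WerFault.exe ... -p <pid> ...'; None if there is none."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        if tok == "-p" and toks[i + 1].isdigit():
            return int(toks[i + 1])
    return None


def find_hollowing_chain(events: List[ProcEvent]) -> List[str]:
    """Return one finding per suspicious link in the process tree."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    suspect: Dict[int, str] = {}   # pid -> why it was flagged
    findings: List[str] = []

    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is None:
            continue
        pname, cname = image_name(parent.image), image_name(ev.image)

        # 1. Unsigned binary in %TEMP% starts a system binary with no
        #    arguments: the launch shape of process hollowing (the report's
        #    SetThreadContext / MapViewOfSection signatures on Setup.exe).
        if (not parent.signed and in_user_temp(parent.image)
                and cname in HOLLOW_HOSTS
                and ev.cmdline.strip().strip('"').lower() == ev.image.lower()):
            suspect[ev.pid] = "hollowed host"
            findings.append(
                f"{pname} (pid {parent.pid}, unsigned, in %TEMP%) started "
                f"{cname} (pid {ev.pid}) with no arguments")

        # 2. SearchIndexer.exe is the Windows Search service: it runs from
        #    System32 as a child of services.exe. A SysWOW64 copy, or one
        #    started by anything else, is this chain's second stage.
        if cname == "searchindexer.exe" and (
                pname != "services.exe" or "\\syswow64\\" in ev.image.lower()):
            suspect[ev.pid] = "searchindexer.exe outside service context"
            findings.append(
                f"searchindexer.exe (pid {ev.pid}) started from {ev.image} "
                f"by {pname} (pid {parent.pid})")

    # 3. WerFault names the crashed process on its command line; a crash in a
    #    process already flagged is what the 'Program crash' signature records.
    for ev in events:
        if image_name(ev.image) == "werfault.exe":
            target = werfault_target(ev.cmdline)
            if target in suspect:
                findings.append(
                    f"werfault.exe (pid {ev.pid}) handled a crash in pid "
                    f"{target} ({suspect[target]})")
    return findings


# Constructed sample tree (see module docstring for which values are assumed).
SAMPLE_EVENTS = [
    ProcEvent(700, 1, r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\services.exe", True),
    ProcEvent(4868, 5100, r"C:\Users\Admin\AppData\Local\Temp\Setup.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Setup.exe"', False),
    ProcEvent(3216, 4868, r"C:\Windows\SysWOW64\more.com",
              r"C:\Windows\SysWOW64\more.com", True),
    ProcEvent(3024, 3216, r"C:\Windows\SysWOW64\SearchIndexer.exe",
              r"C:\Windows\SysWOW64\SearchIndexer.exe", True),
    ProcEvent(3900, 3024, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1252", True),
]

if __name__ == "__main__":
    for line in find_hollowing_chain(SAMPLE_EVENTS):
        print(line)
```

Rule 2 is the one that survives a change of first-stage loader: more.com is signed, so rule 1 never fires on the more.com to SearchIndexer.exe hop, but a SearchIndexer.exe that is not a System32 child of services.exe has no benign explanation on a workstation. The WerFault correlation is a useful second signal only; the behavioral20 run of the same Setup.exe produced no crash at all.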

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-05 06:28

Reported

2024-07-05 06:31

Platform

win10-20240404-en

Max time kernel

133s

Max time network

138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Debugs\License.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Debugs\License.dll,#1

Network

Country Destination Domain Proto
US 52.111.229.48:443 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-07-05 06:28

Reported

2024-07-05 06:31

Platform

win10-20240404-en

Max time kernel

133s

Max time network

139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\libgcc_s_dw2-1.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2692 wrote to memory of 3508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2692 wrote to memory of 3508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2692 wrote to memory of 3508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\libgcc_s_dw2-1.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\libgcc_s_dw2-1.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-07-05 06:28

Reported

2024-07-05 06:33

Platform

win10-20240611-en

Max time kernel

129s

Max time network

138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msedge_elf.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msedge_elf.dll,#1

Network

Country Destination Domain Proto
US 199.232.210.172:80 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 108.116.69.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-05 06:28

Reported

2024-07-05 06:31

Platform

win10v2004-20240508-en

Max time kernel

41s

Max time network

48s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Debugs\AlphaFS.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Debugs\AlphaFS.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-07-05 06:28

Reported

2024-07-05 06:31

Platform

win10-20240404-en

Max time kernel

133s

Max time network

138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\libEGL.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2520 wrote to memory of 4716 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2520 wrote to memory of 4716 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2520 wrote to memory of 4716 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\libEGL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\libEGL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 26.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-07-05 06:28

Reported

2024-07-05 06:31

Platform

win10v2004-20240704-en

Max time kernel

150s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\libgcc_s_dw2-1.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4848 wrote to memory of 2292 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4848 wrote to memory of 2292 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4848 wrote to memory of 2292 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\libgcc_s_dw2-1.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\libgcc_s_dw2-1.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2292 -ip 2292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 616

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-07-05 06:28

Reported

2024-07-05 06:32

Platform

win10-20240611-en

Max time kernel

129s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ErrorLog\DirectoryMonitor_[1MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ErrorLog\DirectoryMonitor_[1MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\ErrorLog\DirectoryMonitor_[1MB]_[1].exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 26.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/2712-0-0x00007FFB83AE3000-0x00007FFB83AE4000-memory.dmp

memory/2712-1-0x0000000000E30000-0x0000000001020000-memory.dmp

memory/2712-2-0x00007FFB83AE3000-0x00007FFB83AE4000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-05 06:28

Reported

2024-07-05 06:31

Platform

win10v2004-20240704-en

Max time kernel

150s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Debugs\VersionStable.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Debugs\VersionStable.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-05 06:28

Reported

2024-07-05 06:31

Platform

win10-20240404-en

Max time kernel

133s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Debugs\VersionStable.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Debugs\VersionStable.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 26.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 35.197.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-07-05 06:28

Reported

2024-07-05 06:33

Platform

win10-20240611-en

Max time kernel

128s

Max time network

138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\Injecting.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\Injecting.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 26.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 108.116.69.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-07-05 06:28

Reported

2024-07-05 06:31

Platform

win10v2004-20240508-en

Max time kernel

53s

Max time network

67s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1856 set thread context of 2880 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\more.com

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\more.com | N/A
N/A | N/A | C:\Windows\SysWOW64\more.com | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\more.com | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/1856-0-0x00007FFE6D250000-0x00007FFE6D26C000-memory.dmp

memory/1856-5-0x00007FFE6D250000-0x00007FFE6D26C000-memory.dmp

memory/1856-4-0x00007FFE6D268000-0x00007FFE6D269000-memory.dmp

memory/1856-6-0x00007FFE6D250000-0x00007FFE6D26C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8f2e1c6c

MD5 00cad6313888c625eabca9bdb7143cd2
SHA1 1a2dd69e3b3c6f3f3b529c0e7a3787a69567f42d
SHA256 62c4a5b16ea157c9c22761306d863966a851105ea24f258fe28096c23eacd698
SHA512 8536a70dc0390f9838bda5e4665a4e0a4481d5360d48903f036c1435a62517d603cd25d6e931ce44f1db14da46086dd9ad9a1493be73ecb9282b9ebf22b1d80a

memory/2880-10-0x00007FFE75C30000-0x00007FFE75E25000-memory.dmp

memory/2880-11-0x00000000755B0000-0x00000000755C4000-memory.dmp

memory/2880-13-0x00000000755B0000-0x00000000755C4000-memory.dmp

memory/2880-12-0x00000000755BE000-0x00000000755C0000-memory.dmp

memory/2880-15-0x00000000755B0000-0x00000000755C4000-memory.dmp

memory/4788-16-0x00007FFE75C30000-0x00007FFE75E25000-memory.dmp

memory/4788-17-0x0000000000C00000-0x0000000000C58000-memory.dmp

memory/4788-20-0x00000000007BB000-0x00000000007C2000-memory.dmp

memory/4788-21-0x0000000000C00000-0x0000000000C58000-memory.dmp

memory/2880-22-0x00000000755BE000-0x00000000755C0000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-07-05 06:28

Reported

2024-07-05 06:31

Platform

win10v2004-20240508-en

Max time kernel

79s

Max time network

100s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msedge_elf.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msedge_elf.dll,#1

Network

Country Destination Domain Proto
US 52.111.229.43:443 tcp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-07-05 06:28

Reported

2024-07-05 06:31

Platform

win10-20240404-en

Max time kernel

75s

Max time network

80s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\test.asp

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\test.asp

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-05 06:28

Reported

2024-07-05 06:31

Platform

win10-20240611-en

Max time kernel

127s

Max time network

138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Debugs\AlphaFS.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Debugs\AlphaFS.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 35.197.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-05 06:28

Reported

2024-07-05 06:31

Platform

win10v2004-20240704-en

Max time kernel

93s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Debugs\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Debugs\Newtonsoft.Json.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-07-05 06:28

Reported

2024-07-05 06:31

Platform

win10v2004-20240704-en

Max time kernel

93s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\Injecting.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\Injecting.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-07-05 06:28

Reported

2024-07-05 06:31

Platform

win10v2004-20240704-en

Max time kernel

149s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\libEGL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4248 wrote to memory of 3232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4248 wrote to memory of 3232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4248 wrote to memory of 3232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\libEGL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\libEGL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 604

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-05 06:28

Reported

2024-07-05 06:31

Platform

win10v2004-20240704-en

Max time kernel

149s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Debugs\License.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Debugs\License.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-07-05 06:28

Reported

2024-07-05 06:32

Platform

win10-20240404-en

Max time kernel

174s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\Extreme.Net.dll,#1

Signatures

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 6396 set thread context of 6212 N/A C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe C:\Windows\SysWOW64\more.com
PID 4564 set thread context of 392 N/A C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe C:\Windows\SysWOW64\more.com
PID 6492 set thread context of 972 N/A C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe C:\Windows\SysWOW64\more.com
PID 6796 set thread context of 5520 N/A C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe C:\Windows\SysWOW64\more.com
PID 5528 set thread context of 640 N/A C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe C:\Windows\SysWOW64\more.com
PID 6244 set thread context of 6132 N/A C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe C:\Windows\SysWOW64\more.com
PID 520 set thread context of 6044 N/A C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe C:\Windows\SysWOW64\more.com
PID 6604 set thread context of 6440 N/A C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe C:\Windows\SysWOW64\more.com
PID 6612 set thread context of 5464 N/A C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe C:\Windows\SysWOW64\more.com
PID 6968 set thread context of 5324 N/A C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe C:\Windows\SysWOW64\more.com

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$.zip:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1556 wrote to memory of 4528 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1556 wrote to memory of 4528 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1556 wrote to memory of 4528 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1556 wrote to memory of 4528 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1556 wrote to memory of 4528 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1556 wrote to memory of 4528 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1556 wrote to memory of 4528 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1556 wrote to memory of 4528 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1556 wrote to memory of 4528 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1556 wrote to memory of 4528 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1556 wrote to memory of 4528 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 4576 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 4576 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 2616 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 2616 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 2616 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\Extreme.Net.dll,#1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.0.256192670\538984355" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1612 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b35f99a2-8590-4b61-880c-36fd57152f83} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 1780 23a6e8f0e58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.1.180961114\1945428131" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca71ad77-579a-4a21-9b3a-87338ad9087a} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 2136 23a63872b58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.2.2087785568\1872984519" -childID 1 -isForBrowser -prefsHandle 2924 -prefMapHandle 2920 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {da425ef8-7408-469b-bcf8-f6d424ebcecb} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 2936 23a72b9d458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.3.75058371\1274503902" -childID 2 -isForBrowser -prefsHandle 3524 -prefMapHandle 3528 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {588b7a54-64ef-4c4c-8858-74085202e58d} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 3556 23a711e4d58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.4.1741440085\1872824567" -childID 3 -isForBrowser -prefsHandle 4384 -prefMapHandle 4376 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {16fee4f0-de87-438d-a50e-a8322c386d00} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 4396 23a74e28958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.5.1528660120\794880995" -childID 4 -isForBrowser -prefsHandle 4984 -prefMapHandle 4980 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ee51924-2857-4ee6-9119-7ba88374f0d3} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 4992 23a63865658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.6.1931859016\1908959936" -childID 5 -isForBrowser -prefsHandle 1380 -prefMapHandle 1552 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {54dc4cbc-1439-4351-b0c7-aa0dd4b0d0dd} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 5116 23a75384258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.7.786274565\341324183" -childID 6 -isForBrowser -prefsHandle 5252 -prefMapHandle 5256 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb5d4790-1be1-4786-b063-d72d21430f9a} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 5244 23a75384b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.8.1085262786\1446866004" -childID 7 -isForBrowser -prefsHandle 5612 -prefMapHandle 5616 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ca49423-c4fc-4ad4-8e26-815714b460f2} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 5632 23a6eb3b458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.9.1319680788\1298330172" -childID 8 -isForBrowser -prefsHandle 9460 -prefMapHandle 10088 -prefsLen 26543 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1392a664-1eb6-4e51-ba6b-0df35821ec4e} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 9444 23a6ebf3558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.10.1064870816\1452692527" -childID 9 -isForBrowser -prefsHandle 9364 -prefMapHandle 9360 -prefsLen 26543 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee41d15a-e458-4ec1-bbb4-e0cdd817cfc1} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 9372 23a77bce358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.11.1961872403\381782839" -childID 10 -isForBrowser -prefsHandle 9480 -prefMapHandle 10096 -prefsLen 26543 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f5feec7-f0c8-4620-8cfd-b1b362df2d65} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 10060 23a77e0c758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.12.166951869\1846538772" -childID 11 -isForBrowser -prefsHandle 9492 -prefMapHandle 9488 -prefsLen 26543 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b26e8928-156d-43c4-b455-2b317f9599a6} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 9288 23a77e0df58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.13.169294894\63820366" -childID 12 -isForBrowser -prefsHandle 9492 -prefMapHandle 9284 -prefsLen 26543 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c480144-e5a7-41b0-a82c-6d7a46172017} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 9296 23a7818ee58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.14.1850635965\405547875" -childID 13 -isForBrowser -prefsHandle 9296 -prefMapHandle 8992 -prefsLen 26543 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6674cff-67ff-4337-aafe-956d11d4f53f} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 9492 23a78479858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.15.644725712\1453449888" -childID 14 -isForBrowser -prefsHandle 8920 -prefMapHandle 8924 -prefsLen 26543 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {311e8701-2156-455a-b94f-4cd5a43883b0} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 8660 23a78458558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.16.1232460903\1468436626" -childID 15 -isForBrowser -prefsHandle 9020 -prefMapHandle 9016 -prefsLen 26543 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c913dc27-d2f7-4667-a0fe-fb8bceed30b6} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 8880 23a78541658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.17.361382641\814551459" -childID 16 -isForBrowser -prefsHandle 8360 -prefMapHandle 8356 -prefsLen 26543 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb779f7e-73bb-4fe8-8dc5-77295e208b87} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 8368 23a78540458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.18.1844974214\523259513" -childID 17 -isForBrowser -prefsHandle 8176 -prefMapHandle 8164 -prefsLen 26543 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {00819f11-7772-457c-82c3-ca6866c4e7db} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 8188 23a78455b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.19.1981872973\1651969631" -childID 18 -isForBrowser -prefsHandle 8140 -prefMapHandle 8132 -prefsLen 26543 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6845327-c0dd-41b8-98db-a87889468be3} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 8360 23a78039858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.20.423606262\735696949" -childID 19 -isForBrowser -prefsHandle 9020 -prefMapHandle 9024 -prefsLen 26543 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4a5d91e-ffcb-4aaf-97a2-23f909a79b89} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 7828 23a78038958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.21.672510966\731739775" -childID 20 -isForBrowser -prefsHandle 7636 -prefMapHandle 9020 -prefsLen 26543 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a54b19ea-d1ca-4719-b9e6-175e0b863a9e} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 7644 23a78b05558 tab

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.22.1235135177\1499424435" -childID 21 -isForBrowser -prefsHandle 7376 -prefMapHandle 7284 -prefsLen 26543 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b255326-54ab-4791-bc4a-7a875d709841} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 7308 23a70034958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.23.364325266\1305227531" -childID 22 -isForBrowser -prefsHandle 6884 -prefMapHandle 6888 -prefsLen 26543 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c06f80b-d768-4a6d-b8c3-5d8d26d7e44d} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 6952 23a7743f558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.24.1488273622\1213081290" -childID 23 -isForBrowser -prefsHandle 6872 -prefMapHandle 6876 -prefsLen 26543 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5eb9d9cc-1cd1-4105-8a13-6c1a199bbd10} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 6840 23a77442558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.25.89188524\1552483277" -childID 24 -isForBrowser -prefsHandle 6860 -prefMapHandle 6864 -prefsLen 26543 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cd7d3b5-b342-416d-a271-af8cb2dd2134} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 6728 23a77440758 tab

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\" -ad -an -ai#7zMap20380:118:7zEvent25184

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\" -an -ai#7zMap32563:196:7zEvent29477

C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe

"C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe

"C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe

"C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe"

C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe

"C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe

"C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe"

C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe

"C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe

"C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe

"C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe"

C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe

"C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe"

C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe

"C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network

Country Destination Domain Proto
N/A 127.0.0.1:49775 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 44.242.121.21:443 shavar.prod.mozaws.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 8.8.8.8:53 166.188.117.34.in-addr.arpa udp
US 8.8.8.8:53 21.121.242.44.in-addr.arpa udp
N/A 127.0.0.1:49783 tcp
US 8.8.8.8:53 easyupload.io udp
US 104.26.2.69:80 easyupload.io tcp
US 104.26.2.69:80 easyupload.io tcp
US 8.8.8.8:53 easyupload.io udp
US 8.8.8.8:53 easyupload.io udp
US 104.26.2.69:443 easyupload.io tcp
US 8.8.8.8:53 static.cloudflareinsights.com udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 static.cloudflareinsights.com udp
US 104.16.79.73:443 static.cloudflareinsights.com tcp
US 8.8.8.8:53 static.cloudflareinsights.com udp
US 8.8.8.8:53 cnt.trvdp.com udp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 8.8.8.8:53 cdn.jsdelivr.net udp
US 8.8.8.8:53 cdn.adapex.io udp
US 8.8.8.8:53 platform.twitter.com udp
US 8.8.8.8:53 securepubads.g.doubleclick.net udp
US 151.101.129.229:443 cdn.jsdelivr.net tcp
US 8.8.8.8:53 jsdelivr.map.fastly.net udp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
NL 18.65.39.56:443 cnt.trvdp.com tcp
NL 18.65.39.56:443 cnt.trvdp.com tcp
US 104.21.234.176:443 cdn.adapex.io tcp
PL 93.184.220.66:443 platform.twitter.com tcp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 8.8.8.8:53 securepubads.g.doubleclick.net udp
US 8.8.8.8:53 jsdelivr.map.fastly.net udp
GB 172.217.169.34:443 securepubads.g.doubleclick.net tcp
US 8.8.8.8:53 69.2.26.104.in-addr.arpa udp
US 8.8.8.8:53 73.79.16.104.in-addr.arpa udp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 8.8.8.8:53 securepubads.g.doubleclick.net udp
US 8.8.8.8:53 cnt.trvdp.com udp
US 8.8.8.8:53 cdn.adapex.io udp
US 8.8.8.8:53 cnt.trvdp.com udp
US 8.8.8.8:53 cs41.wac.edgecastcdn.net udp
US 8.8.8.8:53 cdn.adapex.io udp
US 151.101.129.229:443 jsdelivr.map.fastly.net udp
US 8.8.8.8:53 cs41.wac.edgecastcdn.net udp
US 104.17.25.14:443 cdnjs.cloudflare.com udp
US 8.8.8.8:53 stg.truvidplayer.com udp
US 104.21.234.176:443 cdn.adapex.io udp
GB 172.217.169.34:443 securepubads.g.doubleclick.net udp
NL 13.227.219.24:443 stg.truvidplayer.com tcp
US 8.8.8.8:53 stg.truvidplayer.com udp
NL 13.227.219.24:443 stg.truvidplayer.com tcp
US 8.8.8.8:53 stg.truvidplayer.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 229.129.101.151.in-addr.arpa udp
US 8.8.8.8:53 14.25.17.104.in-addr.arpa udp
US 8.8.8.8:53 56.39.65.18.in-addr.arpa udp
US 8.8.8.8:53 72.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 176.234.21.104.in-addr.arpa udp
US 8.8.8.8:53 66.220.184.93.in-addr.arpa udp
US 8.8.8.8:53 34.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 24.219.227.13.in-addr.arpa udp
US 8.8.8.8:53 cat1.hbwrapper.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 cloudflare.com udp
US 8.8.8.8:53 c.amazon-adsystem.com udp
US 134.122.30.244:443 cat1.hbwrapper.com tcp
US 8.8.8.8:53 cat1.hbwrapper.com udp
US 151.101.129.229:443 jsdelivr.map.fastly.net udp
US 8.8.8.8:53 p2.gcprivacy.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 104.16.133.229:443 cloudflare.com tcp
US 8.8.8.8:53 cloudflare.com udp
NL 18.239.70.203:443 c.amazon-adsystem.com tcp
US 8.8.8.8:53 cat1.hbwrapper.com udp
US 8.8.8.8:53 d1ykf07e75w7ss.cloudfront.net udp
US 8.8.8.8:53 cloudflare.com udp
US 44.218.22.218:443 p2.gcprivacy.com tcp
US 8.8.8.8:53 p2.gcprivacy.com udp
US 8.8.8.8:53 ib.adnxs.com udp
US 8.8.8.8:53 d1ykf07e75w7ss.cloudfront.net udp
US 8.8.8.8:53 grid.bidswitch.net udp
US 8.8.8.8:53 onetag-sys.com udp
US 8.8.8.8:53 prebid.a-mo.net udp
US 8.8.8.8:53 p2.gcprivacy.com udp
US 8.8.8.8:53 ads.yieldmo.com udp
US 8.8.8.8:53 rtb.openx.net udp
US 8.8.8.8:53 htlb.casalemedia.com udp
US 8.8.8.8:53 ad.360yield.com udp
US 8.8.8.8:53 hbopenbid.pubmatic.com udp
US 8.8.8.8:53 ghb.adtelligent.com udp
US 8.8.8.8:53 hb.yellowblue.io udp
US 8.8.8.8:53 targeting.unrulymedia.com udp
US 8.8.8.8:53 fastlane.rubiconproject.com udp
US 8.8.8.8:53 ssc.33across.com udp
US 8.8.8.8:53 s.seedtag.com udp
US 8.8.8.8:53 rt.marphezis.com udp
US 8.8.8.8:53 g2.gumgum.com udp
US 8.8.8.8:53 prebid.media.net udp
US 8.8.8.8:53 pbs.optidigital.com udp
US 8.8.8.8:53 btlr.sharethrough.com udp
US 8.8.8.8:53 prebid.smilewanted.com udp
US 8.8.8.8:53 ib.anycast.adnxs.com udp
US 8.8.8.8:53 bidder.nl3.vip.prod.criteo.com udp
US 8.8.8.8:53 htlb.casalemedia.com udp
DE 51.89.9.252:443 onetag-sys.com tcp
NL 145.40.97.67:443 prebid.a-mo.net tcp
DE 142.132.249.188:443 ghb.adtelligent.com tcp
NL 18.239.50.10:443 hb.yellowblue.io tcp
US 34.149.50.64:443 s.seedtag.com tcp
US 178.128.135.204:443 rt.marphezis.com tcp
US 8.8.8.8:53 s.trvdp.com udp
US 8.8.8.8:53 htlb.casalemedia.com udp
US 8.8.8.8:53 ib.anycast.adnxs.com udp
US 8.8.8.8:53 bidder.nl3.vip.prod.criteo.com udp
US 34.160.72.119:443 pbs.optidigital.com tcp
US 104.22.31.209:443 prebid.smilewanted.com tcp
US 104.22.31.209:443 prebid.smilewanted.com tcp
US 104.22.31.209:443 prebid.smilewanted.com tcp
US 104.22.31.209:443 prebid.smilewanted.com tcp
US 8.8.8.8:53 euw-ice.360yield.com udp
NL 18.65.39.118:443 s.trvdp.com tcp
NL 18.65.39.118:443 s.trvdp.com tcp
US 8.8.8.8:53 secure.quantserve.com udp
US 8.8.8.8:53 rw-yieldmo-com-tf-362867385.eu-west-1.elb.amazonaws.com udp
US 8.8.8.8:53 am6-prebid.a-mx.net udp
US 8.8.8.8:53 boot.pbstck.com udp
US 8.8.8.8:53 p.gcprivacy.com udp
US 8.8.8.8:53 euw-ice.360yield.com udp
US 8.8.8.8:53 rw-yieldmo-com-tf-362867385.eu-west-1.elb.amazonaws.com udp
US 8.8.8.8:53 am6-prebid.a-mx.net udp
US 172.67.25.151:443 boot.pbstck.com tcp
US 172.67.25.151:443 boot.pbstck.com tcp
US 8.8.8.8:53 rtb.openx.net udp
US 8.8.8.8:53 onetag-sys.com udp
US 8.8.8.8:53 rt.marphezis.com udp
US 8.8.8.8:53 rtb.openx.net udp
US 8.8.8.8:53 onetag-sys.com udp
US 8.8.8.8:53 rt.marphezis.com udp
NL 18.239.18.109:443 p.gcprivacy.com tcp
US 8.8.8.8:53 hbopenbid-lhrc.pubmnet.com udp
US 8.8.8.8:53 tag.1rx.io udp
US 8.8.8.8:53 s.seedtag.com udp
US 8.8.8.8:53 config.aps.amazon-adsystem.com udp
US 8.8.8.8:53 aax.amazon-adsystem.com udp
US 8.8.8.8:53 hbopenbid-lhrc.pubmnet.com udp
US 8.8.8.8:53 s.seedtag.com udp
US 8.8.8.8:53 tag.1rx.io udp
US 8.8.8.8:53 ssc.33across.com udp
US 8.8.8.8:53 tagged-by.rubiconproject.net.akadns.net udp
US 8.8.8.8:53 hb.yellowblue.io udp
NL 18.239.68.199:443 aax.amazon-adsystem.com tcp
US 8.8.8.8:53 tagged-by.rubiconproject.net.akadns.net udp
US 8.8.8.8:53 ssc.33across.com udp
US 8.8.8.8:53 hb.yellowblue.io udp
US 8.8.8.8:53 secure.cdn.fastclick.net udp
US 8.8.8.8:53 tags.crwdcntrl.net udp
US 8.8.8.8:53 cdn.hadronid.net udp
US 8.8.8.8:53 cdn.id5-sync.com udp
US 8.8.8.8:53 cdn.browsiprod.com udp
US 8.8.8.8:53 ghb-adtelligent-com.geodns.me udp
US 34.149.50.64:443 s.seedtag.com udp
US 8.8.8.8:53 prebid.media.net udp
US 8.8.8.8:53 pbs.optidigital.com udp
US 104.22.52.173:443 cdn.hadronid.net tcp
NL 18.65.39.122:443 cdn.browsiprod.com tcp
DE 51.89.9.252:443 onetag-sys.com udp
US 8.8.8.8:53 ghb-adtelligent-com.geodns.me udp
US 8.8.8.8:53 prebid.media.net udp
US 8.8.8.8:53 pbs.optidigital.com udp
US 172.67.25.151:443 boot.pbstck.com udp
US 8.8.8.8:53 g2.gumgum.com udp
US 8.8.8.8:53 229.133.16.104.in-addr.arpa udp
US 8.8.8.8:53 203.70.239.18.in-addr.arpa udp
US 8.8.8.8:53 244.30.122.134.in-addr.arpa udp
US 8.8.8.8:53 218.22.218.44.in-addr.arpa udp
US 8.8.8.8:53 64.50.149.34.in-addr.arpa udp
US 8.8.8.8:53 67.97.40.145.in-addr.arpa udp
US 8.8.8.8:53 10.50.239.18.in-addr.arpa udp
US 8.8.8.8:53 252.9.89.51.in-addr.arpa udp
US 8.8.8.8:53 188.249.132.142.in-addr.arpa udp
US 8.8.8.8:53 btlr-eu-central-1.sharethrough.com udp
US 8.8.8.8:53 204.135.128.178.in-addr.arpa udp
US 8.8.8.8:53 209.31.22.104.in-addr.arpa udp
US 8.8.8.8:53 119.72.160.34.in-addr.arpa udp
US 8.8.8.8:53 118.39.65.18.in-addr.arpa udp
US 8.8.8.8:53 151.25.67.172.in-addr.arpa udp
US 8.8.8.8:53 109.18.239.18.in-addr.arpa udp
US 8.8.8.8:53 199.68.239.18.in-addr.arpa udp
US 8.8.8.8:53 173.52.22.104.in-addr.arpa udp
US 8.8.8.8:53 cdn.pbstck.com udp
US 8.8.8.8:53 btlr-eu-central-1.sharethrough.com udp
US 8.8.8.8:53 g2.gumgum.com udp
US 8.8.8.8:53 prebid.smilewanted.com udp
US 8.8.8.8:53 rt.ad-score.com udp
US 8.8.8.8:53 id.hadron.ad.gt udp
US 8.8.8.8:53 s.trvdp.com udp
US 8.8.8.8:53 global.px.quantserve.com udp
US 104.22.0.93:443 cdn.pbstck.com tcp
US 104.22.0.93:443 cdn.pbstck.com tcp
US 8.8.8.8:53 events.browsiprod.com udp
US 8.8.8.8:53 yield-manager.browsiprod.com udp
US 8.8.8.8:53 prebid.smilewanted.com udp
US 35.208.216.174:443 rt.ad-score.com tcp
US 35.208.216.174:443 rt.ad-score.com tcp
US 104.22.4.69:443 id.hadron.ad.gt tcp
US 104.22.4.69:443 id.hadron.ad.gt tcp
US 8.8.8.8:53 s.trvdp.com udp
US 8.8.8.8:53 global.px.quantserve.com udp
US 44.238.202.240:443 events.browsiprod.com tcp
NL 18.239.36.122:443 yield-manager.browsiprod.com tcp
US 8.8.8.8:53 boot.pbstck.com udp
US 8.8.8.8:53 p.gcprivacy.com udp
US 8.8.8.8:53 boot.pbstck.com udp
US 8.8.8.8:53 config.aps.amazon-adsystem.com udp
US 34.160.72.119:443 pbs.optidigital.com udp
US 8.8.8.8:53 p.gcprivacy.com udp
US 8.8.8.8:53 d1jvc9b8z3vcjs.cloudfront.net udp
US 104.22.0.93:443 boot.pbstck.com udp
US 8.8.8.8:53 config.aps.amazon-adsystem.com udp
US 8.8.8.8:53 aggle.net udp
US 8.8.8.8:53 id.a-mx.com udp
US 8.8.8.8:53 e4536.g.akamaiedge.net udp
US 8.8.8.8:53 id.crwdcntrl.net udp
US 8.8.8.8:53 d1jvc9b8z3vcjs.cloudfront.net udp
US 8.8.8.8:53 cdn.hadronid.net udp
US 3.33.163.81:443 aggle.net tcp
DE 79.127.216.47:443 id.a-mx.com tcp
US 8.8.8.8:53 e4536.g.akamaiedge.net udp
US 8.8.8.8:53 tags.crwdcntrl.net udp
US 8.8.8.8:53 cdn.hadronid.net udp
US 8.8.8.8:53 cdn.id5-sync.com udp
US 8.8.8.8:53 tags.crwdcntrl.net udp
US 8.8.8.8:53 cdn.browsiprod.com udp
US 8.8.8.8:53 cdn.id5-sync.com udp
US 8.8.8.8:53 cdn.pbstck.com udp
US 8.8.8.8:53 cdn.browsiprod.com udp
US 8.8.8.8:53 eu5.easyupload.io udp
US 8.8.8.8:53 rt.ad-score.com udp
US 8.8.8.8:53 cdn.pbstck.com udp
US 8.8.8.8:53 a.ad.gt udp
US 8.8.8.8:53 id.hadron.ad.gt.cdn.cloudflare.net udp
US 172.67.71.25:443 eu5.easyupload.io tcp
US 8.8.8.8:53 rt.ad-score.com udp
US 8.8.8.8:53 events.browsiprod.com udp
US 8.8.8.8:53 id.hadron.ad.gt.cdn.cloudflare.net udp
US 104.22.4.69:443 id.hadron.ad.gt.cdn.cloudflare.net tcp
US 8.8.8.8:53 yield-manager.browsiprod.com udp
US 8.8.8.8:53 intake.pbstck.com udp
US 8.8.8.8:53 events.browsiprod.com udp
US 8.8.8.8:53 aggle.net udp
US 8.8.8.8:53 yield-manager.browsiprod.com udp
US 172.67.25.151:443 intake.pbstck.com tcp
US 172.67.25.151:443 intake.pbstck.com tcp
US 172.67.25.151:443 intake.pbstck.com tcp
US 8.8.8.8:53 id.a-mx.com udp
US 8.8.8.8:53 id.a-mx.com udp
US 8.8.8.8:53 aggle.net udp
US 8.8.8.8:53 id.crwdcntrl.net udp
US 8.8.8.8:53 eu5.easyupload.io udp
US 8.8.8.8:53 a.ad.gt.cdn.cloudflare.net udp
US 172.67.25.151:443 intake.pbstck.com udp
US 8.8.8.8:53 id.crwdcntrl.net udp
US 8.8.8.8:53 eu5.easyupload.io udp
US 8.8.8.8:53 a.ad.gt.cdn.cloudflare.net udp
US 8.8.8.8:53 intake.pbstck.com udp
US 8.8.8.8:53 intake.pbstck.com udp
US 8.8.8.8:53 122.39.65.18.in-addr.arpa udp
US 8.8.8.8:53 93.0.22.104.in-addr.arpa udp
US 8.8.8.8:53 69.4.22.104.in-addr.arpa udp
US 8.8.8.8:53 122.36.239.18.in-addr.arpa udp
US 8.8.8.8:53 174.216.208.35.in-addr.arpa udp
US 8.8.8.8:53 240.202.238.44.in-addr.arpa udp
US 8.8.8.8:53 81.163.33.3.in-addr.arpa udp
US 8.8.8.8:53 47.216.127.79.in-addr.arpa udp
US 8.8.8.8:53 25.71.67.172.in-addr.arpa udp
US 8.8.8.8:53 api.rlcdn.com udp
US 8.8.8.8:53 api.rlcdn.com udp
US 34.120.133.55:443 api.rlcdn.com tcp
US 8.8.8.8:53 api.rlcdn.com udp
US 34.120.133.55:443 api.rlcdn.com udp
US 8.8.8.8:53 ssc-cms.33across.com udp
US 8.8.8.8:53 js-sec.indexww.com udp
US 8.8.8.8:53 hbx.media.net udp
US 8.8.8.8:53 acdn.adnxs.com udp
IE 34.252.172.206:443 rw-yieldmo-com-tf-362867385.eu-west-1.elb.amazonaws.com tcp
US 8.8.8.8:53 csync.smilewanted.com udp
US 151.101.193.108:443 acdn.adnxs.com tcp
US 172.64.149.180:443 js-sec.indexww.com tcp
US 8.8.8.8:53 js-sec.indexww.com udp
GB 23.46.72.29:443 hbx.media.net tcp
US 67.202.105.23:443 ssc-cms.33across.com tcp
US 8.8.8.8:53 hbx.media.net udp
US 8.8.8.8:53 u.openx.net udp
US 67.202.105.23:443 ssc-cms.33across.com tcp
US 67.202.105.23:443 ssc-cms.33across.com tcp
US 8.8.8.8:53 vid.vidoomy.com udp
US 8.8.8.8:53 scripts.opti-digital.com udp
US 104.22.31.209:443 csync.smilewanted.com tcp
US 8.8.8.8:53 eus.rubiconproject.com udp
US 8.8.8.8:53 ads.pubmatic.com udp
US 67.202.105.23:443 ssc-cms.33across.com tcp
US 35.244.159.8:443 u.openx.net tcp
US 8.8.8.8:53 x.bidswitch.net udp
US 8.8.8.8:53 js-sec.indexww.com udp
US 8.8.8.8:53 prebid.adnxs.com udp
US 8.8.8.8:53 prod.appnexus.map.fastly.net udp
US 8.8.8.8:53 hbx.media.net udp
GB 23.46.73.76:443 eus.rubiconproject.com tcp
GB 23.36.168.202:443 ads.pubmatic.com tcp
US 104.18.2.52:443 scripts.opti-digital.com tcp
GB 195.181.164.15:443 vid.vidoomy.com tcp
US 8.8.8.8:53 pixel.33across.com udp
US 8.8.8.8:53 csync.smilewanted.com udp
US 8.8.8.8:53 55.133.120.34.in-addr.arpa udp
US 8.8.8.8:53 206.172.252.34.in-addr.arpa udp
US 8.8.8.8:53 108.193.101.151.in-addr.arpa udp
US 8.8.8.8:53 180.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 29.72.46.23.in-addr.arpa udp
US 8.8.8.8:53 8.159.244.35.in-addr.arpa udp
US 8.8.8.8:53 23.105.202.67.in-addr.arpa udp
US 8.8.8.8:53 u.openx.net udp
US 8.8.8.8:53 pixel.33across.com udp
US 8.8.8.8:53 csync.smilewanted.com udp
US 8.8.8.8:53 static.smilewanted.com udp
NL 185.89.208.11:443 prebid.adnxs.com tcp
NL 35.214.149.91:443 x.bidswitch.net tcp
US 8.8.8.8:53 e8960.b.akamaiedge.net udp
US 8.8.8.8:53 e6603.g.akamaiedge.net udp
US 8.8.8.8:53 u.openx.net udp
US 104.22.31.209:443 static.smilewanted.com tcp
GB 23.46.72.29:443 hbx.media.net udp
US 8.8.8.8:53 ssum-sec.casalemedia.com udp
US 8.8.8.8:53 sync.adtelligent.com udp
US 8.8.8.8:53 e8960.b.akamaiedge.net udp
DE 37.252.171.52:443 ib.adnxs.com tcp
US 8.8.8.8:53 scripts.opti-digital.com udp
US 8.8.8.8:53 e6603.g.akamaiedge.net udp
US 35.244.159.8:443 u.openx.net udp
US 8.8.8.8:53 1651846316.rsc.cdn77.org udp
GB 185.83.71.234:443 sync.adtelligent.com tcp
US 104.18.2.52:443 scripts.opti-digital.com udp
US 8.8.8.8:53 1651846316.rsc.cdn77.org udp
US 8.8.8.8:53 scripts.opti-digital.com udp
US 8.8.8.8:53 xandr-prebid.trafficmanager.net udp
US 8.8.8.8:53 sync.smartadserver.com udp
US 8.8.8.8:53 user-data-eu.bidswitch.net udp
US 8.8.8.8:53 static.smilewanted.com udp
US 8.8.8.8:53 xandr-prebid.trafficmanager.net udp
US 8.8.8.8:53 user-data-eu.bidswitch.net udp
US 8.8.8.8:53 secure.adnxs.com udp
US 8.8.8.8:53 pixel.rubiconproject.com udp
US 104.18.36.155:443 ssum-sec.casalemedia.com tcp
NL 89.149.193.89:443 sync.smartadserver.com tcp
NL 185.89.210.244:443 secure.adnxs.com tcp
US 8.8.8.8:53 sync-unosync-com.geodns.me udp
US 8.8.8.8:53 static.smilewanted.com udp
US 8.8.8.8:53 ssum-sec.casalemedia.com udp
US 8.8.8.8:53 ice.360yield.com udp
US 8.8.8.8:53 sync-unosync-com.geodns.me udp
US 8.8.8.8:53 rtb-csync-euw1.smartadserver.com udp
US 8.8.8.8:53 ssum-sec.casalemedia.com udp
NL 69.173.156.148:443 pixel.rubiconproject.com tcp
IE 54.75.246.78:443 ice.360yield.com tcp
US 8.8.8.8:53 rtb-csync-euw1.smartadserver.com udp
US 8.8.8.8:53 pixel.rubiconproject.net.akadns.net udp
US 8.8.8.8:53 ap.lijit.com udp
US 8.8.8.8:53 cm.adform.net udp
US 8.8.8.8:53 us.shb-sync.com udp
US 8.8.8.8:53 s.ad.smaato.net udp
US 8.8.8.8:53 pixel.rubiconproject.net.akadns.net udp
US 8.8.8.8:53 76.73.46.23.in-addr.arpa udp
US 8.8.8.8:53 202.168.36.23.in-addr.arpa udp
US 8.8.8.8:53 15.164.181.195.in-addr.arpa udp
US 8.8.8.8:53 52.2.18.104.in-addr.arpa udp
US 8.8.8.8:53 11.208.89.185.in-addr.arpa udp
US 8.8.8.8:53 91.149.214.35.in-addr.arpa udp
US 8.8.8.8:53 52.171.252.37.in-addr.arpa udp
US 8.8.8.8:53 234.71.83.185.in-addr.arpa udp
US 8.8.8.8:53 155.36.18.104.in-addr.arpa udp
US 8.8.8.8:53 89.193.149.89.in-addr.arpa udp
US 8.8.8.8:53 244.210.89.185.in-addr.arpa udp
US 8.8.8.8:53 148.156.173.69.in-addr.arpa udp
US 8.8.8.8:53 78.246.75.54.in-addr.arpa udp
US 8.8.8.8:53 blackbird-prd-ew1-alb-87915139.eu-west-1.elb.amazonaws.com udp
US 8.8.8.8:53 track-eu.adformnet.akadns.net udp
IE 52.209.44.234:443 ap.lijit.com tcp
DK 37.157.2.228:443 cm.adform.net tcp
US 8.2.110.33:443 us.shb-sync.com tcp
NL 18.239.94.61:443 s.ad.smaato.net tcp
US 8.8.8.8:53 track-eu.adformnet.akadns.net udp
US 8.8.8.8:53 blackbird-prd-ew1-alb-87915139.eu-west-1.elb.amazonaws.com udp
US 104.18.36.155:443 ssum-sec.casalemedia.com udp
US 8.8.8.8:53 us.shb-sync.com udp
US 8.8.8.8:53 us.shb-sync.com udp
US 8.8.8.8:53 s.ad.smaato.net udp
US 8.8.8.8:53 s.ad.smaato.net udp
US 216.239.32.36:443 region1.google-analytics.com tcp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 234.44.209.52.in-addr.arpa udp
US 8.8.8.8:53 228.2.157.37.in-addr.arpa udp
US 8.8.8.8:53 61.94.239.18.in-addr.arpa udp
US 8.8.8.8:53 33.110.2.8.in-addr.arpa udp
US 216.239.32.36:443 region1.google-analytics.com udp
US 8.8.8.8:53 token.rubiconproject.com udp
NL 69.173.156.149:443 token.rubiconproject.com tcp
IE 52.50.226.183:443 ice.360yield.com tcp
US 8.8.8.8:53 pbs.optidigital.com udp
US 8.8.8.8:53 ssp-sync.criteo.com udp
US 8.8.8.8:53 ssbsync-global.smartadserver.com udp
US 8.8.8.8:53 eb2.3lift.com udp
US 8.8.8.8:53 ssp-sync.nl3.vip.prod.criteo.com udp
NL 178.250.1.7:443 ssp-sync.nl3.vip.prod.criteo.com tcp
US 8.8.8.8:53 ssp-sync.nl3.vip.prod.criteo.com udp
FR 178.32.197.53:443 ssbsync-global.smartadserver.com tcp
US 8.8.8.8:53 ssbsync-euw2.smartadserver.com udp
US 76.223.111.18:443 eb2.3lift.com tcp
US 8.8.8.8:53 eu-eb2.3lift.com udp
US 8.8.8.8:53 ssbsync-euw2.smartadserver.com udp
US 8.8.8.8:53 s.adtelligent.com udp
DE 142.132.249.184:443 s.adtelligent.com tcp
US 8.8.8.8:53 s-vertamedia-com.geodns.me udp
US 8.8.8.8:53 s-vertamedia-com.geodns.me udp
US 8.8.8.8:53 36.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 149.156.173.69.in-addr.arpa udp
US 8.8.8.8:53 183.226.50.52.in-addr.arpa udp
US 8.8.8.8:53 7.1.250.178.in-addr.arpa udp
US 8.8.8.8:53 18.111.223.76.in-addr.arpa udp
US 8.8.8.8:53 53.197.32.178.in-addr.arpa udp
US 8.8.8.8:53 184.249.132.142.in-addr.arpa udp
US 8.8.8.8:53 cdn.indexww.com udp
US 172.64.149.180:443 cdn.indexww.com tcp
US 8.8.8.8:53 cdn.indexww.com udp
US 8.8.8.8:53 vpaid.vidoomy.com udp
US 172.64.149.180:443 cdn.indexww.com tcp
GB 89.187.167.8:443 vpaid.vidoomy.com tcp
US 8.8.8.8:53 1099493781.rsc.cdn77.org udp
GB 89.187.167.8:443 vpaid.vidoomy.com tcp
US 35.186.253.211:443 rtb.openx.net tcp
US 35.186.253.211:443 rtb.openx.net udp
US 8.8.8.8:53 cdn.indexww.com udp
US 8.8.8.8:53 am6-prebid.a-mx.net udp
US 8.8.8.8:53 am6-prebid.a-mx.net udp
US 8.8.8.8:53 1099493781.rsc.cdn77.org udp
US 8.8.8.8:53 8.167.187.89.in-addr.arpa udp
US 8.8.8.8:53 211.253.186.35.in-addr.arpa udp
US 8.8.8.8:53 assets.a-mo.net udp
US 104.19.159.19:443 assets.a-mo.net tcp
US 8.8.8.8:53 assets.a-mo.net.cdn.cloudflare.net udp
US 8.8.8.8:53 assets.a-mo.net.cdn.cloudflare.net udp
US 8.8.8.8:53 19.159.19.104.in-addr.arpa udp
US 8.8.8.8:53 image8.pubmatic.com udp
GB 185.64.191.214:443 image8.pubmatic.com tcp
US 8.8.8.8:53 imagsync-lhrpairbc.pubmatic.com udp
US 8.8.8.8:53 imagsync-lhrpairbc.pubmatic.com udp
US 8.8.8.8:53 214.191.64.185.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\58a70c74-6ddd-428c-a600-a31edcf1a610

MD5 f6963b25bfaa91f3aa3b5eb471c65dfc
SHA1 1472a98fe9cf7e3ef94413dc0c5262e9511c9a98
SHA256 79d340443ed78a1e1f49dfc1d07030a714cdeecb2a081cc86fa1179ce15fccfe
SHA512 25c3bab648e855834282a2533afbcac390b87718b80602df112fffaeb0b9c17d72447d609e1c4258bbd3380d5bd64b4ffb6983e1af2f5b8bc62108bd250f5429

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\46445c98-cc01-47c9-9cef-47e8532bd590

MD5 c0f575c8777d8875c53957f2c7724987
SHA1 f44a4611578d30997559e974636ea5660678d30e
SHA256 995e3a06cbea3edcc6431f3dc917edd4580d318f5d118b6b765efbd31c09db49
SHA512 dd8b74b3e82f93fe462eec3cd455dcd4b73396c3154f00ed23dbf0a25365da078a95c8f730c52f99cf192c032d30391c6d05cb2e898b3400b796a798112aab51

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\db\data.safe.bin

MD5 854c3fcc98e6ed3906cc45ca65e283d4
SHA1 97fded75d17e99870bde19e1b7c10b35aed59da5
SHA256 8f8bf3008ab01039f5ec48447487b5f37b2e245a5baa0fe227288c17545d26d7
SHA512 5ebf42b2b6efdd01791aceda67140305d92ea836b9baeac3523e0a184af90698a67ad5dbbd92d6e0fbdb997a28d96a86710ab311dec2c6fbd7c35841f51bf71c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs.js

MD5 97309eaa0ea36c0d9a9b9c9786dc34e8
SHA1 b39fa882330fbcb626e8ecfc0edb365c32bed8f8
SHA256 94946e039ded1d3e3ee4a5003fa73ffaa80f2a8620cb6614d267bf579ea93ac2
SHA512 35eda972e57b8104618036ee8ab1267b64809e4298a4097b9057b42947b8fe85beeb84860c19f4aef138145b59f8af9e7372d7e0a56e9ec2c18ff577bc6df5f8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4

MD5 ba328301b7664dee37ed4119de3001b5
SHA1 84d2aec34fd817a4b13e3ccddb59b2726187d651
SHA256 a3a7b3209bc5dec24dc42aa322c10701c78ab335bca958c10f7dcacd91206436
SHA512 4d98d2b76575c488c40ba3deed69d11710d37eae7329131a9583d8b3aef8908aababc87cc8db63ef968c8812882b43fbfa224f57fae225a8e07f42328b64f89c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js

MD5 67be1644149c54cd40b2bb08a83dc81c
SHA1 ab211fc449bdc6faf70a46c731efccdf072e52de
SHA256 64ee1c2991bbc84be21e70dfe8c53113d1ee759f10d0fe20b7ec17f9835a8b9b
SHA512 cfc2fed1993e0d04157f40e3500a578a3c93e81dff892f2799ea7de9fdfbb0c89a445dc9497da20f150bffd6025abee9a8fd36c6243693b8aa6324d4fe0fd8e6

C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$.KFRMCT3d.zip.part

MD5 ba2ea4ea9bddd1f890f3441959e7dc5d
SHA1 ce98421e54a268f74f17fe0279726a17f9ffaf4f
SHA256 75240b9609c102dbec6d1ada163a1bfdfe156f55dd21c5e614b3a60722d61929
SHA512 fb952eeb92d736989409c6bcaac3d8edb96a262fd58dcf0f4ac18cecaaafd60929bb04c75bb1378485b9de099b55573740d0494ca7b7777f0a9c3ba99448de39

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore.jsonlz4

MD5 cef221a08f9e5c2f8aef42ad66455b52
SHA1 c7b32d8077b6f8dac852c53de89fac38feaca34f
SHA256 776defccf4ffffeb0dd80708875fd92127871c4c4b30d79fbb3bd4fee5a51e64
SHA512 02ac4a94f61bd312411e633751fa278e2209e88b8690d7bc7904cb673fd951ea4dd0a7dc474dc9a1b6af16af3de98da4bdb5aa2e2b183cb1d78fc65a15cd6b8e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js

MD5 6a3e5c7fd6c1231d28b689bd37957203
SHA1 f65c743f3155c4fe09ab51bad714ea27761770c7
SHA256 3a045a2b708ccb193758a66224be4252572efcd0222278d11249615776db2655
SHA512 edaaba64117d77ad247966d69190e7f099baaf3bf06c81c4646f508fdf660f25199078c988e577e1da698e9e29abae5ff5947c307a1caf421a5560ae924b8e77

C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\!ŞetUp_14807--#PaSꞨKḙy#$$.rar

MD5 415c085f378e65f59dfd6deae91cfab2
SHA1 4b9f3775fc9894c729f7fd535abbeac7db0702d5
SHA256 ebb59cab1ddc68e72abd89054f79792f214e5fb3d5a094168930334a28a069df
SHA512 7bda743ad7cbe740319fbe861b856fad2f555e5ac13f84722c3c5e2ace00e857cc4d42d9f61b80b70ec47c9587d62e8176fecc5207f22bb54ae9c14fa5ae4641

C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\Setup.exe

MD5 f975a2d83d63a473fa2fc5206b66bb79
SHA1 e49d21f112ab27ae0953aff30ae122440cf164b9
SHA256 6a2d3876003f6c68f824df4f0033564d8c230716908ba2e6c06ea1dd6d5f98e8
SHA512 4af4ce56bf131432d488ed112f8858c1e1392d013c6ac0603f2fd70ed513091e35854c0f678efeab7fa9a551517c6b9698f40a92729112de4b852fa3c0c69d64

C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\msedge_elf.dll

MD5 b37d0df4c44e4e1e9502f6b90adbd73d
SHA1 2164d4fd7184f2ed4ebb225f2ea36b84c001f7ee
SHA256 0b16174a0a47cfcabf5dd427e56355b806467ac3284d5d55f66aa19fbcf91e92
SHA512 f5fbb1d506835a4cedd2843a7ff1e1b750ad0c147730e9de521de0c1b67cece4ded32ea0bf153341f9fe6630febb7af785b117d4c49fdfe01e65a18fc450a265

C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\test.asp

MD5 012206c2a828f8687db2a3e5e878068f
SHA1 ee75d067cebca73b982546e1d4c7c7cf32569e8a
SHA256 42f229a1430516ca02825a0b8ead2aa296c1a1cd7e1b41165d918e6657fe4ac4
SHA512 8a0c894cdf75f675b692a3e5fd0db278536c7b8044490fd1a83b47ca606996d9d36190017f33ff9874e0223dd6e2dbb9f5173c870d501e0ae57fbc2bb6ca323b

C:\Users\Admin\Downloads\#!SetUp_14807--!PassW0rdz#$$\0pen___files\caret.xls

MD5 4d4b5ccd0ff38d099e68792ee07c4a99
SHA1 f529d6bb59e1edd6ee57b7ceca20afaa2272d157
SHA256 90b7b1dbc330af1f1d80403bacb25b46506b666aa9182fef90aaec5d612507a7
SHA512 b8113fef6c0e7dea4ad6615fa0a451e72f481d72691d9f4001196be7784df8620ea8b7c00456a546204e0540580eaa13a4bb7ed18ef90ba7a7022682573484f6

memory/6396-576-0x00007FF9F4A80000-0x00007FF9F4B1B000-memory.dmp

memory/6396-580-0x00007FF9F4A80000-0x00007FF9F4B1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\71356ad7

MD5 0f5ac58d1141669520ef806a93e5fae9
SHA1 945c698653906cf3e60ac78c85cb4a2912a5fefc
SHA256 2b072860a7dfa494fa7d04118af241ba64f3170bfca69ac8845c79a00b308427
SHA512 6c698845582b32fac54babd78c4d8535a7d05e390efe67474116cc784fa628cf880bad162b83c32b9512bce1ac72545057d071cea02127298d7a20e500424627

C:\Users\Admin\AppData\Roaming\Fmcli_3\msedge_elf.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/6212-611-0x00007FF9FB7C0000-0x00007FF9FB99B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Fmcli_3\msedge_elf.dll

MD5 196afb2cb100b0ee5ec126433ff9002b
SHA1 30d16e8ea4c76062f16d0b7fafbff72eb6d5a91f
SHA256 f76f2ea7f4122d098595277a49adc77360164d5932a4efe76a1ec818bc292fac
SHA512 c2b4c7cc0945af341374556a8030b749de88d958c869fd68cf3178da0834277030f7d3d205f09420d99af0c181b54d33b974a170875fc481464c60f4ca25e531

C:\Users\Admin\AppData\Roaming\Fmcli_3\msedge_elf.dll

MD5 03477e2970d9a74f2b451e4bbd955f83
SHA1 f3881b739fb9a448875c6a8a8dd72af2221d8c3a
SHA256 9ab10ed9f1efb22a1c2e8f21ea262da1677e4032c6050d560d6af24b28546f00
SHA512 34b0bdcc87b071ac9a5b69109952c23e89ee5395273e4dea7deb28a5216184a5bedc9698cfdfa67187171cabe5605cc05d113d2c2730bbad739bb34c1a18a0a1

C:\Users\Admin\AppData\Local\Temp\9c24c43c

MD5 e7972ad16195c335bcee7cd9b652bfef
SHA1 86e05c4252ab58a9c34f8961cc5328750d3cc608
SHA256 9fa9f0ea2f212cc91a8c0beb0198bcfa6b398bafc8f45430c80fafde5a5bad86
SHA512 fae13d207e0524be0f1a2db52651f7c063e682736ef5fc7aa8a15911e52f55308934473a6204f5ef091889a905667e51b87daceb3978cb72a4c245a323d6bb73

C:\Users\Admin\AppData\Local\Temp\a759dca2

MD5 95d929e7afffa5f4c5ca88b200ddeee1
SHA1 e31acad1067024420008da3c67b6a6795aaa47fc
SHA256 ebc9c40aeead47b8581a7d911910e760a84cc8ed0d74f46f61e606eccb38f8b7
SHA512 c6e9575c9cf9269b9330ac6dd80b8303a654aeb79a141a87c7e4166f4417f07af7ac60ea7b1b9cd2464270a0c7543e7e11b3e31b0e8556f0384c7ba1a8391d24

C:\Users\Admin\AppData\Local\Temp\ad1d8c3a

MD5 b0cd173c78398f4cab4bfd12a1342411
SHA1 ec79a9f2193f2061b013ce1961ea71a105a561fb
SHA256 48f24858f713883c19969365abf7ea3bb91748cbe85461d6f36c020ae4c2cc76
SHA512 d8c38dbe06897284d40f0f1e53be788d3fc42e62bd7aba0c627c7d54fb72d716052252668e4c75a84adb7e001e5d6fd67f55de9244ec28546ee6484168349ab9

C:\Users\Admin\AppData\Local\Temp\b22f4bca

MD5 9da9d0ac8f35d97e9f17c298548743ae
SHA1 02b2358c892818efa2907d6f37142aa13db44c31
SHA256 1604a2730b1924a6d815257ecb939f124069a6a1eb3364abd6b253b42da76ec5
SHA512 d3a29e99285d2209908932977bcdaa9d586984dbdf60ee6b42897a194a1835182b02eb3e2259d6fc4310844707d6142998c992b488360ec98e9ecd4767a4dbeb

C:\Users\Admin\AppData\Local\Temp\b33bb5b5

MD5 7d6766c9e94fcf5b0d7b4acdcd1a4b59
SHA1 b1624543cbe49b5ab1ef0f599905beef5f0f5d7c
SHA256 f029cb8ffb51e52f3845ccbd74ea332e7862bfbf2ad68184d23e69d9cc1bc6bc
SHA512 1df7f46125f2a6a0f7eedbef9b5fd31c5aff0143870ee058e879703be55ddfdde176433cbfbfa8ec41506f02c39b0e5aadb64ce90e7d3c1e79785cd27f6c50e9

memory/392-704-0x00007FF9FB7C0000-0x00007FF9FB99B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b9969768

MD5 b60588953d80ab34dfc2d98ef6f36754
SHA1 df9a81dd9edc4295fc17f234de456217a6df06e4
SHA256 b689cdf07ad836e37e4141e67ad7ebdc9e40a9c7393f496caf729483a2c4e7c3
SHA512 caab9b32e220497bd395899d810a4f0b06f39d05fa4675046672cfa9fed7434e3ee96f83cd366a37044e97a815c3b97757cf83c45fe17e486bbb28b6300e0070

C:\Users\Admin\AppData\Local\Temp\ba19c2d4

MD5 4b9f903fc180be92071a58434b16cb78
SHA1 82b688d291d53f08ed134add4099b984f48eb7fd
SHA256 bb47a145bffc3f4339ed3d7c51e0d15f5d5b801717c8bae484d9769e23029afb
SHA512 57666a97c46bbcc228bab32f56ff2b17da8c9ba8103899c2c71da881f7c6cc961a9af0f9576eca2f0764f4f8c4fed70e7239686ea8ca799281d65a1af80e86ac

C:\Users\Admin\AppData\Local\Temp\babd602e

MD5 f72207ce5fff942f68085656e52c34bd
SHA1 568554a435216c1e7ddc930743c4a2b389208ed0
SHA256 94532200d0aecf88eb2ba5098616125bb49e87e3521d23bb68fe302888c3da4a
SHA512 ba063ec525b5117c960ad678782e53907a2b6de5b4f045223c23906d9282d2c55c8c54ae08452a2013de07eee4085a1fd06004e8a73dcc881e6471f37e48b468

memory/972-717-0x00007FF9FB7C0000-0x00007FF9FB99B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c3c71b48

MD5 a3673056db6133ebf30054fdce0477e2
SHA1 daa9d02fab70ed817303794a6d6cf484c2b1f63b
SHA256 918701da909d7080d2a3a2ba234958319b763a258e78fed8f30e62ff0281f95f
SHA512 c5d1ea3484ad9cd9651e44048a2af597332740c043353686e9b845dccb7fcc36af1342401e4f2075c4c86f05d3e2c67599bf9051d4f47fb2d4ca96653502cffe

memory/5520-722-0x00007FF9FB7C0000-0x00007FF9FB99B000-memory.dmp

memory/640-723-0x00007FF9FB7C0000-0x00007FF9FB99B000-memory.dmp

memory/6132-724-0x00007FF9FB7C0000-0x00007FF9FB99B000-memory.dmp

memory/6044-725-0x00007FF9FB7C0000-0x00007FF9FB99B000-memory.dmp

memory/6440-726-0x00007FF9FB7C0000-0x00007FF9FB99B000-memory.dmp

memory/5464-727-0x00007FF9FB7C0000-0x00007FF9FB99B000-memory.dmp

memory/6212-728-0x00000000739B0000-0x0000000073A45000-memory.dmp

memory/5324-729-0x00007FF9FB7C0000-0x00007FF9FB99B000-memory.dmp