Malware Analysis Report

2024-11-30 05:21

Sample ID: 240709-swz2yasbqa

Target: https://download2347.mediafire.com/cd5iqip9vdtgpTxcleY9hndNplIHEKWuvboHCAh2znif25mvvnbBcBw_TBWTgjJv3PDaheneeR8c7W5mL5uCbe_BYtN1OtQyjNNjSb6XIn9ZAeYJebdUGZtqOaKgh6ZQEHfpOeyk42R_B5911dcBA7cIdzCv2Hz4pKfJGlXt4k0Bdw/93937e8dzccjueg/Loader.zip

Tags: lumma xmrig discovery evasion execution miner persistence spyware stealer upx

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

Threat Level: Known bad

The file https://download2347.mediafire.com/cd5iqip9vdtgpTxcleY9hndNplIHEKWuvboHCAh2znif25mvvnbBcBw_TBWTgjJv3PDaheneeR8c7W5mL5uCbe_BYtN1OtQyjNNjSb6XIn9ZAeYJebdUGZtqOaKgh6ZQEHfpOeyk42R_B5911dcBA7cIdzCv2Hz4pKfJGlXt4k0Bdw/93937e8dzccjueg/Loader.zip was found to be: Known bad.

Malicious Activity Summary

lumma xmrig discovery evasion execution miner persistence spyware stealer upx

Lumma Stealer

xmrig

XMRig Miner payload

Stops running service(s)

Creates new service(s)

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

UPX packed file

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Power Settings

Drops file in System32 directory

Suspicious use of SetThreadContext

Launches sc.exe

Checks processor information in registry

Suspicious behavior: LoadsDriver

Modifies registry class

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-09 15:29

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-09 15:29

Reported: 2024-07-09 15:45

Platform: win10-20240611-en

Max time kernel: 911s

Max time network: 935s

Command Line

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://download2347.mediafire.com/cd5iqip9vdtgpTxcleY9hndNplIHEKWuvboHCAh2znif25mvvnbBcBw_TBWTgjJv3PDaheneeR8c7W5mL5uCbe_BYtN1OtQyjNNjSb6XIn9ZAeYJebdUGZtqOaKgh6ZQEHfpOeyk42R_B5911dcBA7cIdzCv2Hz4pKfJGlXt4k0Bdw/93937e8dzccjueg/Loader.zip"

Signatures

Lumma Stealer

stealer lumma

xmrig

miner xmrig

XMRig Miner payload

miner

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Creates new service(s)

persistence execution

Stops running service(s)

evasion execution

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\ffxhzanjhoyu\xhxxxnnmboqv.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\Downloads\Loader\If it doesn't work, run this.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5188 set thread context of 3592 N/A C:\Users\Admin\Downloads\Loader\Loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 68 set thread context of 4748 N/A C:\ProgramData\ffxhzanjhoyu\xhxxxnnmboqv.exe C:\Windows\system32\conhost.exe
PID 68 set thread context of 5940 N/A C:\ProgramData\ffxhzanjhoyu\xhxxxnnmboqv.exe C:\Windows\explorer.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\Loader.zip:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader\If it doesn't work, run this.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader\If it doesn't work, run this.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader\If it doesn't work, run this.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader\If it doesn't work, run this.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader\If it doesn't work, run this.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader\If it doesn't work, run this.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader\If it doesn't work, run this.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader\If it doesn't work, run this.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader\If it doesn't work, run this.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader\If it doesn't work, run this.exe N/A
N/A N/A C:\ProgramData\ffxhzanjhoyu\xhxxxnnmboqv.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\ffxhzanjhoyu\xhxxxnnmboqv.exe N/A
N/A N/A C:\ProgramData\ffxhzanjhoyu\xhxxxnnmboqv.exe N/A
N/A N/A C:\ProgramData\ffxhzanjhoyu\xhxxxnnmboqv.exe N/A
N/A N/A C:\ProgramData\ffxhzanjhoyu\xhxxxnnmboqv.exe N/A
N/A N/A C:\ProgramData\ffxhzanjhoyu\xhxxxnnmboqv.exe N/A
N/A N/A C:\ProgramData\ffxhzanjhoyu\xhxxxnnmboqv.exe N/A
N/A N/A C:\ProgramData\ffxhzanjhoyu\xhxxxnnmboqv.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3364 wrote to memory of 4256 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3364 wrote to memory of 4256 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3364 wrote to memory of 4256 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3364 wrote to memory of 4256 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3364 wrote to memory of 4256 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3364 wrote to memory of 4256 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3364 wrote to memory of 4256 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3364 wrote to memory of 4256 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3364 wrote to memory of 4256 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3364 wrote to memory of 4256 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3364 wrote to memory of 4256 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 3672 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 3672 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 4524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://download2347.mediafire.com/cd5iqip9vdtgpTxcleY9hndNplIHEKWuvboHCAh2znif25mvvnbBcBw_TBWTgjJv3PDaheneeR8c7W5mL5uCbe_BYtN1OtQyjNNjSb6XIn9ZAeYJebdUGZtqOaKgh6ZQEHfpOeyk42R_B5911dcBA7cIdzCv2Hz4pKfJGlXt4k0Bdw/93937e8dzccjueg/Loader.zip"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://download2347.mediafire.com/cd5iqip9vdtgpTxcleY9hndNplIHEKWuvboHCAh2znif25mvvnbBcBw_TBWTgjJv3PDaheneeR8c7W5mL5uCbe_BYtN1OtQyjNNjSb6XIn9ZAeYJebdUGZtqOaKgh6ZQEHfpOeyk42R_B5911dcBA7cIdzCv2Hz4pKfJGlXt4k0Bdw/93937e8dzccjueg/Loader.zip

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4256.0.1530788805\1380504365" -parentBuildID 20221007134813 -prefsHandle 1672 -prefMapHandle 1660 -prefsLen 20845 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c2f1022-f77f-4ba6-b8b0-982210124581} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" 1764 1b01f4d9958 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4256.1.530650364\1804603363" -parentBuildID 20221007134813 -prefsHandle 2112 -prefMapHandle 2108 -prefsLen 21706 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3da2cfb-a8bd-45ad-8e36-bac6894da41c} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" 2140 1b01f1e5558 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4256.2.1505335371\489325359" -childID 1 -isForBrowser -prefsHandle 2936 -prefMapHandle 2952 -prefsLen 21809 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {af55fd5f-742e-4c0d-904e-e3761a349840} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" 3004 1b0230df458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4256.3.402435863\1833611549" -childID 2 -isForBrowser -prefsHandle 3624 -prefMapHandle 3620 -prefsLen 26214 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f49485c-0cb4-49b2-9705-a4e700731a0f} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" 3636 1b024615458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4256.4.675259695\804385832" -childID 3 -isForBrowser -prefsHandle 5044 -prefMapHandle 5040 -prefsLen 26569 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {40a4b863-7d04-49b8-abac-56fbef98e051} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" 4960 1b026a1d558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4256.5.928768535\277344998" -childID 4 -isForBrowser -prefsHandle 5180 -prefMapHandle 5184 -prefsLen 26569 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fbab2e8-ef49-4cb2-af57-2fb8203c72e9} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" 5264 1b026a1fc58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4256.6.1275848833\579576807" -childID 5 -isForBrowser -prefsHandle 5168 -prefMapHandle 5172 -prefsLen 26569 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {48e94375-9c7d-42de-92ec-44cda6a79e8f} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" 5284 1b026a1e158 tab

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Loader\" -spe -an -ai#7zMap12127:74:7zEvent26429

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5528.0.635852661\1620284" -parentBuildID 20221007134813 -prefsHandle 1600 -prefMapHandle 1588 -prefsLen 23808 -prefMapSize 233932 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1155a66-73c1-4d4f-9c91-5a1e186743de} 5528 "\\.\pipe\gecko-crash-server-pipe.5528" 1712 24ade4f8658 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5528.1.1186232693\691218776" -parentBuildID 20221007134813 -prefsHandle 1992 -prefMapHandle 1988 -prefsLen 23853 -prefMapSize 233932 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe014ee6-31dd-4491-afa5-7dd57ad27e8d} 5528 "\\.\pipe\gecko-crash-server-pipe.5528" 2004 24ad36db558 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5528.2.1890138144\409469829" -childID 1 -isForBrowser -prefsHandle 2636 -prefMapHandle 2672 -prefsLen 24314 -prefMapSize 233932 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae45d7c7-8c56-4493-91dc-9eaa6e09e022} 5528 "\\.\pipe\gecko-crash-server-pipe.5528" 2676 24ae1f5af58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5528.3.1062533499\832618682" -childID 2 -isForBrowser -prefsHandle 3216 -prefMapHandle 3212 -prefsLen 29499 -prefMapSize 233932 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {29ca5744-3bc3-4849-b325-e53bf6789978} 5528 "\\.\pipe\gecko-crash-server-pipe.5528" 3224 24ae302b158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5528.4.1682610\1208956932" -childID 3 -isForBrowser -prefsHandle 3740 -prefMapHandle 3732 -prefsLen 29654 -prefMapSize 233932 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1cbf2629-879e-4f43-bd4d-089674d5e95b} 5528 "\\.\pipe\gecko-crash-server-pipe.5528" 3752 24ae3c18b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5528.5.893755435\1055796507" -childID 4 -isForBrowser -prefsHandle 2244 -prefMapHandle 2556 -prefsLen 29578 -prefMapSize 233932 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {63d7be8e-ab02-42ba-9ce0-b4c73f34382b} 5528 "\\.\pipe\gecko-crash-server-pipe.5528" 4568 24ae50d9e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5528.6.709444829\766077504" -childID 5 -isForBrowser -prefsHandle 4788 -prefMapHandle 4784 -prefsLen 29578 -prefMapSize 233932 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d4925aa-4d8a-467e-a61f-5d8d627d8d1b} 5528 "\\.\pipe\gecko-crash-server-pipe.5528" 4796 24ae50db658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5528.7.1864976312\455065962" -childID 6 -isForBrowser -prefsHandle 4900 -prefMapHandle 4904 -prefsLen 29578 -prefMapSize 233932 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {681bc82c-7f9f-44c2-8abd-7195f1e39df8} 5528 "\\.\pipe\gecko-crash-server-pipe.5528" 4892 24ae50db958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5528.8.1664612398\604476823" -childID 7 -isForBrowser -prefsHandle 5292 -prefMapHandle 5296 -prefsLen 29578 -prefMapSize 233932 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a612820-2cfd-402b-95d9-509df68a2278} 5528 "\\.\pipe\gecko-crash-server-pipe.5528" 5304 24ae694bb58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5528.9.1869452776\3286839" -childID 8 -isForBrowser -prefsHandle 4676 -prefMapHandle 4648 -prefsLen 29636 -prefMapSize 233932 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {569e6578-9a0b-4cbc-996c-8f9cf2ef15d6} 5528 "\\.\pipe\gecko-crash-server-pipe.5528" 4664 24ae59b2558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5528.10.1515356546\1436855656" -childID 9 -isForBrowser -prefsHandle 4760 -prefMapHandle 4972 -prefsLen 29636 -prefMapSize 233932 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7993e91d-f4d0-475f-a52f-5eedf1ae61b7} 5528 "\\.\pipe\gecko-crash-server-pipe.5528" 4772 24ae5a6ba58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5528.11.793898507\93265468" -childID 10 -isForBrowser -prefsHandle 2288 -prefMapHandle 5432 -prefsLen 29636 -prefMapSize 233932 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1384672-e3f9-40d9-a0ff-6ea3b5cfa150} 5528 "\\.\pipe\gecko-crash-server-pipe.5528" 4336 24ae7246e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5528.12.1147024006\1307365325" -childID 11 -isForBrowser -prefsHandle 5924 -prefMapHandle 5928 -prefsLen 29636 -prefMapSize 233932 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1848dda6-2b84-4b8a-8765-66545befcf20} 5528 "\\.\pipe\gecko-crash-server-pipe.5528" 4440 24ae7247158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5528.13.1235830708\449454761" -childID 12 -isForBrowser -prefsHandle 6112 -prefMapHandle 6116 -prefsLen 29636 -prefMapSize 233932 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e08a591-cfab-436f-8a99-3118a7eddacd} 5528 "\\.\pipe\gecko-crash-server-pipe.5528" 6104 24ae7248358 tab

C:\Users\Admin\Downloads\Loader\Loader.exe

"C:\Users\Admin\Downloads\Loader\Loader.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Downloads\Loader\If it doesn't work, run this.exe

"C:\Users\Admin\Downloads\Loader\If it doesn't work, run this.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "ELGZIZQU"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "ELGZIZQU" binpath= "C:\ProgramData\ffxhzanjhoyu\xhxxxnnmboqv.exe" start= "auto"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "ELGZIZQU"

C:\ProgramData\ffxhzanjhoyu\xhxxxnnmboqv.exe

C:\ProgramData\ffxhzanjhoyu\xhxxxnnmboqv.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

Network

Country Destination Domain Proto

Files


C:\Users\Admin\Downloads\Loader.zip

MD5 ea4563de56158638bac7122398141207
SHA1 bd6a6918c94cd050b6facc8f09d976ec85130375
SHA256 6807feb9018ee6da320cac2a433d1cac2d6d41c8abcab166487b59f812b33111
SHA512 780806592c74172972bd5982a55601a90b2e15091eabc1113639e9a19170b4b814a220d7c2039e19a6ed944e16a550878df59bfafdcdcd895b224e7227e72eb5

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\startupCache\urlCache.bin

MD5 9cdba78f00f76dfcb343b650ce31e1f4
SHA1 fcd7f0955aba2a4c0115f8a0d989c7c7960adb60
SHA256 53920afb697e98338b48578b503012b956208e5c93cd53f4395af28e06bba351
SHA512 09ea45449156568c5114fd0a662956cc3cf7108ef85e51c7846897c0e3bdd9332e0f1d4629eaf722f503b34f6d2c7e549a8839ba19b498c325d7a0770017a73d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\startupCache\scriptCache-child.bin

MD5 04ff606f77db0c400ab528e396a0e95f
SHA1 f21fa1bb0d473e79cc7807a83558842533c45c45
SHA256 a7f11bb2182913bf957f0743a8280f6905b9f21d3a5d36bd173895f0c79cea84
SHA512 3e54cdc3d5a3423d92c13065a5bb0f97d084bae2d28dafd7f919104b2876d134398550d8cdb6998a5531437a7ac4b794ade7b2c4c71bf991a9715459f76cf646

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\xulstore.json

MD5 58e240288763218d12bf235d34e5aee2
SHA1 89135494b57f590011c09668dec3b90d2c5ee9ae
SHA256 615f80e71dfde24711e7fefc1b7959f7592c5e5cf9ad0f3aecb4235b93187176
SHA512 caed2638902987aead199e73cffb90881bf245bbb616cb38c46b281d4aaaa54dc20a54e9bfe17a8d6e68847394c113fb7606e94b64f44ab0b52bf7846f26e936

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\startupCache\scriptCache.bin

MD5 9bb6d0e3ccc6d4d9f71ad1fd7c8ee0c2
SHA1 5812be88edcd232f04172f478cbd1ed29de7a5cf
SHA256 9a1f0e320fb774bcc801a0c332a4f6d8eac1945994acf17fa2046764264cf668
SHA512 9b58a9f1d75acbe69ca9b71c09f58aab873dd2f8c1af6451ba7c90074402500c325e44f3eb8616ee2493f7c64e2eca3c55715c297cdf53c1ed4d08fd2a710241

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\index.log

MD5 dd7bbe0e783222e404159b467c57dd23
SHA1 ac77b157b18082dc0aca0da57d3c3c098d5228b7
SHA256 5058aba509a05ce5878bebbe616399525025fd9f2241f07fc1f777fc0fda2951
SHA512 df9fc56943cb86228c4706de09a99d9d86b70b660f5298327093bbe67ac762c331678d527d2a8a5a0e21038eb3a49d566c8e0f029420f08666dbdc1d12fd190c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\index

MD5 a56cd88428127254775fb2bfe2034b43
SHA1 7423180ffa1c83282bfeea0afe9e73b15b9efad9
SHA256 c7725d72181095d4d0593c10bab62e5ff1e64a69f48f417894175608072d4c33
SHA512 3de4135223031db72149ca1c8ba8de84e3a2d096c2151c93f78259a76b55d3f75ce662042244cadff9d6adba64de86355ed448026d4a075b45456c1b24028490

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionCheckpoints.json.tmp

MD5 ea8b62857dfdbd3d0be7d7e4a954ec9a
SHA1 b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a
SHA256 792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da
SHA512 076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionCheckpoints.json

MD5 362985746d24dbb2b166089f30cd1bb7
SHA1 6520fc33381879a120165ede6a0f8aadf9013d3b
SHA256 b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e
SHA512 0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\SiteSecurityServiceState.txt

MD5 22f888dd33cd826b87e35f5645b6ec5f
SHA1 3c1c24edad3b01a39256fd62bbcd31e7a27685f1
SHA256 6a3ee9678cededf6d311301572d227f4da58d2b9a3603b853e05629a86a07be8
SHA512 3b7a63458743aabb5f7f2502e3c34c5af108bf4b55e7c4b2d6a44c3726497594dfc3dabf55a9c767d83495424eb41b3adbf12710a917fb3f7716dda11482e6c8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cert9.db

MD5 5ed2346b0c506a243fc24b8bd7aa51d8
SHA1 5726a2f6412e60a76e2ec6c7dc9eecd8e39bf436
SHA256 1d38d7f10154c592723319a65e5909dfb3fe5dbbd2c006066e3ba676ee18c056
SHA512 983a1b8038005f069848145b38aa30c1f1662eb8acc66721ae19186e8dbc369f159d8a636f09251fc3f58f569c2664357f1ee7376bd559fde3af84d4433fe7c5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite

MD5 a7e41559ebef084d6fda46ee5fbd925e
SHA1 f7ca00ac553ebf7481b74c3054bee1a2272b6351
SHA256 8d3670ec6670d39b6a1f18f4a43cd6883ca2c1c8803c3ee4fa43c4566ff33645
SHA512 73a081609b41e90462ef0b4eb58a3d778ca0d592413da3615528b0ef0f0d1ef205bcea179b6047604ede541244f6b9ac7d7ce4755cc1ae086a7feaf0d35ac363

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\extensions.json

MD5 3a01b4a89e5a34364aa1e0423f19205b
SHA1 54e71e49ad74ec3a72f3ae011b3130b4b0a13e6a
SHA256 c281a1ab0e4fd3e14684f80e13d2f77839b58d3ba641bb0e539c35d6ac683c81
SHA512 08076c4f6cee0556dbc425167d4073756f0c5743da053900680f8e65638663b5ce466d5e628775ec2f2f25af18251440c3b6f53025c1b2151ebc72e1517382d8

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

MD5 504002ece2a2c967757d3a36fa742b2c
SHA1 f53686bccae98aee0e10eb55bafa9a7d4f668ce6
SHA256 4a628eae44788dea5fec6dc248715712ca3e3021ab6a32b9da51a701c6ccab91
SHA512 f08ad2c3fc69ad0a7315b748c63f9815be124f849b72597b5e2f2e0847d17323683073d75ff8dd1847cc12321e06975c9855ceffedfaa8b325b71126dd4429f3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\AlternateServices.txt

MD5 594275f5381c8c2ba287ba8d90af1230
SHA1 a799070b0f9508f0921c370877c454ccd57891a7
SHA256 7131a7d8eb71cae5e48ce6fd7efe4d1be326656aaa34cfd4d174a4253b77125d
SHA512 c45c26e79c43cc69a21034fd777ef8bfba9eec7b56a65f7f1f8138a9d3f4031d614d6063e52f902dd9043c21b6b53f618210bf36f3bd444910aecf6166578c58

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\places.sqlite

MD5 5ee3d4214b3068c7739b4b8038f5f7cd
SHA1 64b3af7bb280e67598455cba1d130814917717a9
SHA256 74bda378773d86e62daf5b22d9bcb019b234239c15ef9d6e0ff725b64b715158
SHA512 ebc0efe6190b37ab5adeaac7de08c4a932f043a0a5e2a80e90fb8a37c6a159472a9c007fbebd7307f732dbd6a6c8d43e05e890a134073088aab7ccab37ce2897

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionCheckpoints.json.tmp

MD5 c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA1 5942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA256 00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA512 71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\protections.sqlite

MD5 49397db0486dc59d607907a086f40c9b
SHA1 08742ce9db9569062def08e99eea8470702feb7d
SHA256 890033ea279f13478e655150a823a5f84176d2f8f2ec3724dc61dfec775707c4
SHA512 fc8dad1ae2215cd96c41bb3e683670bb9138467677da46c19d1e58972775842a995b70123c22ea1efb659d043f5116d0c9dca422035a6646b35f81033c9f5f53

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\1a679a11-0b5b-490c-97d5-f53f7b3548d7

MD5 8f13ab16f178fdaad64cbedd5dcc81c7
SHA1 27f0d3443f5ef7ff24e2d9e715cbc83043bd4c2c
SHA256 0fd386ad0d5a84980fb826aa13d36d774e33e71453c77dfbaae6f2d7f243489e
SHA512 c37b09b8e9566ed235214fbeadadcf353e026dcd83c762fc0fbae0106557205564c59f526057336da601138178bc6d0ebe8c9db628c000aeac0771fd0855a98d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\db\data.safe.bin

MD5 76f374e2d10fee1f6cdc1750b8df2ce9
SHA1 3acb8e8f366c2dd5e63099ad5995898bf0c61743
SHA256 d344879c0c6c583cdb30c27bf014772946c74749ca828a0b478ee79188d7a33f
SHA512 4689183d313353aaa297e1369622eb654f9053e8b0191517fbeb9f6dd84513f2e1298b635449d4e3088febb29e54f438218d9687eb42c74978d2e54c65497085

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\security_state\data.safe.bin

MD5 f163340be773d943fb91374569054133
SHA1 60932822c1a22941ebfe40d063d46c7318e8e589
SHA256 60ec85325bbc744eb5ab47fc458a9cb44a1c865f3da5efd140aa8d4f7c9beb44
SHA512 9096a1ed590f1670397e93b83ee8ccea640d34eda7eaade28920c93d6c14543e85de0f46db1c759545ff6820e4ba5d8979ed7830812c08fd4dcba2442e62ab8c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

MD5 6682bc8c0cc8802cf41cc1b7c4722ff1
SHA1 9e16c181cd4256814800110e5b72cc35f1140973
SHA256 753cf4a6a3daef184d9c2e3fd3c121e533cea4f58a96650d57f15b9590dd0ba2
SHA512 a36d70050eeab79f7d544a70a64643dc17e623265280ffa79bb673a5895623a96d5aa3a7f7c02edd9b30ccadd11b238d05d1f74cb2ae099b4d43ac974f23e619

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

MD5 bfb693e3f1a84b506e7b9cb3d0f36b37
SHA1 3d788610fab4a11e199df61793ba0f1423d8fcb0
SHA256 408ab8226de07c6168c04f2b5d77b380fe034575a54f05b1ad22526511d83899
SHA512 f66f4bef3af80619eb5440c664f63b9086370707092f00588810d3edc65a94b323ebb91afef20b292c0913c562d0f78909eb6413c8291616f581cf4b3295df7f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js

MD5 9411941a7298b68c4d159874993129b3
SHA1 89bc8112eebac44be7268c5c2f0319814f82039d
SHA256 4c1dd2accaf90cd122f387889b2ddb3691ec161182880c2fa87aef3f7f8cb7b5
SHA512 54cd5844dcb9bc51903bc45ad1db57fdbf919293c1d138f228efa18597541a5daf274a6e323e57415c65bc1bd3155319d113a47cec867e6e5b97fdb33ba65e76

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js

MD5 02414c1fbc00be3cae13c16501b73144
SHA1 3d04646cb3cc9dbeed0412fdb8c9ae91eb639ecf
SHA256 382d0cff5155d626c8c1b1ac55a2209bc1165726b64708c3296ab6ad392035f9
SHA512 dd9bd149454fc6089f579959f6ef6b53d7d85fdff63ca1d5769da97c256428a474c8049229ab0fe57cedacaf3c910781f8c825406375a34a38899276c8fe7d30

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

MD5 42c97209f25319307fe0f9080cea266e
SHA1 00f1c5a593c10f16be3faad3a416a0a5867e031c
SHA256 71443267b95aa38e104b497658b817565d7527f7a2b2d1f753cb109ee91a3250
SHA512 82b2985a1f9d33b48b711a7cb0562789b72c986a2d1162a9799ed25178f44d05e0a5258155766176aa0cb4f5be305005988a0d3c3e5050a807d52d926401d02c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\crashes\store.json.mozlz4.tmp

MD5 a6338865eb252d0ef8fcf11fa9af3f0d
SHA1 cecdd4c4dcae10c2ffc8eb938121b6231de48cd3
SHA256 078648c042b9b08483ce246b7f01371072541a2e90d1beb0c8009a6118cbd965
SHA512 d950227ac83f4e8246d73f9f35c19e88ce65d0ca5f1ef8ccbb02ed6efc66b1b7e683e2ba0200279d7ca4b49831fd8c3ceb0584265b10accff2611ec1ca8c0c6c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

MD5 06497fb905b397b37601399330b0a725
SHA1 b2ee7ed25ee6718a5184a7904a5094372cddb69f
SHA256 35485297e2602e422d7392cadcd3f11c55e5d0cb594bbb840305ba6fe0c18ebf
SHA512 217752b50a4c32d44089c8f1a6ecf14d6fb1405023bf3496fa1d98867829ec50363d70404ecf0fcb2ef9e43cbc5735d5ff72b809f3399177cd2c31a460658bd5

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\doomed\890

MD5 8b787fa9a468a364354d55b82ef86450
SHA1 582afb0490b14ee3ca7e9baeee233ac05ec4e9a6
SHA256 1e2db8b58c452ab039ef62b6487cf524ac992d5c92339d2493c010d70fef391f
SHA512 548ed718261feda005e73c48d02292c3f2a73bceb90832cd2479896d19a41af17ffb834cd861d41f1f26901fa230b228015ea8f85630a43eb8e647a23dbd3937

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\doomed\17330

MD5 27edbefdad0034ea5daa096410801ba2
SHA1 b3ee8e38808414687b2d3509bb34f11d4fb27c8c
SHA256 2627c4647a8f5871fd7b51b536abcd4e961c1365cacf413c8177361aa92de847
SHA512 480235fa058316662c8324bb27575e42979b3ddf59e85d91417f3fae2267c14f6948806b3ab0b654e311a5d670785092457428753edd8eb2c2d99cd9d86ded3d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\doomed\27239

MD5 2369cc2c54e6c0528903fe3ebe6d7c83
SHA1 64283a5e7d10a6e5795c53915d8bbd1514e4d35d
SHA256 080b99c025b46749cf135f5e0b2c41710c6667b958f6d2fb77316ca8f895eeb2
SHA512 3af1d70618220fe422ec6f9cb9a811567f0260d16806c54f58557c0bf695410274e040da797ecff0b6ea5a25e629235807543536637a48600bc821708379dd5c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\DA66AF922D4C1FAA16464ECA7195B32589C209E5

MD5 a9d3a586dc361d99ef41bf4533377b0c
SHA1 35622dfdf59e9c0f8b6c0178027903f5c3d5856a
SHA256 82c9390acc79129740bc7f63074e0dc17f6f05e849fc7b64047f5d82b68aa73c
SHA512 f092c08236aafb3d51c0779a00b724ece85f2cfeb20280b66bf5ae3c10cc29ce82ac2aa210379f133949f47f08c4038c536724dba9659cfca7cb842f4704e0cc

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\5ED943E4AF2424A261AC18A1B4CB69538D5C0AEB

MD5 9cf53adc357438d261760ad90912ffc5
SHA1 c189cc323aff8350f99759d84d1ff81aa733b8e7
SHA256 189d287345a689b456ec302d2e4e6673b6ab148231906bb7295c56ce8c76b224
SHA512 081a0f1fc3ce8aaee2f8a2e9ee69a82e0e13b3212288d88e230bc35daa6bcf9b2f6cef38df96891dd8f26f1e69d867bd534b842bae7ebd95bda70869c89e5161

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\358466A1ECCD3A1992ADBBF4D3608E5D50569294

MD5 686fb4da299e10c2b5b9f45898834f13
SHA1 9feb3f4d17996dc10d3efe140e7dead5e9e81478
SHA256 6a38c5e93f04786b6c4a9022e1142595830d62e65d160c866539591d81dc4e40
SHA512 90a5fdbfa01f844b49283ee80bd5c32dfa82e4ef5a89c666a166aafee63ec655602f32b1978f964ca99716dace7316136a95991f9ddeb1d3bbdaff0683407fb7

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\08D594D0EB8889F244DFA0DB4BF1A1655DED9131

MD5 ab2488385d04fe4d34e94396c1514b2a
SHA1 8ea081e2949f7dc9a11f74a5214d6a3dcc18723d
SHA256 ed8d2c64788b3e98d0ff01f417f534d7f625b5ec0bf6ef0c46d6c7c7b2145fb8
SHA512 c5fa9e4963949159ac01c3be71b810bbbb7adb29be1f9a200ba06b05131a5670381479f6e42ffc7d76e5e45cd312d18b8fa85a103c0d536b736c3e38c2d6d6f8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

MD5 4124638e1c06e1101092922a1e34bfa9
SHA1 29a3b605f0968103544fdfac6ff8132bb913c646
SHA256 ef9796f5903b5a99996f023a9f68fb3078603a4dd9852edb8fcaf20c3c0043f6
SHA512 6b318c5a45ee1d6ef11199f32a56ed1d2d3b1dbf6ebdc283d24684d96827958de55660ff6a78b69e67aad32b35d207c0f6819d70f4fdfd08934cec1848b063ef

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionCheckpoints.json.tmp

MD5 99601438ae1349b653fcd00278943f90
SHA1 8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9
SHA256 72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a
SHA512 ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionCheckpoints.json.tmp

MD5 65690c43c42921410ec8043e34f09079
SHA1 362add4dbd0c978ae222a354a4e8d35563da14b4
SHA256 7343d5a46e2fca762305a4f85c45484a49c1607ede8e8c4bd12bedd2327edb8d
SHA512 c0208d51cf1586e75f22764b82c48ecbb42c1ff54aa412a85af13d686e0119b4e49e98450d25c70e3792d3b9c2cda0c5ab0c6931ebaf548693bb970a35ae62b9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore.jsonlz4

MD5 dfe2c7e2441e951bfd0818685a62cbab
SHA1 565b56e67923875e7d9df5ba769ec0bd9370a632
SHA256 a5ed7c25705d4bf79162055ad455cacd2adbc809ebb68604a185c68cfa8eface
SHA512 88718d866219ef41713cb22b06e2847e4f9980b46ac3ecefc0b9e3fe72d7f65ff59e8af1ed8cd25ce6da492dbe53b3e0aec2ad82fc5be4d0623c8039947c4824

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\places.sqlite

MD5 9fe057949c9343ca4b1fbef2bf65c98b
SHA1 56cb05e0ac0d0ae94961bc421319e9b751599d0b
SHA256 ff2ca644a882e7ab14db191b034a915c908db0cc2ccd75b35ee2124d4b1607b5
SHA512 fee567a904b8a169858f69a41e6ca0f53cf107b69760d81e9260869466cab7d5e9e901c18f28d4e384e29134ecbe605588bd6b24e884631e1a631d26491d3f4a

C:\Users\Admin\Downloads\Loader\Loader.exe

MD5 2f64d7672e5f567daebfb091fd9f5598
SHA1 203366fdbff64fe29e17da0084b4003be7d00d38
SHA256 fa7c889816a23be0866e921876a0c343f5aec6376396bbcb566e3c94d24fcda9
SHA512 6559a64cd1d7043f1782665fbafb3f0095c85eb1133d6a2438b9545ab247955944763203accbe9bec6edc457fb42f7e0040cf2512a05a9032a229f6b2783b87b

memory/5188-4106-0x0000000000E30000-0x0000000000E31000-memory.dmp

memory/3592-4107-0x0000000000400000-0x0000000000452000-memory.dmp

memory/3592-4109-0x0000000000400000-0x0000000000452000-memory.dmp

memory/3592-4110-0x0000000000400000-0x0000000000452000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\formhistory.sqlite

MD5 8c2726d4baf0e944ae9fe3a24c61d09b
SHA1 07e12c8b6f8c5aba02f601c5ff119083f5a2dc38
SHA256 1bbb8a7bb5a9f4359da9de7ecc31eadf87d5b11c9a60d355dbdf6e1b39aa8257
SHA512 888107313db2c2f000759376c4d6d2d0cab9b4ff2cf9deeadc027064577f15a435aeaa2d437ceeab16d948d40069218f0b15f8df1a0ed9ac85ba6c31d2a857b6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cookies.sqlite

MD5 7f7f48e1d77e67d958afd4536ddb86f1
SHA1 64ee8a4958f1d7d6b4e4b04d490ba69209fce9ba
SHA256 39d7e9acf1d7d5f089440b94c7f29f03fa2803b150a242d18330da9dc168f70a
SHA512 932cbd4ff73099c593fce89fea3bd68e61d70995f6ea3705e41994b007d6c231edc6e25abac49b47ae7a68d680fdb5c8966b3289ecd49cc444446155a8fedf42

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js

MD5 23d5dc6d236b153d4924a40fbefba45a
SHA1 aac388beb36b1dbad62afe07c2bc80965845f314
SHA256 bfdafaa4e25627018f1b295e561861691451a65c8e2faebcd6e9b117ba70ee43
SHA512 0ae4cff9abd7b021608b3898566ff797293c3523248c2a351028b0956c8a70546ad15755bc7fc3441a854fdd3879c1ff14930863f287f7e03e5d15a8db07cd6e

C:\Users\Admin\Downloads\Loader\If it doesn't work, run this.exe

MD5 e4fdd539b3eccb8972f24c656f37e96c
SHA1 fcd8e1d07f9f15b7ef1b9635eb68137a1b8f290d
SHA256 7db49bd6d0e58e952c26dfc926a8d3c687b30241bfbfc2c83f15057660c3b755
SHA512 0e3e64a7a070b64cbb162e89344995dc37334d8d47b40104bdaef881504bb7c1f8666ba0a65488bd65fee380fd89769b9ccaba5146ac5ccc4ec9665994cb746c

memory/3592-4117-0x0000000000400000-0x0000000000452000-memory.dmp

memory/364-4122-0x0000023447D60000-0x0000023447D82000-memory.dmp

memory/364-4125-0x0000023447F20000-0x0000023447F96000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_attlxe0o.csi.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4068-4190-0x000001F0C2240000-0x000001F0C225C000-memory.dmp

memory/4068-4196-0x000001F0C27E0000-0x000001F0C2899000-memory.dmp

memory/4068-4229-0x000001F0C2260000-0x000001F0C226A000-memory.dmp

memory/4748-4319-0x0000000140000000-0x000000014000E000-memory.dmp

memory/4748-4318-0x0000000140000000-0x000000014000E000-memory.dmp

memory/4748-4322-0x0000000140000000-0x000000014000E000-memory.dmp

memory/4748-4321-0x0000000140000000-0x000000014000E000-memory.dmp

memory/4748-4325-0x0000000140000000-0x000000014000E000-memory.dmp

memory/4748-4320-0x0000000140000000-0x000000014000E000-memory.dmp

memory/5940-4326-0x0000000140000000-0x0000000140848000-memory.dmp

memory/5940-4330-0x0000000140000000-0x0000000140848000-memory.dmp

memory/5940-4332-0x0000000140000000-0x0000000140848000-memory.dmp

memory/5940-4331-0x0000000140000000-0x0000000140848000-memory.dmp

memory/5940-4335-0x0000000140000000-0x0000000140848000-memory.dmp

memory/5940-4334-0x0000000140000000-0x0000000140848000-memory.dmp

memory/5940-4329-0x0000000140000000-0x0000000140848000-memory.dmp

memory/5940-4327-0x0000000140000000-0x0000000140848000-memory.dmp

memory/5940-4333-0x0000000001390000-0x00000000013B0000-memory.dmp

memory/5940-4328-0x0000000140000000-0x0000000140848000-memory.dmp

memory/5940-4337-0x0000000140000000-0x0000000140848000-memory.dmp

memory/5940-4338-0x0000000140000000-0x0000000140848000-memory.dmp

memory/5940-4336-0x0000000140000000-0x0000000140848000-memory.dmp

memory/5940-4341-0x0000000140000000-0x0000000140848000-memory.dmp

memory/5940-4342-0x0000000140000000-0x0000000140848000-memory.dmp