Malware Analysis Report

2025-04-13 11:59

Sample ID 240819-wse45ssdmn
Target PepperX.exe
SHA256 fcece45f00b710bd5cb01a2a79781c871f1bd36fac18e00e85bd6452ecd5eadd
Tags
pepperx quasar spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fcece45f00b710bd5cb01a2a79781c871f1bd36fac18e00e85bd6452ecd5eadd

Threat Level: Known bad

The file PepperX.exe was found to be: Known bad.

Behaviour summary (drawn from the behavioral1 run below): the sample copies itself to C:\Windows\system32\SubDir\PepperX.exe (the dropped copy has the same SHA256 as the submitted file), registers a scheduled task named "Windows" that relaunches that copy at every logon with /rl HIGHEST, enables SeDebugPrivilege in both of its processes, and makes repeated TCP connections to 73.190.43.125:4782 with no associated domain name. Both the write below System32 and /rl HIGHEST require an elevated token, so the run was elevated. The CLR usage log written under CLR_v4.0\UsageLogs indicates a .NET assembly, consistent with Quasar, an open-source .NET RAT. Most remaining signatures are attributed to firefox.exe and reflect the sandbox's browser session rather than the sample (see the notes under each signature).

Malicious Activity Summary

pepperx quasar spyware trojan

Quasar RAT

Quasar family

Quasar payload

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-19 18:10

Signatures

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-19 18:10

Reported

2024-08-19 18:21

Platform

win10-20240404-en

Max time kernel

591s

Max time network

596s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PepperX.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\SubDir\PepperX.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\SubDir\PepperX.exe | C:\Users\Admin\AppData\Local\Temp\PepperX.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\PepperX.exe | C:\Users\Admin\AppData\Local\Temp\PepperX.exe | N/A
File opened for modification | C:\Windows\system32\SubDir | C:\Users\Admin\AppData\Local\Temp\PepperX.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\PepperX.exe | C:\Windows\system32\SubDir\PepperX.exe | N/A
File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\PepperX.exe | N/A

The original process in Temp writes the copy; once started, the copy re-opens its own file and directory for modification. The Files section shows the dropped copy has the same SHA256 as the submitted sample.

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

All five events are attributed to firefox.exe and match normal browser start-up; neither PepperX.exe process is recorded reading these keys, so this signature is not evidence of sandbox-evasion by the sample.

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

This event is also firefox.exe writing under its own user's Classes hive, not the sample.

Scheduled Task/Job: Scheduled Task

Tactics: persistence, execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Two schtasks.exe launches with identical command lines (see the Processes section): the task "Windows" is created with /sc ONLOGON, /rl HIGHEST and /f, pointing at the System32\SubDir copy.

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PepperX.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\PepperX.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A (6 identical rows)

Both PepperX.exe processes enable SeDebugPrivilege, a privilege present only in administrative tokens by default, which is consistent with the elevated run; the six firefox.exe rows come from the browser.

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A (3 identical rows)

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Windows\system32\SubDir\PepperX.exe | N/A

The SetWindowsHookEx call from the installed copy (SubDir\PepperX.exe) is the one worth noting: Quasar's keylogger registers a keyboard hook through SetWindowsHookEx. The sandbox does not record the hook type, so this is consistent with, not proof of, keylogging.

Suspicious use of WriteProcessMemory

Consecutive identical rows are collapsed; Count is the number of recorded writes.

Description | Indicator | Process | Target | Count
PID 4472 wrote to memory of 4128 | N/A | C:\Users\Admin\AppData\Local\Temp\PepperX.exe | C:\Windows\SYSTEM32\schtasks.exe | 2
PID 4472 wrote to memory of 4488 | N/A | C:\Users\Admin\AppData\Local\Temp\PepperX.exe | C:\Windows\system32\SubDir\PepperX.exe | 2
PID 4216 wrote to memory of 2868 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 11
PID 2868 wrote to memory of 316 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 2
PID 2868 wrote to memory of 4616 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 47

The only writes originating from the sample are PID 4472 (the Temp copy) into PID 4128 (schtasks.exe) and PID 4488 (the System32\SubDir copy), which is what a parent does when it launches a child. The firefox.exe rows are writes from Firefox's parent processes (4216 to 2868, then 2868 to its content processes 316 and 4616). No PepperX.exe process writes into firefox.exe and no firefox.exe process writes into PepperX.exe, so this table records no cross-process injection by the sample.

Uses Task Scheduler COM API

Tactics: persistence

Processes

C:\Users\Admin\AppData\Local\Temp\PepperX.exe

"C:\Users\Admin\AppData\Local\Temp\PepperX.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Windows\system32\SubDir\PepperX.exe" /rl HIGHEST /f

C:\Windows\system32\SubDir\PepperX.exe

"C:\Windows\system32\SubDir\PepperX.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.0.1896431052\1347487326" -parentBuildID 20221007134813 -prefsHandle 1664 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f331fb7c-8a53-4311-8c47-298b00ce1014} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 1784 28b198d6158 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.1.495415119\1134430334" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5412878-3af4-4356-a412-8533f91e780f} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 2168 28b075e4158 socket

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Windows\system32\SubDir\PepperX.exe" /rl HIGHEST /f

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.2.763046308\461062228" -childID 1 -isForBrowser -prefsHandle 2868 -prefMapHandle 2864 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e95bd2c2-e20b-40a9-82c7-777c119ae897} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 2880 28b1da9d858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.3.865044025\1003202553" -childID 2 -isForBrowser -prefsHandle 3360 -prefMapHandle 3356 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {da7f4812-af19-478a-a0ac-4c1c2b0cb75a} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 3380 28b07562258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.4.398514513\391907127" -childID 3 -isForBrowser -prefsHandle 4176 -prefMapHandle 4172 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {20a0d22f-80be-4c55-91ce-8936de0ff28d} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 4188 28b1fb1d258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.5.906151278\1080296547" -childID 4 -isForBrowser -prefsHandle 4972 -prefMapHandle 4968 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ccaa79b-c61e-4cae-9021-787511d68093} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 4984 28b20692e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.6.818588765\263672872" -childID 5 -isForBrowser -prefsHandle 5124 -prefMapHandle 5128 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad63f3fd-23ca-4153-a1ef-3b79dcb5fe72} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 5108 28b20edbe58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.7.1009991090\827538769" -childID 6 -isForBrowser -prefsHandle 5316 -prefMapHandle 5320 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c327ae56-6584-42ba-9104-f358fcaea1d0} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 5400 28b20edd658 tab
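The schtasks.exe command line above is the persistence mechanism. Below is an added example of detection logic for it (written for this page, not sandbox output): it parses schtasks command lines and scores them on the traits the sample's task shows (logon trigger, /rl HIGHEST, forced overwrite, an OS-sounding task name, a binary in a non-standard folder below System32). The list of impersonating names, the user-writable directories and the threshold of three traits are assumptions made for the example; the input is the report's own command line plus constructed benign lines for contrast.

```python
"""Detection logic for the scheduled-task persistence seen in this report.

Added example (not sandbox output): parses schtasks.exe command lines and
scores them against the traits of the task the sample created.
"""
import re
import shlex

# Heuristics (assumptions made for this example, not part of the report):
# task names that impersonate the OS, and directories a user can write to.
IMPERSONATING_NAMES = {"windows", "microsoft", "update", "system", "defender"}
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Constructed input: the command line from this report's Processes list
# (it appears twice there) plus three benign-looking lines written for contrast.
SAMPLE_CMDLINES = [
    '"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\\Windows\\system32\\SubDir\\PepperX.exe" /rl HIGHEST /f',
    'schtasks /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\\Program Files\\Backup\\backup.exe"',
    'schtasks /create /tn "VendorUpdater" /sc ONLOGON /tr "C:\\Program Files\\Vendor\\updater.exe"',
    'schtasks /query /tn "Windows"',
]


def parse_schtasks(cmdline: str) -> dict:
    """Return {flag: value-or-None} for a schtasks.exe command line.

    Non-POSIX splitting keeps Windows backslashes intact; a flag takes the
    following token as its value unless that token is itself a flag.
    """
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if not tokens or tokens[0].lower().rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe"):
        return {}
    args = {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok.lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                args[key] = tokens[i + 1]
                i += 2
                continue
            args[key] = None
        i += 1
    return args


def assess(cmdline: str, threshold: int = 3) -> dict:
    """Score one command line; 'flagged' is True when >= threshold traits match."""
    args = parse_schtasks(cmdline)
    reasons = []
    if "/create" in args:
        sc = (args.get("/sc") or "").upper()
        if sc in ("ONLOGON", "ONSTART"):
            reasons.append(f"/sc {sc}: re-runs at every logon or boot")
        if (args.get("/rl") or "").upper() == "HIGHEST":
            reasons.append("/rl HIGHEST: runs with the highest available privilege level")
        if "/f" in args:
            reasons.append("/f: silently replaces any existing task of that name")
        tn = (args.get("/tn") or "").strip("\\").lower()
        if tn in IMPERSONATING_NAMES:
            reasons.append(f"/tn {tn!r}: generic OS-sounding task name")
        tr = (args.get("/tr") or "").lower()
        if any(d in tr for d in USER_WRITABLE_DIRS):
            reasons.append("/tr: target lives in a user-writable directory")
        # A real system binary sits directly in System32/SysWOW64; a path with
        # an extra folder underneath (SubDir\PepperX.exe here) does not.
        m = re.search(r"\\windows\\(system32|syswow64)\\(.+)$", tr)
        if m and "\\" in m.group(2):
            reasons.append(f"/tr: binary in a non-standard folder below {m.group(1)} ({m.group(2)})")
    return {"cmdline": cmdline, "score": len(reasons),
            "flagged": len(reasons) >= threshold, "reasons": reasons}


def scan(cmdlines) -> list:
    """Assess each command line and return only the flagged results."""
    return [r for r in (assess(c) for c in cmdlines) if r["flagged"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_CMDLINES):
        print(f"[{hit['score']}] {hit['cmdline']}")
        for why in hit["reasons"]:
            print("   -", why)
```

Run against SAMPLE_CMDLINES, only the report's line is flagged (all five traits); the vendor updater with a bare ONLOGON trigger scores one and stays below the threshold, which is the point of scoring traits rather than alerting on any logon task.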

Network

Consecutive identical rows are collapsed; Count is the number of occurrences.

Country | Destination | Domain | Proto | Count
US | 73.190.43.125:4782 | | tcp | 1
US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp | 1
N/A | 127.0.0.1:49779 | | tcp | 1
US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp | 1
US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp | 1
US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp | 1
US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp | 1
US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp | 1
US | 8.8.8.8:53 | 166.188.117.34.in-addr.arpa | udp | 1
N/A | 127.0.0.1:49785 | | tcp | 1
US | 8.8.8.8:53 | 47.249.226.44.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 34.42.82.35.in-addr.arpa | udp | 1
US | 73.190.43.125:4782 | | tcp | 1
US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp | 2
US | 8.8.8.8:53 | ciscobinary.openh264.org | udp | 1
GB | 88.221.134.155:80 | ciscobinary.openh264.org | tcp | 1
US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp | 2
US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 155.134.221.88.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | redirector.gvt1.com | udp | 1
FR | 216.58.214.174:443 | redirector.gvt1.com | tcp | 1
US | 8.8.8.8:53 | redirector.gvt1.com | udp | 2
FR | 216.58.214.174:443 | redirector.gvt1.com | udp | 1
US | 8.8.8.8:53 | r5---sn-4g5lzney.gvt1.com | udp | 1
DE | 74.125.163.138:443 | r5---sn-4g5lzney.gvt1.com | tcp | 1
US | 8.8.8.8:53 | r5.sn-4g5lzney.gvt1.com | udp | 2
DE | 74.125.163.138:443 | r5.sn-4g5lzney.gvt1.com | udp | 1
US | 8.8.8.8:53 | 174.214.58.216.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 138.163.125.74.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp | 1
US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp | 6
US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp | 2
US | 73.190.43.125:4782 | | tcp | 2
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp | 1
US | 73.190.43.125:4782 | | tcp | 9
US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp | 1
US | 73.190.43.125:4782 | | tcp | 3
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp | 2
US | 73.190.43.125:4782 | | tcp | 5
US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp | 2
US | 73.190.43.125:4782 | | tcp | 4

Every destination other than 73.190.43.125 is the sandbox's resolver (8.8.8.8:53, including PTR lookups, some of which are for the addresses contacted), loopback, or a Mozilla, Google or Akamai endpoint that Firefox contacts on its own for remote settings and for the OpenH264 and Widevine plugin downloads recorded in the Files section. 73.190.43.125:4782 is contacted 25 times over TCP with no associated domain name; 4782 is the default port of the Quasar client, so this is the probable command-and-control endpoint. The table does not attribute connections to processes.
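The table does not say which process made each connection, so triage has to work from destinations alone. The following added example (not part of the report) parses rows in this table's format, separates resolver traffic, PTR lookups, loopback and connections made under a resolved name from unnamed direct connections, ranks the latter by frequency, and ties PTR queries back to contacted addresses. The input is a subset of rows copied from this table; the classification rules are assumptions made for the example.

```python
"""Triage of a sandbox network table: separate resolver, browser and CDN
noise from direct unnamed connections and rank those as C2 candidates.
Added example; not part of the sandbox report."""
from collections import Counter

# Constructed input: a subset of rows copied from this report's Network
# table (Country, Destination, optional Domain, Proto).
NETWORK_ROWS = """\
US 73.190.43.125:4782 tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
N/A 127.0.0.1:49779 tcp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
FR 216.58.214.174:443 redirector.gvt1.com tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 73.190.43.125:4782 tcp
US 73.190.43.125:4782 tcp
US 73.190.43.125:4782 tcp
"""


def parse_rows(text: str) -> list:
    """Parse 'Country Destination [Domain] Proto' rows into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, ""
        else:
            continue
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_ip(name: str):
    """'155.134.221.88.in-addr.arpa' -> '88.221.134.155'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def classify(row: dict) -> str:
    """Bucket a row: loopback, dns, dns-ptr, named (reached via a domain), unnamed."""
    if row["host"].startswith("127."):
        return "loopback"
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns-ptr" if ptr_ip(row["domain"]) else "dns"
    return "named" if row["domain"] else "unnamed"


def c2_candidates(rows: list) -> list:
    """Unnamed direct connections, most frequent first, non-standard ports
    ahead of 80/443 on ties; returns [((host, port, proto), count), ...]."""
    counts = Counter((r["host"], r["port"], r["proto"])
                     for r in rows if classify(r) == "unnamed")
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0][1] in (80, 443), kv[0]))


def reverse_lookups_of_contacted_hosts(rows: list) -> dict:
    """Map each contacted host that was also the subject of a PTR query to
    the domain it was reached under ('' if it was reached unnamed)."""
    contacted = {r["host"]: r["domain"] for r in rows if classify(r) in ("named", "unnamed")}
    looked_up = {ptr_ip(r["domain"]) for r in rows if classify(r) == "dns-ptr"}
    return {ip: contacted[ip] for ip in looked_up if ip in contacted}


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    print(Counter(classify(r) for r in rows))
    for (host, port, proto), n in c2_candidates(rows):
        print(f"{host}:{port}/{proto}  x{n}")
    print(reverse_lookups_of_contacted_hosts(rows))
```

On this subset the only unnamed destination is 73.190.43.125:4782, and the two PTR lookups resolve back to the ciscobinary.openh264.org and redirector.gvt1.com addresses, which is how a named CDN fetch and an anonymous beacon get told apart without process attribution.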

Files

The dropped C:\Windows\System32\SubDir\PepperX.exe carries the same SHA256 as the submitted sample, i.e. the sample copies itself unchanged rather than unpacking a second-stage payload. The CLR_v4.0\UsageLogs\PepperX.exe.log entry is written by the .NET runtime when a managed assembly runs, confirming the sample is a .NET binary. The memory/… entries are memory regions dumped from the two PepperX.exe processes (PIDs 4472 and 4488). Every other entry sits under the sandbox user's Firefox profile or Recent items and is browser activity, not sample output.

memory/4472-0-0x00007FFC74E63000-0x00007FFC74E64000-memory.dmp

memory/4472-1-0x00000000004A0000-0x00000000007C4000-memory.dmp

memory/4472-2-0x00007FFC74E60000-0x00007FFC7584C000-memory.dmp

C:\Windows\System32\SubDir\PepperX.exe

MD5 2ed601b0043d457f70fff1f1846acebb
SHA1 7c1a93357661d9b7ae82f570db12267b0163dc75
SHA256 fcece45f00b710bd5cb01a2a79781c871f1bd36fac18e00e85bd6452ecd5eadd
SHA512 36abc1f2c857e6d266b8bf7544f9f7bae9d1d8b96487588c0c7bb20f725323d12979831de4616d7af59424b4d2851359b2f2f5e97845585da6e7b18902f90d72

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PepperX.exe.log

MD5 d63ff49d7c92016feb39812e4db10419
SHA1 2307d5e35ca9864ffefc93acf8573ea995ba189b
SHA256 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
SHA512 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

memory/4472-10-0x00007FFC74E60000-0x00007FFC7584C000-memory.dmp

memory/4488-11-0x00007FFC74E60000-0x00007FFC7584C000-memory.dmp

memory/4488-12-0x00007FFC74E60000-0x00007FFC7584C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\5596ed59-2c2e-48cd-af54-e736687619ea

MD5 8ff3fbe9260d61112f8607321d85505b
SHA1 217d264c6274dfc1f359ba38bcc90a9cc35c3d0f
SHA256 07358f5be4b5d860b87f86264b553e42a384bc642e0aa4153e963111a0ac6f08
SHA512 8029564384f188fb6fe9f4aabe074d9ca361899acf97c773c4ef3149a2e210f15c559af7fd5535b19d385bac173c5610686f73fbccccf1e716f9cb4e39c76a9f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\95202b27-bc50-448a-ac3a-b21cdc92689d

MD5 7ff2ba2e450262895c94840b452666d3
SHA1 7ebcf6f7e0a88af025a33edc72a11813e6fd8930
SHA256 193f6d033257b93cd19f9e7d13ebb2c405aa5d59a2dea787b454f238c5cefd57
SHA512 dca0e72446df013ffaf8e6b6ebc1d24076646a4d2fdaee17db0e3fea6d5046bc58c9b0671dbe11355d45750f9734ee50b1d246e4d57c2dc89f5d12426db4122d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\db\data.safe.bin

MD5 39f1a5966168bd73a09c51b6f155ee10
SHA1 a4b0808fc831fa55b5d1d42678ab8cc5a26a6abd
SHA256 e53bed37f795964d7b2abf6f785387831d73de51ea17e16a81da9e9734d2c415
SHA512 5e20c7be94ece4adf4adcbeda2e6f246017e4a0e2081817463c6a4a0ffd05aab7c4eb6961f2c69812d083ede5ccceac1b78a43d1949d0e6b1a94fb3e677f4bec

memory/4488-71-0x000000001BC60000-0x000000001BCB0000-memory.dmp

memory/4488-72-0x000000001C3C0000-0x000000001C472000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs.js

MD5 f894aac846ae5f809dbdc7ee286843a6
SHA1 5b93d762dcf4ff0737055db2515dbddaebfe5faa
SHA256 11145120cc7e020c847eef4e9c11bd9b23968b798865cb5a0c65603cbe5be81a
SHA512 9e035fa8e4e77fa6c31390307734b57a4ac44d06710d55dc8f5b7a4927757a454b11f44494c98ae786b01305887cfd9c3104452770a95ee4852bca65c7a864b8

memory/4488-86-0x000000001CBB0000-0x000000001D0D6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs.js

MD5 262962d964d5f63468225e655d0fac7a
SHA1 f851187eaf091087803e07218b528f33296434fa
SHA256 0f223b239171b5ee6c9f844352bce860a397f2dbf1e04f79b29f29a6b9d2f2d6
SHA512 a0c068ed3030f592566ed7a3a193b08933ee49e7a9cbe5d126fd5e57c4634aacff65e8bf35aa3a332892064ed8e47dd7ca478bfbc83cda23bf94dd4f910611c0

memory/4488-111-0x00007FFC74E60000-0x00007FFC7584C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js

MD5 767d78436ff0c2c2c29c540882518d68
SHA1 bd638f3d862b49b90c3206d345a08a5523cdede6
SHA256 2e97bc27508683d2a23255c6929102966f0f35cb3eb7b906ba882ec43781ec5d
SHA512 a65243b447637f7073540a4f37f7692731571674675a078f61dedf388754fdc434e24d015c25880642385c3cb3571a21d639dbd7cf0e63b0eedaabc785b415b9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 4074ef7f2fe3552e8f546088dc5e7a67
SHA1 a58159dd60d67afe4c633b28480c04a5859cb450
SHA256 f6560a934efd84b777d55fabf56bc1d38e81c6dbaba4af68178a03af2bacf478
SHA512 9f74d359d33328dad9904ee4771f139bc876651f7004a7d289a9aa8b38048ad9033d7d66c8b349d399c39952a3477d530d7a35a679b88bf09c42b49468cea7ec

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4

MD5 b78ff6a6136001d3fbf6c350cd61cb85
SHA1 0ba19feb045acea3539b5fe14b31ac4dc5926069
SHA256 ac5786ea8faf46d9cb3d71cd8a13d57a6c46308a3eb6ad67c44a665fa5d53dbf
SHA512 a972122884d2eb558904a326672c2227010860d48578be3b22f37f4a5ecce9a1b0e587d0d4d3008fdea030ab8984f4abb708c08a1dadac2f6d2643985f18bfbc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js

MD5 3fafaa0dfd030dab7f342687a22a4ec7
SHA1 92440a7aebda3da906a05cae5f749555cd090005
SHA256 a7f05b237a1ee18819fbbc28b6868525b10a9e452b0500b2b3cab8c3dcd7d851
SHA512 7fec5f3f0a48a764e55c8ae8b73edb4b909f3a24edd650bd9cd5c61f34e50920b3231ee029f0610bd164d8add2a805546e88c7bec187157125e6f2a0a784ee5b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 1603886b477b9cdaaeefd493a23247a9
SHA1 9c5c24b7ac111e08105fd7bd5d2c67009fd0cf16
SHA256 21c306ce9ae9b4a3fb99a0e4e888d8b818fc890032cf35c5e0ba29e68f30d369
SHA512 a44a168f9f3b5a12ceef6662aa213326c52eff76398cb1c655141a4a7410edddaf3ba390a488c258f156d9298454ee2ef8357bd17ec47e585b3558761648633b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js

MD5 9e1c9be51f57b23c4c3d0529244d6db7
SHA1 ca91c172b60fb6d76aebcd48c96c612f4dd87551
SHA256 0fb664eb8d029a534281efe7e5c80bb13519b8bfe6021b2235d0d91f2be99c97
SHA512 9b12d807107a6ed9ddecc7a0b70c2e864b4aa5e7048040c51eed3e69d272b7ed837351ed25bc25dc63a13e2542c9a60f6d8cc3a86ee5494c56877127da64912b

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 590941509220882007f650a991ae86d8
SHA1 ce6e89e1b6f46e40809906041ecd7f0d54592e10
SHA256 5d042b92875da76de5bef02cecdc6568bf56e8e94f33b200e91ed589a72baad9
SHA512 2bb06adf621cce2e1cfb7a6c96639ac2093d07769f9261f60bd59c3d7625cc9e00137e3479ed4adf187fd9d1f81c2142962b11b4fdf4564570fa6c1837d83d01

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js

MD5 78ee8243739d3f39b57bf89d7d494784
SHA1 8f10174b101be336176069ae350c76380aa41155
SHA256 e870f3dc8f0b6a6140b8dfaf4b60016670eb94dfa4428b529961db9943163ba3
SHA512 fabe947728eb124af174c4f0677dd9e0e53ecdd1f7d02b5034034ca4d776e3a6d0c64c0bc219bc49fad9ad62b77d7b9fadada77d1825c19d885f25f2bce60cbd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\broadcast-listeners.json

MD5 c6da534f50ab008a784a62b6327a3ec3
SHA1 08554dbaec9a1b504cde8760072ca438544b776a
SHA256 65f9ebbbe54cc02611f66ffb504c59d39afc8134db665e11fa292c8d1828d954
SHA512 ec0feabb73429bab43c7ea5b0ce48911afb756b9457aa8a0469e7a5bf8595eecaecce5d0e7790da6fca789beafd62eaec3128a24755fbcce828312108b1dcb3c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionCheckpoints.json

MD5 c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA1 5942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA256 00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA512 71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 d8de3f7f0dc6edf115d973c1a2102a3f
SHA1 b85dd90b4c40d46a77e3042007f426cbef4fffad
SHA256 a30a091e1d1a0ffd2471517a4aa47ef60a0050aab9aed87942fe800112ac64db
SHA512 0c8f2597f66dcf6bbb546f465fe99d4eaf3609a14779fa0f92dc04d9a918b7b54bcedd9ad665e8386f603be9b337c1ab6bd86594e0fb9d3fab345994a52442a2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\bookmarkbackups\bookmarks-2024-08-19_11_ynjabA+xcPNHPZU1gEyrew==.jsonlz4

MD5 bc3030c50bf86982219a2ef0685a4342
SHA1 f5959d9850ba5f1b0e7ac71cfa35550c0dfb6c85
SHA256 5e38cdcb2dda5e8038815eb31f05ec6bf9d4db0718af6443aa4247fb70d888d6
SHA512 7970c02c7a335c3b1ae73f9363fd3282f495ddb8238947af59828eca4c52345e5ed2801e2b766b86d13f1fd784629ea86dba711711cc0760fcd579e11c0dae8b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js

MD5 bc6014165a1d910b42f1a948183cb745
SHA1 a179708f7d6a9315678ccb135e56d47a8b538f60
SHA256 29a680bece2f39901a677ca21b4335e8331d216c95a461d1fda78fcbc36a7bc9
SHA512 118afdaf7cc29b576600c560e8e7ccea5d31e563f702bff0ccbc1aa16cda27f81d85ac393733dbd66c881706cb745f48b24d6768d9b706e648b9e1f271307dbf
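An added example (not part of the report) of parsing this Files section: it reads file entries (a path followed by MD5/SHA1/SHA256/SHA512 lines) and memory-dump entries, finds the paths whose SHA256 equals the submitted sample's (the self-copy), drops browser-profile noise when exporting indicators, and groups dumped memory regions by PID. The input is a subset of the entries above; the noise-path prefixes are an assumption made for the example.

```python
"""Parser for the Files section of this report. Added example; not part of
the sandbox report."""
import re

SAMPLE_SHA256 = "fcece45f00b710bd5cb01a2a79781c871f1bd36fac18e00e85bd6452ecd5eadd"

# Constructed input: a subset of entries copied from this report's Files section.
FILES_SECTION = """\
memory/4472-0-0x00007FFC74E63000-0x00007FFC74E64000-memory.dmp

memory/4472-1-0x00000000004A0000-0x00000000007C4000-memory.dmp

C:\\Windows\\System32\\SubDir\\PepperX.exe

MD5 2ed601b0043d457f70fff1f1846acebb
SHA1 7c1a93357661d9b7ae82f570db12267b0163dc75
SHA256 fcece45f00b710bd5cb01a2a79781c871f1bd36fac18e00e85bd6452ecd5eadd
SHA512 36abc1f2c857e6d266b8bf7544f9f7bae9d1d8b96487588c0c7bb20f725323d12979831de4616d7af59424b4d2851359b2f2f5e97845585da6e7b18902f90d72

C:\\Users\\Admin\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\PepperX.exe.log

MD5 d63ff49d7c92016feb39812e4db10419
SHA1 2307d5e35ca9864ffefc93acf8573ea995ba189b
SHA256 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
SHA512 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

memory/4488-11-0x00007FFC74E60000-0x00007FFC7584C000-memory.dmp

C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\wtg1s5j6.default-release\\prefs.js

MD5 f894aac846ae5f809dbdc7ee286843a6
SHA1 5b93d762dcf4ff0737055db2515dbddaebfe5faa
SHA256 11145120cc7e020c847eef4e9c11bd9b23968b798865cb5a0c65603cbe5be81a
SHA512 9e035fa8e4e77fa6c31390307734b57a4ac44d06710d55dc8f5b7a4927757a454b11f44494c98ae786b01305887cfd9c3104452770a95ee4852bca65c7a864b8
"""

MEMORY_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
# Paths the sandbox's own browser session writes; treated as noise (assumption).
NOISE_PREFIXES = ("\\mozilla\\firefox\\", "\\microsoft\\windows\\recent\\")


def parse_files(text: str) -> tuple:
    """Return (file_entries, memory_regions) from a Files section."""
    files, regions = [], []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEMORY_RE.match(line)
        if m:  # memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
            start, end = int(m[3], 16), int(m[4], 16)
            regions.append({"pid": int(m[1]), "seq": int(m[2]), "start": start, "size": end - start})
            current = None
            continue
        h = HASH_RE.match(line)
        if h and current is not None:  # hash line belongs to the preceding path
            current[h[1].lower()] = h[2]
            continue
        current = {"path": line}
        files.append(current)
    return files, regions


def self_copies(files: list, sha256: str = SAMPLE_SHA256) -> list:
    """Paths whose SHA256 equals the submitted sample's, i.e. where it copied itself."""
    return [f["path"] for f in files if f.get("sha256") == sha256]


def is_noise(path: str) -> bool:
    return any(p in path.lower() for p in NOISE_PREFIXES)


def file_iocs(files: list) -> list:
    """Unique (path, sha256) pairs worth keeping, browser-profile noise removed."""
    seen, out = set(), []
    for f in files:
        key = (f["path"], f.get("sha256"))
        if is_noise(f["path"]) or key in seen:
            continue
        seen.add(key)
        out.append(key)
    return out


def regions_by_pid(regions: list) -> dict:
    out = {}
    for r in regions:
        out.setdefault(r["pid"], []).append(r)
    return out


if __name__ == "__main__":
    files, regions = parse_files(FILES_SECTION)
    print("self-copies:", self_copies(files))
    print("file IOCs:", file_iocs(files))
    for pid, regs in regions_by_pid(regions).items():
        print(pid, [(hex(r["start"]), hex(r["size"])) for r in regs])
```

Duplicate paths with different hashes (the repeated prefs-1.js entries in the full section) are kept as separate pairs, since each is a distinct write; the same path with the same hash is collapsed.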