Analysis Overview
Threat Level: Known bad
The file https://solarabest.com/Bootstrapper was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Subvert Trust Controls: Mark-of-the-Web Bypass
System Location Discovery: System Language Discovery
Program crash
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
NTFS ADS
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Attribution caveat for the behavioral2 run: the FindShellTrayWindow, SendNotifyMessage and SetWindowsHookEx hits, the CentralProcessor registry reads, the registry class modification, and the NTFS ADS and Mark-of-the-Web entries were all raised by firefox.exe, which the sandbox used to fetch the URL. The behaviour attributable to the downloaded Bootstraper.exe is the three powershell.exe launches that add Windows Defender exclusions (C:\SGDT, the user's Desktop and all of C:\Users), the NLS\Language key reads, and the crash handled by WerFault.exe on each of its three runs.
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-19 21:56
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-19 21:56
Reported
2024-09-19 22:26
Platform
win7-20240729-es
Max time kernel
1556s
Max time network
1561s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Bootstraper.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Bootstraper.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Bootstraper.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Subvert Trust Controls: Mark-of-the-Web Bypass
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\Bootstraper.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
The indicator here is firefox.exe writing the Zone.Identifier stream onto the download, which is the browser applying the Mark-of-the-Web, not the sample removing it. Without a later event that deletes the stream or unblocks the file, this signature is a rule false positive and should not be counted as evidence of a MotW bypass.
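To check the Zone.Identifier stream directly on a host, the following PowerShell is an added example, not part of the sandbox report or the sample. It requires an NTFS volume; the file it inspects and the stream contents are constructed stand-ins, and the HostUrl/ReferrerUrl values are assumptions modelled on what a browser writes for an Internet-zone download, not values recovered from the real file.

```powershell
# Added example (not from the report): read and parse the Mark-of-the-Web
# carried in the Zone.Identifier alternate data stream of a downloaded file.

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)

    # Get-Item -Stream * lists every ADS on the file (the main stream is ':$DATA').
    $streams = Get-Item -LiteralPath $Path -Stream * -ErrorAction Stop |
               Select-Object -ExpandProperty Stream
    if ($streams -notcontains 'Zone.Identifier') {
        return [pscustomobject]@{ Path = $Path; HasMotW = $false; ZoneId = $null; HostUrl = $null; ReferrerUrl = $null }
    }

    # The stream is an INI fragment: [ZoneTransfer] followed by key=value lines.
    $kv = @{}
    foreach ($line in (Get-Content -LiteralPath $Path -Stream Zone.Identifier)) {
        if ($line -match '^\s*([^=\[\]]+?)\s*=\s*(.*?)\s*$') { $kv[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]@{
        Path        = $Path
        HasMotW     = $true
        ZoneId      = [int]$kv['ZoneId']   # 3 = Internet zone, the value that drives SmartScreen/Unblock prompts
        HostUrl     = $kv['HostUrl']
        ReferrerUrl = $kv['ReferrerUrl']
    }
}

# Constructed stand-in for the download: a two-byte main stream plus the kind of
# Zone.Identifier stream a browser writes for an Internet-zone download (assumed values).
$tmp = Join-Path $env:TEMP 'Bootstraper.constructed.exe'
Set-Content -LiteralPath $tmp -Value 'MZ'
Set-Content -LiteralPath $tmp -Stream Zone.Identifier -Value @(
    '[ZoneTransfer]',
    'ZoneId=3',
    'ReferrerUrl=https://solarabest.com/',
    'HostUrl=https://solarabest.com/Bootstrapper'
)

Get-MarkOfTheWeb -Path $tmp | Format-List

# A genuine bypass would leave HasMotW = $false (stream deleted, e.g. by
# Unblock-File or Remove-Item -Stream Zone.Identifier) or a ZoneId below 3.
Remove-Item -LiteralPath $tmp
```

Run it against the real download path instead of $tmp on an analysis host: a present stream with ZoneId=3 confirms the browser marked the file, and only its absence after the sample ran would support the "bypass" label.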
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Downloads\Bootstraper.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Downloads\Bootstraper.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Downloads\Bootstraper.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\Bootstraper.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\Bootstraper.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\Bootstraper.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\Bootstraper.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://solarabest.com/Bootstrapper"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://solarabest.com/Bootstrapper
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2144.0.1283672104\1647527403" -parentBuildID 20221007134813 -prefsHandle 1260 -prefMapHandle 988 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {13ac06c1-355d-43da-951f-0b484b416a43} 2144 "\\.\pipe\gecko-crash-server-pipe.2144" 1340 f0f2458 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2144.1.573671780\1386169102" -parentBuildID 20221007134813 -prefsHandle 1540 -prefMapHandle 1536 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f930ec5c-bccb-4c6d-8efc-28194ffa3244} 2144 "\\.\pipe\gecko-crash-server-pipe.2144" 1552 e844e58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2144.2.628897593\1827794116" -childID 1 -isForBrowser -prefsHandle 1840 -prefMapHandle 1924 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {53624e9c-b75f-4165-b9a6-b2fc6ea15c8f} 2144 "\\.\pipe\gecko-crash-server-pipe.2144" 1248 19c9c458 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2144.3.406801774\1352157278" -childID 2 -isForBrowser -prefsHandle 2592 -prefMapHandle 2588 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dff73c8c-90f3-49fe-b1e6-83440c90ea5f} 2144 "\\.\pipe\gecko-crash-server-pipe.2144" 660 e62858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2144.4.954572858\1343837334" -childID 3 -isForBrowser -prefsHandle 3720 -prefMapHandle 3716 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6dad7ccf-f08b-425e-8228-2e353238b41b} 2144 "\\.\pipe\gecko-crash-server-pipe.2144" 3732 1f34c858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2144.5.2114551198\100027617" -childID 4 -isForBrowser -prefsHandle 3844 -prefMapHandle 3848 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1260aa87-3a39-4891-bf70-518266b7518d} 2144 "\\.\pipe\gecko-crash-server-pipe.2144" 3836 1f34fb58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2144.6.1739833397\365121066" -childID 5 -isForBrowser -prefsHandle 4008 -prefMapHandle 4012 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b2fd4d1-0b1f-4fad-b1c5-35e1b1ead1e8} 2144 "\\.\pipe\gecko-crash-server-pipe.2144" 4000 21c1f258 tab
C:\Users\Admin\Downloads\Bootstraper.exe
"C:\Users\Admin\Downloads\Bootstraper.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\SGDT'"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop'"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 1480
C:\Users\Admin\Downloads\Bootstraper.exe
"C:\Users\Admin\Downloads\Bootstraper.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\SGDT'"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop'"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 1496
C:\Users\Admin\Downloads\Bootstraper.exe
"C:\Users\Admin\Downloads\Bootstraper.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\SGDT'"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop'"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 1492
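The three powershell.exe launches under each Bootstraper.exe run add Windows Defender path exclusions (ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools) for C:\SGDT, the user's Desktop and all of C:\Users, the last of which removes the entire user-writable profile tree from scanning. On the win7 image used for this detonation the Defender PowerShell module does not exist, so the cmdlet would not have been found; on Windows 8 and later it succeeds from an elevated session. The following PowerShell is an added example, not part of the report or the sample: it extracts exclusions from process command lines such as those above, rates how broad they are, and audits a live host's effective exclusions and the Defender event log. It assumes Windows 8 / Server 2012 or later with the Defender module and an elevated session for the live parts; the command lines it parses are copied from the process list above, and the final one is a constructed benign control.

```powershell
# Added example (not from the report): hunt for and triage Defender exclusions
# planted via Add-MpPreference, as seen in the Bootstraper.exe process tree.

function Get-ExclusionSeverity {
    # Rates how much of the filesystem an exclusion path hides from scanning.
    param([Parameter(Mandatory)][string]$Path)
    $p = $Path.TrimEnd('\')
    $parts = $p -split '\\'
    $roots = @('C:\Users', 'C:\ProgramData', 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)')
    if ($p -imatch '^[A-Z]:$') { return 'critical' }                      # whole drive
    foreach ($root in $roots) { if ($p -ieq $root) { return 'critical' } }
    if ($parts.Count -eq 2) { return 'high' }                             # new top-level dir, e.g. C:\SGDT
    if ($p -imatch '^[A-Z]:\\Users\\[^\\]+(\\(Desktop|Downloads|Documents|AppData))?$') {
        return 'high'                                                     # a whole profile or its hot folders
    }
    return 'review'
}

function Get-ExclusionFromCommandLine {
    # Pulls the exclusion added by an Add-/Set-MpPreference command line
    # (Sysmon event 1, Security 4688 and PowerShell 4104 all carry it).
    param([Parameter(Mandatory)][string]$CommandLine)
    $rx = '(?i)(Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+(?<v>''[^'']*''|"[^"]*"|\S+)'
    $m = [regex]::Match($CommandLine, $rx)
    if (-not $m.Success) { return $null }
    $value = $m.Groups['v'].Value -replace '^[''"]|[''"]$', ''
    [pscustomobject]@{
        Cmdlet   = "$($m.Groups[1].Value)-MpPreference"
        Kind     = $m.Groups[2].Value
        Value    = $value
        Severity = if ($m.Groups[2].Value -eq 'Path') { Get-ExclusionSeverity $value } else { 'review' }
    }
}

function Get-LiveExclusionReport {
    # Reads the effective configuration; Get-MpPreference needs the Defender module.
    if (-not (Get-Command Get-MpPreference -ErrorAction SilentlyContinue)) {
        Write-Warning 'Defender PowerShell module not present on this host (expected on Windows 7).'
        return
    }
    foreach ($p in @((Get-MpPreference).ExclusionPath)) {
        if ($p) { [pscustomobject]@{ Path = $p; Severity = Get-ExclusionSeverity $p } }
    }
}

function Get-RecentExclusionChanges {
    # Event 5007 ("configuration changed") in the Defender operational log records
    # each exclusion add/remove together with the registry value that changed.
    param([int]$Days = 7)
    try {
        Get-WinEvent -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Microsoft-Windows-Windows Defender/Operational'
            Id        = 5007
            StartTime = (Get-Date).AddDays(-$Days)
        } | Where-Object { $_.Message -match 'Exclusions\\' } |
            Select-Object TimeCreated, Message
    } catch { Write-Warning "Could not read Defender log: $_" }
}

function Remove-BroadExclusion {
    # Removes critical/high path exclusions; dry run unless -Force is given.
    param([switch]$Force)
    foreach ($e in (Get-LiveExclusionReport | Where-Object Severity -in @('critical', 'high'))) {
        if ($Force) { Remove-MpPreference -ExclusionPath $e.Path }
        else        { Write-Host "Would remove exclusion: $($e.Path) [$($e.Severity)]" }
    }
}

# Command lines copied from the report's process list, plus one constructed benign control.
$SampleCommandLines = @(
    '"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath ''C:\SGDT''"',
    '"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath ''C:\Users\Admin\Desktop''"',
    '"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath ''C:\Users''"',
    '"powershell.exe" -NoProfile -Command "Get-Date"'
)
$SampleCommandLines | ForEach-Object { Get-ExclusionFromCommandLine $_ } | Format-Table -AutoSize

Get-LiveExclusionReport      | Format-Table -AutoSize
Get-RecentExclusionChanges   | Format-Table -Wrap
Remove-BroadExclusion        # add -Force once the dry-run list has been reviewed
```

Against the report's three command lines the parser rates C:\SGDT and C:\Users\Admin\Desktop as high and C:\Users as critical, and returns nothing for the control. The severity tiers are a judgement call for triage, not a Defender concept; adjust the roots list to the drive layout of the estate being hunted.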
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49202 | | tcp |
| US | 8.8.8.8:53 | solarabest.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 104.21.22.51:443 | solarabest.com | tcp |
| US | 8.8.8.8:53 | solarabest.com | udp |
| US | 8.8.8.8:53 | solarabest.com | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| N/A | 127.0.0.1:49209 | | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 104.21.22.51:443 | solarabest.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| GB | 88.221.134.155:80 | a19.dscg10.akamai.net | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 142.250.200.14:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 142.250.200.14:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r2---sn-aigzrnse.gvt1.com | udp |
| GB | 74.125.168.199:443 | r2---sn-aigzrnse.gvt1.com | tcp |
| US | 8.8.8.8:53 | r2.sn-aigzrnse.gvt1.com | udp |
| US | 8.8.8.8:53 | r2.sn-aigzrnse.gvt1.com | udp |
| GB | 74.125.168.199:443 | r2.sn-aigzrnse.gvt1.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | location.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 35.190.72.216:443 | prod.classify-client.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 35.190.72.216:443 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
Files
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 68bc866866272ffde2858b0ebe06d9ea |
| SHA1 | 5f3913d48d2b4075e3ca854743b46613ed5bfe74 |
| SHA256 | 108666182d3c03ff966fa2a43b94bc1680a5e8f4ebcd46a3ce98edb91f8786c2 |
| SHA512 | 1f7209ce2be436ea7399c57923339c7ecc4695f5d14d92e066bbace2f97ad08e8eb24650f7c11e0b3a936c4b546882c232706e3d7baaf9fd1e3a1bf9f76e4adc |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\db\data.safe.bin
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\db\data.safe.bin
| MD5 | e444c935720808c376064dfbbc261c7e |
| SHA1 | a216c1f429534b8276e21e639334864b170ba17e |
| SHA256 | 5eab0a589ff7c733abc3acf9798265feab259cd7b13d056ea57c91e3e32e60d1 |
| SHA512 | 91e50f650bd99efa39e700951ff2db06c4acb3a6f96acf39a94ecaa1c220154a20b6069f99535d870230c4467d9fd1bb42b0ecfe72e6030096eba85ec10d970d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\b553ee64-9b56-4e1e-83e9-f2f45796fbf3
| MD5 | ff5e7ccbecef2b5ae52ecd8ede61b8d0 |
| SHA1 | caa78d6c9a02a7e740d061ec25236098e4c1f0ec |
| SHA256 | 78aa26809e1fe27b24cc220e27f3a2df125612d9a194fcef78af52a658386be4 |
| SHA512 | b84780d98418756803ac233e7aa8f8e0b96d26f964c5b72d40bcad764f134e901bbe989a6b74c23c10728e7aabbfd9ca3b47ad9005e9231099812857105fe039 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\8037efcc-07d5-4a20-a083-680cd1af5411
| MD5 | f07bd6c1bde71dd0aa10942cce1f8d8f |
| SHA1 | 6825703a41c18395f04c828f615e32d9df09ad79 |
| SHA256 | 9d9917426d8495d0408a49f302019c1f0f7543e5415502a75e06c66ddce93df2 |
| SHA512 | 3d29dd0eca0cca9f3a3eb5f80849c877eedd3afbfb5b64b93fbb3fe2ac94c69cba0a9d977666a8287fe5ef8d1eedb0ae13183ecfccd42eb71ef1316af124e801 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | bece0acf9d7f19d01c7943c54d2ad372 |
| SHA1 | aef59ca4b0fe97f32db128e103bfb98aee3b5e29 |
| SHA256 | ce40f79585195148ac86928d18da80b963cc98d6feb83c1c2e75e8b6d6ef39f8 |
| SHA512 | 105fb01521fca054766d1d1e46cf3bf177b8bab44800f7bbad9a84f388af32e745474b3cc4f70c1fd779b4e7bcf0912502860092e1824f7ba4b52c612ba5a70b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js
| MD5 | eb95bfe80f3270b780dcda718a33f940 |
| SHA1 | ba0a0e356cb0b1d17de558e112fb048198af2035 |
| SHA256 | 84fd461a5057c24410062de4020ffdce07a4c23069b7926ac3106531371d4237 |
| SHA512 | 4b5a6da1dce11084a2663e7bbffbc2ee669158272802c588eca796c029ae491b353ec1e9f082428cbb1ac10351c8a86e7da97948218acd53b70aec88ff61c9c8 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | 4fbc7d44dc98142041d2af89deb0f647 |
| SHA1 | 5a8242445f6c91f03fa2911fa303e8acc4731269 |
| SHA256 | da98e5657ac64a3cb31e2209450b4ca2f893eca99d073cb982e2e3300127c5f0 |
| SHA512 | 8b0d14c4c871ada70244fe15b3f6dd10b06d0615f77496eb39aa9d29d3953234bd3d5febf8c271900a4c3b468584801d05cae2dbf0c444d83285e23956632de6 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
| MD5 | c460716b62456449360b23cf5663f275 |
| SHA1 | 06573a83d88286153066bae7062cc9300e567d92 |
| SHA256 | 0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0 |
| SHA512 | 476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30 |
C:\Users\Admin\Downloads\Bootstraper.JtjLzvxf.exe.part
| MD5 | 180dbffebfd29126aaab8f20706e3718 |
| SHA1 | f56cf0dc93abc764efecae56ecebe542f9780453 |
| SHA256 | 22b212463241e283e84346df68a637845212eb2eecb1fe3231ebdfe8a4796c01 |
| SHA512 | 21c62ee915f08ebcf1bab8278c37fc94b47218d6a00e1311ec4263780733bc1c69774a442d613fdc048ae67580a6472750321e906fa547281f92b4b01164b916 |
C:\Users\Admin\Downloads\Bootstraper.exe
| MD5 | c50467b5fb84d76fe915c8c175be02b8 |
| SHA1 | f90df72fc5195ad11be36dddf8543b2381d585aa |
| SHA256 | 83eeb9b2ba7a602cc27d74322423e42d75d41aa9e0a65799841ab900ebacdfa4 |
| SHA512 | 17131d92f50ad6313ab5a3cecd7b897ea2ec01ffe02f9cd4d08b2af1f7fb928d430fb618061dab2071625663c075796a58925213598cf875244b5dfb3b4a9ec8 |
memory/1692-140-0x00000000748BE000-0x00000000748BF000-memory.dmp
memory/1692-141-0x0000000000D60000-0x0000000000D7C000-memory.dmp
memory/1692-142-0x00000000748B0000-0x0000000074F9E000-memory.dmp
memory/1692-144-0x0000000000510000-0x000000000051A000-memory.dmp
memory/1692-143-0x0000000000510000-0x000000000051A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | b1c0884784648e6372fc72ab0e5ab704 |
| SHA1 | 087e46a2a77f1fd1314fa42288bf0ce0a808d6c1 |
| SHA256 | d034b7398e44e6d3fd7b367c8acd6a2ebf3a80365888fe1958a28a83c2d999f0 |
| SHA512 | 9596b779a3fd53696d3e581f3e575b3c09c8fb2063229d80f880827e2eb429edbcc933434278eaa8bd48be44ea68fb7392ad509a3291d920d2f083fcda405a40 |
memory/1692-166-0x00000000748BE000-0x00000000748BF000-memory.dmp
memory/1692-167-0x00000000748B0000-0x0000000074F9E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 21cce829df9f6230c5e1b2952c15bfc5 |
| SHA1 | 5220240a855d55f3b2ee986878fa5a6ff064f2e5 |
| SHA256 | d4c035dd13a25a98a72dfe6169f4c408b35b1af1708087a005a1ea8992bdfa43 |
| SHA512 | 6094493bbda614a28dd99bf0f0a588626806b82ae9db2e5c32100163a49dac4fb8133524c9c068ec2f0b25dd78f5d43ea9764c03f59a8eafe031f8b6ced342ab |
memory/1692-173-0x0000000000510000-0x000000000051A000-memory.dmp
memory/1692-174-0x0000000000510000-0x000000000051A000-memory.dmp
memory/2336-180-0x0000000000F50000-0x0000000000F6C000-memory.dmp
memory/2336-181-0x0000000000440000-0x000000000044A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js
| MD5 | 71983e6944d2433613f9fc61e8d4c2b3 |
| SHA1 | fed991d24b1ef1e94df86485887ce85b430008f8 |
| SHA256 | e2a3c1250bf1cb325091999c1c658929ff50c30cdb4096135ef355eed94be44d |
| SHA512 | 5e8a4ae42d3f03943fc8448adac97306ef3406f4883e72bd2ac2310f22135ba6d9d5934f45e802b552d28e64f360e972587af515dd376723d0e8fb26644c1e30 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 85430baed3398695717b0263807cf97c |
| SHA1 | fffbee923cea216f50fce5d54219a188a5100f41 |
| SHA256 | a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e |
| SHA512 | 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
| MD5 | fe3355639648c417e8307c6d051e3e37 |
| SHA1 | f54602d4b4778da21bc97c7238fc66aa68c8ee34 |
| SHA256 | 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e |
| SHA512 | 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
| MD5 | 3d33cdc0b3d281e67dd52e14435dd04f |
| SHA1 | 4db88689282fd4f9e9e6ab95fcbb23df6e6485db |
| SHA256 | f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b |
| SHA512 | a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\cache2\entries\22386449CA13D8975B935875780066C6EF52CE37
| MD5 | 210bb644844ebbe00b6ed0f2ca2aa472 |
| SHA1 | 8a7f1e18cbfda018e2f6eef3e428cf907e6decd3 |
| SHA256 | 315ccda6e0180eb27a0e0e3a866d77fd4283340e0cbdf63a0931b6a4d45237d6 |
| SHA512 | 64d3aeebce39d7c03320e8820c1750f2e381d3cb634aa3ea9270b4e14fcf4db3fea116e7dfa25ca016567c5a92e56765c325798b0e07e9bd8c6de0c4a6190811 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js
| MD5 | cc72265fefd4de56979477dc3fbe8a86 |
| SHA1 | 671df3a7415fbd8721b37b18e78a89eb999de985 |
| SHA256 | 37ffec5f3eaf9be46af437f169fa784ac187f8dc99f36d8655cf2070aba01aae |
| SHA512 | 3b65b56009508c98430092958237b958b3723bf545db51e89f86747ab0e7b8709001fdad3bd4c6ca045a36117663fdfe68e4af41edee5b703ee515b7bb139508 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
| MD5 | 49ddb419d96dceb9069018535fb2e2fc |
| SHA1 | 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6 |
| SHA256 | 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539 |
| SHA512 | 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
| MD5 | 8be33af717bb1b67fbd61c3f4b807e9e |
| SHA1 | 7cf17656d174d951957ff36810e874a134dd49e0 |
| SHA256 | e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd |
| SHA512 | 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | a01c5ecd6108350ae23d2cddf0e77c17 |
| SHA1 | c6ac28a2cd979f1f9a75d56271821d5ff665e2b6 |
| SHA256 | 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42 |
| SHA512 | b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
| MD5 | 688bed3676d2104e7f17ae1cd2c59404 |
| SHA1 | 952b2cdf783ac72fcb98338723e9afd38d47ad8e |
| SHA256 | 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237 |
| SHA512 | 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
| MD5 | 33bf7b0439480effb9fb212efce87b13 |
| SHA1 | cee50f2745edc6dc291887b6075ca64d716f495a |
| SHA256 | 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e |
| SHA512 | d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
| MD5 | 937326fead5fd401f6cca9118bd9ade9 |
| SHA1 | 4526a57d4ae14ed29b37632c72aef3c408189d91 |
| SHA256 | 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81 |
| SHA512 | b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2 |
memory/1556-2211-0x0000000001150000-0x000000000116C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 319c0b621316f8f6a4bcf3cf5bb79b3c |
| SHA1 | 01c3228a258d7c6ed6173092ae3e98c2a295b4cf |
| SHA256 | 6a9699fcaedd6b23d7a274ac5530716008cadceadbbd33cd67667f8a54058a44 |
| SHA512 | 5c804377553d987199c275cd8b0020561fc86a17298b5f5ab1e4662fc9344005605b2542b6c7d24f4bdee19b1f435346ecda046ff5f955df864e87468eead841 |
memory/1556-2230-0x0000000000500000-0x000000000050A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
| MD5 | ca8cb758ffdb0c9befeec36a458b3ff0 |
| SHA1 | 7c81028cbd3681247f615e3a066553182b6b23c0 |
| SHA256 | 71f4bf82d7b1f61dd10add49495e6d195fa6cff8269735c09bd9808ef1318278 |
| SHA512 | fd4f3fe5ca4ad7c0e51bfc89d1bed8c1ed1ca7503a524c6438d6d9eaa266280d5797e59819e525f59e32368aa51d4106262c52424141fe80da8862c7c105a335 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js
| MD5 | de7a4bcc5fab70ce92c7a0c4f8d9da87 |
| SHA1 | 91aa4b61c100b683c4baf8f5f0ab17b477bc34f8 |
| SHA256 | a10c03dd06362dee8fb4491fb214646fcac870d43ee3dec23b3c9f60e761d71c |
| SHA512 | 5f8c765fcfe49e0379160dd93f5d47830e3770cda867c8faf8067643358c7c0be45776d2f5d607746d5ef4e9bc16a0bbceb0eccb2e49cf0832172b5952c23537 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\broadcast-listeners.json
| MD5 | 968c1b4bbfc753bc61a27a81a5ec18ef |
| SHA1 | e551a5e0ba9e9e0d690c2916b4f1156327d27177 |
| SHA256 | 6d52592373298786e72df27a56ef3e60c70c4c1f125d6ffa8c67f971358a184f |
| SHA512 | 926d9d3a38600ec5d0fef760f9383d5138962cc24a714fdb92dcd37daf0313b6906644c940b5160b201eb4e6845a8521794ed3a4fd59db2d819e5316c4fe45ca |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\sessionCheckpoints.json
| MD5 | c4ab2ee59ca41b6d6a6ea911f35bdc00 |
| SHA1 | 5942cd6505fc8a9daba403b082067e1cdefdfbc4 |
| SHA256 | 00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2 |
| SHA512 | 71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\targeting.snapshot.json
| MD5 | a0101423c15fb3892f93d20625705529 |
| SHA1 | 2fe8846a7b1d4c16b7ac9d1e60825f6bd502f8be |
| SHA256 | 653ab2c2a2d9a9acaafa43c90d1772a6e22e2e9b41cac6efa460b424f9690e79 |
| SHA512 | 1ba7122bf33f56c84dcabc17772e823d9b3f6bae1263e82d8e7e5b0fe3e9c02d893e2094363ea1037a147060610df9f248674e0d71a495b16bb2bb5cf759a61b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\xulstore.json
| MD5 | 8c8e29dfc7492b92903124e1da454a88 |
| SHA1 | 09e1ea8b5a53255747809121543598e55e38f9ba |
| SHA256 | 08e5486c5550ae2844b9569fbe77ca63617c48b2918e8427ba729deba24a2cbb |
| SHA512 | bb1b2cab79ab3a1e467094748fa6879ec325c21da733255428d2b661c02255dcd3036a3706afeb4f576c168127b4a537802f5748950a3db8fb0c04f4827f903f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | f268e95d411f31d6664ea6f5f5934aea |
| SHA1 | f3e47f70dc10da7bfac53b5f6b269664816ebe25 |
| SHA256 | 40b2b1ff69b5de24403a9ebd182e8704cd4e8d0a4b56fa4e6ce451207d7cf9ee |
| SHA512 | 9a8169ac9f9a3ebe6bb236308ae0f279bada34b3a421ae4d97c33ce4ae4af2c629d2f67df69575d6b0ea7c06359adde869294a691358bbb4573034312b90c051 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\bookmarkbackups\bookmarks-2024-09-19_11_xTq2h+S603FCU6C336nrGw==.jsonlz4
| MD5 | b87efcb27c4625955a16e8cdc79d70a1 |
| SHA1 | 79b8ea7edd452d86d9087407aea75e612aad92a2 |
| SHA256 | 98982fa608a6d2ee9e544bfcf5856f62bc003d67861ebb4d63937bbfc23ff8f3 |
| SHA512 | 97f68c78d98079c31c18eaf47eb1595a646c095a9c400bda4a31f1c42345d6f0ab60187d2a127de21215d29121923f2c4aa7fe30319d0be86a1db601f6b26a80 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js
| MD5 | 3ccfe3d9a05aeadadfa4b531dc5126bc |
| SHA1 | 9765c6e6e9d420646792cc3f85a90c838a8a61e4 |
| SHA256 | 476022c4a864a92f8b3fe38c21b78681a986a36de6a334a38bcd6e603fe7557a |
| SHA512 | bc6466d05baff3bb6fc4db30dce5c22edbb8aaf5de1e4e579cacd15911f96bbf6523dc284c39512764293fa4d1ee114b8a919019627162bc75aa3c4fb0ce9929 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\extensions.json.tmp
| MD5 | 2181fc3443c6ccb4bd391eecb1cdf1ab |
| SHA1 | 41520c6babb539938db1361f271c8c577c890305 |
| SHA256 | 5e26c8ca2915c5a9daf44be6abf71564d839f03c389ab0240eb91dc9279950a1 |
| SHA512 | e712948cdc44e878cb9dc709f2b3485384a98e50353571c9cee2f756effbf264c01de8b3426d8de3bc2d0e6f749d92b7b3b73bf47b91fa03ed2fb5c2bba19b16 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js
| MD5 | f64b5daf41592248a19bb555e1a7d939 |
| SHA1 | f3c2eeb38938ae59a27e0955df6d96e3371fbb48 |
| SHA256 | d91dc779677050ab47201cecbade41dc7453eed50e2e38a2e6b11d1d1fc48414 |
| SHA512 | f38155071ff86eed59c3ba1601e178d10aae8bc26c84efb066f90757aadff904d52fcdfe1d7107abf77907f79b6c14f3c468b3258fd555992c89e691428ed2f2 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\cache2\doomed\6438
| MD5 | 4437469d5a72abd3981edacaa0845f9d |
| SHA1 | 108fc75fc06d20db3245a08a0acda12c45387fce |
| SHA256 | d927444c840346f495fa18b9b3b340e8d0f9d9f6672fb2f51b0c055e3d003ee8 |
| SHA512 | a4e821d3d955bf8f072b6f2b4ec606f2fe0bf72337aeeff2e60d5fb3b89af5f1ca363de996c448aa1b58d64f200a45aa2a14592cce5cfaafaaaec90498b6fc35 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-19 21:56
Reported
2024-09-19 21:58
Platform
win10-20240611-es
Max time kernel
120s
Max time network
130s
Command Line
Signatures
Rhadamanthys
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Bootstraper.exe | N/A |
| N/A | N/A | C:\SGDT\soles.exe | N/A |
| N/A | N/A | C:\Users\Public\Desktop\BootstrapperV1.16.exe | N/A |
| N/A | N/A | C:\Users\Public\Desktop\BootstrapperV1.16.exe | N/A |
| N/A | N/A | C:\Users\Public\Desktop\BootstrapperV1.16.exe | N/A |
| N/A | N/A | C:\Users\Public\Desktop\BootstrapperV1.16.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Subvert Trust Controls: Mark-of-the-Web Bypass
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\Bootstraper.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
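Caveat for readers of this table: the indicator is firefox.exe writing the `Zone.Identifier` stream onto its own download, which is the browser applying Mark-of-the-Web (ZoneId 3, Internet) in the normal way; the signature fires on the stream write, not on evidence that the mark was removed. The files the sample later executes (`C:\SGDT\soles.exe`, `C:\Users\Public\Desktop\BootstrapperV1.16.exe`) are written by the dropper itself, and files created that way normally carry no stream at all, so SmartScreen never sees them. The following added example (not part of the report or of the sandbox's code) parses a `Zone.Identifier` stream body and, on NTFS, reads it from a file via the `file:stream` syntax. The sample stream is constructed here; the report lists the stream as created but does not show its contents.

```python
import configparser
from typing import Dict, Optional

# URLZONE values as written into the [ZoneTransfer] section by browsers.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

# Constructed sample: what a browser writes for a download from the report's URL.
SAMPLE_STREAM = """[ZoneTransfer]
ZoneId=3
HostUrl=https://solarabest.com/Bootstrapper
"""


def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Return the [ZoneTransfer] key/value pairs of a Zone.Identifier stream body."""
    # Streams are INI-formatted; normalise CRLF and strip stray NULs some writers append.
    text = text.replace("\r\n", "\n").replace("\x00", "")
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case: ZoneId, HostUrl, ReferrerUrl
    cp.read_string(text)
    if not cp.has_section("ZoneTransfer"):
        return {}
    return dict(cp.items("ZoneTransfer"))


def zone_of(text: str) -> Optional[int]:
    """ZoneId as an integer, or None when the stream is missing or malformed."""
    try:
        return int(parse_zone_identifier(text)["ZoneId"])
    except (KeyError, ValueError):
        return None


def is_internet_sourced(text: str) -> bool:
    """True when SmartScreen/Attachment Manager would treat the file as untrusted (Internet or Restricted)."""
    zone = zone_of(text)
    return zone is not None and zone >= 3


def read_motw(path: str) -> Optional[str]:
    """Read `path:Zone.Identifier` on NTFS; None when the file has no stream
    (or the filesystem has no alternate data streams at all)."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    fields = parse_zone_identifier(SAMPLE_STREAM)
    print(fields, ZONE_NAMES.get(zone_of(SAMPLE_STREAM)), is_internet_sourced(SAMPLE_STREAM))
    for dropped in (r"C:\SGDT\soles.exe", r"C:\Users\Public\Desktop\BootstrapperV1.16.exe"):
        stream = read_motw(dropped)
        print(dropped, "no Zone.Identifier stream" if stream is None else f"zone {zone_of(stream)}")
```

Run on a live host the same files are present on, a `None` from `read_motw` for the dropped executables is the expected outcome, and it is the reason the MOTW label on this table should not be read as the sample stripping anything.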
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SGDT\soles.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\Bootstraper.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\Bootstraper.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\Bootstraper.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\Desktop\BootstrapperV1.16.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\Desktop\BootstrapperV1.16.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\Desktop\BootstrapperV1.16.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\Desktop\BootstrapperV1.16.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Users\Public\Desktop\BootstrapperV1.16.exe | N/A |
| N/A | N/A | C:\Users\Public\Desktop\BootstrapperV1.16.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://solarabest.com/Bootstrapper"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://solarabest.com/Bootstrapper
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1632.0.1571534192\1053565747" -parentBuildID 20221007134813 -prefsHandle 1704 -prefMapHandle 1696 -prefsLen 20845 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebeb69d3-a9e4-4771-ab49-6512af6afa35} 1632 "\\.\pipe\gecko-crash-server-pipe.1632" 1780 274910bc758 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1632.1.1123971574\261405778" -parentBuildID 20221007134813 -prefsHandle 2144 -prefMapHandle 2140 -prefsLen 21706 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {acbba6be-b6cb-411e-91df-513246248c41} 1632 "\\.\pipe\gecko-crash-server-pipe.1632" 2156 27490ff9558 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1632.2.674240517\1688024558" -childID 1 -isForBrowser -prefsHandle 2860 -prefMapHandle 2856 -prefsLen 21809 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7712289e-4225-4ed3-ba16-b2c62847a0d0} 1632 "\\.\pipe\gecko-crash-server-pipe.1632" 2868 2749105ab58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1632.3.1332800036\1794237648" -childID 2 -isForBrowser -prefsHandle 3636 -prefMapHandle 3632 -prefsLen 26214 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb5a59e3-755d-4b64-8507-b210c86572cb} 1632 "\\.\pipe\gecko-crash-server-pipe.1632" 3656 274966fa858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1632.4.1163578279\1064930099" -childID 3 -isForBrowser -prefsHandle 4448 -prefMapHandle 4612 -prefsLen 26524 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c2cf521-7280-41e2-9138-2deeff3a37b5} 1632 "\\.\pipe\gecko-crash-server-pipe.1632" 4584 2749752db58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1632.5.471417920\275397503" -childID 4 -isForBrowser -prefsHandle 4840 -prefMapHandle 4844 -prefsLen 26524 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c71b44fc-92a5-4c17-acc7-a6f056f7c470} 1632 "\\.\pipe\gecko-crash-server-pipe.1632" 4712 27498706a58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1632.6.1308460912\1662034521" -childID 5 -isForBrowser -prefsHandle 5180 -prefMapHandle 5136 -prefsLen 26564 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {92c4edd8-ed88-46f1-90d5-7a40f23ad5d4} 1632 "\\.\pipe\gecko-crash-server-pipe.1632" 5200 2749887ae58 tab
C:\Users\Admin\Downloads\Bootstraper.exe
"C:\Users\Admin\Downloads\Bootstraper.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\SGDT'"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop'"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
C:\SGDT\soles.exe
"C:\SGDT\soles.exe"
C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
C:\Users\Public\Desktop\BootstrapperV1.16.exe
"C:\Users\Public\Desktop\BootstrapperV1.16.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DISCORD
C:\Users\Public\Desktop\BootstrapperV1.16.exe
"C:\Users\Public\Desktop\BootstrapperV1.16.exe"
C:\Users\Public\Desktop\BootstrapperV1.16.exe
"C:\Users\Public\Desktop\BootstrapperV1.16.exe"
C:\Users\Public\Desktop\BootstrapperV1.16.exe
"C:\Users\Public\Desktop\BootstrapperV1.16.exe"
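The three PowerShell launches above are the defence-evasion step: `Add-MpPreference -ExclusionPath` for `C:\SGDT`, the user's Desktop and finally all of `C:\Users`, so every location the sample writes to is removed from Defender scanning before `soles.exe` and `BootstrapperV1.16.exe` run. `Add-MpPreference` needs administrative rights, so on a non-admin endpoint the same command line still shows up in process telemetry but fails. The following added example (not part of the report or of the sandbox's code) runs a few detection rules over the command lines listed above, copied here as constructed input, and collects the exclusion paths; the rule names and the "outside system directories" heuristic are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Command lines copied from the report's "Processes" section (one per launch).
REPORT_COMMAND_LINES = [
    r'''"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://solarabest.com/Bootstrapper"''',
    r'''"C:\Users\Admin\Downloads\Bootstraper.exe"''',
    r'''"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\SGDT'"''',
    r'''"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop'"''',
    r'''"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"''',
    r'''"C:\SGDT\soles.exe"''',
    r'''"C:\Windows\system32\openwith.exe"''',
    r'''"C:\Users\Public\Desktop\BootstrapperV1.16.exe"''',
    r'''"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DISCORD''',
]


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: Optional[str]  # ATT&CK technique id where one applies
    image: str
    command_line: str


# Image locations that the location heuristic treats as normal (lower-case, assumption).
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

RULES = [
    ("defender_exclusion_added", "T1562.001",
     re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\b", re.I)),
    ("defender_feature_disabled", "T1562.001",
     re.compile(r"Set-MpPreference\s+-Disable\w+", re.I)),
    ("powershell_execution_policy_bypass", "T1059.001",
     re.compile(r"-(?:ExecutionPolicy|ep)\s+Bypass\b", re.I)),
]


def image_of(command_line: str) -> str:
    """First token of the command line, with surrounding quotes removed."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[1:end] if end > 0 else cl[1:]
    return cl.split(" ", 1)[0]


def exclusion_paths(command_line: str) -> List[str]:
    """Paths passed to -ExclusionPath (single-quoted, as in the report)."""
    return re.findall(r"-ExclusionPath\s+'([^']+)'", command_line, re.I)


def analyze(command_line: str) -> List[Finding]:
    image = image_of(command_line)
    findings = [Finding(name, tech, image, command_line)
                for name, tech, pat in RULES if pat.search(command_line)]
    # Heuristic: a fully qualified image outside the OS and program directories
    # (Downloads, Public\Desktop, a fresh root-level folder such as C:\SGDT).
    if ":\\" in image and not image.lower().startswith(SYSTEM_PREFIXES):
        findings.append(Finding("image_outside_system_dirs", None, image, command_line))
    return findings


def analyze_report(command_lines: List[str]) -> List[Finding]:
    return [f for cl in command_lines for f in analyze(cl)]


def defender_exclusions(command_lines: List[str]) -> List[str]:
    """Every directory the sample asked Defender to stop scanning, deduplicated."""
    return sorted({p for cl in command_lines for p in exclusion_paths(cl)})


if __name__ == "__main__":
    for f in analyze_report(REPORT_COMMAND_LINES):
        print(f"{f.rule:36} {f.technique or '-':10} {f.image}")
    print("Defender exclusions:", defender_exclusions(REPORT_COMMAND_LINES))
```

On a live host the same change is also recorded by Defender itself as event 5007 in the Microsoft-Windows-Windows Defender/Operational log, which is worth alerting on independently of process telemetry, and `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` shows whether the exclusions actually took effect.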
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49795 | | tcp |
| US | 8.8.8.8:53 | solarabest.com | udp |
| US | 104.21.22.51:443 | solarabest.com | tcp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | solarabest.com | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | solarabest.com | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 34.120.5.221:443 | prod.pocket.prod.cloudops.mozgcp.net | tcp |
| US | 8.8.8.8:53 | 51.22.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 143.180.12.52.in-addr.arpa | udp |
| US | 104.21.22.51:443 | solarabest.com | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 53.121.117.34.in-addr.arpa | udp |
| N/A | 127.0.0.1:49801 | | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | getsolara.dev | udp |
| US | 104.21.93.27:443 | getsolara.dev | tcp |
| US | 8.8.8.8:53 | 27.93.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.211.222.173.in-addr.arpa | udp |
| US | 104.21.93.27:443 | getsolara.dev | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:6463 | | tcp |
| US | 104.21.93.27:443 | getsolara.dev | tcp |
| US | 8.8.8.8:53 | 34.211.222.173.in-addr.arpa | udp |
| US | 104.21.93.27:443 | getsolara.dev | tcp |
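Most rows in this table are the browser image's own background traffic (Mozilla remote settings, Pocket, Safe Browsing) plus reverse lookups the sandbox resolver performs; the sample's own traffic is the delivery host `solarabest.com`, the `github.com`/`raw.githubusercontent.com` fetches the report flags as abuse of a legitimate hosting service, and `getsolara.dev`. The following added example (not part of the report or of the sandbox's code) parses a subset of the rows above, copied here as constructed input, and separates DNS-only lookups, loopback, browser background traffic and actual connections. The background-domain suffix list is an assumption tuned for this Firefox image; the split between "attacker" and "shared hosting" domains follows the report's own signature.

```python
from typing import Dict, List, Set, Tuple

# Subset of rows copied from the report's "Network" table (Country | Destination | Domain | Proto).
NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49795 | | tcp |
| US | 8.8.8.8:53 | solarabest.com | udp |
| US | 104.21.22.51:443 | solarabest.com | tcp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 34.120.5.221:443 | prod.pocket.prod.cloudops.mozgcp.net | tcp |
| US | 8.8.8.8:53 | 51.22.21.104.in-addr.arpa | udp |
| US | 104.21.22.51:443 | solarabest.com | udp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | getsolara.dev | udp |
| US | 104.21.93.27:443 | getsolara.dev | tcp |
| N/A | 127.0.0.1:6463 | | tcp |
| US | 104.21.93.27:443 | getsolara.dev | tcp |
"""

# Assumption: browser background traffic is recognised by domain suffix only.
BACKGROUND_SUFFIXES = ("mozilla.net", "mozilla.com", "mozgcp.net", "mozaws.net", "getpocket.com")
# Flagged by the report as legitimate hosting abused for payload delivery: context, not blockable infrastructure.
SHARED_HOSTING = {"github.com", "raw.githubusercontent.com"}

Connection = Tuple[str, str, int, str]  # (domain, ip, port, proto)


def parse_rows(table: str) -> List[Tuple[str, str, str, str]]:
    """Yield (country, destination, domain, proto) for every data row of the pipe table."""
    rows = []
    for line in table.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        cc, dst, domain, proto = cells
        # Some exports collapse an empty Domain cell, shifting the protocol one column left.
        if domain in ("tcp", "udp") and proto == "":
            domain, proto = "", domain
        rows.append((cc, dst, domain, proto))
    return rows


def is_background(domain: str) -> bool:
    return any(domain == s or domain.endswith("." + s) for s in BACKGROUND_SUFFIXES)


def extract_iocs(table: str) -> Dict[str, object]:
    connections: Set[Connection] = set()
    background: Set[Connection] = set()
    queried: Set[str] = set()
    loopback = 0
    for _, dst, domain, proto in parse_rows(table):
        ip, _, port = dst.rpartition(":")
        port = int(port)
        if ip.startswith("127."):
            loopback += 1  # sandbox-local sockets, no external meaning
            continue
        if port == 53 and proto == "udp":
            # Resolver traffic: keep forward lookups of non-background names only.
            if domain.endswith(".in-addr.arpa") or is_background(domain):
                continue
            queried.add(domain)
            continue
        conn = (domain, ip, port, proto)  # 443/udp rows are QUIC to the same host
        (background if is_background(domain) else connections).add(conn)
    connected = {c[0] for c in connections}
    return {
        "connections": sorted(connections),
        "attacker_domains": sorted(connected - SHARED_HOSTING),
        "shared_hosting": sorted(connected & SHARED_HOSTING),
        "dns_only": sorted(queried - connected),  # resolved but never contacted
        "background": sorted(background),
        "loopback_rows": loopback,
    }


if __name__ == "__main__":
    for key, value in extract_iocs(NETWORK_TABLE).items():
        print(f"{key}: {value}")
```

Domains that appear under `dns_only` are worth a second look in a longer detonation: a name resolved but never contacted is often a C2 candidate the sample decided not to use in the sandbox.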
Files
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\db\data.safe.bin
| MD5 | a1952e4576089281ab69b8eb7d25ab29 |
| SHA1 | e27acf9a6e5901ed779198c88219ad7149b4146f |
| SHA256 | cab97728af3d8e13362c31cda75291d15bc8e028498683ed85f701bee82716ec |
| SHA512 | d883f6e50f9e03208c16076598a89422d978205d78b8367e7f4b421102f675dd4d4894ad7976dbd7cf25b8e4d44184887a39da80a64204f0c93f9b6daf6358c8 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 008a7083267b76913aca82854e1a90cb |
| SHA1 | 601d46b7c79cf073d89290fba61a4ce925feb1fc |
| SHA256 | b823422e09482f21ab31e3900047788883c0b6c95586a4e042bda99e70df1a28 |
| SHA512 | 645cc8d472babf9190224f523f54e133070adc42b42d8dc371412a688c69906383714ed7153a091b0dd2dbcbf55c0a1d95dbf2fe7116b617778ece2d1df3c6ef |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\364d529e-bbda-480d-b433-a20a01ff816b
| MD5 | 738ab1fa42589949873a2bcc56d651fe |
| SHA1 | cf4446f6264ebd9abdc5beaf51111bb616784511 |
| SHA256 | 2eeef2660efbf91b97c98bbb14471bb22fc217384a7a85f925e1b9753a3d2361 |
| SHA512 | 9d25b46b52b68b791881dd1662744069c9b4970bd5c414319b1ec72a8d72d28c7d78831913390fc898e61d3c5a1da14ff746809b627dd0029135cc7970b99aab |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\a6d68437-aa79-4ad1-a33b-3c41a90fd496
| MD5 | 405a6d2606cc8014f20a57c7f303d4c4 |
| SHA1 | 9795415a31027e92035632d29f5f6c5528dcef98 |
| SHA256 | 64dac15a102aad98ea50e99063d0aace2cb1027b46141b3b446206220b0bb6c5 |
| SHA512 | 8b1e187e780267c15b4747ba03a919cd46fc4cf633c1b33f77d513e07dad3213150cc6a2e81ce76fe26cea97dc1a341ef3d272dc9c5404b61a9111e91df4d127 |
C:\Users\Admin\Downloads\Bootstraper.6Vv-kbuE.exe.part
| MD5 | 6c2155fc3751b9c84b0445a1697899b9 |
| SHA1 | c699d5bf75c64aad4c34fe69c48a1f531d177128 |
| SHA256 | 8d12e065d2cc7d56bfe77dbd432611aedbb8ef05a45a237160d855cef15bb6d6 |
| SHA512 | a49ec4b24885979c1fd84a8aafe9f41cc653a40949e9f2109d39a943ac0c49c5c038f6446bfb7dfff5eb8c7d4efc6669482849ce45987c57d1354ec8153d3198 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | a844f94c0cc8610d71f4dc0403bb8566 |
| SHA1 | f45b62f345ce0e7c514e9bf86d163f3b544273f4 |
| SHA256 | 9900dcd59cd9a450eb93c38a80f4325dbc4fef929e405c05410187d553c5be97 |
| SHA512 | c56093c2d2d04f64c631841b595239f354f041a9176d259375a9df4784631d53871cef66d161eba7c65c8c4100bd820e54e50dce916e504bc2e6d50a63c9a3b6 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
| MD5 | c460716b62456449360b23cf5663f275 |
| SHA1 | 06573a83d88286153066bae7062cc9300e567d92 |
| SHA256 | 0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0 |
| SHA512 | 476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | d7714cea3a9745be082627131012cb8f |
| SHA1 | ccee857effef7716b5d220d20df7b74abfe1456f |
| SHA256 | fb4384cbd59d845e1f6d2ac413ba5ec07e910e9bc0d657c03775f5132cbdc14a |
| SHA512 | 264455c268961f5969f8742546bfa6893491097751a438e6129db1445139ee904e71e0960260e7113c225dc5eb39e77a34a78a982ea5d85f87c957777758952e |
C:\Users\Admin\Downloads\Bootstraper.exe
| MD5 | c50467b5fb84d76fe915c8c175be02b8 |
| SHA1 | f90df72fc5195ad11be36dddf8543b2381d585aa |
| SHA256 | 83eeb9b2ba7a602cc27d74322423e42d75d41aa9e0a65799841ab900ebacdfa4 |
| SHA512 | 17131d92f50ad6313ab5a3cecd7b897ea2ec01ffe02f9cd4d08b2af1f7fb928d430fb618061dab2071625663c075796a58925213598cf875244b5dfb3b4a9ec8 |
memory/4556-149-0x000000007376E000-0x000000007376F000-memory.dmp
memory/4556-150-0x0000000000FB0000-0x0000000000FCC000-memory.dmp
memory/4556-151-0x0000000073760000-0x0000000073E4E000-memory.dmp
memory/4556-152-0x0000000073760000-0x0000000073E4E000-memory.dmp
memory/4556-153-0x000000000A050000-0x000000000A070000-memory.dmp
memory/4528-156-0x0000000004530000-0x0000000004566000-memory.dmp
memory/4528-157-0x0000000073760000-0x0000000073E4E000-memory.dmp
memory/4528-162-0x0000000006CF0000-0x0000000007318000-memory.dmp
memory/4528-163-0x0000000073760000-0x0000000073E4E000-memory.dmp
memory/4556-164-0x000000000A040000-0x000000000A048000-memory.dmp
memory/2732-165-0x0000000007290000-0x0000000007312000-memory.dmp
memory/2732-166-0x0000000007320000-0x0000000007342000-memory.dmp
memory/2732-168-0x0000000007430000-0x0000000007496000-memory.dmp
memory/2732-167-0x00000000073C0000-0x0000000007426000-memory.dmp
memory/4556-169-0x000000000A1E0000-0x000000000A218000-memory.dmp
memory/2732-170-0x0000000007CA0000-0x0000000007FF0000-memory.dmp
memory/3772-171-0x00000000072C0000-0x00000000072D0000-memory.dmp
memory/4528-172-0x0000000007BC0000-0x0000000007CC2000-memory.dmp
memory/4528-173-0x0000000007560000-0x000000000757C000-memory.dmp
memory/4528-174-0x0000000008090000-0x00000000080DB000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js
| MD5 | 7f2434aa62620cbce11de2dbf0587dec |
| SHA1 | 1890370aef905c9ee16c05f27efcce00bf44b4b8 |
| SHA256 | b49a86da5d25614e1f07f2adbb51e564f8bc2ce67503143cd8338eda8c5d07f8 |
| SHA512 | 0d4d8d013fe08d9c3624c6bc2775eeae57baf8e777b08c9720c5251cd7e56a5740dc917152d0fc7d438a9ec4a753767412dd72b7a0c6c6fbc4796b593c2f622c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js
| MD5 | dea5bde11181e25fb548d3ba64975eca |
| SHA1 | 327e289450b139d7fef2ac8d89d1443838102c0c |
| SHA256 | 2f8e69efb8e0b323d4c45dc71663cf75e73080eabd11f82f0a24d43786b122b4 |
| SHA512 | 033497f45fa270d896ffa85409b576b9c0509c6ae0ef5d0fb606184f14f43ac34dc3e961387eba67367a168b8bb84c4015a55e161aa0d7aada08b946aab87271 |
memory/4528-192-0x0000000007EF0000-0x0000000007F66000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vdaqsm5m.wna.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4556-221-0x000000007376E000-0x000000007376F000-memory.dmp
memory/4556-228-0x0000000073760000-0x0000000073E4E000-memory.dmp
memory/868-240-0x0000000000920000-0x000000000099E000-memory.dmp
C:\SGDT\soles.exe
| MD5 | 844b868dabe70a2748c5f86c327e9391 |
| SHA1 | 1d5ec1aa30faef047cda55d09b528046f275b9ff |
| SHA256 | c339bc88c7ecc7c7d099e8457e16a7094fc2243e68ec30041d048b4f97b224c1 |
| SHA512 | 92d93457a93969dbe3b8fcfb120be7cec97fc38646aa5b08b926ed2c909f3872ed00ff27f0b8423e7ad1d8dedb72511893504e8a6658cd9c35de0ce7c9151859 |
memory/4556-241-0x0000000073760000-0x0000000073E4E000-memory.dmp
memory/4528-243-0x0000000073760000-0x0000000073E4E000-memory.dmp
memory/4528-257-0x0000000008FD0000-0x0000000009003000-memory.dmp
memory/3772-259-0x000000006C250000-0x000000006C29B000-memory.dmp
memory/2732-261-0x000000006C250000-0x000000006C29B000-memory.dmp
memory/4528-260-0x0000000008D30000-0x0000000008D4E000-memory.dmp
memory/2732-270-0x0000000009720000-0x00000000097C5000-memory.dmp
memory/4528-258-0x000000006C250000-0x000000006C29B000-memory.dmp
memory/2732-275-0x0000000009A90000-0x0000000009ADA000-memory.dmp
memory/4528-276-0x0000000073760000-0x0000000073E4E000-memory.dmp
memory/868-277-0x0000000003D30000-0x0000000004130000-memory.dmp
memory/868-279-0x0000000003D30000-0x0000000004130000-memory.dmp
memory/4528-278-0x0000000009370000-0x0000000009404000-memory.dmp
memory/868-438-0x0000000075140000-0x0000000075302000-memory.dmp
memory/5616-481-0x0000000000720000-0x0000000000729000-memory.dmp
memory/868-484-0x0000000000920000-0x000000000099E000-memory.dmp
memory/868-324-0x00007FFD46760000-0x00007FFD4693B000-memory.dmp
memory/5616-490-0x0000000004780000-0x0000000004B80000-memory.dmp
memory/5616-491-0x00007FFD46760000-0x00007FFD4693B000-memory.dmp
memory/5616-493-0x0000000075140000-0x0000000075302000-memory.dmp
memory/4556-501-0x0000000073760000-0x0000000073E4E000-memory.dmp
C:\Users\Public\Desktop\BootstrapperV1.16.exe
| MD5 | 76639ab92661f5c384302899934051ab |
| SHA1 | 9b33828f8ad3a686ff02b1a4569b8ae38128caed |
| SHA256 | 6bb9ad960bcc9010db1b9918369bdfc4558f19287b5b6562079c610a28320178 |
| SHA512 | 928e4374c087070f8a6786f9082f05a866751ea877edf9afa23f6941dfc4d6762e1688bbb135788d6286ec324fa117fc60b46fed2f6e3a4ab059465a00f2ebee |
memory/4528-835-0x00000000091D0000-0x00000000091EA000-memory.dmp
memory/4528-858-0x0000000008FB0000-0x0000000008FB8000-memory.dmp
memory/5856-900-0x0000025E38390000-0x0000025E3845E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 1c19c16e21c97ed42d5beabc93391fc5 |
| SHA1 | 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68 |
| SHA256 | 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05 |
| SHA512 | 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ccbee3362095c6b0fbf572b2c9831046 |
| SHA1 | 7fa7ba6fa7001cac40f902572946770297637073 |
| SHA256 | 129e1fd993e0bb4c03676dec872b068b29982a655e39a4cdfc2ea96bf9d3f7c3 |
| SHA512 | 5119d3be9b9009f91de64e75206764e143891e8554c1fc14ad45a7bab9533ac8ad426094849a270f8d949a70db4807f3c42ab81219162df4b4046efdfb241218 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 74dbd52fa497c8b49c964a6298fc155e |
| SHA1 | 5516f07d75b43094960d015ce42d191841f52da3 |
| SHA256 | 5ebe55f94fec19ca1c9987e08632c0447650c238f022f344d7da43135f7c3afa |
| SHA512 | 12ae1cd1b254f99a67c3eda8d9e8e48e87293d46a785f02067c781e310002e3d158b2de7f22523127c20e86989723fdd0637cb6b4293f47832b9c0ed0854a2dd |
memory/4528-924-0x0000000073760000-0x0000000073E4E000-memory.dmp
memory/5856-933-0x0000025E38870000-0x0000025E388B0000-memory.dmp
memory/5856-934-0x0000025E52DB0000-0x0000025E52EB2000-memory.dmp
C:\Users\Admin\Desktop\DISCORD
| MD5 | 487ab53955a5ea101720115f32237a45 |
| SHA1 | c59d22f8bc8005694505addef88f7968c8d393d3 |
| SHA256 | d64354a111fd859a08552f6738fecd8c5594475e8c03bb37546812a205d0d368 |
| SHA512 | 468689d98645c9f32813d833a07bbcf96fe0de4593f4f4dc6757501fbce8e9951d21a8aa4a7050a87a904d203f521134328d426d4e6ab9f20e7e759769003b7c |