Malware Analysis Report

2025-03-15 08:28

Sample ID 241020-thnx7awhla
Target appleskin-fabric-mc1.20.1-2.5.1.jar
SHA256 85e23a429634048a2e9addc808914c1c43083083f5e21f2bf3c39c49e5af38b5
Tags discovery evasion ransomware
Score 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 9/10

SHA256 85e23a429634048a2e9addc808914c1c43083083f5e21f2bf3c39c49e5af38b5

Threat Level: Likely malicious

The file appleskin-fabric-mc1.20.1-2.5.1.jar was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion ransomware

Modifies boot configuration data using bcdedit

Modifies file permissions

Modifies data under HKEY_USERS

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 16:03

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 16:03

Reported

2024-10-20 16:38

Platform

win10v2004-20241007-en

Max time kernel

1151s

Max time network

1148s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\appleskin-fabric-mc1.20.1-2.5.1.jar

Signatures

N/A

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\appleskin-fabric-mc1.20.1-2.5.1.jar

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

memory/4920-2-0x000001BD36330000-0x000001BD365A0000-memory.dmp

memory/4920-12-0x000001BD36330000-0x000001BD365A0000-memory.dmp

memory/4920-11-0x000001BD34A50000-0x000001BD34A51000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 16:03

Reported

2024-10-20 16:21

Platform

win10-20240404-en

Max time kernel

130s

Max time network

131s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\appleskin-fabric-mc1.20.1-2.5.1.jar

Signatures

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3692 wrote to memory of 4892 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe
PID 3692 wrote to memory of 4892 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe
PID 4768 wrote to memory of 4660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4768 wrote to memory of 4660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4768 wrote to memory of 4660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4768 wrote to memory of 4660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4768 wrote to memory of 4660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4768 wrote to memory of 4660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4768 wrote to memory of 4660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4768 wrote to memory of 4660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4768 wrote to memory of 4660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4768 wrote to memory of 4660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4768 wrote to memory of 4660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 1836 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 1836 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3240 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4660 wrote to memory of 3200 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\appleskin-fabric-mc1.20.1-2.5.1.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4660.0.1984423922\65492471" -parentBuildID 20221007134813 -prefsHandle 1704 -prefMapHandle 1700 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {39d2ade3-db5b-472b-9562-cb76c22d2ee3} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" 1784 17e158d8b58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4660.1.163720386\91508167" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b7d3bf6-1e87-4a5c-9a3e-5cf3723b2d66} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" 2136 17e0a672e58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4660.2.1623063092\1492818726" -childID 1 -isForBrowser -prefsHandle 2768 -prefMapHandle 3000 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {11de0954-62e3-4b50-bc9d-4f876d2d451a} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" 2888 17e1989cd58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4660.3.635810991\1343293442" -childID 2 -isForBrowser -prefsHandle 3500 -prefMapHandle 3496 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a76628d6-d630-439b-9b00-7b0deeb0f5c1} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" 3480 17e0a65c158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4660.4.780089514\84479855" -childID 3 -isForBrowser -prefsHandle 3896 -prefMapHandle 3892 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd0b7fa3-cfc0-4ade-9658-2e0b5efd128b} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" 3908 17e1ab9fc58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4660.5.1993574554\228790565" -childID 4 -isForBrowser -prefsHandle 4836 -prefMapHandle 4780 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c33e6665-282b-4ad3-a774-579d263e1b8d} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" 4800 17e158da658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4660.6.2045015535\1574268671" -childID 5 -isForBrowser -prefsHandle 4836 -prefMapHandle 4780 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d27fa821-9cb6-42d1-954c-a32f8cb20930} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" 4940 17e1c31a358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4660.7.392811167\1206208986" -childID 6 -isForBrowser -prefsHandle 5104 -prefMapHandle 5108 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {273c4ee3-cff1-403f-94c0-f6edf34ed610} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" 4896 17e1c318258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4660.8.1708524869\314384823" -childID 7 -isForBrowser -prefsHandle 3300 -prefMapHandle 2572 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d07b06a4-a368-499a-a49c-585b7357ba4c} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" 2772 17e15b22f58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4660.9.445188094\773592133" -childID 8 -isForBrowser -prefsHandle 2740 -prefMapHandle 4764 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5aaae700-f438-4dc7-b69b-1dbef03fa362} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" 3888 17e19ead858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4660.10.57536069\1177016754" -parentBuildID 20221007134813 -prefsHandle 4248 -prefMapHandle 4020 -prefsLen 26503 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {65fcf6d6-d18d-4c12-b338-e2df10b4888e} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" 4056 17e17fb7558 rdd

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\bcdedit.exe

bcdedit /set {current}

C:\Windows\system32\bcdedit.exe

bcdedit /set {current} safeboot minimal

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0 /state0:0xa3af4855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
N/A 127.0.0.1:49778 tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 166.188.117.34.in-addr.arpa udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 43.49.25.52.in-addr.arpa udp
N/A 127.0.0.1:49785 tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.4:443 www.google.com udp
US 8.8.8.8:53 4.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 csp.withgoogle.com udp
GB 142.250.180.17:443 csp.withgoogle.com tcp
US 8.8.8.8:53 csp.withgoogle.com udp
US 8.8.8.8:53 csp.withgoogle.com udp
GB 142.250.180.17:443 csp.withgoogle.com udp
US 8.8.8.8:53 194.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 17.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 142.250.200.42:443 ogads-pa.googleapis.com tcp
GB 142.250.200.42:443 ogads-pa.googleapis.com tcp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
GB 216.58.212.206:443 play.google.com udp
GB 142.250.200.42:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 206.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 consent.google.com udp
US 8.8.8.8:53 encrypted-vtbn0.gstatic.com udp
GB 216.58.201.110:443 consent.google.com tcp
US 8.8.8.8:53 consent.google.com udp
GB 142.250.200.46:443 encrypted-vtbn0.gstatic.com tcp
US 8.8.8.8:53 encrypted-vtbn0.gstatic.com udp
GB 142.250.200.46:443 encrypted-vtbn0.gstatic.com tcp
US 8.8.8.8:53 consent.google.com udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 encrypted-vtbn0.gstatic.com udp
GB 216.58.201.110:443 consent.google.com udp
GB 142.250.200.46:443 encrypted-vtbn0.gstatic.com udp

Files

memory/3692-2-0x0000028F80000000-0x0000028F80270000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 68898f139019ee020c6392776fc979e8
SHA1 d92df97d2ff3e0b4b483dbbe2b1e476d180c3aeb
SHA256 d52a7b13d41f009a8c2c545557b00094f92187eb688725eba494746526d03dfe
SHA512 c33f95bbec4c6839702e4c716183c6879a90abdd8fb5a9ff2066ea005643ef82be43a3d119c7b20b7598c0d8f343bb06352f73cc9cb66361010e3a1a9c0d00dd

memory/3692-12-0x0000028FFB370000-0x0000028FFB371000-memory.dmp

memory/3692-13-0x0000028F80000000-0x0000028F80270000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin

MD5 f430eaec633a0ca454bbb17554f9baba
SHA1 b61784c28164c8399517176f42ff0d8fba23dac0
SHA256 67a95768fb8aa18b53d605b727ab5315ec27f0edef23599e28e7765e86b469d0
SHA512 670525b8ed0d93a9cbae2c8ddd58027d975133d84e043ed91bc0c34781e70447853fa9fd0e5c71c9baccf628a65b1cb0026a0c35c1f52e1163ea058f36ac1065

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\3ddabf63-8c49-4c4d-ba2e-27d1d7bfc1d8

MD5 c0ee4c51e2266d6d6fe939fd333b8806
SHA1 5f3e087f0debd5d4799d02488d79a88b4d83b511
SHA256 c4d42e8444dd7b3e788c99a37846953b5a97fae76095486d3d8012c49c55f359
SHA512 bb714950124aa95a6928118cf522dc130901ece423024ed62b7550d965471914bd1075592da40dd56a58f34da735eadeb0d4edb09f944e26fe0312347370ffcf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\63b83fb4-0a90-42f0-b9d2-ecf3c3598566

MD5 c2e25f32b19a1794a576562a39b24a8c
SHA1 d596b95dfef161e1c40ac3f429d646e16232e402
SHA256 3c6c43dc160bd22f39f11d87fcf676f66b006c19c069a3d8c79e7cd6d8f27b01
SHA512 cf0b9473d6d83a804a1ba0948ee5df595a849af6b199401fa5b37c5e91e35b7fe3df6ad3dca833036d9a81c00df8076be48054a434fc7d84f0ae0858c578afba

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs.js

MD5 0191d73e1b273d99cf500f216eecc558
SHA1 5fe835c707306f4ee2768cd683b56379c33709cc
SHA256 e83e030233b4e2fe30a972d190edc972c02063456aa05afc0625eea0cae19b93
SHA512 f51d3233d9d7f4ce4a8ed0bd43d3a5e6d3db4cc5b6d576b87c426ea39fdc5086109ba95f30c3408cf91e1f8a8872096a659443b02db1ce6e2adf8e2a66dfeaae

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 0ed2663971e8051b2bcb574926400fa8
SHA1 467756bf41c377bdb07c8be10d5391f1df1d80a7
SHA256 0c44c9887ebd30506041e4f483422673660df0b74c7468b0cab2c69bee1f4e8c
SHA512 e521f02d0a4dc70e3bb33747c5113c76f18f15b4370826ef13700c4f559c8b158ed1d8ef79d7d88794bfea61496a75d653237391f2f8b5e53d8574a21f113898

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

MD5 4bddc6aa6d6c8a73f55bb4665761f997
SHA1 9a5fa496978ccc4fff57c62b67419a1f333212a6
SHA256 aa5818299da10af7aded5ee4933a1b6e738cf7aeea46b7ab4750d59273df9044
SHA512 b66ebaa1dd539271ef67b70f32f2ee300c1580250c9279eea6c68153123fb67c0be906755872d7af37d16d7f4ec8702d9eefb373ff2f11950e1c374a86ac52e3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

MD5 68f736a4a5d4466bf90d52cbb13a4e84
SHA1 86ee4e51edf479e59c86813a473afef7d4660692
SHA256 55b1b964fecb212866cc209ca9fdd9bd2877ec6ba503149a93226c5825e138bb
SHA512 1904bd92e7553c3eb13a6afe93d940cab7ab78da4f199f921a2be9796658a05069d82e19c7b3fa5235d994ff6f9dbbdb52d6d3e3536b028fed1cde34244dcfe7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

MD5 8d9891a146dac397ef301d63967c4afa
SHA1 4e9e03035ca96f483f32711a6c6d3e98def74731
SHA256 fc153c03579103558f02e6dc50ac29ad568b2077dc24459840379c6a624d9358
SHA512 51316c6122ba239e2ac409af0386968964263dc1e6f3690781408f5c047a79b00b2fb8033b97f26a5b8bd9c323d52004320c2f94453625c874f82d5ba43e46cd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

MD5 82beb412900f2cd3afa3f8c4952d1be9
SHA1 44ac217677755b1afb087f07fe640b35c77ee85c
SHA256 4e1275fb3a11561212a6fa8fbb3800fe5a43e10f3f0889e4a4d46ce85b4819f1
SHA512 e967b5337eaac055481d4f75e117b77cecb8e5b643e1d98cd66822e34d12b0d16932e4dbab4d3fec1a59ed5638e7b669c71fbadcde7a9961554263d207352a90

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

MD5 2c9e67b5e21d791d02c194aabdfde0dd
SHA1 075c2054770c981381a5fa5b92543c648f163f53
SHA256 80bb2cc4ed32fb9d0860e85a6abb48661f2ddfd28a78d2f957b40bc04a2768c7
SHA512 6329fc3b9ce0982f37df9f97b41a15754cf9777e277a0ef7579806dc86371b2dfe5df934e71b4bba6011a71b0d7619f6a1f47b788d677cc95c4585ff9af08df5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

MD5 bd0a6477125f0db9cae6eae150bff9ae
SHA1 5f3c01a57263470a84d6325dc97f2185d4ca23d4
SHA256 7db3715ff09a256d83d11c9d423e46bffccf9ec8f587d9aa24c0c60917b0bfa5
SHA512 823504b2c05dbff9a39a1e8b11f4b115fe7cdc05bc39fc1ac7a84969b47af901609d044182000e39f7f363adeab888000f4b039ba6c06a28199f95ec34116277

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

MD5 6a33ea490df3b8b7964c08b8bb23260c
SHA1 9a7a9984e3705cd1743159bd024e615bc9ee8928
SHA256 01db07d8803793eb417d3546c2b2021a941cb59009074b0c3eb57ead3005a133
SHA512 1edf60874685988520f99754c0885af1e8184b910c16db025b258f3133a5feb4352bc95197d9c72d4d661a784c2f372c604a9f4000cc14c3ae5e09cb1141f80f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

MD5 08f3ebdf5e585124393e316752c792cf
SHA1 09dc1c0871e938aa594a4a557e016384da181161
SHA256 4273e243271b64bd30bca12bd9ca586ffef74a0015817220f70ab6ae46187dda
SHA512 31eafbb99168c8df69bc41acaf1669d34b8b89f78c507dd5a66908677e4ccfcc46c0d55534b1fcdd40e2f227fdd47dda77f245276c4481b4b44191ee3225b793

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionCheckpoints.json.tmp

MD5 c8dc58eff0c029d381a67f5dca34a913
SHA1 3576807e793473bcbd3cf7d664b83948e3ec8f2d
SHA256 4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17
SHA512 b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore.jsonlz4

MD5 8ce91384441beed43e9e450c88d56968
SHA1 151f22ea67717d1f953ffa699291413e2f1db4d3
SHA256 f681eb76e7c91c5b1c9df4457f62489c42e1097955bb330a1091597c8f8747ca
SHA512 9fbd703cc8e5361814d3fe69c38bcf80ad4fa490ccde13793fd5acb3b378c88e5ca39538f651780408f7341019f06eb04ea2201688e47c69dd780644beed3d4e