Malware Analysis Report

2024-10-19 07:11

Sample ID 240430-vxl8ksbe6z
Target godhuntermode.exe
SHA256 26fa94e684087b55f0d0ae839904aba0de3d6bd7f8fc2d19ddea18e6f66b8396
Tags
nanocore evasion keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

26fa94e684087b55f0d0ae839904aba0de3d6bd7f8fc2d19ddea18e6f66b8396

Threat Level: Known bad

The file godhuntermode.exe was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

Nanocore family

Adds Run key to start application

Checks whether UAC is enabled

Drops file in Program Files directory

Unsigned PE

Modifies registry class

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-30 17:22

Signatures

Nanocore family

nanocore

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-30 17:22

Reported

2024-04-30 17:23

Platform

win10v2004-20240419-en

Max time kernel

56s

Max time network

57s

Command Line

"C:\Users\Admin\AppData\Local\Temp\godhuntermode.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files\\DDP Service\\ddpsv.exe" C:\Users\Admin\AppData\Local\Temp\godhuntermode.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\godhuntermode.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\DDP Service\ddpsv.exe C:\Users\Admin\AppData\Local\Temp\godhuntermode.exe N/A
File created C:\Program Files\DDP Service\ddpsv.exe C:\Users\Admin\AppData\Local\Temp\godhuntermode.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\godhuntermode.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\godhuntermode.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\godhuntermode.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\godhuntermode.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1968 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\godhuntermode.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1968 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\godhuntermode.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4292 wrote to memory of 836 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 836 wrote to memory of 4768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 836 wrote to memory of 3376 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\godhuntermode.exe

"C:\Users\Admin\AppData\Local\Temp\godhuntermode.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4B61.tmp"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /create /f /tn "DDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4BA0.tmp"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 25457 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ede40b07-40e0-408d-9f53-144479691608} 836 "\\.\pipe\gecko-crash-server-pipe.836" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2376 -prefsLen 25493 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {244c8de1-d88f-4cd3-ae5b-c7217648d067} 836 "\\.\pipe\gecko-crash-server-pipe.836" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3012 -childID 1 -isForBrowser -prefsHandle 1604 -prefMapHandle 1532 -prefsLen 25634 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12b251f0-4aab-43a4-8f20-34e0c76d8b6e} 836 "\\.\pipe\gecko-crash-server-pipe.836" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3700 -childID 2 -isForBrowser -prefsHandle 3728 -prefMapHandle 3724 -prefsLen 30867 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12089586-7a26-47d9-8ff4-f3123a068d11} 836 "\\.\pipe\gecko-crash-server-pipe.836" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4768 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4868 -prefMapHandle 4884 -prefsLen 30867 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {729173ef-f48c-472b-936d-11cbf733140a} 836 "\\.\pipe\gecko-crash-server-pipe.836" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5256 -childID 3 -isForBrowser -prefsHandle 5260 -prefMapHandle 5212 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0b93b1b-1b82-40c8-8996-28694003f09e} 836 "\\.\pipe\gecko-crash-server-pipe.836" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -childID 4 -isForBrowser -prefsHandle 5368 -prefMapHandle 5268 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {250cd809-fba5-4995-b7c1-fabf896e7d2b} 836 "\\.\pipe\gecko-crash-server-pipe.836" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5592 -childID 5 -isForBrowser -prefsHandle 5148 -prefMapHandle 5168 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7210ec9a-46d4-4169-b486-72d3e6cb3f0b} 836 "\\.\pipe\gecko-crash-server-pipe.836" tab

Network

Country Destination Domain Proto
US 8.8.8.8:53 july-pty.at.ply.gg udp
US 8.8.4.4:53 july-pty.at.ply.gg udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 july-pty.at.ply.gg udp
N/A 127.0.0.1:52999 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 july-pty.at.ply.gg udp
N/A 127.0.0.1:53007 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.4.4:53 july-pty.at.ply.gg udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp4B61.tmp

MD5 f5d30efce4b1aee5eae396d83a3ba12b
SHA1 c710a5815e1431398a03edf703dce91328e06b56
SHA256 3c7dd02a58748453a8f136ba495fbbfebd4d00ff283c0ebf9bc4db32e1d9a948
SHA512 d04000a54938a075c4228ac2c50b4c2389546b953b806cbc6425072ab1cbd79f3ce13b27def1fe15e9fd2e81d06d1d650a3aedd2e0286ad4a445e25a6308bb7b

C:\Users\Admin\AppData\Local\Temp\tmp4BA0.tmp

MD5 15d749210e6e1cb4115160780901c4a3
SHA1 6a0d047973a484874fa07f24ab0a793744c69700
SHA256 7a8e4ca799b470aad149653472d9442aa5815204c04cbbf0fba0d3052b6bd09c
SHA512 369ea9b77c8e847411677caa0a37caef637832468d868d75a0c6d10e9f13442fd7c70b56e38b444034b9dc98ee7e75c361c7561128a8e3280e22b724a088315c
