Malware Analysis Report

2024-11-13 16:45

Sample ID 240709-2pyd7szhjr
Target file.exe
SHA256 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913
Tags
amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d hate discovery evasion spyware stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Reads user/profile data of web browsers

Identifies Wine through registry keys

Loads dropped DLL

Reads data files stored by FTP clients

Executes dropped EXE

Checks computer location settings

Checks BIOS information in registry

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-09 22:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-09 22:46

Reported

2024-07-09 22:49

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\FIIEHJDBKJ.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\FIIEHJDBKJ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\FIIEHJDBKJ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FIIEHJDBKJ.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\FIIEHJDBKJ.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\FIIEHJDBKJ.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
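The registry reads in the VirtualBox, BIOS, Geo\Nation, Wine and CentralProcessor tables above are the part of this report worth turning into reusable logic, because the same four-column rows come out of every run and the job is always the same: separate a VM/sandbox probe (a fresh executable in %TEMP% has no legitimate reason to open the VBOX__ ACPI table name or the Software\Wine key) from ordinary inventory such as firefox.exe reading CentralProcessor\0. The Python below is an added example, not part of the report or of any sandbox's code. It parses rows in the layout used above, maps each key to an ATT&CK technique with weights I chose (T1497.001 for the VirtualBox, Wine and BIOS-string probes, T1614 for the Geo\Nation locale gate, T1082 for the CPU description), counts each (process, key) pair once however many times the sandbox repeats it, and flags processes that combine a T1497.001 hit with a score over a threshold. The sample rows are copied from the tables above; the weights and the threshold are assumptions to tune against your own corpus.

```python
import re
from collections import defaultdict

# Registry-access rows copied from the signature tables above (a constructed subset;
# the sandbox repeats an identical row each time the same key is touched).
SAMPLE_EVENTS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\FIIEHJDBKJ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\FIIEHJDBKJ.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
"""

# Row layout: <operation> <registry path> <process image> <target>. Both the registry
# path and the image path may contain spaces, so the non-greedy groups are anchored on
# the drive-letter prefix of the image and on the single-token target column.
EVENT_RE = re.compile(
    r"^(Key opened|Key value queried|Key created)\s+"
    r"(\\REGISTRY\\.+?)\s+"
    r"([A-Za-z]:\\.+?)\s+"
    r"(\S+)$"
)

# (regex on the registry path, what the read tells the malware, ATT&CK technique, weight).
# Technique assignment and weights are the author's choice, not the sandbox's.
RULES = [
    (r"\\ACPI\\DSDT\\VBOX__$",                        "VirtualBox ACPI table name",   "T1497.001", 5),
    (r"\\Software\\Wine$",                            "Wine compatibility-layer key", "T1497.001", 5),
    (r"\\System\\(System|Video)BiosVersion$",         "BIOS vendor strings",          "T1497.001", 2),
    (r"\\Control Panel\\International\\Geo\\Nation$", "locale / country gate",        "T1614",     2),
    (r"\\CentralProcessor\\0(\\.*)?$",                "CPU description",              "T1082",     1),
]


def parse_event(line):
    """One table row -> dict, or None for lines that are not rows (headers, blanks)."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    op, key, image, target = m.groups()
    return {"op": op, "key": key, "image": image,
            "process": image.rsplit("\\", 1)[-1], "target": target}


def classify_key(key):
    for pattern, meaning, technique, weight in RULES:
        if re.search(pattern, key, re.IGNORECASE):
            return meaning, technique, weight
    return None


def triage(lines):
    """Score hits per process; an identical (process, key) pair counts once."""
    seen = set()
    report = defaultdict(lambda: {"score": 0, "techniques": set(), "hits": []})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        hit = classify_key(ev["key"])
        if hit is None:
            continue
        dedupe = (ev["process"], ev["key"].lower())
        if dedupe in seen:
            continue
        seen.add(dedupe)
        meaning, technique, weight = hit
        entry = report[ev["process"]]
        entry["score"] += weight
        entry["techniques"].add(technique)
        entry["hits"].append((ev["op"], ev["key"], meaning))
    return dict(report)


def flagged_processes(report, threshold=4):
    """Processes whose reads look like a VM/sandbox probe rather than plain inventory."""
    return sorted(name for name, e in report.items()
                  if "T1497.001" in e["techniques"] and e["score"] >= threshold)


if __name__ == "__main__":
    rep = triage(SAMPLE_EVENTS.splitlines())
    for name, e in sorted(rep.items(), key=lambda kv: -kv[1]["score"]):
        print(f"{name:16} score={e['score']:2} {sorted(e['techniques'])}")
        for op, key, meaning in e["hits"]:
            print(f"    {op:18} {meaning:30} {key}")
    print("anti-analysis candidates:", flagged_processes(rep))
```

On the sample rows this flags FIIEHJDBKJ.exe and explorti.exe only: firefox.exe's CentralProcessor reads and cmd.exe's single Geo\Nation read stay below the threshold, which is the behaviour you want before the logic is pointed at a whole corpus of reports.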

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FIIEHJDBKJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1008 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1008 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1008 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1008 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1008 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1008 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1588 wrote to memory of 4656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\FIIEHJDBKJ.exe
PID 1588 wrote to memory of 4656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\FIIEHJDBKJ.exe
PID 1588 wrote to memory of 4656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\FIIEHJDBKJ.exe
PID 4656 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\FIIEHJDBKJ.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4656 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\FIIEHJDBKJ.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4656 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\FIIEHJDBKJ.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1336 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\a3620829e2.exe
PID 1336 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\a3620829e2.exe
PID 1336 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\a3620829e2.exe
PID 1336 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe
PID 1336 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe
PID 1336 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe
PID 1664 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1664 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3960 wrote to memory of 1360 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3960 wrote to memory of 1360 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3960 wrote to memory of 1360 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3960 wrote to memory of 1360 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3960 wrote to memory of 1360 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3960 wrote to memory of 1360 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3960 wrote to memory of 1360 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3960 wrote to memory of 1360 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3960 wrote to memory of 1360 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3960 wrote to memory of 1360 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3960 wrote to memory of 1360 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
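Read this table as a process-lineage record, not as proof of injection. Every row pairs a parent with a child it has just created, in groups of two or three writes per child; that is what ordinary process creation on Windows produces (the parent populates the new process before it runs), which is why the sandbox tags the API as suspicious rather than as injection. The 11 and 33 writes from firefox.exe into firefox.exe are the browser starting its own -contentproc children listed under Processes. What the rows do give you is the drop-and-launch chain: file.exe -> cmd.exe /c start -> FIIEHJDBKJ.exe -> explorti.exe -> a3620829e2.exe and 4b28da5af2.exe -> firefox.exe. Note also that the four bare explorti.exe entries at the end of the Processes list have no parent edge here, so whatever relaunched them (the page's own candidate is the explorti.job task written to C:\Windows\Tasks) is not captured by this table; use process-creation events for that. The Python below is an added example, not the sandbox's code: it rebuilds the tree from the rows, counts writes per edge, marks self-spawns, and lists the executables launched from %TEMP% as the dropped stages to collect. The sample rows are copied from the table above, reduced to one row per edge except the first edge, which keeps its three.

```python
import re
from collections import defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" table above. Constructed
# subset: the first edge keeps its three rows, every other edge is reduced to one row.
SAMPLE_ROWS = r"""
PID 1008 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1008 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1008 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1008 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1588 wrote to memory of 4656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\FIIEHJDBKJ.exe
PID 4656 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\FIIEHJDBKJ.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1336 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\a3620829e2.exe
PID 1336 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe
PID 1664 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3960 wrote to memory of 1360 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1360 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
"""

# Row layout: PID <src> wrote to memory of <dst> <indicator> <src image> <dst image>.
# Image paths may contain spaces, so the source image is matched non-greedily up to
# the drive-letter prefix of the destination image.
ROW_RE = re.compile(
    r"^PID (\d+) wrote to memory of (\d+)\s+\S+\s+"
    r"([A-Za-z]:\\.+?)\s+"
    r"([A-Za-z]:\\.+)$"
)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_edges(lines):
    """(src_pid, dst_pid) -> {'src': image, 'dst': image, 'writes': count}."""
    edges = {}
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        e = edges.setdefault((int(src), int(dst)), {"src": src_img, "dst": dst_img, "writes": 0})
        e["writes"] += 1
    return edges


def images(edges):
    """pid -> image path, taken from whichever edge mentions the pid."""
    names = {}
    for (src, dst), e in edges.items():
        names[src] = e["src"]
        names[dst] = e["dst"]
    return names


def roots(edges):
    """PIDs that write to others but are never written to: the top of each chain."""
    targets = {dst for _, dst in edges}
    return sorted({src for src, _ in edges} - targets)


def lineage(edges, pid):
    """Image basenames from the root down to pid (first recorded parent wins)."""
    parent = {dst: src for src, dst in edges}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    names = images(edges)
    return [basename(names[p]) for p in reversed(chain)]


def temp_executables(edges):
    """Images launched from %TEMP%: the dropped stages worth collecting as IOCs."""
    return sorted({basename(e["dst"]) for e in edges.values()
                   if "\\appdata\\local\\temp\\" in e["dst"].lower()})


def render(edges):
    """Indented tree; 'self-spawn' marks a parent launching its own image."""
    kids = defaultdict(list)
    for (src, dst), e in edges.items():
        kids[src].append((dst, e))
    names = images(edges)
    out = []

    def walk(pid, depth, note):
        out.append(f"{'  ' * depth}{pid} {basename(names[pid])}{note}")
        for dst, e in sorted(kids.get(pid, []), key=lambda t: t[0]):
            same = basename(e["src"]).lower() == basename(e["dst"]).lower()
            walk(dst, depth + 1, f"  [{e['writes']} write(s){', self-spawn' if same else ''}]")

    for r in roots(edges):
        walk(r, 0, "")
    return out


if __name__ == "__main__":
    edges = parse_edges(SAMPLE_ROWS.splitlines())
    print("\n".join(render(edges)))
    print("dropped stages:", temp_executables(edges))
    print("lineage of 4856:", " -> ".join(lineage(edges, 4856)))
```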

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FIIEHJDBKJ.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AKKKFBGDHJ.exe"

C:\Users\Admin\AppData\Local\Temp\FIIEHJDBKJ.exe

"C:\Users\Admin\AppData\Local\Temp\FIIEHJDBKJ.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\a3620829e2.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\a3620829e2.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1932 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1582112-41b1-4f79-ac42-3cb3436c515d} 1360 "\\.\pipe\gecko-crash-server-pipe.1360" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63f11193-ee98-4f65-85f0-065ba72bfcc6} 1360 "\\.\pipe\gecko-crash-server-pipe.1360" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3092 -childID 1 -isForBrowser -prefsHandle 1432 -prefMapHandle 2812 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2510895b-be24-4cd1-90fd-4e2fe10d8c5f} 1360 "\\.\pipe\gecko-crash-server-pipe.1360" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3908 -childID 2 -isForBrowser -prefsHandle 3872 -prefMapHandle 3868 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70201111-5195-4c49-beea-1abe9420e69c} 1360 "\\.\pipe\gecko-crash-server-pipe.1360" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4628 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4620 -prefMapHandle 4616 -prefsLen 31163 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9caec85d-d1cc-4e36-9530-f4442ceab21b} 1360 "\\.\pipe\gecko-crash-server-pipe.1360" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 3 -isForBrowser -prefsHandle 5524 -prefMapHandle 5520 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67c12ae4-7f47-4f8d-ae3c-ddcc75457c55} 1360 "\\.\pipe\gecko-crash-server-pipe.1360" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5628 -childID 4 -isForBrowser -prefsHandle 5708 -prefMapHandle 5704 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c9b75a7-a07c-4c78-a2f6-21bb79711e56} 1360 "\\.\pipe\gecko-crash-server-pipe.1360" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5860 -childID 5 -isForBrowser -prefsHandle 5600 -prefMapHandle 5604 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bfca1b0-c215-479e-b8ff-8982258b2df7} 1360 "\\.\pipe\gecko-crash-server-pipe.1360" tab

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
N/A 127.0.0.1:55021 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.180.14:443 www.youtube.com tcp
GB 142.250.180.14:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
GB 142.250.180.14:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 14.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 52.33.222.107:443 shavar.services.mozilla.com tcp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
GB 216.58.201.110:443 consent.youtube.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 107.222.33.52.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
N/A 127.0.0.1:55029 N/A tcp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com udp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
GB 216.58.201.110:443 consent.youtube.com udp

Files

memory/1008-0-0x0000000000170000-0x0000000000D50000-memory.dmp

memory/1008-1-0x000000007EBB0000-0x000000007EF81000-memory.dmp

memory/1008-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/1008-76-0x0000000000170000-0x0000000000D50000-memory.dmp

memory/1008-77-0x000000007EBB0000-0x000000007EF81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FIIEHJDBKJ.exe

MD5 8c6765fe39a0cf9b8c2ed1fb8649be1c
SHA1 1308a16f47a014b4fe35573d944f69629fbc1255
SHA256 d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0
SHA512 c418c281aba4c5e7c5f58a453b7dac2e42b154572b71ff5ebb1ffd25d94d2d67302a52fdd10786dddeab204bac7f09e27e95d5f8d9f7fe4383ccd630b1948e87

memory/4656-81-0x0000000000420000-0x00000000008BE000-memory.dmp

memory/4656-92-0x0000000000420000-0x00000000008BE000-memory.dmp

memory/1336-94-0x0000000000130000-0x00000000005CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\a3620829e2.exe

MD5 e43a0ac327404f3008b679e0b1293c6b
SHA1 9a2461c520ccc44840c1bd041467ce084dadab51
SHA256 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913
SHA512 804d187c5b62ada2a6d9ad922ce7042c66a0e2110b2cac7c223fcf37b0af3e514bdf37d08eac83972c21968833cd563bc3eb6099ed95df01e45039078b36d58d

memory/2904-110-0x0000000000420000-0x0000000001000000-memory.dmp

memory/2904-111-0x0000000000420000-0x0000000001000000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\prefs.js

MD5 a9cec187d2c5ad25ca8ffed106a488cb
SHA1 a3220ef64a5996e5f82c657950502ebebcdafb72
SHA256 eaa6094b803b75b78a262853affd1f96e43408724c791f5245945e4e24939543
SHA512 4d375e95d53b46dcbc1ac48e870dc5a9379ac23a888e7a23bdd4e116194ab67a4dd60fe3fec0b78603087f830631d442425276bd84c69eab1ce2ddd5ec1812a2

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yol9faaa.default-release\activity-stream.discovery_stream.json.tmp

MD5 d503f9a7e370491f25f26f25f326e7c0
SHA1 8be7f1650779a5d2cd4288dacad75498239a5f8e
SHA256 4b1b431b2ef840e9702fd06d8afb47b51eaa352f329b8bc4657c3e432fc78242
SHA512 65e16f1e9d36fc6ef0fe6f2c80cc812064d58716a201777ceb37a3696ac5b7201c74969e3500c5ce2da19d59f23c18d1e3a0819c2465472269c4d0b20468ba16

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\2d174ab2-173d-4e70-804a-41f4cc4f59ea

MD5 07027d496e867c2f1cf9b08d48a923c0
SHA1 b2249f48d5057f281210d208a926934c425d7ae9
SHA256 4940ccd9dad7716989ab44ff7a30e8675a9db60205964b3f20aaa376526682e2
SHA512 590a2d38b14075d33e2b786a7dd0892d1a9549b93424777b333c9cf5b4f7277f680a06445078cd5ee8f61fb42c0e375ab52893edf02b4f7dedd9a3b5985325fa

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp

MD5 35208189a9b062be93ccd4d7bae6abc4
SHA1 f7a333debde00e09803f76c5a2c5568785993e08
SHA256 b908817d7983ec899378eff9a426225bad15ea4aae3aa421f6f30fe74baec8a2
SHA512 6615136c8673cc167903425ad14876d2d1fe477f3a528751398fb3172939e90a2d150bfac05564be0d161dd0c52a5fec72a86a6c0d4766e3ea8cc1b6c66c93d1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp

MD5 24a481b7e240f82e51c4b6647a28d9da
SHA1 834f07d8145c7d0442af5d884417309c701c67af
SHA256 b0ab139684c19d0fb32202802d1741edad30bc82c6ff60a72575967e55c38f1c
SHA512 e385e030f3a46dfbffbdc128ae42ebcf9f19e4eaea687d27da07bc77c12766514eedf63bf49e0027872a82b7ae8bee7cad88551f10ebc09f6f6827818ce94154

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp

MD5 4ecf653eb5cc309e3a0ef4dfc389ada5
SHA1 e73169a808ae5cb422f6e4ce2461fc65afa3e489
SHA256 69825c21c1e81524eb47809ceb6ca341df84c264bb6793f6b77dae9f77a81622
SHA512 b0291b574a3b53ca67622519e432205e1ce3434f59bba741fa23d8e9a0aa9c3e6da962247128aebf298dc9f031a246f4bec9207430a7bfbac1b34723a2327925

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\1422b79a-8b85-404e-a11a-9af1eaa85398

MD5 b0201bd8160eb33b5e8394c618ffe9aa
SHA1 a3e14ee321266e451d59a37a8fcc1cd65b5fdd6c
SHA256 94f1dae2ee3171b9728e6b6ae865be19746681eea7b2cf2939a961b0991d293b
SHA512 2ff3c03286267f9fb3a1b84ded03410df4364a049e9ac3a6872ce1367d4e81fb084d02c60c3384b3ea6bdb2d1e5e7ace493846a64bf5d06dea58dfe83d269525

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\AlternateServices.bin

MD5 461e7d80dfa1cd698fd40b82ea12c68f
SHA1 66ce5c32b2f65b4aaa7cb0969d84162b73202e3f
SHA256 99dd8c481c4c590ac87568b48a81c85b5b6caefae7ed67ac4e6b0b8ff7153b35
SHA512 188f40bb5c3172bff8db9304e9d64cf247661ef0b05eb70e0734d04dc2609403cfde21416577fd2839122ddd26927bf58ae943762fabf4329e38d6b1abd3a530

memory/1336-451-0x0000000000130000-0x00000000005CE000-memory.dmp

memory/436-456-0x0000000000130000-0x00000000005CE000-memory.dmp

memory/436-462-0x0000000000130000-0x00000000005CE000-memory.dmp

memory/1336-463-0x0000000000130000-0x00000000005CE000-memory.dmp

memory/1336-472-0x0000000000130000-0x00000000005CE000-memory.dmp

memory/1336-477-0x0000000000130000-0x00000000005CE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp

MD5 afd316813c823a03cf045a06b1f3eb63
SHA1 8a13fe4501cee41e1fca5f1a5aa1b91a5d470965
SHA256 1fffbaa839cb8f63f17f15390fe28d4ccacb97c296f974e5cdc7a462b664c083
SHA512 0544fb522188fa8c13b04c87bf5180bd5db7acfe3fe020f520753cbcbc7973f8fde77b95072746614896c76a938488b6473218a8b1847e0e276c1d93f5c3aac0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\prefs.js

MD5 56ee8d7842ce43902b42f8d653391e81
SHA1 22ac0d06085115f869ce4b1fd518061d4edad877
SHA256 42cef8cb548278f03bb4a2490853dcc040c528d5920b17f97923dfe4d0919b1a
SHA512 009e71ee3311f2d970c362b24477f43e34169d7e9dcf7cb73f489ca222211166af0844ddfcd4136c0426816c6ea49076e60e95c6760f51ff6d9f9a93da20d99f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yol9faaa.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 d6c3326716b6fbfb4fa90b717210df29
SHA1 bcc7271d603c9319c353bb8479121d81b3184734
SHA256 220b2c4b58ca16b347e1f3401ec189a1f90f8431724ad2f9e7dd9450e444f2ae
SHA512 ea3eb814c82291cf9e03879587d333b7ad673c574460c1be01e23b3ac9682f23b27dee824c8e83465b32cc2eb4074260b4566cebf847bd4e16a180c887c98416

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\prefs.js

MD5 6aa7fe4b1f24488e5dbc5de45157e8cb
SHA1 98c325d0a7a4a3c1e452350fe5601fcfe81764e4
SHA256 981c6f4ee91ccef860ba3c8aa1e3ec5e6ce6cd9c10587ddf9e7debba56d63a22
SHA512 6bbab2da66a49e66cc4032ee2a22541db134b751acad1c9267d3b520818c039d35db0223b04322008f529d1f443cacb6f5d62ae045e40f391d850c7ed8746cbc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 0185b20ed1cc6ded132a0aacdff6e86d
SHA1 df519aa070aaf20ac7c5f9146e47451e4a26a874
SHA256 9f4b39086adcd77f1d4b59ae07a510c23080c495fcebf19e9157be7aba1d6ac5
SHA512 9bfe9698a47914aea081a2126672b6fdd0f95dfbbd33316592417baf90e160f5d1bc2947501a603ac6a4c429fde48d424300e2d9de9ae182e68fb1cc8b99826d

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\prefs-1.js

MD5 fc3d373bdfae834bf32f879013f23b54
SHA1 0704215fff7bb7a358ebeb7a3ada3ff2966c9d2d
SHA256 2ab9cf8049e58f0a389a14b66aa1bdfde857e009fa2925a30c725890ce52d1e1
SHA512 31fffe0dddb090b191021081dd09e61563df916252c4f1d45c546e444c5c2e0f1ad75b34a19df9306349d583cdef6f6fbc8b78b890457587ceb5986e828c4dde

memory/1336-762-0x0000000000130000-0x00000000005CE000-memory.dmp

memory/1336-1962-0x0000000000130000-0x00000000005CE000-memory.dmp

memory/1336-2664-0x0000000000130000-0x00000000005CE000-memory.dmp

memory/1336-2670-0x0000000000130000-0x00000000005CE000-memory.dmp

memory/4368-2673-0x0000000000130000-0x00000000005CE000-memory.dmp

memory/4368-2674-0x0000000000130000-0x00000000005CE000-memory.dmp

memory/1336-2675-0x0000000000130000-0x00000000005CE000-memory.dmp

memory/1336-2676-0x0000000000130000-0x00000000005CE000-memory.dmp

memory/1336-2677-0x0000000000130000-0x00000000005CE000-memory.dmp

memory/1336-2678-0x0000000000130000-0x00000000005CE000-memory.dmp

memory/1336-2679-0x0000000000130000-0x00000000005CE000-memory.dmp

memory/1336-2680-0x0000000000130000-0x00000000005CE000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-09 22:46

Reported

2024-07-09 22:48

Platform

win7-20240704-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\EGDGCGCFHI.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\EGDGCGCFHI.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\EGDGCGCFHI.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\EGDGCGCFHI.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\EGDGCGCFHI.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EGDGCGCFHI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\6c41f8de5e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2676 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 1172 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EGDGCGCFHI.exe
PID 1636 wrote to memory of 1172 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EGDGCGCFHI.exe
PID 1636 wrote to memory of 1172 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EGDGCGCFHI.exe
PID 1636 wrote to memory of 1172 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EGDGCGCFHI.exe
PID 1172 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\EGDGCGCFHI.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1172 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\EGDGCGCFHI.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1172 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\EGDGCGCFHI.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1172 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\EGDGCGCFHI.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1432 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\6c41f8de5e.exe
PID 1432 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\6c41f8de5e.exe
PID 1432 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\6c41f8de5e.exe
PID 1432 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\6c41f8de5e.exe
PID 1432 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe
PID 1432 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe
PID 1432 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe
PID 1432 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe
PID 1784 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1784 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1784 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1784 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 612 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 612 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 612 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 612 wrote to memory of 1624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 612 wrote to memory of 1624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 612 wrote to memory of 1624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 612 wrote to memory of 1624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 612 wrote to memory of 1624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 612 wrote to memory of 1624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 612 wrote to memory of 1624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 612 wrote to memory of 1624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 612 wrote to memory of 1624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 612 wrote to memory of 1624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 612 wrote to memory of 1624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 612 wrote to memory of 1624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 612 wrote to memory of 1624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 612 wrote to memory of 1624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 612 wrote to memory of 1624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 612 wrote to memory of 1624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 612 wrote to memory of 1624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 612 wrote to memory of 1624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 612 wrote to memory of 1624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 612 wrote to memory of 1624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 612 wrote to memory of 1624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
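
The rows above are one WriteProcessMemory event each, and the PIDs in them chain together into the detonation's process tree (the dropper in Temp, then explorti.exe, then the two downloaded payloads, then Firefox and its content processes). The following script is an added example, not part of the report or of the sandbox's own tooling: it parses rows in the layout printed here, counts writes per parent/child edge, renders the tree, and flags the one edge where an image under a user-writable path writes into a process whose image lives in Program Files. The input is a constructed copy of the seven distinct rows above, repeated as often as the report lists them; the "user-writable" prefixes are an assumption for this example. Note the caveat: the sandbox records a parent writing into a child it has just started as a WriteProcessMemory event, so a flagged edge is where to look first, not proof of injection.

```python
import re
from collections import Counter, defaultdict

# One "Suspicious use of WriteProcessMemory" row as the report prints it:
#   PID <src> wrote to memory of <dst> N/A <src image> <dst image>
# Image paths may contain spaces ("Program Files"), so each path is matched
# lazily up to its ".exe" suffix rather than split on whitespace.
ROW_RE = re.compile(
    r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+?\.exe)$", re.I
)

# Constructed input: the seven distinct rows from the table above, each
# repeated as often as the report lists it (counts copied from the page).
_TMP = r"C:\Users\Admin\AppData\Local\Temp"
_FOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
SAMPLE_ROWS = (
    [rf"PID 1172 wrote to memory of 1432 N/A {_TMP}\EGDGCGCFHI.exe {_TMP}\ad40971b6b\explorti.exe"] * 3
    + [rf"PID 1432 wrote to memory of 2216 N/A {_TMP}\ad40971b6b\explorti.exe {_TMP}\1000006001\6c41f8de5e.exe"] * 4
    + [rf"PID 1432 wrote to memory of 1784 N/A {_TMP}\ad40971b6b\explorti.exe {_TMP}\1000010001\f9efa3893e.exe"] * 4
    + [rf"PID 1784 wrote to memory of 924 N/A {_TMP}\1000010001\f9efa3893e.exe {_FOX}"] * 4
    + [f"PID 924 wrote to memory of 612 N/A {_FOX} {_FOX}"] * 12
    + [f"PID 612 wrote to memory of 2980 N/A {_FOX} {_FOX}"] * 3
    + [f"PID 612 wrote to memory of 1624 N/A {_FOX} {_FOX}"] * 21
)

# Assumed for this example: paths a standard user can write to. A write
# *from* an image here *into* a process whose image lives elsewhere is the
# edge worth reviewing first.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")


def parse_rows(rows):
    """Count WriteProcessMemory events per (src_pid, dst_pid) and record
    the full image path seen for every PID."""
    edges, images = Counter(), {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:            # skip headers, blank lines, other signature rows
            continue
        src, dst = int(m[1]), int(m[2])
        edges[(src, dst)] += 1
        images[src], images[dst] = m[3], m[4]
    return edges, images


def process_tree(rows):
    """Render the parent->child chain implied by the write events, rooted
    at PIDs that are never themselves a write target in the input."""
    edges, images = parse_rows(rows)
    children = defaultdict(list)
    for (src, dst), n in edges.items():
        children[src].append((dst, n))
    roots = sorted({s for s, _ in edges} - {d for _, d in edges})
    lines = []

    def walk(pid, depth, n):
        name = images[pid].rsplit("\\", 1)[-1]
        suffix = f"  [{n} writes]" if n else ""
        lines.append("  " * depth + f"{name} ({pid}){suffix}")
        for child, count in sorted(children[pid]):
            walk(child, depth + 1, count)

    for r in roots:
        walk(r, 0, 0)
    return lines


def cross_trust_writes(rows):
    """Edges where a user-writable image writes into a process whose image
    is outside user-writable space (here: the Temp payload into firefox.exe).
    A parent writing into a child it has just started is routine in these
    logs, so this is a triage priority, not a verdict."""
    edges, images = parse_rows(rows)
    flagged = []
    for (src, dst), n in edges.items():
        s, d = images[src].lower(), images[dst].lower()
        if s.startswith(USER_WRITABLE) and not d.startswith(USER_WRITABLE):
            flagged.append((src, dst, images[src], images[dst], n))
    return sorted(flagged)


if __name__ == "__main__":
    print("\n".join(process_tree(SAMPLE_ROWS)))
    for src, dst, s, d, n in cross_trust_writes(SAMPLE_ROWS):
        print(f"\nreview: {s} ({src}) -> {d} ({dst}), {n} writes")
```

Running it on the constructed rows prints EGDGCGCFHI.exe (1172) at the root, explorti.exe (1432) under it with both payloads as children, and the Firefox chain 1784 -> 924 -> 612 -> {1624, 2980} below f9efa3893e.exe; the only cross-trust edge is 1784 -> 924, which matches the "firefox.exe https://www.youtube.com/account" launch in the process list below. The many firefox.exe -> firefox.exe writes are the browser's own parent/content-process startup and can be discounted.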

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EGDGCGCFHI.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GHJEGCAEGI.exe"

C:\Users\Admin\AppData\Local\Temp\EGDGCGCFHI.exe

"C:\Users\Admin\AppData\Local\Temp\EGDGCGCFHI.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\6c41f8de5e.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\6c41f8de5e.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="612.0.1916356855\1050497383" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9775bc2-88c8-488b-afc0-d9c033c14cfc} 612 "\\.\pipe\gecko-crash-server-pipe.612" 1284 edd6158 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="612.1.808637786\922589770" -parentBuildID 20221007134813 -prefsHandle 1488 -prefMapHandle 1484 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe294c2c-5001-4e8f-a671-620a56265392} 612 "\\.\pipe\gecko-crash-server-pipe.612" 1500 d72558 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="612.2.1089606800\452259044" -childID 1 -isForBrowser -prefsHandle 2100 -prefMapHandle 2096 -prefsLen 21811 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdd72384-3052-4d15-bd91-3348c706abd3} 612 "\\.\pipe\gecko-crash-server-pipe.612" 2112 19dcc658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="612.3.875039890\626985238" -childID 2 -isForBrowser -prefsHandle 1640 -prefMapHandle 1112 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3cfc883-bad0-46ea-ae01-324ca02b2fec} 612 "\\.\pipe\gecko-crash-server-pipe.612" 584 1c61b258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="612.4.325258781\178384413" -childID 3 -isForBrowser -prefsHandle 3716 -prefMapHandle 3736 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae4c739d-b239-4f6c-a8a5-6901104885d9} 612 "\\.\pipe\gecko-crash-server-pipe.612" 3760 200f3558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="612.5.102304984\1485150756" -childID 4 -isForBrowser -prefsHandle 3936 -prefMapHandle 3940 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d59cf2a-13c0-4b81-ba7b-14f8a52a0e55} 612 "\\.\pipe\gecko-crash-server-pipe.612" 3928 200d9458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="612.6.515833040\1649660966" -childID 5 -isForBrowser -prefsHandle 4108 -prefMapHandle 4112 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f19520d4-ba51-4bda-b550-def2bdd8bbe3} 612 "\\.\pipe\gecko-crash-server-pipe.612" 4092 200d9a58 tab

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
N/A 127.0.0.1:49366 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 34.117.188.166:443 spocs.getpocket.com tcp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 44.238.192.228:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
GB 172.217.169.46:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.107.243.93:443 push.services.mozilla.com tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
GB 172.217.169.46:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 consent.youtube.com udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
N/A 127.0.0.1:49373 tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r2---sn-aigzrnse.gvt1.com udp
GB 74.125.168.199:443 r2---sn-aigzrnse.gvt1.com tcp
US 8.8.8.8:53 r2.sn-aigzrnse.gvt1.com udp
US 8.8.8.8:53 r2.sn-aigzrnse.gvt1.com udp
GB 74.125.168.199:443 r2.sn-aigzrnse.gvt1.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
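
Most of this table is Firefox talking to Mozilla and Google on a fresh profile, plus the YouTube page the sample told it to open; the rows that matter are the first five, where the sample connected to raw IPs on port 80 with no DNS lookup first. The script below is an added example, not part of the report: it parses rows in the "Country Destination Domain Proto" layout used here, buckets them, and extracts the direct-to-IP peers as an IOC list. The input is a constructed subset of the rows above, and the browser-noise allowlist is an assumption for this example that should be adjusted to the browser build in use. Port alone is not the discriminator: the openh264 codec fetch is also port 80 but resolved by name, so it lands in the noise bucket.

```python
import ipaddress
import re
from collections import Counter
from typing import NamedTuple, Optional

# Constructed input: a subset of the rows from the Network table above, in
# the report's own "Country Destination Domain Proto" layout. The Domain
# column is empty for the loopback row, exactly as the page prints it.
NETWORK_TABLE = """\
RU 85.28.47.30:80 85.28.47.30 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
N/A 127.0.0.1:49366 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 www.youtube.com udp
US 34.117.188.166:443 spocs.getpocket.com tcp
US 44.238.192.228:443 shavar.services.mozilla.com tcp
GB 172.217.169.46:443 www.youtube.com tcp
GB 172.217.169.46:443 youtube-ui.l.google.com udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
GB 74.125.168.199:443 r2---sn-aigzrnse.gvt1.com tcp
"""

# Assumed allowlist: domains a fresh Firefox profile contacts on its own
# (telemetry, remote settings, Pocket, codec download, the page it was told
# to open). Matched on a label boundary so "evil-mozilla.com" does not pass.
BROWSER_NOISE = (
    "mozilla.com", "mozilla.net", "mozilla.org", "mozaws.net", "mozgcp.net",
    "getpocket.com", "google.com", "youtube.com", "gvt1.com",
    "openh264.org", "akamai.net",
)

# Country, host:port, optional domain, protocol. The domain group is
# optional because the loopback rows have no fourth column.
ROW_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)(?:\s+(\S+))?\s+(tcp|udp)$")


class Conn(NamedTuple):
    country: str
    host: str
    port: int
    domain: Optional[str]
    proto: str
    bucket: str


def is_browser_noise(domain: str) -> bool:
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in BROWSER_NOISE)


def parse_row(row: str) -> Optional[Conn]:
    """Parse one table row and assign it a triage bucket; None if it is
    not a data row (the header line, for instance)."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    country, host, port, domain, proto = m[1], m[2], int(m[3]), m[4], m[5]
    try:
        loopback = ipaddress.ip_address(host).is_loopback
    except ValueError:
        loopback = False
    if loopback:
        bucket = "local"
    elif port == 53:
        bucket = "dns"
    elif domain is None or domain == host:
        # Nothing was resolved for this peer: the IP came from the sample's
        # own configuration. This is the loader/stealer C2 pattern to pull out.
        bucket = "c2-candidate"
    elif is_browser_noise(domain):
        bucket = "browser-noise"
    else:
        bucket = "review"
    return Conn(country, host, port, domain, proto, bucket)


def triage(table: str) -> Counter:
    """How many rows landed in each bucket."""
    return Counter(c.bucket for c in map(parse_row, table.splitlines()) if c)


def c2_iocs(table: str) -> list:
    """Unique host:port pairs the sample reached by raw IP, no DNS first."""
    conns = [c for c in map(parse_row, table.splitlines()) if c]
    return sorted({f"{c.host}:{c.port}" for c in conns if c.bucket == "c2-candidate"})


if __name__ == "__main__":
    print(dict(triage(NETWORK_TABLE)))
    print("C2 candidates:", c2_iocs(NETWORK_TABLE))
```

On the constructed rows this yields three IOCs (77.91.77.81:80, 77.91.77.82:80, 85.28.47.30:80) and nothing in the "review" bucket. The UDP/443 rows to Google and YouTube hosts are the browser's HTTP/3 (QUIC) attempts, not a second channel; the loopback rows are local IPC. Anything that does land in "review" on a real run is a name the browser would not contact by itself and deserves the same scrutiny as the raw-IP peers.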

Files

memory/2676-0-0x0000000000B40000-0x0000000001720000-memory.dmp

memory/2676-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

memory/2676-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2676-64-0x0000000000B40000-0x0000000001720000-memory.dmp

memory/2676-65-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

memory/1172-80-0x0000000000070000-0x000000000050E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EGDGCGCFHI.exe

MD5 8c6765fe39a0cf9b8c2ed1fb8649be1c
SHA1 1308a16f47a014b4fe35573d944f69629fbc1255
SHA256 d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0
SHA512 c418c281aba4c5e7c5f58a453b7dac2e42b154572b71ff5ebb1ffd25d94d2d67302a52fdd10786dddeab204bac7f09e27e95d5f8d9f7fe4383ccd630b1948e87

memory/1172-115-0x0000000000070000-0x000000000050E000-memory.dmp

memory/1432-117-0x00000000001C0000-0x000000000065E000-memory.dmp

memory/1172-116-0x0000000007020000-0x00000000074BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\6c41f8de5e.exe

MD5 e43a0ac327404f3008b679e0b1293c6b
SHA1 9a2461c520ccc44840c1bd041467ce084dadab51
SHA256 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913
SHA512 804d187c5b62ada2a6d9ad922ce7042c66a0e2110b2cac7c223fcf37b0af3e514bdf37d08eac83972c21968833cd563bc3eb6099ed95df01e45039078b36d58d

memory/1432-138-0x0000000006B50000-0x0000000007730000-memory.dmp

memory/1432-139-0x0000000006B50000-0x0000000007730000-memory.dmp

memory/2216-140-0x0000000000960000-0x0000000001540000-memory.dmp

memory/2216-142-0x0000000000960000-0x0000000001540000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000010001\f9efa3893e.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\prefs.js

MD5 3aeb15f2a7e5755d29780f221579f8d9
SHA1 a86cbb3b76f745e1c8619a5be8af0ffaff2d7c55
SHA256 5eaf0985335dbc821a2ab737dfa5948fe4a2cc386d2c3e1fbe30589474e68f09
SHA512 f95a1f4b00077a0657a3dbb80331626523cffb87678cfabfb7e5cf94d171c5e27ce9880625229ff663a31c73d48cbc73302843fc21104a6febc8885147005414

memory/1432-164-0x00000000001C0000-0x000000000065E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\datareporting\glean\pending_pings\51007461-2e0d-4110-81cb-c0d00500d16e

MD5 1b20950a51163f85d629db280397e10a
SHA1 d90b29ae48b43efb9fedca77630b02de2bfd3449
SHA256 04645e8eff301d30d34bce6c5c39f8c5831b93cd8ef11b41d64244c7533d824d
SHA512 a1aa0792b9b7affd9e12dbe3809c66d3ff9f3bf81231ec253c665c39c06cab64c99792fc5eeb08d016463714e5787ed7c407f60591cd549c8f86c21f9db4ba19

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\datareporting\glean\pending_pings\e8f15274-1e20-474c-ad8d-51c8ace05e45

MD5 87aced141d26f956dc6ad19df686a73d
SHA1 87d88eecc5059af9d053cc538e5a82d46b13dd43
SHA256 cd39c8673b5393414e19e1227e52b9413e387bb5358363cef58748cd3ddb6f4a
SHA512 f1c2b1066cfb01d9b04992530adf394af80afa9c0996d8c3df03c4b307b388c1e1af7f642e723c352f371120a55e976cfc06472acbaa869a37cc313a23de9a62

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\datareporting\glean\db\data.safe.bin

MD5 36bc54cdd368c6b790b14683b2cdc0c0
SHA1 81829615bf50ce7b24ed25e95b5d5da8b57c8a31
SHA256 7faa31e078576bb586b9148876acde38e020128b806041a9db0d2bb81b97031d
SHA512 5595b34b7643dd0cffadf98c4e02a7fc53453edecd51fc088b445db657d2db40d48446c5b5d79355554ad0fe18694cf3feda095cd851c4ff8a8bcd31206f55cd

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\activity-stream.discovery_stream.json.tmp

MD5 1984fc99c6c44f7f4c5b8aec55022d61
SHA1 1b6b0f8c8980d2bd15bf0b9a6ae4605c950ffa05
SHA256 5a999b21da0cf76cc65717f01e7459477cffec44b0839762d7e8270c40f84055
SHA512 01384399117bd945b5a17d8b4fa511c315b716d3d59765bcc06342db98de6bfe0efce013889cc6911eafc3232bb9e769b2c41fd3708c12f5a53aa97082988339

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\activity-stream.discovery_stream.json.tmp

MD5 a2af07e54a1ca850ce38b577d1010ee5
SHA1 99efe1fde25a3fd301a2d748cb5dd7872e282cbc
SHA256 c0c5a699a0b8af42a0081b61c197a2f58dc1dcbfd4a5d471b9542639bcb8dcbd
SHA512 3a756cb0fde041f35ff6be5d672b043cd2072917e00982cac68c63426749a1f641c40a1af41bc713bac9b79d64dab0c29fb459ebb36e4e4944927b4f32c15319

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\prefs-1.js

MD5 36488faf2a4f7e410516be1af31bbdf5
SHA1 25792b788e570106b2c7e9f9f9218232b6b9051e
SHA256 1a6f258982d752658c2822beada90f9679c518b8dcbd2f53e54c0bda6e1359dd
SHA512 a11935e728c33fc17ec1a875391e915275dde051515dc0b51f3d8eb19e798c017cc34f0ba73b5923dfa403d8505c2a18d1bd6ef907419fbfc6f52c521deb9918

memory/1172-290-0x0000000007020000-0x00000000074BE000-memory.dmp

memory/1432-291-0x00000000001C0000-0x000000000065E000-memory.dmp

memory/1432-295-0x00000000001C0000-0x000000000065E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4

MD5 67fe967337960ee1ab7b49fbf446fff4
SHA1 d57b6017e4a40a8187945457e18251194c3f92b9
SHA256 bce5acfd32e679fb4d234e8d15985a5edcbcfe11566db9487fdff381070feb55
SHA512 38d5c4aa8b1d7adb5a2f740e8e0458c9f6a7ec41565759901f605632f9221a85abc599177016f5b63806b21c5af9a50818e48fae9d493c61511002ef21e416bc

memory/1432-312-0x00000000001C0000-0x000000000065E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\prefs-1.js

MD5 b02f74e18544edc0d96566daf6cda414
SHA1 4a48b46e8eddfcfd4e9a5890834d583feb2edef0
SHA256 ee14b3e7bb6820450818ab1f45ff8bc0ad317df69fbfec7ae841b97826d44361
SHA512 89b775c15f5f62ffa0755d10ed97c359888e8d30a0a633c77a6d5f66ce9d3421d727f827b9680425c500509fff622aac9c0bf994f78ee0aecd785744cfc960f8

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

memory/1432-384-0x00000000001C0000-0x000000000065E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\prefs-1.js

MD5 5c54fff02fc169127b4a41db43ea092a
SHA1 143f4ab7bce02964c7c8a75ae249df099a243a3d
SHA256 2e0aa3f11a9c8f27798d32758e6c13f054e4fb19298bc2eb2157f2c8b8ada183
SHA512 70a81bbc4c2b4cd73cd68a0c5100a1c24884e6ba637644204e617bc3574c4d500c6a7687733faca22ca378c05d618a53cf709d48ad6e82740e9cfdcbde54181f

memory/1432-397-0x00000000001C0000-0x000000000065E000-memory.dmp

memory/1432-399-0x00000000001C0000-0x000000000065E000-memory.dmp

memory/1432-404-0x00000000001C0000-0x000000000065E000-memory.dmp

memory/1432-411-0x00000000001C0000-0x000000000065E000-memory.dmp

memory/1432-412-0x00000000001C0000-0x000000000065E000-memory.dmp

memory/1432-413-0x00000000001C0000-0x000000000065E000-memory.dmp

memory/1432-414-0x00000000001C0000-0x000000000065E000-memory.dmp

memory/1432-415-0x00000000001C0000-0x000000000065E000-memory.dmp

memory/1432-416-0x00000000001C0000-0x000000000065E000-memory.dmp