Malware Analysis Report

2024-11-13 16:47

Sample ID 240710-cn4gdsseqc
Target c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe
SHA256 c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404
Tags
amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404

Threat Level: Known bad

The file c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d hate discovery evasion spyware stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Checks BIOS information in registry

Loads dropped DLL

Reads data files stored by FTP clients

Identifies Wine through registry keys

Reads user/profile data of web browsers

Checks computer location settings

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-10 02:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-10 02:14

Reported

2024-07-10 02:17

Platform

win7-20240705-en

Max time kernel

141s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\GHIJJJEGDB.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\GHIJJJEGDB.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\GHIJJJEGDB.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GHIJJJEGDB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\GHIJJJEGDB.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\GHIJJJEGDB.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GHIJJJEGDB.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2688 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe C:\Windows\SysWOW64\cmd.exe x4
PID 2688 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe C:\Windows\SysWOW64\cmd.exe x4
PID 928 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\GHIJJJEGDB.exe x4
PID 2432 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\GHIJJJEGDB.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe x4

Processes

C:\Users\Admin\AppData\Local\Temp\c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe

"C:\Users\Admin\AppData\Local\Temp\c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GHIJJJEGDB.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IDGDAAKFHI.exe"

C:\Users\Admin\AppData\Local\Temp\GHIJJJEGDB.exe

"C:\Users\Admin\AppData\Local\Temp\GHIJJJEGDB.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 77.91.77.82:80 77.91.77.82 tcp

Files

memory/2688-0-0x00000000002B0000-0x0000000000E98000-memory.dmp

memory/2688-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

memory/2688-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2688-65-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

memory/2688-64-0x00000000002B0000-0x0000000000E98000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GHIJJJEGDB.exe

MD5 f904f4e23035a9535b504569ffff9aba
SHA1 694fdfda0919c7d169e1cbde465d8707e80d9a37
SHA256 eeb995d1617196c79fe986db9a93d7e548ac86228fc3d8e0988355ddb7f10d93
SHA512 994a9b3630b6afba69ab9e691bdd27ca05defd0de328dbb82256bd1613554e8270948a90db4aa54427364b9bb1210f4bd0fc8ad07d75e150506a560b5c5508ce

memory/2432-100-0x0000000000B80000-0x0000000001060000-memory.dmp

memory/1796-116-0x00000000010E0000-0x00000000015C0000-memory.dmp

memory/2432-115-0x0000000000B80000-0x0000000001060000-memory.dmp

memory/1796-121-0x00000000010E0000-0x00000000015C0000-memory.dmp

memory/1796-122-0x00000000010E0000-0x00000000015C0000-memory.dmp

memory/1796-123-0x00000000010E0000-0x00000000015C0000-memory.dmp

memory/1796-124-0x00000000010E0000-0x00000000015C0000-memory.dmp

memory/1796-125-0x00000000010E0000-0x00000000015C0000-memory.dmp

memory/1796-126-0x00000000010E0000-0x00000000015C0000-memory.dmp

memory/1796-127-0x00000000010E0000-0x00000000015C0000-memory.dmp

memory/1796-128-0x00000000010E0000-0x00000000015C0000-memory.dmp

memory/1796-129-0x00000000010E0000-0x00000000015C0000-memory.dmp

memory/1796-130-0x00000000010E0000-0x00000000015C0000-memory.dmp

memory/1796-131-0x00000000010E0000-0x00000000015C0000-memory.dmp

memory/1796-132-0x00000000010E0000-0x00000000015C0000-memory.dmp

memory/1796-133-0x00000000010E0000-0x00000000015C0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 02:14

Reported

2024-07-10 02:17

Platform

win10v2004-20240709-en

Max time kernel

151s

Max time network

172s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A x2
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\AFCAAEGDBK.exe N/A x1
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A x1

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\AFCAAEGDBK.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\AFCAAEGDBK.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AFCAAEGDBK.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000010001\418bf12b6c.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target Count
Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\AFCAAEGDBK.exe N/A x1
Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A x3

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\AFCAAEGDBK.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A x2

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\AFCAAEGDBK.exe N/A x1
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\418bf12b6c.exe N/A x13
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A x4
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\418bf12b6c.exe N/A x2
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A x17
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\418bf12b6c.exe N/A x27

Suspicious use of SendNotifyMessage

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\418bf12b6c.exe N/A x13
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A x4
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\418bf12b6c.exe N/A x2
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A x16
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\418bf12b6c.exe N/A x29

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1548 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe C:\Windows\SysWOW64\cmd.exe
PID 1548 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe C:\Windows\SysWOW64\cmd.exe
PID 1548 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe C:\Windows\SysWOW64\cmd.exe
PID 1548 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe C:\Windows\SysWOW64\cmd.exe
PID 1548 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe C:\Windows\SysWOW64\cmd.exe
PID 1548 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 4852 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\AFCAAEGDBK.exe
PID 2828 wrote to memory of 4852 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\AFCAAEGDBK.exe
PID 2828 wrote to memory of 4852 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\AFCAAEGDBK.exe
PID 4852 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\AFCAAEGDBK.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4852 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\AFCAAEGDBK.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4852 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\AFCAAEGDBK.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 3308 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\bf10b6b83a.exe
PID 3308 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\bf10b6b83a.exe
PID 3308 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\bf10b6b83a.exe
PID 3308 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\418bf12b6c.exe
PID 3308 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\418bf12b6c.exe
PID 3308 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\418bf12b6c.exe
PID 4224 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\418bf12b6c.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4224 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\418bf12b6c.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1928 wrote to memory of 848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1928 wrote to memory of 848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1928 wrote to memory of 848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1928 wrote to memory of 848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1928 wrote to memory of 848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1928 wrote to memory of 848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1928 wrote to memory of 848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1928 wrote to memory of 848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1928 wrote to memory of 848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1928 wrote to memory of 848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1928 wrote to memory of 848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 848 wrote to memory of 5028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe

"C:\Users\Admin\AppData\Local\Temp\c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AFCAAEGDBK.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EHCGIJDHDG.exe"

C:\Users\Admin\AppData\Local\Temp\AFCAAEGDBK.exe

"C:\Users\Admin\AppData\Local\Temp\AFCAAEGDBK.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\bf10b6b83a.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\bf10b6b83a.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\418bf12b6c.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\418bf12b6c.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 25755 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4845c724-07e3-4186-9e2a-8cb818ca66a8} 848 "\\.\pipe\gecko-crash-server-pipe.848" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2424 -prefMapHandle 2420 -prefsLen 26675 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e47bb70-572b-40d8-9c10-f0fb85e46838} 848 "\\.\pipe\gecko-crash-server-pipe.848" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3204 -childID 1 -isForBrowser -prefsHandle 3180 -prefMapHandle 3264 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07320f9d-0e21-4435-b37a-7c458e2ecd36} 848 "\\.\pipe\gecko-crash-server-pipe.848" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4176 -childID 2 -isForBrowser -prefsHandle 4168 -prefMapHandle 4164 -prefsLen 31165 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0e0c2b3-9979-42e3-9c5d-c6d5a875d519} 848 "\\.\pipe\gecko-crash-server-pipe.848" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4848 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4820 -prefMapHandle 4800 -prefsLen 31179 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f29b44bd-655d-49d6-ba7f-9cd576dd2202} 848 "\\.\pipe\gecko-crash-server-pipe.848" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5356 -childID 3 -isForBrowser -prefsHandle 5348 -prefMapHandle 5344 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e26d293a-da81-405e-8110-24c8aebb02f9} 848 "\\.\pipe\gecko-crash-server-pipe.848" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -childID 4 -isForBrowser -prefsHandle 5364 -prefMapHandle 5360 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05f679c6-683a-47f2-a96e-d075fcef74bc} 848 "\\.\pipe\gecko-crash-server-pipe.848" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -childID 5 -isForBrowser -prefsHandle 5768 -prefMapHandle 5764 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b69a660-5be5-4a43-99e6-bb101d17c5d2} 848 "\\.\pipe\gecko-crash-server-pipe.848" tab

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto

Files

C:\ProgramData\nss3.dll

C:\ProgramData\mozglue.dll

C:\Users\Admin\AppData\Local\Temp\AFCAAEGDBK.exe

C:\Users\Admin\AppData\Local\Temp\1000006001\bf10b6b83a.exe

C:\Users\Admin\AppData\Local\Temp\1000010001\418bf12b6c.exe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\prefs.js

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\onffaicf.default-release\activity-stream.discovery_stream.json.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\pending_pings\2c21bf7b-7daf-44bf-9bb5-52226ea79ded

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\pending_pings\0df89336-7faa-4a43-962c-c13f91908058

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\prefs-1.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\AlternateServices.bin

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\onffaicf.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

C:\Users\Admin\AppData\Local\Temp\tmpaddon

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\sessionstore-backups\recovery.baklz4
