Malware Analysis Report

2024-11-13 16:45

Sample ID 240710-dzrgmswbrd
Target dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9
SHA256 dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9
Tags
amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9

Threat Level: Known bad

The file dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9 was found to be: Known bad.

Malicious Activity Summary

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Identifies Wine through registry keys

Reads data files stored by FTP clients

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Checks BIOS information in registry

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-10 03:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 03:27

Reported

2024-07-10 03:29

Platform

win11-20240709-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A (x3)
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\KFIJEGCBGI.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\KFIJEGCBGI.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\KFIJEGCBGI.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\KFIJEGCBGI.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A (x3)

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\KFIJEGCBGI.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (x2)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\KFIJEGCBGI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\2501ec70f1.exe N/A (x7)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (x21)
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\2501ec70f1.exe N/A (x35)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\2501ec70f1.exe N/A (x64)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4304 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe C:\Windows\SysWOW64\cmd.exe (x3)
PID 4304 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe C:\Windows\SysWOW64\cmd.exe (x3)
PID 536 wrote to memory of 1340 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\KFIJEGCBGI.exe (x3)
PID 1340 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\KFIJEGCBGI.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (x3)
PID 3588 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\91089f9834.exe (x3)
PID 3588 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\2501ec70f1.exe (x3)
PID 4724 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\2501ec70f1.exe C:\Program Files\Mozilla Firefox\firefox.exe (x2)
PID 4472 wrote to memory of 1560 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (x11)
PID 1560 wrote to memory of 576 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (x33)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe

"C:\Users\Admin\AppData\Local\Temp\dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KFIJEGCBGI.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ECBGIEHDBA.exe"

C:\Users\Admin\AppData\Local\Temp\KFIJEGCBGI.exe

"C:\Users\Admin\AppData\Local\Temp\KFIJEGCBGI.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\91089f9834.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\91089f9834.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\2501ec70f1.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\2501ec70f1.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1864 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {19ef8c94-78ae-45bb-969f-c8dfda18db6f} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2368 -parentBuildID 20240401114208 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95ec785e-700b-493b-99dd-f7bfe3b6b364} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2820 -childID 1 -isForBrowser -prefsHandle 2992 -prefMapHandle 3112 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f096d5af-1695-459f-9070-b941e3f3594e} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3052 -childID 2 -isForBrowser -prefsHandle 3604 -prefMapHandle 3584 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b435edd-a7ba-440a-9f4d-9cf9f75fe159} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4164 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4156 -prefMapHandle 4152 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {affb4d18-ee10-4b6f-ba5c-b7f2ef2eb20e} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" utility

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 3 -isForBrowser -prefsHandle 5456 -prefMapHandle 5364 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2547d020-ab8d-48a1-9b4c-57010002cb65} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5616 -childID 4 -isForBrowser -prefsHandle 5624 -prefMapHandle 5628 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40559c30-1ec4-43ac-afc0-99fc51d33c73} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5452 -childID 5 -isForBrowser -prefsHandle 5804 -prefMapHandle 5808 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9b40fc1-957c-46a0-990a-8a365ff7476a} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" tab

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
N/A 127.0.0.1:49885 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 44.238.192.228:443 shavar.prod.mozaws.net tcp
GB 172.217.169.46:443 youtube-ui.l.google.com tcp
GB 172.217.169.46:443 youtube-ui.l.google.com tcp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 34.107.243.93:443 push.services.mozilla.com tcp
GB 172.217.169.46:443 youtube-ui.l.google.com udp
US 34.107.243.93:443 push.services.mozilla.com tcp
GB 216.58.201.110:443 youtube-ui.l.google.com tcp
GB 216.58.201.110:443 youtube-ui.l.google.com udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
N/A 127.0.0.1:49894 tcp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
GB 88.221.134.209:80 a19.dscg10.akamai.net tcp
GB 142.250.200.14:443 redirector.gvt1.com tcp
GB 142.250.200.14:443 redirector.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com tcp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
GB 142.250.200.46:443 play.google.com tcp
GB 142.250.200.46:443 play.google.com udp
GB 216.58.201.110:443 youtube-ui.l.google.com udp
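
The connection list above mixes the sample's own traffic with the noise a Firefox launch produces in a clean win10 sandbox (Mozilla telemetry and remote-settings, Google/YouTube, Akamai CDN). Only the four RU rows on port 80 and the loopback sockets are not explained by the browser. The Python below is an added example for this page, not part of the sandbox report or its detection logic: it re-types a subset of the rows as constructed input and applies one triage heuristic, plain HTTP to a bare IP whose hostname column is just the address again (no DNS name involved), which is how loader and stealer C2 in this family usually looks. It also maps the PTR query for 30.47.28.85.in-addr.arpa back to 85.28.47.30, tying the one "8.8.8.8:53" row that is not browser noise to a suspect endpoint. The allow-list of telemetry suffixes and the heuristic itself are assumptions of this example; confirming that these addresses are C2 still requires looking at the HTTP requests, which this excerpt does not show.

```python
"""Triage the sandbox Network table: separate candidate C2 from browser/OS noise.

Added example for this report, not the sandbox's own logic. Rows below are a
constructed subset of the Network section; the allow-list and the
direct-to-IP heuristic are this example's assumptions.
"""
import ipaddress
import re
from collections import Counter

# Constructed subset of the report's rows: "<country> <ip>:<port> [<name>] <proto>".
NETWORK_ROWS = """\
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
N/A 127.0.0.1:49885 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
GB 172.217.169.46:443 youtube-ui.l.google.com tcp
GB 88.221.134.209:80 a19.dscg10.akamai.net tcp
"""

# Hostname suffixes a Firefox launch in a clean sandbox is expected to touch (assumption).
BENIGN_SUFFIXES = (".mozilla.com", ".mozilla.net", ".mozilla.org", ".mozgcp.net",
                   ".mozaws.net", ".google.com", ".gvt1.com", ".akamai.net", ".in-addr.arpa")

ROW_RE = re.compile(
    r"^(?P<cc>\S+) (?P<ip>[0-9.]+):(?P<port>\d+)(?: (?P<name>\S+))? (?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Parse the flattened table into dicts; lines that do not fit the shape are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def ptr_name_to_ip(name):
    """Reverse an IPv4 PTR query name (octets reversed + .in-addr.arpa) into the address looked up."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def is_direct_ip_http(row):
    """Plain HTTP where the hostname column is the IP itself, i.e. no DNS name was involved.
    Loader/stealer C2 in this family typically looks like this; CDN/telemetry traffic does not."""
    name = row["name"] or ""
    try:
        ipaddress.ip_address(name)
    except ValueError:
        return False
    return row["port"] == 80 and ipaddress.ip_address(row["ip"]).is_global


def triage(text):
    """Return {(ip, port, country): hit_count} for connections worth pivoting on."""
    suspects = Counter()
    for row in parse_rows(text):
        name = row["name"] or ""
        if name.endswith(BENIGN_SUFFIXES) or ipaddress.ip_address(row["ip"]).is_loopback:
            continue
        if is_direct_ip_http(row):
            suspects[(row["ip"], row["port"], row["cc"])] += 1
    return dict(suspects)


def ptr_lookups(text):
    """Addresses the guest reverse-resolved; a PTR for a suspect address links the DNS rows to it."""
    return sorted({ptr_name_to_ip(r["name"]) for r in parse_rows(text)
                   if r["name"] and r["name"].endswith(".in-addr.arpa")} - {None})


if __name__ == "__main__":
    for (ip, port, cc), n in triage(NETWORK_ROWS).items():
        print(f"{cc} {ip}:{port}  x{n}")
    print("reverse-resolved:", ptr_lookups(NETWORK_ROWS))
```

Run against the constructed rows, triage() returns the three RU endpoints (77.91.77.81 twice, 77.91.77.82 and 85.28.47.30 once each) and nothing from the Mozilla, Google or Akamai rows, and ptr_lookups() returns 85.28.47.30, which is also one of the direct-IP HTTP targets. Extending the allow-list is the usual tuning step when a different browser or OS build adds new telemetry hosts.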

Files

memory/4304-0-0x0000000000560000-0x0000000001144000-memory.dmp

memory/4304-1-0x000000007F0A0000-0x000000007F471000-memory.dmp

memory/4304-2-0x0000000000560000-0x0000000001144000-memory.dmp

memory/4304-3-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/4304-37-0x0000000000560000-0x0000000001144000-memory.dmp

memory/4304-36-0x0000000000560000-0x0000000001144000-memory.dmp

memory/4304-47-0x000000007F0A0000-0x000000007F471000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/4304-81-0x0000000000560000-0x0000000001144000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KFIJEGCBGI.exe

MD5 fb26e404f23d62125f6a4c9a0a62c9e6
SHA1 43d1f2fbb5f8fb0fbd8461741c93446cb08d51e3
SHA256 e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c
SHA512 82c79a30623096e0044a58da9628e59c2a98cadb09c50f60302e04d47a7dabfc64b57efeca2e4c9213568da324d29f15fc38b268ff4b330101d93d0de2ec3bf1

memory/1340-85-0x0000000000A10000-0x0000000000EBA000-memory.dmp

memory/3588-98-0x0000000000F90000-0x000000000143A000-memory.dmp

memory/1340-97-0x0000000000A10000-0x0000000000EBA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\91089f9834.exe

MD5 77e2f975608c88144f09c2183217adff
SHA1 d54426b5072ad1b974492836fc2ddee0bc6f2747
SHA256 dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9
SHA512 ec03999f9fb5c08aa8c0e9baebeae2c6f17622a9ed4804f1368bc7000dfe39db6b12bc13cb1578eafe983c9deb481ec153837ae461e52db24ac146292ac32e64

memory/5072-114-0x0000000000910000-0x00000000014F4000-memory.dmp

memory/5072-115-0x0000000000910000-0x00000000014F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000010001\2501ec70f1.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

memory/3588-135-0x0000000000F90000-0x000000000143A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\prefs.js

MD5 1db940cde6c36e5eb5b1bfab1e143b2b
SHA1 fbbf87653e97b09eb724a2ca9a36ecb78c2d59ff
SHA256 1e153b1d1ef1ef81478f35c506a03efa22e59d38e5dec7a42d3f986c6ad0417c
SHA512 e13f9bd4717c2410158ac4c5a7851b3f73e6e98c92bfa58f8a0c6795754d6d42b5017146d28481622daacffc2ddd508455eff3dd1f4dcf57ba8629553b4e667b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\activity-stream.discovery_stream.json.tmp

MD5 751fc8c8739b847594b90d02611fb2fc
SHA1 0f14f2c0096ee7548b1a9229be1ac78d3341c009
SHA256 bf0fac13b99d55aa8656da4997cdd728e82fff0e909b48782bc8c34977a510a0
SHA512 3033def83c11490067026e37c4e6853d1aa7e69d0a3386d63075b4ecd32841e6f303a9e8a540e5da27a8ca7346260d0000face51e82086d694d3891ca79fa29a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\pending_pings\7afcd1f7-c67b-486b-aa81-a52e2ed85751

MD5 ab65c2f9f9732c0bea755d187869d4be
SHA1 66827e7ddc98b225852e42b797db17f3921b3e08
SHA256 67afc95690c446ef71856ab276de69a411072413eb58203c70ce712da1faeebe
SHA512 91ad8fe9fbea969ddec75ffeb3a4d9084938ffd67300b34d758d406f91c30fc9306c3f80ba0e23c5268ca4c49522621f68688a162ae6a2517c312ff5c6e4bad1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\pending_pings\8393e8ee-d98c-466b-88c5-3fad8f84961b

MD5 ff294a66f3610ad10d487ba9b01c7ba7
SHA1 aed6cbabccb90270cec253894fd1f4800868cd38
SHA256 8edf13f7cd463ff9875cd6abd3330013393a3ee86e7cb15064317260bf202ad4
SHA512 68d1311f14a9347b3c1e878d79fba0238ee265cbc6e840f84f7f7486a10ce0326a6be3eb3122ae08964d879ac7ae9f73fcb33d6c119ad9ff996c8e767c8c517a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

MD5 950eb95688692c4bd780fca40a1b2a62
SHA1 1fb0318b9653165de3b847460070525cc6773748
SHA256 7152e66f823107c5f709489a03b4c18d2e8327e6dcab6ffae609d4ffd82d7466
SHA512 8916a54a499973f30c944ce819b5da15e306d38a8785bc0af765ffba6bd9fb7e5f5feef74bb9217e517080441ef7283d69a48a825f0edcb56bb51ad0dca963e5

memory/4540-396-0x0000000000F90000-0x000000000143A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\AlternateServices.bin

MD5 2a016e819c666314d39be6ededf0b857
SHA1 7f6456eb08bebd217e2be2e96b689452cda69afa
SHA256 99afa1966876f9ead41fa952e6bbe62900ddaf790400202081efc7ded94170d5
SHA512 cd3a2b698dd753cb981b24982b5a590fe39d237d6d167822173a7b74d2916630d6099c2fcc46a9bb31046e7e95a7520cb89d4d9224b18bf8545443eb2cd61b1d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

MD5 0a440a38ccc4f72ab6a92c688a46c25c
SHA1 9719678c7ceffc0c68ecac57a831f9e2a3b6c35b
SHA256 d32f44724e51f9aeb4193d0992ee139b253ec1687ca4964c1ac9099f89f07b8e
SHA512 e9690f1d37443529fc1fab310590bd815cdc908fca83e7a32d1e6173c9166327fb408df61bfa456f5f4a0ded44fbf360dedb38a9206d3ce5fd886b36ba202daf

memory/4540-462-0x0000000000F90000-0x000000000143A000-memory.dmp

memory/3588-471-0x0000000000F90000-0x000000000143A000-memory.dmp

memory/3588-480-0x0000000000F90000-0x000000000143A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

MD5 2709984be9594e1ac6fe672bcd0c70b8
SHA1 6d9825cc627bd895bc52027b8eceb27a51c7c3de
SHA256 349bea1cc4aceccae2d889e99bdfc20f2bfc531da8f6e7ff9161e6e06a6a0a41
SHA512 80e705593f6b3a20ff29a1cec09f61dd99d66134f11cdc93cac09d82ac7610b490bfa6cc6e36e81a5bfc9f0f4f80e3cd69bdd45be6374c1f7c2efc45a9d54121

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 ab5e5f561629ab64f6bddaf8699cafb2
SHA1 fde930fe5b3484d8052bed9a7c1191adc9c1731d
SHA256 082ab1606e5a77f74008842d8e4ec8b6a74436d1ad15a0d5610d11dd95c1515f
SHA512 8a82c6335c75f6442d51096848cff3a138cb7ce5839e5b6fba7e7451b7c796ab8ce1beee15622258ce4ee930d3efcec17f2e9b365035b7e1ce68ee9e88e6464a

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 83ae8d3c1a2a0d693a7091b2a725c629
SHA1 1ae3f8f0844673223c042614424d1641ada9f7c6
SHA256 47ec6107245f9f59a5724770aaff4f437e0393aa889458e0b8165470e90906dc
SHA512 06407fd92473da2801cada9bab7a1f39a0c51d005f0f276d024236e21c061c154e602e11797903908591315c1b74b433eadcdd0abc3eb3c1ceee5cc9e497225d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\prefs-1.js

MD5 a4d720c8184cb31500d5eaf37771558c
SHA1 df22b1a5472d62925ed836c56286ddb3c8f9ed61
SHA256 93129f6a6d33d802914969c9f7c9d3736516e5269cd989205c6408d8a616be48
SHA512 2d63c0efbb69f4ed7341bba5e07a869438ff1f681d0fcf50f8afa4b0761bffcef4b76ae84024c90f1531d0e11dcff2c8d419825c826bcc466014db23a20444e7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 cc7cda12ccfc5015404466898145f1c4
SHA1 6023572655dab656ed907d53b694e9f992aeb132
SHA256 0a55759d366944e6ea1c39778a7706dc5778145b0361b5d7b9f2afd4cb06ce4c
SHA512 f3b6767886b8be9d37fb54f037548f34d79ab15ba86726269f7d49cb5b0b11c58db637e492f2a54f9dc522aba47a9df1c75448ca5f906399d4f9ae707403f18f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

MD5 d032ee9c78cfdbc6dbbd74089eda9ab6
SHA1 6d7501ca99a8794192dba3d01b2e448714bf10d6
SHA256 5329841859e7be83073e803c39d52f83549270fef9d227f37700105156f657dc
SHA512 0c3ab3fd4d400ee49493ace385cb2117e2109785b5e23d65a74e6b05bfd87a3253dcb3dbb159d0a7b12c893708b49c9930980171bf4db2f77787a51f773b2747

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/3588-853-0x0000000000F90000-0x000000000143A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\prefs-1.js

MD5 fa8afaff242248b3d884ff90ad990e50
SHA1 e34dd4ec777293607a997619a4e2d65050168c0c
SHA256 ad8600ccf626c83ebebab00ed86a944b0b61579fb4ff3cde331b3aadd7867348
SHA512 ae25e0edeb5add52ff0188e8e3e74b8ed10d0babe9162c5c9958d3b1a26e716a408cf6625bb697befd9cc99ea384534479b160ac61580e9605e04eca5e8727c0

memory/3588-2401-0x0000000000F90000-0x000000000143A000-memory.dmp

memory/3588-2670-0x0000000000F90000-0x000000000143A000-memory.dmp

memory/3588-2673-0x0000000000F90000-0x000000000143A000-memory.dmp

memory/3640-2678-0x0000000000F90000-0x000000000143A000-memory.dmp

memory/3640-2679-0x0000000000F90000-0x000000000143A000-memory.dmp

memory/3588-2681-0x0000000000F90000-0x000000000143A000-memory.dmp

memory/3588-2682-0x0000000000F90000-0x000000000143A000-memory.dmp

memory/3588-2683-0x0000000000F90000-0x000000000143A000-memory.dmp

memory/3588-2684-0x0000000000F90000-0x000000000143A000-memory.dmp
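
The Files section lists two kinds of artefact: memory region dumps named memory/<pid>-<n>-<start>-<end>-memory.dmp and dropped files with their hashes. Two things in it deserve more than a glance. The file 1000006001\91089f9834.exe carries the same SHA256 as the submitted sample, so the loader re-dropped itself into one of the numbered Temp subdirectories the Amadey loader uses for downloaded payloads. And nss3.dll plus mozglue.dll were written to C:\ProgramData, which is the Firefox crypto runtime a browser stealer needs to decrypt saved logins (compare the "Reads user/profile data of web browsers" signature). The Python below is an added example, not part of the report: it parses a constructed, shortened excerpt of the listing above (SHA512 lines omitted), deduplicates dropped PE files by SHA256, finds regions the sandbox dumped more than once in the same process (the usual location of an unpacked payload), and surfaces both observations. The DLL name list and the repeat-dump threshold are this example's assumptions.

```python
"""Parse the sandbox Files listing: dropped-file IOCs and repeatedly dumped memory regions.

Added example for this report, not sandbox output or code. FILES_TEXT is a
constructed, shortened excerpt of the section above (SHA512 lines omitted);
the DLL name list and the repeat-dump threshold are this example's assumptions.
"""
import re
from collections import Counter

SAMPLE_SHA256 = "dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9"
MOZ_RUNTIME_DLLS = {"nss3.dll", "mozglue.dll"}  # the two Firefox runtime DLLs seen in this report

FILES_TEXT = r"""
memory/4304-0-0x0000000000560000-0x0000000001144000-memory.dmp

memory/4304-37-0x0000000000560000-0x0000000001144000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

C:\Users\Admin\AppData\Local\Temp\KFIJEGCBGI.exe

MD5 fb26e404f23d62125f6a4c9a0a62c9e6
SHA1 43d1f2fbb5f8fb0fbd8461741c93446cb08d51e3
SHA256 e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c

memory/1340-85-0x0000000000A10000-0x0000000000EBA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\91089f9834.exe

MD5 77e2f975608c88144f09c2183217adff
SHA1 d54426b5072ad1b974492836fc2ddee0bc6f2747
SHA256 dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9

C:\Users\Admin\AppData\Local\Temp\1000010001\2501ec70f1.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\prefs.js

MD5 1db940cde6c36e5eb5b1bfab1e143b2b
SHA1 fbbf87653e97b09eb724a2ca9a36ecb78c2d59ff
SHA256 1e153b1d1ef1ef81478f35c506a03efa22e59d38e5dec7a42d3f986c6ad0417c
"""

MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")


def parse_files(text):
    """Return (dropped_files, memory_dumps) from the flattened Files listing."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:  # a memory dump entry: pid, sequence number, region bounds
            dumps.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                          "start": int(m["start"], 16), "end": int(m["end"], 16)})
            current = None
            continue
        h = HASH_RE.match(line)
        if h and current is not None:  # hash line belongs to the preceding path
            current[h.group(1)] = h.group(2)
            continue
        current = {"path": line}  # anything else starts a new dropped-file entry
        files.append(current)
    return files, dumps


def dropped_executables(files):
    """(path, sha256) for PE-looking drops, deduplicated by SHA256."""
    seen, out = set(), []
    for f in files:
        sha = f.get("SHA256")
        if sha is None or sha in seen or not f["path"].lower().endswith((".exe", ".dll")):
            continue
        seen.add(sha)
        out.append((f["path"], sha))
    return out


def self_copies(files, sample_sha256=SAMPLE_SHA256):
    """Dropped files whose SHA256 equals the submitted sample: the loader re-dropped itself."""
    return [f["path"] for f in files if f.get("SHA256") == sample_sha256]


def unpacked_regions(dumps, min_dumps=2):
    """(pid, start, end, size, count) for regions dumped at least min_dumps times in one process;
    a region the sandbox keeps re-dumping is usually where the unpacked code lives."""
    counts = Counter((d["pid"], d["start"], d["end"]) for d in dumps)
    return [(pid, s, e, e - s, n) for (pid, s, e), n in counts.items() if n >= min_dumps]


def mozilla_runtime_in_programdata(files):
    """Firefox runtime DLLs written under C:\\ProgramData, the stealer's login-decryption dependency."""
    out = []
    for f in files:
        path = f["path"]
        name = path.rsplit("\\", 1)[-1].lower()
        if path.lower().startswith("c:\\programdata\\") and name in MOZ_RUNTIME_DLLS:
            out.append(path)
    return out


FILES, DUMPS = parse_files(FILES_TEXT)

if __name__ == "__main__":
    for path, sha in dropped_executables(FILES):
        print(f"{sha}  {path}")
    print("self copies:", self_copies(FILES))
    for pid, s, e, size, n in unpacked_regions(DUMPS):
        print(f"pid {pid}: 0x{s:X}-0x{e:X} ({size} bytes) dumped {n}x")
    print("Firefox runtime in ProgramData:", mozilla_runtime_in_programdata(FILES))
```

On the excerpt, the repeated region is PID 4304's 0x560000-0x1144000 (0xBE4000 bytes, roughly 11.9 MiB), which in the full listing above is dumped many more times and is the first place to carve for the unpacked payload; the hash-indexed list of executables is what goes into a blocklist, and the self-copy check is a cheap way to notice that a "downloaded" payload is the original sample again.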

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-10 03:27

Reported

2024-07-10 03:29

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\DHIJEHJDHJ.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\DHIJEHJDHJ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\DHIJEHJDHJ.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DHIJEHJDHJ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\DHIJEHJDHJ.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\DHIJEHJDHJ.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
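
The registry tables above are what the sandbox's evasion and discovery signatures key on: the VBOX__ entry under HKLM\HARDWARE\ACPI\DSDT exists only on VirtualBox guests, SystemBiosVersion/VideoBiosVersion carry hypervisor vendor strings, and a Software\Wine key under the user hive identifies a Wine emulation layer. The Python below is an added example, not the sandbox's own rule set: it re-types those events as constructed input and classifies each key with a small ordered rule list. The DSDT key is the one this report shows; the FADT and RSDT siblings in the first rule are the same check's usual companions and are this example's addition. The point the classifier makes is the one an analyst would: DHIJEHJDHJ.exe and explorti.exe combine VM, BIOS and Wine checks, while the CentralProcessor reads by firefox.exe (and the Geo\Nation read by cmd.exe) are ordinary discovery and must not be scored as evasion.

```python
"""Classify sandbox registry events into anti-VM / anti-emulation / discovery techniques.

Added example for this report, not sandbox code. Events below are constructed
from the signature tables above (one row per distinct key/process pair); the
rule set and labels are this example's own.
"""
import re
from collections import defaultdict

P_DROPPER = r"C:\Users\Admin\AppData\Local\Temp\DHIJEHJDHJ.exe"
P_EXPLORTI = r"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
P_SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe"
P_FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
P_CMD = r"C:\Windows\SysWOW64\cmd.exe"
HKLM_HW = r"\REGISTRY\MACHINE\HARDWARE"
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000"

# (action, key, process), constructed from the tables above.
REGISTRY_EVENTS = [
    ("Key opened", HKLM_HW + r"\ACPI\DSDT\VBOX__", P_DROPPER),
    ("Key opened", HKLM_HW + r"\ACPI\DSDT\VBOX__", P_EXPLORTI),
    ("Key value queried", HKLM_HW + r"\DESCRIPTION\System\VideoBiosVersion", P_DROPPER),
    ("Key value queried", HKLM_HW + r"\DESCRIPTION\System\SystemBiosVersion", P_EXPLORTI),
    ("Key value queried", HKLM_HW + r"\DESCRIPTION\System\VideoBiosVersion", P_EXPLORTI),
    ("Key value queried", USER_HIVE + r"\Control Panel\International\Geo\Nation", P_DROPPER),
    ("Key value queried", USER_HIVE + r"\Control Panel\International\Geo\Nation", P_EXPLORTI),
    ("Key value queried", USER_HIVE + r"\Control Panel\International\Geo\Nation", P_SAMPLE),
    ("Key value queried", USER_HIVE + r"\Control Panel\International\Geo\Nation", P_CMD),
    ("Key opened", USER_HIVE + r"\Software\Wine", P_DROPPER),
    ("Key opened", USER_HIVE + r"\Software\Wine", P_EXPLORTI),
    ("Key opened", HKLM_HW + r"\DESCRIPTION\System\CentralProcessor\0", P_SAMPLE),
    ("Key value queried", HKLM_HW + r"\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString", P_SAMPLE),
    ("Key value queried", HKLM_HW + r"\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier", P_FIREFOX),
    ("Key value queried", HKLM_HW + r"\DESCRIPTION\System\CentralProcessor\0\~Mhz", P_FIREFOX),
]

# Ordered rules, first match wins. Patterns are regexes over the native key path.
# Labels prefixed "anti-" count as evasion; "discovery:" labels are context only.
RULES = [
    ("anti-vm: VirtualBox ACPI table", r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$"),  # FADT/RSDT: assumption
    ("anti-vm: BIOS strings", r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)$"),
    ("anti-emulation: Wine", r"\\Software\\Wine$"),
    ("discovery: locale", r"\\Control Panel\\International\\Geo\\Nation$"),
    ("discovery: CPU", r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\"),
]


def classify(events, rules=RULES):
    """Map each process to the sorted, deduplicated technique labels its registry accesses match."""
    hits = defaultdict(set)
    for _action, key, process in events:
        for label, pattern in rules:
            if re.search(pattern, key, re.IGNORECASE):
                hits[process].add(label)
                break
    return {proc: sorted(labels) for proc, labels in hits.items()}


def evasion_score(events):
    """Number of distinct anti-VM / anti-emulation categories per process."""
    return {proc: sum(1 for label in labels if label.startswith("anti-"))
            for proc, labels in classify(events).items()}


def evasion_processes(events):
    """Processes with at least one evasion category, the ones a signature should name."""
    return sorted(proc for proc, score in evasion_score(events).items() if score > 0)


def unmatched_keys(events, rules=RULES):
    """Keys no rule explains; a non-empty result means the rule set needs extending."""
    return sorted({key for _a, key, _p in events
                   if not any(re.search(pat, key, re.IGNORECASE) for _l, pat in rules)})


if __name__ == "__main__":
    for proc, labels in classify(REGISTRY_EVENTS).items():
        print(f"{proc}\n    " + "\n    ".join(labels))
    print("evasion:", evasion_processes(REGISTRY_EVENTS))
    print("unmatched:", unmatched_keys(REGISTRY_EVENTS))
```

With the constructed events, evasion_processes() returns exactly the two Amadey binaries, each scoring three categories, and firefox.exe, cmd.exe and the submitted sample score zero even though they touched hardware and locale keys. Ordering the rules from most specific to least specific matters: the CentralProcessor prefix rule is last so that it never shadows the BIOS-string rule, which lives under the same HARDWARE\DESCRIPTION\System parent.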

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DHIJEHJDHJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5104 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe C:\Windows\SysWOW64\cmd.exe
PID 5104 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe C:\Windows\SysWOW64\cmd.exe
PID 5104 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe C:\Windows\SysWOW64\cmd.exe
PID 5104 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe C:\Windows\SysWOW64\cmd.exe
PID 5104 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe C:\Windows\SysWOW64\cmd.exe
PID 5104 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\DHIJEHJDHJ.exe
PID 2664 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\DHIJEHJDHJ.exe
PID 2664 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\DHIJEHJDHJ.exe
PID 2692 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\DHIJEHJDHJ.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2692 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\DHIJEHJDHJ.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2692 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\DHIJEHJDHJ.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2396 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\614bf1e4f4.exe
PID 2396 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\614bf1e4f4.exe
PID 2396 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\614bf1e4f4.exe
PID 2396 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe
PID 2396 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe
PID 2396 wrote to memory of 1980 (1 event) N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe
PID 1980 wrote to memory of 3188 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3188 wrote to memory of 1580 (11 events) N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1580 wrote to memory of 3564 (33 events) N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
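The WriteProcessMemory table lists one row per call, so the same writer/target pair repeats many times and the interesting edge is easy to miss. The script below is an added example, not part of the sandbox report: it collapses the rows into per-edge counts and rates each edge. The row data (PIDs, counts and image paths) is copied from the table; the rating rules are this example's own heuristic, not the sandbox's signature logic. Firefox's launcher process normally writes into the browser process it starts, and the browser parent normally writes into each content process it spawns, so the firefox.exe to firefox.exe edges are typically the browser's own start-up. The edge to examine first is 816bf80ab7.exe (PID 1980) writing into the firefox.exe (PID 3188) it launched with https://www.youtube.com/account; two writes is consistent with plain process-launch setup as well as with injection, so the memory dump for PID 3188, not the count, settles it.

```python
"""Collapse sandbox 'wrote to memory of' rows into a rated process-write graph.

Added example; not code from the sandbox vendor or the report.
"""
import re
from collections import Counter

# One tuple per event, copied from the report's table: (description, process, target).
ROWS = (
    [("PID 2396 wrote to memory of 1980",
      r"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe",
      r"C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe")] * 1
    + [("PID 1980 wrote to memory of 3188",
        r"C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe",
        r"C:\Program Files\Mozilla Firefox\firefox.exe")] * 2
    + [("PID 3188 wrote to memory of 1580",
        r"C:\Program Files\Mozilla Firefox\firefox.exe",
        r"C:\Program Files\Mozilla Firefox\firefox.exe")] * 11
    + [("PID 1580 wrote to memory of 3564",
        r"C:\Program Files\Mozilla Firefox\firefox.exe",
        r"C:\Program Files\Mozilla Firefox\firefox.exe")] * 33
)

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def build_edges(rows):
    """Return Counter keyed by (src_pid, src_image, dst_pid, dst_image)."""
    edges = Counter()
    for desc, src, dst in rows:
        m = ROW_RE.fullmatch(desc)
        if not m:
            continue  # tolerate rows of another signature in the same table
        edges[(int(m.group(1)), src, int(m.group(2)), dst)] += 1
    return edges


def classify(src_image, dst_image):
    """Heuristic rating of a cross-process write (assumption of this example)."""
    src_l, dst_l = src_image.lower(), dst_image.lower()
    src_in_temp = "\\appdata\\local\\temp\\" in src_l
    if src_l == dst_l:
        # Same image writing into a child of itself: launcher/parent handoff.
        return "self-image"
    if src_in_temp and dst_l.startswith("c:\\program files\\"):
        # A dropped binary writing into a trusted, installed image.
        return "injection-candidate"
    if src_in_temp:
        # Dropped binary writing into another dropped binary: loader stage.
        return "loader-chain"
    return "review"


def triage(rows):
    """Sorted list of (src_pid, src_name, dst_pid, dst_name, count, verdict)."""
    out = []
    for (spid, src, dpid, dst), n in sorted(build_edges(rows).items()):
        out.append((spid, src.rsplit("\\", 1)[-1], dpid,
                    dst.rsplit("\\", 1)[-1], n, classify(src, dst)))
    return out


if __name__ == "__main__":
    for spid, s, dpid, d, n, verdict in triage(ROWS):
        print(f"{spid} {s} -> {dpid} {d}: {n:2d} events  [{verdict}]")
```

Edges rated self-image are still worth a glance when the count is unusual for the browser version, but the injection-candidate and loader-chain edges are where the analyst's time goes.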

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe

"C:\Users\Admin\AppData\Local\Temp\dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DHIJEHJDHJ.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EBAFHCBFHD.exe"

C:\Users\Admin\AppData\Local\Temp\DHIJEHJDHJ.exe

"C:\Users\Admin\AppData\Local\Temp\DHIJEHJDHJ.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\614bf1e4f4.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\614bf1e4f4.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1928 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {126e670c-64b9-4fcf-b9e8-5cb3d98c33a7} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e6c0990-ada0-4026-bf7b-c2f970f2d6bf} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3036 -childID 1 -isForBrowser -prefsHandle 3028 -prefMapHandle 3024 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1232 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ba307c3-b377-4b91-bb45-0dae3bf1b729} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3712 -childID 2 -isForBrowser -prefsHandle 3704 -prefMapHandle 3700 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 1232 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12043376-dc6c-4cc2-8fe6-6d6c7cb3c237} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4664 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4688 -prefMapHandle 4684 -prefsLen 31163 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {933a9f8a-d8d3-47b3-b036-e044373cb19b} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5552 -childID 3 -isForBrowser -prefsHandle 5536 -prefMapHandle 5544 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1232 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a1ffa12-c7c4-4574-a8c0-a378b23c460c} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5684 -childID 4 -isForBrowser -prefsHandle 5764 -prefMapHandle 5760 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1232 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5573a0e0-e7de-4689-b0df-a9bde9632633} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5876 -childID 5 -isForBrowser -prefsHandle 5956 -prefMapHandle 5952 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1232 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a72f2e1-91af-449f-8e7a-f35c99d3c708} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" tab

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
N/A 127.0.0.1:50052 tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 34.117.188.166:443 spocs.getpocket.com tcp
US 34.117.188.166:443 spocs.getpocket.com tcp
GB 216.58.204.78:443 www.youtube.com tcp
GB 216.58.204.78:443 www.youtube.com tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 52.33.222.107:443 shavar.services.mozilla.com tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
GB 216.58.204.78:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 78.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 107.222.33.52.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
N/A 127.0.0.1:50059 tcp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com udp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
GB 216.58.201.110:443 consent.youtube.com udp
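Most of the network table is produced by the sandbox's DNS resolver (including the in-addr.arpa reverse lookups) and by the Firefox instance the sample launched (Mozilla services, Pocket, YouTube, the OpenH264 plugin download). The sample's own traffic is the handful of plaintext connections made by literal IP address with no hostname: 85.28.47.30:80, 77.91.77.81:80 and 77.91.77.82:80. The script below is an added example, not part of the report, that parses rows in the table's column layout and separates those buckets. The rows embedded here are a subset copied from the table; the allow-list of domains a stock Windows image and a freshly started Firefox contact on their own is this example's assumption, not a vendor list.

```python
"""Split a sandbox network table into DNS, browser noise and direct-to-IP traffic.

Added example; not code from the sandbox vendor or the report.
"""
import ipaddress
from collections import Counter

# Subset of rows copied from the report: Country Destination Domain Proto.
# Loopback rows have no Domain column, as in the report.
NETWORK = """\
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
N/A 127.0.0.1:50052 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 216.58.204.78:443 www.youtube.com tcp
US 52.33.222.107:443 shavar.services.mozilla.com tcp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
"""

# Assumed allow-list: domains a fresh Firefox / stock Windows contacts by itself.
BROWSER_NOISE = ("mozilla.com", "mozilla.net", "mozilla.org", "mozaws.net",
                 "mozgcp.net", "getpocket.com", "google.com", "youtube.com",
                 "gvt1.com", "openh264.org", "akamai.net", "bing.com")


def parse_rows(text):
    """Parse 'Country IP:port [Domain] Proto' lines into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_ip_literal(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def in_noise_list(domain):
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in BROWSER_NOISE)


def classify(row):
    if ipaddress.ip_address(row["ip"]).is_loopback:
        return "loopback"
    if row["port"] == 53:
        return "dns"              # forward and in-addr.arpa reverse lookups alike
    if is_ip_literal(row["domain"]):
        return "direct-to-ip"     # no hostname ever resolved for this peer
    if in_noise_list(row["domain"]):
        return "browser-noise"
    return "review"


def summary(rows):
    return Counter(classify(r) for r in rows)


def candidate_c2(rows):
    """Distinct (ip, port) contacted by literal address, in first-seen order."""
    seen = []
    for r in rows:
        key = (r["ip"], r["port"])
        if classify(r) == "direct-to-ip" and key not in seen:
            seen.append(key)
    return seen


if __name__ == "__main__":
    rows = parse_rows(NETWORK)
    print(dict(summary(rows)))
    for ip, port in candidate_c2(rows):
        print(f"direct-to-ip: {ip}:{port}")
```

Anything that lands in the review bucket is a hostname the allow-list does not know; with the full table from this report the bucket stays empty, which is itself a useful check that the allow-list is not hiding something.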

Files

memory/5104-0-0x00000000004A0000-0x0000000001084000-memory.dmp

memory/5104-1-0x000000007F120000-0x000000007F4F1000-memory.dmp

memory/5104-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/5104-50-0x00000000004A0000-0x0000000001084000-memory.dmp

memory/5104-51-0x00000000004A0000-0x0000000001084000-memory.dmp

memory/5104-52-0x00000000004A0000-0x0000000001084000-memory.dmp

memory/5104-53-0x000000007F120000-0x000000007F4F1000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/5104-80-0x00000000004A0000-0x0000000001084000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DHIJEHJDHJ.exe

MD5 fb26e404f23d62125f6a4c9a0a62c9e6
SHA1 43d1f2fbb5f8fb0fbd8461741c93446cb08d51e3
SHA256 e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c
SHA512 82c79a30623096e0044a58da9628e59c2a98cadb09c50f60302e04d47a7dabfc64b57efeca2e4c9213568da324d29f15fc38b268ff4b330101d93d0de2ec3bf1

memory/2692-84-0x0000000000D60000-0x000000000120A000-memory.dmp

memory/2692-97-0x0000000000D60000-0x000000000120A000-memory.dmp

memory/2396-98-0x00000000001E0000-0x000000000068A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\614bf1e4f4.exe

MD5 77e2f975608c88144f09c2183217adff
SHA1 d54426b5072ad1b974492836fc2ddee0bc6f2747
SHA256 dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9
SHA512 ec03999f9fb5c08aa8c0e9baebeae2c6f17622a9ed4804f1368bc7000dfe39db6b12bc13cb1578eafe983c9deb481ec153837ae461e52db24ac146292ac32e64

memory/4968-114-0x0000000000D90000-0x0000000001974000-memory.dmp

memory/4968-115-0x0000000000D90000-0x0000000001974000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\prefs.js

MD5 afc5899a0a343f2d0768763382a5fd30
SHA1 aa73f95a8aee9ed478a24367e47fb4b61eb5e7da
SHA256 f9f17851e49959c1aa575c8d53d87673c866cc3bde4e63bcb9d0b85ac4d86de1
SHA512 678c0e334de928a0f31c68722c71ad27f43673a9d92d6b7ada001c938344360461d8fd27447e4c075404b5df230af4d51ad4819544cc8f51134b992d0c378b2c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3mrom4gn.default-release\activity-stream.discovery_stream.json.tmp

MD5 92d5b5a0fa43614f0d6e0a932ea12651
SHA1 c779c724eca982a6dcb92001f26c024057ea9333
SHA256 292c9980f77e8df4540f1441e9ca37f113845d7fef52d1caac078003798fc647
SHA512 013b2c6c3f75b4313fa7b5a10396445e4e28f6942bfab4ababd3f4753696e8c40baabaa15d3fa82d7ea180c827a8ce44e4853a7cffbcde08b22dced07970951b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\datareporting\glean\pending_pings\cdd95fe1-3af0-4a87-af33-30296e8b19b6

MD5 2ff17960645285537488cde70951d2a8
SHA1 d0c92ffbdc7d1d0f4c0da41cdd7b2052b3402466
SHA256 445d57f0afb8d20bc82687cf6b0830b89d00cf53df840ef5d341d7d9bd00f2fa
SHA512 4ed616a76f2bc3bb851e8bb397926e6de10f8d0cd6a355a37eef320e0fdeef6619299fa756146944e0ad960f82762114436efacdab8cbd472218739ba425d650

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\datareporting\glean\pending_pings\a31c767d-a3e4-4cf0-b208-ac7e02c474fd

MD5 5f063bc120ac65d2903d1b0edd28c7b5
SHA1 d682b50e17546323ac6b0097e06d11449bde6517
SHA256 eba58b2def4849318803b15eaa0e4f08921f028f03d41bad340002eb5a0460e4
SHA512 89e97dd46d857c6aa24ebc8d7d2718d8655773840d96cdb5756282d61f5841177f1fad16d50e2893f9926050b65705619e432876f5cb2cce24440bdeda9e8f0f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\datareporting\glean\db\data.safe.tmp

MD5 9c6c3b9f3bae9f23d145ab2f9670545d
SHA1 9a34e867ee5b6f6722b2bb7f6159fe050db4ac5e
SHA256 ff465df655b42625baecc03b9d00e1b68bc032bca49bcb815dd8459b3484e1a3
SHA512 aae0acd3b8e4dfb9d980ad697a9c462a5d8048842f38b43d88daaa8d01e189c004cb394932940d6ac1c6ab7eaead2a94595edd405f113ef900b79e8ed578acc8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\datareporting\glean\db\data.safe.tmp

MD5 561f264091adef9778c69da3a7ff453a
SHA1 97875f96a89e415394276091a4bcabd04c06b9da
SHA256 e1b964b5bd55fba317a0f44de80b34dde544f4ed6ed510f329696ee378b51994
SHA512 c1cdd84ebd6a402e2ca4e19a10623288bb7f925c256d1956c89ea8cc9ca48ceaf1fa2f42fe00af61e51a79e26876837dad6f32898fa8593bd2109e346947f7e5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\datareporting\glean\db\data.safe.tmp

MD5 47526830a8cae2ed03e8aa43a6dd560f
SHA1 4b9e64e09a3811694d02176186c91851d43ef2c7
SHA256 aa55b4ba61fac99121ad82e9ca6ce18c216ea0017aaf6910d119a7e580dbc190
SHA512 fc80f1b3124ea4bcfe7f2e859e1e8bfc56d6d4ec44150a11530399bbc42dc565779e5b07995df7389b57c3694f5d076a82b449f8908319e6976336762836a94d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\AlternateServices.bin

MD5 566f24e4f3cf36af3d6ff4e9cbe266c8
SHA1 b3e3967b328bbf93511e1dac075de3d57dafe6b5
SHA256 869d85e7bdeceabebc4a213d8f42eeff3f0e3364d37fe56e9039f3335ca194e7
SHA512 7741183938d2c568b41b11d845337290c453afa91089fc0b1b9359a1c00122846cbf8f6d361fa886631feafd37ab3d2c5c508082aadb90cdcf407ea73c8f19d3

memory/2396-464-0x00000000001E0000-0x000000000068A000-memory.dmp

memory/1520-469-0x00000000001E0000-0x000000000068A000-memory.dmp

memory/1520-471-0x00000000001E0000-0x000000000068A000-memory.dmp

memory/2396-485-0x00000000001E0000-0x000000000068A000-memory.dmp

memory/2396-490-0x00000000001E0000-0x000000000068A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\datareporting\glean\db\data.safe.tmp

MD5 e7c4778edc553e70212181b61acdc1ba
SHA1 9b610c86284372b27231dbc356ebc850c0ef78d6
SHA256 d78545068d7a28a129ed231f5751dd65fc50d4f80aac174048e47227630d6576
SHA512 37222123baf3ba9402f22b0df43fa0e37126b74815d42c616fecb7a49eb53a6d22e29df2bad7f7d4f0c538020ae51c51e7ebc92593cbb6c6390ac54ee94d678e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\prefs.js

MD5 f90b5e2951334ccf5259488a9077c7bb
SHA1 5a56b7264da1ebe01ffdcf6997f89dbd98eb750c
SHA256 d8c422a8d2260ca196849ea53d20df429f822a89211ad37b3229382a4fde1c2c
SHA512 9b7351b1f8196cba5a4cba3dd5fb2ac79d02cd9a1dc9a7be92f5c3948b93144ffa2e38a9ad9b75c16f3d50562a6f5e4fe05fbd22ddf7934d07b5059255b226e0

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3mrom4gn.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 34b4cd3443bff432bdf3aca3eb5bafe6
SHA1 5c8a0dd5632a8f09a16068124caea95238aea7c6
SHA256 674b7b5be5bc5b02488ed06c41c70afb68957160ed00257469e15181fc68dc49
SHA512 0902b8a5306ada3c35e8cd3ff2adaccf12c30dc3ad869aaf27944271cc5d5cfa9dbcc242c867367a52118c8cda6a93813b34556f01cde543d74a5db830804df7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\prefs-1.js

MD5 58badfe3b1bf42e94fddd167e89f17be
SHA1 1f3ebc83797827c5e3e70d09de8ce569cd73433c
SHA256 131cbc930b6fe694bc490b87505ad85739092065da43950c8fdda510840f793a
SHA512 8a95397307c6d8013721bf540edcd4044eb9e232cb524da2ec9f54a364398bcdc7b41e81deac7a2c638797ef234dfb5978b28443df376653467ddebb2da29981

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\prefs-1.js

MD5 e2950b9610355be60b67e539281c0914
SHA1 1124198875eeddfe1f914f143a76982ea0fd8017
SHA256 246a70a9eb9c008b06121608bf2706ecb8e0770ad855b78f5ece517d1c371ca5
SHA512 572b2b2d43a5340424361854c01bc48422410857512a281b0ebe20f281c9cf974f17ca6929f995902392bcd455499d3400db81e5cdbfb9b4cf88bbbd047c2102

memory/2396-829-0x00000000001E0000-0x000000000068A000-memory.dmp

memory/2396-2345-0x00000000001E0000-0x000000000068A000-memory.dmp

memory/2396-2663-0x00000000001E0000-0x000000000068A000-memory.dmp

memory/2396-2669-0x00000000001E0000-0x000000000068A000-memory.dmp

memory/588-2672-0x00000000001E0000-0x000000000068A000-memory.dmp

memory/588-2673-0x00000000001E0000-0x000000000068A000-memory.dmp

memory/2396-2674-0x00000000001E0000-0x000000000068A000-memory.dmp

memory/2396-2675-0x00000000001E0000-0x000000000068A000-memory.dmp

memory/2396-2676-0x00000000001E0000-0x000000000068A000-memory.dmp

memory/2396-2677-0x00000000001E0000-0x000000000068A000-memory.dmp
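Two details in the Files list deserve attention before the hashes go into a blocklist. First, the SHA256 of C:\Users\Admin\AppData\Local\Temp\1000006001\614bf1e4f4.exe is identical to the submitted sample's hash, so the loader fetched a copy of the sample itself and one indicator covers both. Second, nss3.dll and mozglue.dll in C:\ProgramData carry the names of legitimate Mozilla libraries; stealers of this family fetch such libraries to decrypt Firefox credential stores, so those hashes may match clean Mozilla builds and the signal is the location and the download, not the hash alone. The script below is an added example, not part of the report, that parses the list's layout (a path line followed by digest lines, memory dump entries without digests) and sorts entries into indicator classes. The entries embedded here are a subset copied from the list with only the SHA256 (and one MD5) line kept; the classification rules and the use of the sample hash as a constant are this example's own.

```python
"""Turn a sandbox 'Files' list into classified indicators.

Added example; not code from the sandbox vendor or the report.
"""
import re

# From the report header: SHA256 of the submitted sample.
SAMPLE_SHA256 = "dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9"

# Subset of entries copied from the report's Files list (SHA1/SHA512 omitted).
FILES = r"""
memory/5104-0-0x00000000004A0000-0x0000000001084000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

C:\ProgramData\mozglue.dll

SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

C:\Users\Admin\AppData\Local\Temp\DHIJEHJDHJ.exe

SHA256 e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c

C:\Users\Admin\AppData\Local\Temp\1000006001\614bf1e4f4.exe

SHA256 dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9

C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe

SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\prefs.js

SHA256 f9f17851e49959c1aa575c8d53d87673c866cc3bde4e63bcb9d0b85ac4d86de1

C:\Users\Admin\AppData\Local\Temp\tmpaddon

SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_files(text):
    """Return [{'path', 'kind', 'hashes'}] in list order."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and cur is not None:
            cur["hashes"][m.group(1).lower()] = m.group(2).lower()
        elif line.startswith("memory/"):
            entries.append({"path": line, "kind": "memory", "hashes": {}})
            cur = None  # dump entries carry no digests
        else:
            cur = {"path": line, "kind": "file", "hashes": {}}
            entries.append(cur)
    return entries


def classify(entry):
    """Indicator class; the rules are this example's assumption."""
    if entry["kind"] == "memory":
        return "memory-dump"
    p = entry["path"].lower()
    if entry["hashes"].get("sha256") == SAMPLE_SHA256:
        return "sample-copy"           # the sample re-downloaded itself
    if "\\mozilla\\firefox\\profiles\\" in p:
        return "browser-profile"       # written by the launched Firefox
    if p.endswith((".exe", ".dll")):
        return "dropped-pe"
    return "other"


def ioc_hashes(entries):
    """Distinct SHA256 of dropped PE files, self-copy included, in list order."""
    out = []
    for e in entries:
        if classify(e) in ("dropped-pe", "sample-copy"):
            h = e["hashes"].get("sha256")
            if h and h not in out:
                out.append(h)
    return out


def staged_in_programdata(entries):
    """DLLs placed directly under C:\\ProgramData: verify against vendor builds."""
    return [e["path"] for e in entries
            if e["kind"] == "file"
            and e["path"].lower().startswith("c:\\programdata\\")
            and e["path"].lower().endswith(".dll")]


if __name__ == "__main__":
    ents = parse_files(FILES)
    for e in ents:
        print(f"{classify(e):16} {e['path']}")
    print("IOC SHA256:", *ioc_hashes(ents), sep="\n  ")
    print("staged DLLs:", staged_in_programdata(ents))
```

Hashes in the dropped-pe class are the blocklist candidates; the staged DLL paths are better used as a hunting query (a DLL with a Mozilla name directly under C:\ProgramData) after comparing each hash with the genuine library.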