Malware Analysis Report

2024-11-13 16:47

Sample ID 240710-evspksxhrd
Target file.exe
SHA256 dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9
Tags
amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d hate discovery evasion spyware stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Identifies Wine through registry keys

Loads dropped DLL

Reads data files stored by FTP clients

Executes dropped EXE

Checks BIOS information in registry

Checks computer location settings

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-10 04:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-10 04:16

Reported

2024-07-10 04:18

Platform

win7-20240705-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ECFCBFBGDB.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ECFCBFBGDB.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ECFCBFBGDB.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ECFCBFBGDB.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\ECFCBFBGDB.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ECFCBFBGDB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\c843ffaa07.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2704 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 992 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ECFCBFBGDB.exe
PID 2992 wrote to memory of 992 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ECFCBFBGDB.exe
PID 2992 wrote to memory of 992 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ECFCBFBGDB.exe
PID 2992 wrote to memory of 992 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ECFCBFBGDB.exe
PID 992 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\ECFCBFBGDB.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 992 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\ECFCBFBGDB.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 992 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\ECFCBFBGDB.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 992 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\ECFCBFBGDB.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2272 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\c843ffaa07.exe
PID 2272 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\c843ffaa07.exe
PID 2272 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\c843ffaa07.exe
PID 2272 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\c843ffaa07.exe
PID 2272 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe
PID 2272 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe
PID 2272 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe
PID 2272 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe
PID 1508 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1508 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1508 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1508 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2040 wrote to memory of 2240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2040 wrote to memory of 2240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2040 wrote to memory of 2240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2040 wrote to memory of 2240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2040 wrote to memory of 2240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2040 wrote to memory of 2240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2040 wrote to memory of 2240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2040 wrote to memory of 2240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2040 wrote to memory of 2240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2040 wrote to memory of 2240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2040 wrote to memory of 2240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2040 wrote to memory of 2240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 2464 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 2464 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 2464 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ECFCBFBGDB.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GCBGCGHDGI.exe"

C:\Users\Admin\AppData\Local\Temp\ECFCBFBGDB.exe

"C:\Users\Admin\AppData\Local\Temp\ECFCBFBGDB.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\c843ffaa07.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\c843ffaa07.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2240.0.1517476713\973479585" -parentBuildID 20221007134813 -prefsHandle 1248 -prefMapHandle 1236 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {203c9a93-e3d4-4033-ab8b-dd3fc55e3794} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" 1308 106da958 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2240.1.1987134665\190776280" -parentBuildID 20221007134813 -prefsHandle 1492 -prefMapHandle 1472 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a645df0d-d3ae-4343-aec8-8daf468c93e2} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" 1504 f0d3e58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2240.2.1975082481\1871082467" -childID 1 -isForBrowser -prefsHandle 2072 -prefMapHandle 2068 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 668 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {29455c1e-1d25-49e3-828c-12e34cb8723d} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" 2084 1065ce58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2240.3.768118803\1555943127" -childID 2 -isForBrowser -prefsHandle 2824 -prefMapHandle 2820 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 668 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {821e4500-e7b8-44dc-82a2-d1b1b3e5eb1c} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" 2836 1d760558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2240.4.1559285978\1477743263" -childID 3 -isForBrowser -prefsHandle 3728 -prefMapHandle 3724 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 668 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4dade930-685e-492c-9c84-e4f72b40babe} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" 3740 1f62fd58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2240.5.706482466\1136311650" -childID 4 -isForBrowser -prefsHandle 3856 -prefMapHandle 3836 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 668 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c946fe4-0cfb-4e6e-a409-cfb09573119e} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" 3852 1f696258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2240.6.1122889202\545252196" -childID 5 -isForBrowser -prefsHandle 4024 -prefMapHandle 4060 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 668 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {90d886fe-6ee2-4521-b656-03adf87483a4} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" 4064 1f696558 tab

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.187.238:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 44.238.192.228:443 shavar.prod.mozaws.net tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
GB 142.250.187.238:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
GB 216.58.201.110:443 consent.youtube.com udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
N/A 127.0.0.1:49370 tcp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com udp
N/A 127.0.0.1:49377 tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r2---sn-aigzrnse.gvt1.com udp
GB 74.125.168.199:443 r2---sn-aigzrnse.gvt1.com tcp
US 8.8.8.8:53 r2.sn-aigzrnse.gvt1.com udp
US 8.8.8.8:53 r2.sn-aigzrnse.gvt1.com udp
GB 74.125.168.199:443 r2.sn-aigzrnse.gvt1.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
GB 216.58.201.110:443 consent.youtube.com udp

Files

memory/2704-0-0x0000000000A90000-0x0000000001674000-memory.dmp

memory/2704-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

memory/2704-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2704-65-0x0000000000A90000-0x0000000001674000-memory.dmp

memory/2704-66-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

\Users\Admin\AppData\Local\Temp\ECFCBFBGDB.exe

MD5 fb26e404f23d62125f6a4c9a0a62c9e6
SHA1 43d1f2fbb5f8fb0fbd8461741c93446cb08d51e3
SHA256 e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c
SHA512 82c79a30623096e0044a58da9628e59c2a98cadb09c50f60302e04d47a7dabfc64b57efeca2e4c9213568da324d29f15fc38b268ff4b330101d93d0de2ec3bf1

memory/992-96-0x00000000010C0000-0x000000000156A000-memory.dmp

memory/992-119-0x00000000010C0000-0x000000000156A000-memory.dmp

memory/2272-120-0x0000000000E00000-0x00000000012AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\c843ffaa07.exe

MD5 77e2f975608c88144f09c2183217adff
SHA1 d54426b5072ad1b974492836fc2ddee0bc6f2747
SHA256 dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9
SHA512 ec03999f9fb5c08aa8c0e9baebeae2c6f17622a9ed4804f1368bc7000dfe39db6b12bc13cb1578eafe983c9deb481ec153837ae461e52db24ac146292ac32e64

memory/2272-139-0x0000000006AF0000-0x00000000076D4000-memory.dmp

memory/1384-140-0x0000000001220000-0x0000000001E04000-memory.dmp

memory/2272-138-0x0000000006AF0000-0x00000000076D4000-memory.dmp

memory/1384-143-0x0000000001220000-0x0000000001E04000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000010001\ea3d5b7b36.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

memory/2272-158-0x0000000000E00000-0x00000000012AA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\prefs.js

MD5 f3db0fcc5984387f9b069806017901e4
SHA1 38d91a04cca13e700142faa6627c28e31041995b
SHA256 d2ea9433ae266de2627c38e07979e29d4981be5aa2b67c3001e62f020bd49575
SHA512 1a432bba8190d67c35fd714305e23edbaf63f51bb1d60a486c463e9bc5603aba3a88686568da42cda0cc680036cf8a6d6c967cd5d43bcd9bb528a1ae6f786327

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\datareporting\glean\pending_pings\db16150b-ca93-4cde-b745-18a2f7d96fe3

MD5 f644ec306f88417713075996a7651e2d
SHA1 2df2b3afec89f966a97c348ee87a8ec80702bc78
SHA256 a24c0a00a3cd2b707d949a37fd4881192cf186cf7e6ba46f9a8197e02d18c861
SHA512 ab513f926271faa2deb4de286ff6600dac62d910158a17cc5ae9fccd2fab993198a9d7318a5bbd1dc3057b3018dd4c25b746e655ee4f19d633cdd609abc55153

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\datareporting\glean\pending_pings\d3c90fb3-c377-43f8-9f79-91d5fe6d6627

MD5 768c90176b66408eae3ae8b0522b15d3
SHA1 d609c9f3cc9fad9e3aee2c87cec10f69095df018
SHA256 8c43396473b53167447a62aa3238081cd60f4a291ffa9acafc886077664548bc
SHA512 a91837188f78f8c49be32235fb38ea23ac0b94c79ffeedc14d13cd319bf664535c36dee5b5f6b067a73aaa3ba88a1d5dd7279dfe12c552ac6aea497fbe89b38d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\datareporting\glean\db\data.safe.bin

MD5 abf3ebf1a744355970df998788d11be0
SHA1 7e44e30a7510b8ec0277abe229ffaf1ee6a237dd
SHA256 922065c20abcb463a6212d180122ad613876e145635249eaa03f212770b6df52
SHA512 6871435e2f97bb4e4058c7b2ab5d2bdd9b74f89bda681428bf24c05a4af2f0dfe9b8ae14f1788478dc93e29e5bd2c7c61d88118b2e73b7cc678123a5a8895834

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\activity-stream.discovery_stream.json.tmp

MD5 c5558110ec35b882312b9e44843bb693
SHA1 b3905e3ad73a0a4240be7f3fc5929ce6e14d2889
SHA256 5ef9c31a9599177435dff1fd097260f25da60fee8028ce1967e0a8c8a05890b5
SHA512 322d1e25a1e11cca9c36fab4a02ea1c33980446295e9b6588872292b334341278c83b9958fa96c48b066feb273c7f2f02070a6dd23259ce0ddea567b737cb7e2

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\activity-stream.discovery_stream.json.tmp

MD5 0d2ef93ccf8f58519524a93bdc372c16
SHA1 faba9c1a08655f4f8c4866ab067afea15de19a5f
SHA256 f632450e164ec4bf4cdea3b1c295161e82554eb3b8c865efe2ef34b058af616d
SHA512 3506d825b7777de300d4e23e0dd0fe670d4378e8503c0c0540adffcc50b61fe0abfa9a5fdb06b0189134c26118a8fbfcf5fd7f18ec6d6d7a69765c174d881570

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\prefs.js

MD5 dd6c78d6fbc471507bfeaa75619924b1
SHA1 e7d1b48cd6ce8a32d681639f99af88804f9fc0e2
SHA256 99d2b318ed7b20e7ec7a909d9c578ee664670a38a4d0c4cf08ba1144c49e414f
SHA512 4e5627f2f0695036d77b8ab89149f01a85b0d9770fe4a8d9815a9066db83ea64beba7dc5782234491511178905b6b7e37beb444bf37db517b9dd24c3962e9c5a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\prefs-1.js

MD5 30ba7c8c0aba73ef0ba0e60f029db91e
SHA1 95d5d4daf6580983a433785be1cecbd44a3f662e
SHA256 675933b24adae1e9b5975cfd32ca3ee02adc9792b3778c7af26360809a197fc3
SHA512 6602ef130a03de17eb590da62bfab77e63de0fd1f16d7db088355d609d3f065ec59a15880e7a43c8623427e2bd7fd96ea331a59968522e8b7afabdf821e49c1e

memory/992-306-0x0000000006DF0000-0x000000000729A000-memory.dmp

memory/2272-307-0x0000000000E00000-0x00000000012AA000-memory.dmp

memory/2272-310-0x0000000000E00000-0x00000000012AA000-memory.dmp

memory/2272-311-0x0000000006AF0000-0x00000000076D4000-memory.dmp

memory/2272-323-0x0000000000E00000-0x00000000012AA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\sessionstore-backups\recovery.jsonlz4

MD5 dcddf933aaa67f209cc3a14d26da525d
SHA1 a82058d7ef1df5b70c5d7c28a61666de6799143b
SHA256 89d6f7707d216ae5fefc6431151cc04003d5445c4f93dff6520189293853b3cb
SHA512 a4fdca037937471ce42fc2d5d1aec8a7559ad174ab23cf6352f22075fb03d6cfa959979091043395842ad4898e68b361855f10e4c471b6ef6653e2a2f6a8864b

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\prefs-1.js

MD5 718f07078399c37d2af3ea3bc60c0b73
SHA1 ef6d23d08ad86d11457119b830451e16528ab87a
SHA256 beffa589e2b14e3fc343fac0d649f0c5a51797364cac484f65a54e09e93d99cd
SHA512 6cca04afd8f3c435b763f0bcb24d4706cb32c3e739d52ba7bb55afbdb9e2c117bc176f2642372fa1af7683805920d469521f57bb3ca56ffaf530a68bfb9e9dbf

memory/2272-364-0x0000000000E00000-0x00000000012AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\prefs-1.js

MD5 9fdab0ed5a2701792f03a8297c247f71
SHA1 ad7be47e4985f2ef8e7e2cfdba3b1f4e2dd21d72
SHA256 2501a612b2b4a5919b3206ab3a52f217e2c02dbe684f17af24de7ede31dc941d
SHA512 8a4c445ceb3cce9cfde83bdd4d6d3a07183486effe274c6b98735910388861f8d23ab76b05e299f93adfa62f64fcef3bce05a5b2a88061f989fea36e6cc83953

memory/2272-411-0x0000000000E00000-0x00000000012AA000-memory.dmp

memory/2272-413-0x0000000000E00000-0x00000000012AA000-memory.dmp

memory/2272-418-0x0000000000E00000-0x00000000012AA000-memory.dmp

memory/2272-425-0x0000000000E00000-0x00000000012AA000-memory.dmp

memory/2272-426-0x0000000000E00000-0x00000000012AA000-memory.dmp

memory/2272-427-0x0000000000E00000-0x00000000012AA000-memory.dmp

memory/2272-428-0x0000000000E00000-0x00000000012AA000-memory.dmp

memory/2272-429-0x0000000000E00000-0x00000000012AA000-memory.dmp

memory/2272-430-0x0000000000E00000-0x00000000012AA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 04:16

Reported

2024-07-10 04:18

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\IDAAKEHJDH.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\IDAAKEHJDH.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\IDAAKEHJDH.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IDAAKEHJDH.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\IDAAKEHJDH.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
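The three registry tables above (ACPI DSDT\VBOX__, SystemBiosVersion/VideoBiosVersion, Software\Wine) and the "PID X wrote to memory of Y" rows under Suspicious use of WriteProcessMemory further down in this analysis are the parts of the report an analyst normally has to correlate by hand: which stage of the dropper chain fingerprinted the environment. The script below is an added example, not part of the sandbox report; it parses a constructed subset of rows copied from this page, treats each parent-to-child memory write as a process-creation edge (an assumption that holds for this report's rows, where every write goes from a parent into the child it just spawned), and annotates the resulting tree with the checks each image performed. The EVASION_RULES table is the example's own labelling, not the sandbox's signature names.

```python
"""Correlate sandbox signature rows into an annotated process tree (added example)."""
import re
from collections import defaultdict

# Rows copied from the report above (a constructed subset, not the full tables).
SAMPLE_ROWS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\IDAAKEHJDH.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\IDAAKEHJDH.exe N/A",
    r"Key opened \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A",
    r"Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\file.exe N/A",
    r"PID 3188 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 3188 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 4444 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IDAAKEHJDH.exe",
    r"PID 1468 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\IDAAKEHJDH.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe",
    r"PID 408 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\e30c59b690.exe",
    r"PID 408 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe",
    r"PID 4572 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe C:\Program Files\Mozilla Firefox\firefox.exe",
    r"PID 1724 wrote to memory of 1212 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe",
    r"PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe",
]

# Example's own labelling of registry paths that only serve environment
# fingerprinting (lower-cased substring -> label). Extend as needed.
EVASION_RULES = {
    r"\hardware\acpi\dsdt\vbox__": "virtualbox-acpi",
    r"\software\wine": "wine",
    r"\description\system\systembiosversion": "bios-version",
    r"\description\system\videobiosversion": "bios-version",
}

# Keys and image paths both contain spaces; the key always starts with
# \REGISTRY\ and the image with a drive letter, which keeps the split unambiguous.
REG_RE = re.compile(r"^Key (?:opened|value queried) (?P<key>\\REGISTRY\\.+?) (?P<proc>[A-Z]:\\.+?) N/A$")
INJ_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<srcimg>[A-Z]:\\.+?) (?P<dstimg>[A-Z]:\\.+)$")


def parse_rows(rows):
    """Split report rows into registry accesses and cross-process writes."""
    reg, writes = [], []
    for row in rows:
        m = REG_RE.match(row)
        if m:
            reg.append((m["key"], m["proc"]))
            continue
        m = INJ_RE.match(row)
        if m:
            writes.append((int(m["src"]), int(m["dst"]), m["srcimg"], m["dstimg"]))
    return reg, writes


def evasion_by_image(reg):
    """Map each process image to the set of environment checks it performed."""
    found = defaultdict(set)
    for key, proc in reg:
        low = key.lower()
        for needle, label in EVASION_RULES.items():
            if needle in low:
                found[proc].add(label)
    return dict(found)


def build_tree(writes):
    """Treat every parent->child write as a process-creation edge (assumption)."""
    tree = {}
    for src, dst, srcimg, dstimg in writes:
        tree.setdefault(src, {"image": srcimg, "parent": None, "children": []})
        node = tree.setdefault(dst, {"image": dstimg, "parent": src, "children": []})
        node["parent"] = src
        if dst not in tree[src]["children"]:
            tree[src]["children"].append(dst)
    return tree


def roots(tree):
    return sorted(p for p, n in tree.items() if n["parent"] is None)


def ancestry(tree, pid):
    """PID chain from the root process down to pid."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = tree[pid]["parent"]
    return chain[::-1]


def render(tree, findings):
    """Indented tree; each node carries the checks its image ran, or '-'."""
    lines = []

    def walk(pid, depth):
        node = tree[pid]
        name = node["image"].rsplit("\\", 1)[-1]
        tags = ",".join(sorted(findings.get(node["image"], ()))) or "-"
        lines.append(f"{'  ' * depth}{name} (pid {pid}) [{tags}]")
        for child in node["children"]:
            walk(child, depth + 1)

    for r in roots(tree):
        walk(r, 0)
    return lines


def triage(rows=SAMPLE_ROWS):
    """Return (tree, findings-by-image, rendered lines) for a set of report rows."""
    reg, writes = parse_rows(rows)
    tree = build_tree(writes)
    findings = evasion_by_image(reg)
    return tree, findings, render(tree, findings)


if __name__ == "__main__":
    print("\n".join(triage()[2]))
```

On the sample rows the chain comes out as file.exe > cmd.exe > IDAAKEHJDH.exe > explorti.exe, with explorti.exe tagged virtualbox-acpi, wine and bios-version and the second-stage c843ffaa07.exe hosting the Firefox tree. The Geo\Nation query by file.exe is parsed but deliberately left unlabelled; whether a locale lookup counts as evasion or as ordinary geofencing is a judgement the rule table should make explicit rather than the parser.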

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\IDAAKEHJDH.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDAAKEHJDH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3188 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 3188 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 3188 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 3188 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 3188 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 3188 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 4444 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IDAAKEHJDH.exe
PID 4444 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IDAAKEHJDH.exe
PID 4444 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IDAAKEHJDH.exe
PID 1468 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\IDAAKEHJDH.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1468 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\IDAAKEHJDH.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1468 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\IDAAKEHJDH.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 408 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\e30c59b690.exe
PID 408 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\e30c59b690.exe
PID 408 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\e30c59b690.exe
PID 408 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe
PID 408 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe
PID 408 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe
PID 4572 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4572 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1724 wrote to memory of 1212 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1724 wrote to memory of 1212 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1724 wrote to memory of 1212 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1724 wrote to memory of 1212 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1724 wrote to memory of 1212 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1724 wrote to memory of 1212 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1724 wrote to memory of 1212 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1724 wrote to memory of 1212 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1724 wrote to memory of 1212 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1724 wrote to memory of 1212 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1724 wrote to memory of 1212 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IDAAKEHJDH.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FBKKJEBFID.exe"

C:\Users\Admin\AppData\Local\Temp\IDAAKEHJDH.exe

"C:\Users\Admin\AppData\Local\Temp\IDAAKEHJDH.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\e30c59b690.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\e30c59b690.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1908 -prefsLen 25755 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {69285ef1-499e-4383-876f-de4eba9b9452} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2424 -prefMapHandle 2412 -prefsLen 26675 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e6820b5-d0f0-4537-9622-82aef861c10f} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2988 -childID 1 -isForBrowser -prefsHandle 3184 -prefMapHandle 2832 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 924 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {594d1349-d059-490f-90c0-966d0c3017b3} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3660 -childID 2 -isForBrowser -prefsHandle 3652 -prefMapHandle 3648 -prefsLen 31165 -prefMapSize 244658 -jsInitHandle 924 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {078eb803-b462-4f53-b043-840444e8e28a} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4672 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4684 -prefMapHandle 4680 -prefsLen 31165 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ff1c632-1ff3-4145-b50a-88c1d98f0d48} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5556 -childID 3 -isForBrowser -prefsHandle 4716 -prefMapHandle 4672 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 924 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c722219-5ec7-4d3b-a2f1-9f6527ef7611} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5572 -childID 4 -isForBrowser -prefsHandle 3408 -prefMapHandle 5488 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 924 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a71a0d03-08eb-4021-8128-06d68f73e64c} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5828 -childID 5 -isForBrowser -prefsHandle 5932 -prefMapHandle 5928 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 924 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fe5fdc1-de25-4168-9318-fcf965ff2e72} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" tab

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
N/A 127.0.0.1:52013 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 44.238.192.228:443 shavar.services.mozilla.com tcp
GB 172.217.16.238:443 www.youtube.com tcp
GB 172.217.16.238:443 www.youtube.com tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
GB 172.217.16.238:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 consent.youtube.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
GB 216.58.201.110:443 consent.youtube.com udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 228.192.238.44.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
N/A 127.0.0.1:52022 tcp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com udp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
GB 216.58.201.110:443 consent.youtube.com udp

Files

memory/3188-0-0x0000000000DE0000-0x00000000019C4000-memory.dmp

memory/3188-1-0x000000007F5C0000-0x000000007F991000-memory.dmp

memory/3188-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/3188-77-0x0000000000DE0000-0x00000000019C4000-memory.dmp

memory/3188-78-0x000000007F5C0000-0x000000007F991000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IDAAKEHJDH.exe

MD5 fb26e404f23d62125f6a4c9a0a62c9e6
SHA1 43d1f2fbb5f8fb0fbd8461741c93446cb08d51e3
SHA256 e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c
SHA512 82c79a30623096e0044a58da9628e59c2a98cadb09c50f60302e04d47a7dabfc64b57efeca2e4c9213568da324d29f15fc38b268ff4b330101d93d0de2ec3bf1

memory/1468-82-0x00000000000C0000-0x000000000056A000-memory.dmp

memory/1468-83-0x0000000077B14000-0x0000000077B16000-memory.dmp

memory/408-96-0x00000000006E0000-0x0000000000B8A000-memory.dmp

memory/1468-97-0x00000000000C0000-0x000000000056A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\e30c59b690.exe

MD5 77e2f975608c88144f09c2183217adff
SHA1 d54426b5072ad1b974492836fc2ddee0bc6f2747
SHA256 dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9
SHA512 ec03999f9fb5c08aa8c0e9baebeae2c6f17622a9ed4804f1368bc7000dfe39db6b12bc13cb1578eafe983c9deb481ec153837ae461e52db24ac146292ac32e64

memory/4800-113-0x0000000000160000-0x0000000000D44000-memory.dmp

memory/4800-115-0x0000000000160000-0x0000000000D44000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000010001\c843ffaa07.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\prefs.js

MD5 15f2eadca378076d9636a78528064469
SHA1 e532ace04dc462d6be45dc0d3da7328744efd66a
SHA256 aa14267a9c0e988da0ff440829e1d328a55c423e960f86ebb2912c53a4e58a6e
SHA512 51c42595a86af96820e7703cf81af6e79c7e1d702d76be15340532ece38039257b9f29dcbff0964e524c94dac5f31369d31054067406a8eca9135b08c4f22a05

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ehv06adt.default-release\activity-stream.discovery_stream.json.tmp

MD5 4e9e2e2877568400e0a9e3c2c83e9771
SHA1 e594165dad79a04459ce742fc745c342eb772df6
SHA256 e4d0ad6ea1ff44db37a3bdb8d78bf58b7be7c6156e15dc424d5ba58b2138dbd9
SHA512 dc813de131e773d3da0e6b8b15f137fa7516d0902e2bd3eaf5352a523480e2f4185239f6401608ebdf4461991b2d01b8888d0df17027f1185c3d5bdb5ca3eff3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\datareporting\glean\pending_pings\f7f189db-20e2-44b4-b3a4-265bea4a388a

MD5 229ea1fb4699030f1d72ff45af74e663
SHA1 ac68b5559d8004cb0787a645764eb0a56fdc8caa
SHA256 0e67016c153c2fba187ecd67963f5034d069fba44f9e33669b8ad8b11cc92d95
SHA512 6aed2d2469604e2ab4e79048c2bc9b35dfda70c1ba0e9ce900f92bbfc9abad86d57681919b6f3bce2d5d439ca6e6c6268e07e1a7f6e39f370f7b95191d9e46b6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\datareporting\glean\pending_pings\b5701b5b-d1a2-4e6e-9395-3abadf9e5d9c

MD5 081bff20c49b059793335d64488c94d0
SHA1 91bac19e40f79e309590c400fc92db64217709ed
SHA256 215fe9413c616cdb4a9b1479ad7b880eb704a6edd40697c8ec2874223dd80ef1
SHA512 e70aea9e68fa1ca5b643cad7762ced6dd3264df5efb2a2fa1392204911a539063c2d4c828f3af00163cf4aafb84a39035ec072149ac193af0af496527f69ac2c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\datareporting\glean\pending_pings\b3030957-c273-4034-a426-8ed8bc18be9c

MD5 f0eaa1c608482ba0fec61ba1eaa569a8
SHA1 347f5c88c89b269aa107768e81d141508f9157c6
SHA256 fcff6c1466f1a1aa8ed0d73d9a5706ff5199a49bd4a638908d90850b7fbdddbf
SHA512 1e513f192b30a75be0b178a8d21d25a6470ed52ba67912238b74625233a617a050c23b6d14c6d8bcd558de7574eb37c652e753e95438795111329e5ae6b04103

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\datareporting\glean\db\data.safe.tmp

MD5 e0b9ff13b64fe2e3d6049693f59ac60b
SHA1 ed9149d07699c1917a4a5b15f12aa71c591fc626
SHA256 8fca9ae4526e704fdcceb57c2f4f15ce6089186b32c8c5180fc67a948af59539
SHA512 5c98141bf1a5ebb2e436f844c930275acc3208a82860982b2108085b5d70aa3e4cd83c40ed05af12fcf9b1f0c2a67f43e21749592ec2da45e36bfbf86ffaecc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\AlternateServices.bin

MD5 724a2470c76c387ef92359c1e8b4e92e
SHA1 2a99bb0dadd311c4f91c5a7c680d8560bb16c593
SHA256 19dff7b9d6e5924279200872057a2947b402ce78eb899ae8dfef5d7ab646f09f
SHA512 f5c5b8f6b3b7345119df969080c489b667febba2e1240e519447934776fcc46c89cd5f2b0e3da98ccf3e4da5bdb49226aedac96996db52ca7939fc19cb2c3769

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\AlternateServices.bin

MD5 0d78b9c553938c6117b7eed932c346c3
SHA1 b53d2482ca488fa368dbece56c5610a1d91abc75
SHA256 d0f0c9c5ac92a54a5755f71eddb6b1e90f44f7ccfabc4f5384164ce44a3a556f
SHA512 9d5a2ede0301c740b045016ea8762f08af55abbf77e196742f6f800a440d20ae2ed4f2abb83bcc96709b713ee0e60b8c190ab6dfeb7c60982b0e17ef3d19d6b1

memory/408-480-0x00000000006E0000-0x0000000000B8A000-memory.dmp

memory/408-497-0x00000000006E0000-0x0000000000B8A000-memory.dmp

memory/408-498-0x00000000006E0000-0x0000000000B8A000-memory.dmp

memory/408-503-0x00000000006E0000-0x0000000000B8A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\datareporting\glean\db\data.safe.tmp

MD5 2b9657f7fc6de5b3cc6dc646cf0d849b
SHA1 131343454f840cfe8315c95b20b86b9037336a29
SHA256 2e67df7887e071b6dbf860e2bb94cb66c6976d72f7764efb2721c3f997f4c926
SHA512 310117563b574d6285f03d400f390c6bcda1445a1e25f592c5f9083151f2a4c514e5fd8de85e243cd5860653c1725805d72c013e89eee7b59d29d0f081b22a58

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ehv06adt.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 7699dd2717c47e2ee9858ee360b04807
SHA1 66eb540ccdf59ae7c6a8f353c574dc964eff3ce3
SHA256 807fbf6ad880c8ca8e490ecf15f9842269ce1a3befef1ef7527b1cbe06a0b6de
SHA512 7f793bf12d4cdceb6bcf7594b90217ce8e4b076ae0ea613f4eb2347b91bccb2c69ed3ac932107dbb513a89c667cbd6787b0b1c142eb401e7d5dd44993eca8212

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\prefs-1.js

MD5 cb32734da56574040b71bb57a689eff0
SHA1 da799424685d2c6822303961c3526d1fd3070434
SHA256 4dd5f50da5104f9a697014aed0929eb1801aaca78a1a5751f293ecd43fd16525
SHA512 ab3d48205db67983af9bb8760aa16f078a7647d6a020f85de28429322ab44f7a63132fbc6c148576671eed01345b3d4610fd9b258d6b9a93cf070c85cc92cdb2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 d8c80d22ba24bb470b7e2c240a2ee3e6
SHA1 1343ff55eaf2556954f07ef2c7420739010e49d4
SHA256 a29b44f07993a144fb82a7027cb2d059cd4d9a2c01a6e0cd83575a05a27a3726
SHA512 d10d5cfdddd176ae64b0ef9076d73096d0d96b893f44e2d61a6f33ea13e39cd264c08ffba8782e13db97a4c10205def80a96c718deb75fa043c30c7a9b5bde5a

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\prefs-1.js

MD5 3dabe503f4214e8784b4aef0c5f792a7
SHA1 6f0f6ed754ca14e3d3394eac450f52011fdcd9f9
SHA256 3543700207cd5fad508f0b706ec234252bacb65d693dabd3952b8f0bb0c957ed
SHA512 5d3e9bd0be70a17b6fef20f3a4a0adabb50dbdc4608e496619d38d6e637170c470a3962451a1683c735a88ceeb635d8a4cf39ac48a759d297c23c38a6439a0f0

memory/408-798-0x00000000006E0000-0x0000000000B8A000-memory.dmp

memory/4184-799-0x00000000006E0000-0x0000000000B8A000-memory.dmp

memory/4184-940-0x00000000006E0000-0x0000000000B8A000-memory.dmp

memory/408-1926-0x00000000006E0000-0x0000000000B8A000-memory.dmp

memory/408-2592-0x00000000006E0000-0x0000000000B8A000-memory.dmp

memory/408-2598-0x00000000006E0000-0x0000000000B8A000-memory.dmp

memory/408-2602-0x00000000006E0000-0x0000000000B8A000-memory.dmp

memory/408-2603-0x00000000006E0000-0x0000000000B8A000-memory.dmp

memory/2488-2606-0x00000000006E0000-0x0000000000B8A000-memory.dmp

memory/408-2605-0x00000000006E0000-0x0000000000B8A000-memory.dmp

memory/2488-2608-0x00000000006E0000-0x0000000000B8A000-memory.dmp

memory/408-2609-0x00000000006E0000-0x0000000000B8A000-memory.dmp

memory/408-2610-0x00000000006E0000-0x0000000000B8A000-memory.dmp

memory/408-2611-0x00000000006E0000-0x0000000000B8A000-memory.dmp