Malware Analysis Report

2024-11-13 16:47

Sample ID 240710-nm3z1sxcrf
Target 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04
SHA256 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04
Tags
amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04

Threat Level: Known bad

The file 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d hate discovery evasion spyware stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Reads data files stored by FTP clients

Identifies Wine through registry keys

Reads user/profile data of web browsers

Checks BIOS information in registry

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-10 11:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-10 11:31

Reported

2024-07-10 11:34

Platform

win10v2004-20240704-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\DAKFIDHDGI.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\DAKFIDHDGI.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\DAKFIDHDGI.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DAKFIDHDGI.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000010001\b7a53f7bd1.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\DAKFIDHDGI.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\DAKFIDHDGI.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4960 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe C:\Windows\SysWOW64\cmd.exe
PID 4960 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe C:\Windows\SysWOW64\cmd.exe
PID 4960 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe C:\Windows\SysWOW64\cmd.exe
PID 4960 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe C:\Windows\SysWOW64\cmd.exe
PID 4960 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe C:\Windows\SysWOW64\cmd.exe
PID 4960 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 4784 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\DAKFIDHDGI.exe
PID 2544 wrote to memory of 4784 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\DAKFIDHDGI.exe
PID 2544 wrote to memory of 4784 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\DAKFIDHDGI.exe
PID 4784 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\DAKFIDHDGI.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4784 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\DAKFIDHDGI.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4784 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\DAKFIDHDGI.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4268 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\f4f9886d53.exe
PID 4268 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\f4f9886d53.exe
PID 4268 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\f4f9886d53.exe
PID 4268 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\b7a53f7bd1.exe
PID 4268 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\b7a53f7bd1.exe
PID 4268 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\b7a53f7bd1.exe
PID 3996 wrote to memory of 2380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3996 wrote to memory of 2380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3996 wrote to memory of 2380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3996 wrote to memory of 2380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3996 wrote to memory of 2380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3996 wrote to memory of 2380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3996 wrote to memory of 2380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3996 wrote to memory of 2380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3996 wrote to memory of 2380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3996 wrote to memory of 2380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3996 wrote to memory of 2380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe

"C:\Users\Admin\AppData\Local\Temp\9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DAKFIDHDGI.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ECAEGHIJEH.exe"

C:\Users\Admin\AppData\Local\Temp\DAKFIDHDGI.exe

"C:\Users\Admin\AppData\Local\Temp\DAKFIDHDGI.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\f4f9886d53.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\f4f9886d53.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\b7a53f7bd1.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\b7a53f7bd1.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.0.541825479\877364806" -parentBuildID 20230214051806 -prefsHandle 1816 -prefMapHandle 1808 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8ff3cc8-92fa-4210-a4a9-48c1feae9ca3} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 1916 2c0f8a0dd58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.1.1947422746\428782767" -parentBuildID 20230214051806 -prefsHandle 2460 -prefMapHandle 2448 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2dd696d-1dce-4ec3-8054-9e10446dbfff} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 2488 2c0ebc8a258 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.2.1584513867\1437349980" -childID 1 -isForBrowser -prefsHandle 3256 -prefMapHandle 3252 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 980 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96f3b7c2-2b51-4d56-ba37-478064e8941c} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 3328 2c0fb345858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.3.179733119\730169197" -childID 2 -isForBrowser -prefsHandle 3776 -prefMapHandle 3772 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 980 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a3a97f5-5aaa-4840-ae13-4d19a43da483} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 3148 2c0fd642c58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.4.1776923757\1797230845" -childID 3 -isForBrowser -prefsHandle 5220 -prefMapHandle 5360 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 980 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b23a66ff-c273-4800-998d-bc4614c5239f} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 5384 2c0ff539458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.5.1875677492\623806062" -childID 4 -isForBrowser -prefsHandle 5376 -prefMapHandle 5340 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 980 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {557311bc-5ecd-46f2-83e0-d851cec296f3} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 5604 2c0ff53a058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.6.688010373\887647161" -childID 5 -isForBrowser -prefsHandle 5756 -prefMapHandle 5752 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 980 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ade97585-d101-4c48-875a-d1741bd7b3e9} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 5764 2c0ff53bb58 tab

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
N/A 127.0.0.1:52388 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
GB 216.58.212.206:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 52.33.222.107:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 34.107.243.93:443 push.services.mozilla.com tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 206.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
GB 216.58.212.206:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 consent.youtube.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 107.222.33.52.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
N/A 127.0.0.1:52395 tcp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r2---sn-aigzrnse.gvt1.com udp
GB 74.125.168.199:443 r2---sn-aigzrnse.gvt1.com tcp
US 8.8.8.8:53 r2.sn-aigzrnse.gvt1.com udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 r2.sn-aigzrnse.gvt1.com udp
GB 74.125.168.199:443 r2.sn-aigzrnse.gvt1.com udp
US 8.8.8.8:53 199.168.125.74.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 53.121.117.34.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com udp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/4960-0-0x0000000000C90000-0x000000000187A000-memory.dmp

memory/4960-1-0x000000007FA20000-0x000000007FDF1000-memory.dmp

memory/4960-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/4960-50-0x0000000000C90000-0x000000000187A000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/4960-80-0x000000007FA20000-0x000000007FDF1000-memory.dmp

memory/4960-79-0x0000000000C90000-0x000000000187A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DAKFIDHDGI.exe

MD5 b0abfe65f6de9238e3b03b6d5e115706
SHA1 217ab85c40c8b968fd5193eaba20b841bb09e891
SHA256 64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb
SHA512 87b8ca733d9ca2909b022a6b891c84833b240d9d3ab0c5e4af5b8aa099084e462faa7db7f784d89ceb525edde1497fa40b98ee1127429453cf95d2285703718c

memory/4784-84-0x00000000005C0000-0x0000000000A80000-memory.dmp

memory/4784-97-0x00000000005C0000-0x0000000000A80000-memory.dmp

memory/4268-98-0x0000000000DB0000-0x0000000001270000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\f4f9886d53.exe

MD5 20fe4b16d13a547a5d7f4dbf543b595a
SHA1 3c59aca1c693efb9923f04c312fdcd47388d24eb
SHA256 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04
SHA512 c502ce3049137646c47898640197641696f2421a66aa67fe20df47b51c99e72db64f2c2a4945dafe16c6cb57871d42397b12759b4d779dbdf85225234296b77e

memory/2796-114-0x0000000000120000-0x0000000000D0A000-memory.dmp

memory/2796-115-0x0000000000120000-0x0000000000D0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000010001\b7a53f7bd1.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

memory/4268-133-0x0000000000DB0000-0x0000000001270000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\prefs.js

MD5 a916eca6b7a760893153ae63c5c7e7c3
SHA1 8e36ca798ffc9a9df0e7053fba74bee0417046b7
SHA256 9d044a27400ef3a36b52c547ba8351b90ab784c679ff63fb083aa13ab4f966b0
SHA512 cf3bda43429b66d2ef557e7ba1a9a3fefc4b3fb83b038a7f2ea26a66a9a8f9816c65782e52a111725f9b555fb299d0a716a07b7b31513c886309171239aafe40

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q38sqp1f.default-release\activity-stream.discovery_stream.json.tmp

MD5 ce0c457dc80de85714adc15046e939c6
SHA1 a6db1dac12ef091a094d3b1f5db2b73d3050b4ba
SHA256 6578f4e4ba5dff5d2c1ec198176548c784ddf5aae1af22fc892df15c777126c8
SHA512 b65f99fa58e89909158933d435fdd099868a5390a3918fdbc713d11af7d7dc6500f5a732b01d2e353fcda567b94301cb202d6aadd5ac06d36b8d0028d1d1a457

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q38sqp1f.default-release\activity-stream.discovery_stream.json.tmp

MD5 f22e74b68589141faa7e57fb93137208
SHA1 5dc69ed75f6db48424b6860dc9c5a6ca43154398
SHA256 857175863d2332e4eec8a37847ebccbba349613ef0695d3d577a57bdf8a9dfd7
SHA512 2ffc19d03b0a7f7f7b8c022974c5b2ea23cf62dc81ad15024f10c4e8f2298282234ad8c14433475f2a05a929ad81cde71f496ca3e936344c879dbe525659e160

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\prefs.js

MD5 3869ebb2f25f530c3163cfd1497de72c
SHA1 b29ba5774fd66130b8c9d260c7d3026055968daf
SHA256 fcbe30151d567be2b009d5389a3a8893cd330667f0c3cc9fa569f111659632ee
SHA512 8dbed7ebc791ddaa689ca18c4ea99505536d56d88454683eb4b729a48f633cfcc53509533694abf34fbb6cad400935fea2d6d52e8475f1804a6186c7b7241dd8

memory/4268-231-0x0000000000DB0000-0x0000000001270000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\sessionstore-backups\recovery.jsonlz4

MD5 f8dfd1b961127f7acf21c6f0e6108365
SHA1 a0636d162c8dc670338c4f2bdcd4bfb401db5d5b
SHA256 29fd77eb3460cd2f0558b251b66a697d0fb48720fc7301307dd829a669b84e2a
SHA512 46d2f4021fd2ee2a81a644cceaa8aebd2c9f0e27d978b58e45de421eb49893195a24aa6b2de6fd9534678dec68ff19a55698617d82c522079cc67b308816f94f

memory/4268-248-0x0000000000DB0000-0x0000000001270000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q38sqp1f.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 5e8d381767ed2e499966a65d14cb6543
SHA1 113e968d1383718435559436d5914c8a740b35f0
SHA256 cac4dcc7105f17f0563141baa9b5fa120ec2129915a008bd13143aca0813664d
SHA512 cce89a0773b328e3b8e16b953b986dcebebdef86ff61d67244ac0b4bb62ae42a3f453e6944aeac66ebe3d37a4471df556e21a34ac7a9a222d220dafe3f449e1a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\prefs-1.js

MD5 86f7d5cb5cb7a2666b52057b8d22faf4
SHA1 379584d0e3c76d6657d89dc95206581a35e3c812
SHA256 a90cce99dc581ea2aab0493adcae1f0f428811dc5f522ba14caba4ac95430c95
SHA512 40f4c59fda80c5edd3cbde1899a6bfeb8bbf28234238c0234b7191ad4532ca47d17cc0542a359463dfe387c761a55b212ddfedcc58449fd9ab5a6f295b0e5dcf

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

memory/4268-432-0x0000000000DB0000-0x0000000001270000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q38sqp1f.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308

MD5 aa74c13cac6036d610e3b8e310373626
SHA1 da8e5c905dc2f3739a1f656970280196d2874fe5
SHA256 daa90e28994069c0e4238bb8694840fa23b8dcf1d112098b3a94f2165e89937e
SHA512 690bda1b42b955c4c5f287a40682a5b2de56707175845e73116f3247af6384bea1be25dfd882543eec573a050d41cc82f5a5642ad67fe5dfed45789453cb7bc8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\prefs-1.js

MD5 b361ed769abb5d459963d8ed98b3036d
SHA1 3fefdac0e72834dede5a0c2a1039812d0cdfe457
SHA256 88427c58429dd8c595813df470c5175bfffd699dff2fddc2569dc10a9b2b4f77
SHA512 e463d502e14be301aedd99bd8cc55c06a5922677fb9776754f417bd3a84d9b3cf9330d701da47938c30c1710bd67d2f7595a079990f7808ae3a9935539bb080a

memory/1268-1320-0x0000000000DB0000-0x0000000001270000-memory.dmp

memory/1268-1466-0x0000000000DB0000-0x0000000001270000-memory.dmp

memory/4268-1555-0x0000000000DB0000-0x0000000001270000-memory.dmp

memory/4268-2232-0x0000000000DB0000-0x0000000001270000-memory.dmp

memory/4268-2238-0x0000000000DB0000-0x0000000001270000-memory.dmp

memory/4268-2254-0x0000000000DB0000-0x0000000001270000-memory.dmp

memory/4268-2257-0x0000000000DB0000-0x0000000001270000-memory.dmp

memory/4268-2259-0x0000000000DB0000-0x0000000001270000-memory.dmp

memory/3900-2262-0x0000000000DB0000-0x0000000001270000-memory.dmp

memory/3900-2264-0x0000000000DB0000-0x0000000001270000-memory.dmp

memory/4268-2265-0x0000000000DB0000-0x0000000001270000-memory.dmp

memory/4268-2266-0x0000000000DB0000-0x0000000001270000-memory.dmp

memory/4268-2268-0x0000000000DB0000-0x0000000001270000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 11:31

Reported

2024-07-10 11:34

Platform

win11-20240709-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\AKFCBFHJDH.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\AKFCBFHJDH.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\AKFCBFHJDH.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\AKFCBFHJDH.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\AKFCBFHJDH.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AKFCBFHJDH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3592 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe C:\Windows\SysWOW64\cmd.exe
PID 3592 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe C:\Windows\SysWOW64\cmd.exe
PID 3592 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe C:\Windows\SysWOW64\cmd.exe
PID 3592 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe C:\Windows\SysWOW64\cmd.exe
PID 3592 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe C:\Windows\SysWOW64\cmd.exe
PID 3592 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 3008 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\AKFCBFHJDH.exe
PID 2000 wrote to memory of 3008 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\AKFCBFHJDH.exe
PID 2000 wrote to memory of 3008 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\AKFCBFHJDH.exe
PID 3008 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\AKFCBFHJDH.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 3008 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\AKFCBFHJDH.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 3008 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\AKFCBFHJDH.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2028 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\12dfe4a2c0.exe
PID 2028 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\12dfe4a2c0.exe
PID 2028 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\12dfe4a2c0.exe
PID 2028 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe
PID 2028 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe
PID 2028 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe
PID 2844 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2844 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 480 wrote to memory of 1260 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 480 wrote to memory of 1260 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 480 wrote to memory of 1260 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 480 wrote to memory of 1260 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 480 wrote to memory of 1260 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 480 wrote to memory of 1260 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 480 wrote to memory of 1260 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 480 wrote to memory of 1260 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 480 wrote to memory of 1260 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 480 wrote to memory of 1260 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 480 wrote to memory of 1260 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1260 wrote to memory of 4888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe

"C:\Users\Admin\AppData\Local\Temp\9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AKFCBFHJDH.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FCBAEHCAEG.exe"

C:\Users\Admin\AppData\Local\Temp\AKFCBFHJDH.exe

"C:\Users\Admin\AppData\Local\Temp\AKFCBFHJDH.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\12dfe4a2c0.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\12dfe4a2c0.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1960 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1856 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {20431212-bf67-4a1a-a91d-bda426c97ee4} 1260 "\\.\pipe\gecko-crash-server-pipe.1260" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2384 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2364 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e156e7b3-4b5a-44a6-a41f-1679d9af445c} 1260 "\\.\pipe\gecko-crash-server-pipe.1260" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3176 -childID 1 -isForBrowser -prefsHandle 3100 -prefMapHandle 3168 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ace6cbd-0933-4d7d-a57d-0af371835da9} 1260 "\\.\pipe\gecko-crash-server-pipe.1260" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3860 -childID 2 -isForBrowser -prefsHandle 2600 -prefMapHandle 2760 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c473927-3f52-47a6-bf7e-4496a023bb78} 1260 "\\.\pipe\gecko-crash-server-pipe.1260" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4708 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4636 -prefMapHandle 4656 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e46f92c1-ac22-457d-8237-3504c6e3d025} 1260 "\\.\pipe\gecko-crash-server-pipe.1260" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5412 -childID 3 -isForBrowser -prefsHandle 5404 -prefMapHandle 5388 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1dfedde8-8e09-4276-9730-968975364040} 1260 "\\.\pipe\gecko-crash-server-pipe.1260" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5620 -childID 4 -isForBrowser -prefsHandle 5628 -prefMapHandle 5632 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c9ff399-1f28-4d8f-ad73-0e9d9cea9358} 1260 "\\.\pipe\gecko-crash-server-pipe.1260" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5820 -childID 5 -isForBrowser -prefsHandle 5828 -prefMapHandle 5832 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e992255-12a1-4629-a481-64ebbf177e15} 1260 "\\.\pipe\gecko-crash-server-pipe.1260" tab

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
N/A 127.0.0.1:49919 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 34.117.188.166:443 spocs.getpocket.com tcp
US 34.117.188.166:443 spocs.getpocket.com udp
US 34.117.188.166:443 spocs.getpocket.com tcp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 44.238.192.228:443 shavar.prod.mozaws.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
GB 142.250.178.14:443 www.youtube.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
GB 142.250.178.14:443 youtube-ui.l.google.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
GB 216.58.201.110:443 consent.youtube.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
GB 216.58.201.110:443 consent.youtube.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
GB 142.250.180.4:443 www.google.com udp
N/A 127.0.0.1:49927 tcp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
GB 142.250.200.14:443 youtube-ui.l.google.com tcp
GB 142.250.200.14:443 youtube-ui.l.google.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com tcp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
GB 142.250.200.46:443 youtube-ui.l.google.com tcp
GB 142.250.200.46:443 youtube-ui.l.google.com udp
GB 216.58.201.110:443 consent.youtube.com udp

Files

memory/3592-0-0x0000000000AF0000-0x00000000016DA000-memory.dmp

memory/3592-1-0x000000007F0A0000-0x000000007F471000-memory.dmp

memory/3592-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/3592-69-0x0000000000AF0000-0x00000000016DA000-memory.dmp

memory/3592-78-0x0000000000AF0000-0x00000000016DA000-memory.dmp

memory/3592-79-0x000000007F0A0000-0x000000007F471000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AKFCBFHJDH.exe

MD5 b0abfe65f6de9238e3b03b6d5e115706
SHA1 217ab85c40c8b968fd5193eaba20b841bb09e891
SHA256 64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb
SHA512 87b8ca733d9ca2909b022a6b891c84833b240d9d3ab0c5e4af5b8aa099084e462faa7db7f784d89ceb525edde1497fa40b98ee1127429453cf95d2285703718c

memory/3008-83-0x0000000000410000-0x00000000008D0000-memory.dmp

memory/3008-97-0x0000000000410000-0x00000000008D0000-memory.dmp

memory/2028-95-0x0000000000CE0000-0x00000000011A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\12dfe4a2c0.exe

MD5 20fe4b16d13a547a5d7f4dbf543b595a
SHA1 3c59aca1c693efb9923f04c312fdcd47388d24eb
SHA256 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04
SHA512 c502ce3049137646c47898640197641696f2421a66aa67fe20df47b51c99e72db64f2c2a4945dafe16c6cb57871d42397b12759b4d779dbdf85225234296b77e

memory/3320-113-0x0000000000580000-0x000000000116A000-memory.dmp

memory/3320-114-0x0000000000580000-0x000000000116A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

memory/2028-133-0x0000000000CE0000-0x00000000011A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\prefs.js

MD5 640d68c3e1cb2fa84d7798cce5ebf112
SHA1 8886844ca2ca8c4bdd4f7b14469f39e73b03c893
SHA256 5825160fecd0ff6e05aab7aae659a132f16646263cfe2c4b20e264786bd78f67
SHA512 e8c523912a81450b8c2ba23e10b68c3c400f9a64126c162727667ea4fb9c843c5ca2a215e91e38e0cce81f74884bb7793651fab4bc9139864bf237f406029e40

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s6dardkt.default-release\activity-stream.discovery_stream.json.tmp

MD5 a6cdac32d2eec42a52731a411b2b536b
SHA1 b3d7f74c64cc9aa37d55385c06eeeccaa289158e
SHA256 bf89079ac00c7536d98f0945b77af1419d7c8cd48d57df8e779a28743946c66f
SHA512 b02e14f43694c0986f1cf22cd3c35d3f40bd4eeb2eef80aaceb8ecd2540ad18bc5065d238af6eab4474cb0fd30d91074922ce0c3d0f9d103ec129ec807e796f8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\datareporting\glean\pending_pings\751b8c7c-87dc-4131-b2d4-01676a1caeef

MD5 63724a569c998da45f9f63cf57d420f4
SHA1 bdb0c6c835cb0a2339e6bfe3bebc568471bc492a
SHA256 c4115dce71fdd8a6294b72025ba1767d207a7ab0ed2daad5c75a33fccd75bb43
SHA512 f776b3e87a5c78b4efd11a04c07d748b5c0e1acd1b29ed4f3ef3f3ec91b470e04bdb21c597a57b388e92be593507b36dd26872c046fc27e45688ffa353a330dc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\datareporting\glean\pending_pings\80cbc8ea-8c4c-4aac-97ea-5a26f63602d2

MD5 6a17c0cf9d206ae6cad7974071a20e35
SHA1 e1413b6ad47d2d36aa6ef85b54981c7124e437aa
SHA256 e9f9cdc90d7261c986df10029e43bd5d580f613e7ab2cb599214a8124d5ad204
SHA512 adbbcd99d8c5a766ebe4506815f3168a64300a95f4a170c58fca923acd16dced849fa8409f5208a77db3ba80b90dba5b757640ac0b22bb7d8352498f9601d71c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\datareporting\glean\pending_pings\84e605ef-eead-4aa4-8171-3a76a925f7d9

MD5 4f5593aa27f9ea39c11aade02c84e6ec
SHA1 95e0986d95ac88498d1e3b614957f0a436f1c68f
SHA256 bb70cd59e82b4355559e2a0d35e4e89f40b1d61e0c253157489026fee3134282
SHA512 742a1405638a56b54a024fc403c7ade1924ac484f4dc201e22be3ef1113af7c0de61503516d0354a321a66b578b8be1335a027f58a2ecdc9b4775bca3783bda5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\datareporting\glean\db\data.safe.tmp

MD5 3a709d981d183519a3e05b6b7e0b4f30
SHA1 4936b6e9e2a5e07594c55bb7f6ebcc1cf51473bb
SHA256 a94305d13cb5010bd2e57a586acbb646b11e6f285d1ac413d13f54ae0917fa82
SHA512 987915ff5a374a475db97d68b753be25d36bdd5a86b37bf53a9d0920b7abd9685adc489952b8a99ee5759a4349ff661c5c8ea7881c5839272639424b7aa1d62a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\AlternateServices.bin

MD5 62939609759029052206c23205ff5064
SHA1 4aebba95a60ba6fef2360e0804369b08116b1b02
SHA256 b1495134636bffdd624577a88c6960bf82af3aec0d1d71dd98084b856d60260f
SHA512 0b4951fd81e3acec26851f0de35fea50afa029aceecf6b9ed410b9dcda1d4a93bfefb11db829fd2347d5837b5eb6eced65ef909fa343fcd95dc849d9c7226add

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\prefs.js

MD5 61adf904db4ef752ae2141c4a704c964
SHA1 dc279781ccb929f260bd1cb8f8515b8e1167ba4f
SHA256 3389a5d4a5cf11ec4c1886cac591f987f93d64787586f25540dddb37242f9e57
SHA512 c5abc079aa33de5c37fdd3d6e5e08e80862a91b5e4c5e77269dcfdf75a589a46d3033aaf4b1e3152725b4b649f4d4a73b0a52d89fd0591cfb203b73ae60d548d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\prefs-1.js

MD5 1dba8958f6ca15e07676c80fb5c93723
SHA1 82d0f541c61b070f9bcdd21487c10e2a1d067368
SHA256 6e57d523a6fd2b2b11b1fad998ebb366142a33afc5cf5e07299c9f1584b387d7
SHA512 1984c5b4b195632cbf127e5f37ebee0778b4b05ada52198a5a3158d6a7c1d5f9c6580d3f00ad501499dd837b3a96284dd228bbaa933dc3a63084791fe5eca363

memory/2028-481-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/2028-480-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/2028-494-0x0000000000CE0000-0x00000000011A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\datareporting\glean\db\data.safe.tmp

MD5 1818a507dac43eddc81b9a2006da0957
SHA1 55664072222d004ca77fc072e2c259d30f5bf227
SHA256 64645acb976f1fad9a05f4a79ed142e8fd6774398bdaeb37ce85f68316066b1c
SHA512 cc7291a1bcaa6dab36d054b928c8a574b0ec5ebf15bd1cb27b2785bb493c1f34f06a12b3bf46cf053eb2b6cbb8f7b5165c440a708dfdafc622b8d6e250427a3e

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s6dardkt.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 43b09351578423a00e5192ad32344b35
SHA1 22ceb7849f4c9bb670d09e6744032e1c55b43ed2
SHA256 adf052d61a5439a63ce5031356e697810d88c73b150a62041281409e0c7cf46f
SHA512 04384dc5d6bcbefb79be2971ba5378cde2d91b172cfc56a18fc459f856f236d3c0c1b4b52c61d0c1d53bf6c1bfd89a17780d5cefc6b66cb848ad7888f53eb2ec

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\prefs.js

MD5 5cbe90051677b36dfaa0605a6c349656
SHA1 ee54b45553bbc8494244df51cdbd90d1b2bf444c
SHA256 e856ab98d5924c1f28fb0a8e21f8093a4e4429e8c019abf3d4756215140ace79
SHA512 799b8fbf3acd0b68a5db65c88f2e1f280c9beaa9693ea1afce6c2a764f0daa26bbcf2289d5e70f60bf5aad49cabf3d30cf82ce1ddbf027bec1ea340355e0c8db

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/2028-756-0x0000000000CE0000-0x00000000011A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\prefs.js

MD5 05f0a7735dc28949127326cef5aa420e
SHA1 87b9122c23e840b8600621213aab7a31cbdb266c
SHA256 2fbe867f38d8ef9d6a4fc404a08c6a48e029efc0b6d271250a4d88caed583fb4
SHA512 98c58a36ad98393ccaf8ddb5deaf1939996b8946486412ee8f5e9cba3508c37ff9c4323aa0407efa8c9227d2cf1e01a055e3ae20e0a3826c97ee0f97476c4a2d

memory/2028-2252-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/3544-2355-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/3544-2560-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/2028-2654-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/2028-2657-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/2028-2662-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/2028-2663-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/2028-2664-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/2028-2666-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/756-2667-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/756-2668-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/2028-2669-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/2028-2670-0x0000000000CE0000-0x00000000011A0000-memory.dmp