Malware Analysis Report

2024-11-13 16:48

Sample ID 240711-hqx1aaxanc
Target b0abfe65f6de9238e3b03b6d5e115706.exe
SHA256 64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb
Tags
amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file b0abfe65f6de9238e3b03b6d5e115706.exe was found to be: Known bad.

Malicious Activity Summary

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Loads dropped DLL

Identifies Wine through registry keys

Checks computer location settings

Checks BIOS information in registry

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Executes dropped EXE

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-11 06:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-11 06:57

Reported

2024-07-11 06:59

Platform

win7-20240704-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b0abfe65f6de9238e3b03b6d5e115706.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b0abfe65f6de9238e3b03b6d5e115706.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b0abfe65f6de9238e3b03b6d5e115706.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b0abfe65f6de9238e3b03b6d5e115706.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\b0abfe65f6de9238e3b03b6d5e115706.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\b0abfe65f6de9238e3b03b6d5e115706.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\1d2537331c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\1d2537331c.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0abfe65f6de9238e3b03b6d5e115706.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\02187977b7.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\02187977b7.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\1d2537331c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2304 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\b0abfe65f6de9238e3b03b6d5e115706.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2884 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\1d2537331c.exe
PID 2884 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000011001\02187977b7.exe
PID 1084 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\1000011001\02187977b7.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 736 wrote to memory of 2336 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2336 wrote to memory of 2472 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2336 wrote to memory of 2520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b0abfe65f6de9238e3b03b6d5e115706.exe

"C:\Users\Admin\AppData\Local\Temp\b0abfe65f6de9238e3b03b6d5e115706.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\1d2537331c.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\1d2537331c.exe"

C:\Users\Admin\AppData\Local\Temp\1000011001\02187977b7.exe

"C:\Users\Admin\AppData\Local\Temp\1000011001\02187977b7.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2336.0.859924486\1388637061" -parentBuildID 20221007134813 -prefsHandle 1188 -prefMapHandle 1164 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {67868af6-3adf-438a-9401-2b41c41211f5} 2336 "\\.\pipe\gecko-crash-server-pipe.2336" 1264 102f8b58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2336.1.1539642856\1710237" -parentBuildID 20221007134813 -prefsHandle 1500 -prefMapHandle 1496 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a81615e1-c71a-42f4-ab36-478d54471923} 2336 "\\.\pipe\gecko-crash-server-pipe.2336" 1512 f71f58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2336.2.1834020037\757549727" -childID 1 -isForBrowser -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 21811 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {08ebbc0c-2bbe-4bb8-9cc1-464c08908048} 2336 "\\.\pipe\gecko-crash-server-pipe.2336" 2136 19caa858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2336.3.819176481\384469569" -childID 2 -isForBrowser -prefsHandle 2904 -prefMapHandle 2900 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b99c5788-63db-4edc-9989-2909ce3c24bd} 2336 "\\.\pipe\gecko-crash-server-pipe.2336" 2916 1c938e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2336.4.134583734\606470100" -childID 3 -isForBrowser -prefsHandle 3476 -prefMapHandle 3452 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {52fae0ef-1e22-4c35-a90d-f2fcabc5d3a6} 2336 "\\.\pipe\gecko-crash-server-pipe.2336" 3524 1c489558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2336.5.1807875851\454775329" -childID 4 -isForBrowser -prefsHandle 3500 -prefMapHandle 3496 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {72c7315e-3e10-424e-82b9-0d33c369300b} 2336 "\\.\pipe\gecko-crash-server-pipe.2336" 3584 1dab9858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2336.6.1467384971\1417171185" -childID 5 -isForBrowser -prefsHandle 3552 -prefMapHandle 3544 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2665131-a446-4465-bf32-b14d1b8f53c5} 2336 "\\.\pipe\gecko-crash-server-pipe.2336" 3500 1dabb058 tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AKECBFBAEB.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FIIIIDGHJE.exe"

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-07-11 06:57

Reported

2024-07-11 06:59

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b0abfe65f6de9238e3b03b6d5e115706.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b0abfe65f6de9238e3b03b6d5e115706.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b0abfe65f6de9238e3b03b6d5e115706.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b0abfe65f6de9238e3b03b6d5e115706.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b0abfe65f6de9238e3b03b6d5e115706.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000011001\c5d62d3153.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000006001\fa37829861.exe N/A

Identifies Wine through registry keys

evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\b0abfe65f6de9238e3b03b6d5e115706.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\b0abfe65f6de9238e3b03b6d5e115706.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\fa37829861.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\fa37829861.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0abfe65f6de9238e3b03b6d5e115706.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c5d62d3153.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c5d62d3153.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fa37829861.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2376 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\b0abfe65f6de9238e3b03b6d5e115706.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 212 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\fa37829861.exe
PID 212 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000011001\c5d62d3153.exe
PID 2348 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c5d62d3153.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4612 wrote to memory of 1456 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1456 wrote to memory of 3020 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b0abfe65f6de9238e3b03b6d5e115706.exe

"C:\Users\Admin\AppData\Local\Temp\b0abfe65f6de9238e3b03b6d5e115706.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\fa37829861.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\fa37829861.exe"

C:\Users\Admin\AppData\Local\Temp\1000011001\c5d62d3153.exe

"C:\Users\Admin\AppData\Local\Temp\1000011001\c5d62d3153.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28a30d9d-90dd-4313-86e3-12dc431936f2} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e2cc0ab-3e4e-438d-8923-f0187707e339} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3292 -childID 1 -isForBrowser -prefsHandle 3336 -prefMapHandle 3308 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e2f735f-d5a0-4add-ab9a-fca7c62fdc12} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1272 -childID 2 -isForBrowser -prefsHandle 3840 -prefMapHandle 3804 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0160328b-eb88-455c-ab90-7f186ffece5c} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4484 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4512 -prefMapHandle 4508 -prefsLen 31163 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {acae76a3-344e-4463-9868-356f9156da4d} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4364 -childID 3 -isForBrowser -prefsHandle 5408 -prefMapHandle 5404 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6186735c-d288-4169-894e-87f99fea9624} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5564 -childID 4 -isForBrowser -prefsHandle 5580 -prefMapHandle 5584 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f489f45-ecf5-43f6-a7af-7f80bf7f82a0} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5828 -childID 5 -isForBrowser -prefsHandle 5748 -prefMapHandle 5756 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a1469da-7e1e-4536-a265-920cdfd4ffe7} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HCFBKKEBKE.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KJJJDHDGDA.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network


Files
