Malware Analysis Report

2024-11-13 16:47

Sample ID 240712-gyrb2a1gjm
Target file.exe
SHA256 d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4
Tags
amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d hate discovery evasion spyware stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Reads data files stored by FTP clients

Executes dropped EXE

Identifies Wine through registry keys

Checks BIOS information in registry

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Checks processor information in registry

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-12 06:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-12 06:13

Reported

2024-07-12 06:15

Platform

win7-20240708-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\GHIJJEGDBF.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\GHIJJEGDBF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\GHIJJEGDBF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\GHIJJEGDBF.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\GHIJJEGDBF.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GHIJJEGDBF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\2704f8a68f.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\2704f8a68f.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\184073f30f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2024 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\GHIJJEGDBF.exe
PID 2516 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\GHIJJEGDBF.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1352 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\184073f30f.exe
PID 1352 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000011001\2704f8a68f.exe
PID 1620 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\1000011001\2704f8a68f.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2632 wrote to memory of 2016 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2016 wrote to memory of 1720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2016 wrote to memory of 2792 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GHIJJEGDBF.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HDGDGHCAAK.exe"

C:\Users\Admin\AppData\Local\Temp\GHIJJEGDBF.exe

"C:\Users\Admin\AppData\Local\Temp\GHIJJEGDBF.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\184073f30f.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\184073f30f.exe"

C:\Users\Admin\AppData\Local\Temp\1000011001\2704f8a68f.exe

"C:\Users\Admin\AppData\Local\Temp\1000011001\2704f8a68f.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2016.0.1240254163\593162361" -parentBuildID 20221007134813 -prefsHandle 1232 -prefMapHandle 1224 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f16b1cbd-f4b2-4dd5-b83c-b391c3561d49} 2016 "\\.\pipe\gecko-crash-server-pipe.2016" 1316 125b7058 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2016.1.356637937\1641676447" -parentBuildID 20221007134813 -prefsHandle 1500 -prefMapHandle 1496 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9795ea2e-d668-487b-bc70-f0cb365e0d8e} 2016 "\\.\pipe\gecko-crash-server-pipe.2016" 1512 d72858 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2016.2.558668285\524023642" -childID 1 -isForBrowser -prefsHandle 1860 -prefMapHandle 2028 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b3d396c-2d39-4445-98a2-19cae4a90793} 2016 "\\.\pipe\gecko-crash-server-pipe.2016" 1920 12558458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2016.3.1483882125\65569536" -childID 2 -isForBrowser -prefsHandle 2856 -prefMapHandle 2852 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {507b295c-bdfd-4387-9f07-f7180ca86493} 2016 "\\.\pipe\gecko-crash-server-pipe.2016" 2868 1c4ee858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2016.4.100646598\1922573435" -childID 3 -isForBrowser -prefsHandle 3928 -prefMapHandle 3924 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {27a0de2e-1139-413f-ac9b-e3f5c1e35261} 2016 "\\.\pipe\gecko-crash-server-pipe.2016" 3940 202a5758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2016.5.565233800\99366682" -childID 4 -isForBrowser -prefsHandle 4048 -prefMapHandle 4052 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {63c35420-6fd6-411f-a4d3-ffd7ac373fde} 2016 "\\.\pipe\gecko-crash-server-pipe.2016" 4036 202a5a58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2016.6.1243308342\846186833" -childID 5 -isForBrowser -prefsHandle 4216 -prefMapHandle 4220 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6e94798-e7ea-4514-943f-2064ab744dc3} 2016 "\\.\pipe\gecko-crash-server-pipe.2016" 4204 202a6658 tab

Network

Files

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2024-64-0x0000000000DD0000-0x00000000019B2000-memory.dmp

memory/2024-65-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GHIJJEGDBF.exe

MD5 a7a231ef5b7166696111b8b2151f0b2c
SHA1 4ae6e23e6a4c23dc421775a7a55f2329aa975d5b
SHA256 c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d
SHA512 27756ffd4b67dc8034ef3d168fae3ba042da75ad7a5a530764bfd9418c8ed79f9b1edf056633e3d0d89c974a57e704a11ea923bed13e81e0beefdc43f1b7fb15

memory/2516-81-0x0000000000870000-0x0000000000D32000-memory.dmp

memory/2472-80-0x00000000021A0000-0x0000000002662000-memory.dmp

memory/1352-117-0x0000000000900000-0x0000000000DC2000-memory.dmp

memory/2516-116-0x0000000000870000-0x0000000000D32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\184073f30f.exe

MD5 08c7502b3315ce651b6b57849c1d7308
SHA1 25d8366a04fca7105e7c38eac267ab787456f8c3
SHA256 d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4
SHA512 d3b352b9bcd49b4ee412fd43c5bd6be752083f4dfc20c0cf31f48003b28a9ef7171290ffbb47b8d31714afa945db78a2b4911d5963c2e63533e3bb66947bd64d

memory/1352-138-0x0000000006990000-0x0000000007572000-memory.dmp

memory/492-140-0x0000000000E00000-0x00000000019E2000-memory.dmp

memory/1352-141-0x0000000006990000-0x0000000007572000-memory.dmp

memory/492-143-0x0000000000E00000-0x00000000019E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000011001\2704f8a68f.exe

MD5 c9d56cd0a203897f2a7e757c6f56367d
SHA1 f3ce65c3ddbc08ed507de1486992ed5d4dd67b6e
SHA256 7f797431b98fc646e12d1c85be00527bd78a991830dc5160188ab77854959f4d
SHA512 ad06efb0e7c6fd32c4e19929dd63bf4e53562f03ab9a96b8f45a115361cacb984aa2bb0600dffd1d9f68d2a60fb781449097fe1cfe78c10b3d9a2c2f3cb2c63e

memory/1352-158-0x0000000000900000-0x0000000000DC2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\prefs.js

MD5 868d5d80ea863673cf19d3d80aaaded1
SHA1 a6d413b942b679ca582cf2dc6068ab57577c8a68
SHA256 94b980a1127d4d0fb25cd9e5fa7c9e49bcf16aa0182f52f659fd215e16420d51
SHA512 55b9e97621465ec6323371fa24fe727f4b2611b806974496fe6bcb92dcb019d57b3495517a6d86036b9344a6aa1b2dcb3a5cd65715411aaae0e8750972104335

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\datareporting\glean\pending_pings\e98646f1-d6fa-4de0-b704-5d033b9eeea2

MD5 60b26ba9915abea0b1c885801ab95994
SHA1 05f08d5c17a39921e985d56ee4b6d79b3acab396
SHA256 f561202840373498a2434832fef76edc612e55b4bb37af25366e56ed89b44b74
SHA512 5f9a1ed19815327ac8cd3317b19c10655964ca15aa809d24868eddfa85291f533b8d3ba64522c0473940c5710c285c6f98b88156f1d503366792f1d00a03e7eb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\datareporting\glean\pending_pings\630494d9-361f-49e7-bbe9-5acc1d9989ff

MD5 dff1d06838e8157b0f7644c9f95bf077
SHA1 12202388c1e72787158fdd37b55f8d6e06783131
SHA256 76a5e875fe7920e6ab815036a497ced16d2caa9aacc7ad07b083d1acf8fba020
SHA512 a3de54bfe6540893cbdc3815047514f0feea4e9c9ae49d0e43377268ab105056c5f6f84687f6de445e80e3f9c900b2d8cf03a33319e1713f6028015c9c291d41

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\datareporting\glean\db\data.safe.bin

MD5 e2085495b3015aa8d0049f5cf417d349
SHA1 f1439983e3ba2ed3d260a5c310b6104db3400a65
SHA256 a0591066444cd47ba4f4299fa5fc20c5423910c6f12736fb45ea8254652ee4a5
SHA512 ada3a5ee97806227958e05d3096c68957fb140ac259f7016852e9ea961efbc663c69026595749020e91790b76c7547ed035d3a9ad30e1a81d23da87e6420b90c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\39ptzwfm.default-release\activity-stream.discovery_stream.json.tmp

MD5 1014698bc5e230eb9b3f483efad85ff4
SHA1 3ef294f3679e84a145d1c0a33bdda39e75d6f1de
SHA256 00b03660040dc8e195b1205ad6dda058b0da127fe28002933ab4b1d03b2ab6b8
SHA512 298d91e5ae078614d87191e071bae1e663b661b27d5c591161b24c970c2d8068b2ce753bcb3b9ac302e28c09a9e5a010083404c608cbc227db103393b198f60f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\39ptzwfm.default-release\activity-stream.discovery_stream.json.tmp

MD5 ff4599bded03c19292ee3f60e906d4fd
SHA1 ac5bac71b8aa1ac0afb70b3fcb626fbcea3f7534
SHA256 962ed0c68619556fb3d57236bff99426360dae1dc1cc0981566b7b26f62977fd
SHA512 2f9a787b5e6ff78e29c147bb0dfe9140a237356786e4881be3eb5f600afbb40d448ea52e276ac7a6696add51eaf4fa8a8121adbbdb3739b9ca0f0de24ea42e3f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\prefs.js

MD5 6e7d1a1ee9fe351477a440b4f74eb05b
SHA1 798f4f750242f8fceaa0a5303e6cd15a568e3307
SHA256 4f612ea7ca9d6b39e5b10fcc9f17e26106c309649c46a201f627fc1914551109
SHA512 272da93279dc50742756ca3b3e8071e19f972519160ae5dac09c7d2fe30552ab2e1ff9799b035bd181b2f682aa5a2980999c8b0c6fff3d933439524c6f6d545d

memory/1352-304-0x0000000000900000-0x0000000000DC2000-memory.dmp

memory/1352-307-0x0000000006990000-0x0000000007572000-memory.dmp

memory/1352-310-0x0000000000900000-0x0000000000DC2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\sessionstore-backups\recovery.jsonlz4

MD5 cbbd805c106398bad903020793f2e536
SHA1 b7fc7e58a41ede45c0915a3ddeb22bc44d875c15
SHA256 90f2216841802ce501831befe4d86af2028597341370d38ddbba20d595febb2f
SHA512 3569250ee7e37c7d77a3ac948540e1ba51a06ea2558d58af86715300f87e53edc873f86cbf401dcf8bb28195047c965fde6b8e27d6e25d03e6c5b3df30aa2f02

memory/1352-326-0x0000000000900000-0x0000000000DC2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\prefs.js

MD5 9c3530725f09b4c371ad17d21d70cacf
SHA1 016f904dc77edc690fe0c64429a78b4610132a78
SHA256 70d706738d2fa596a8f91a918865c9795bb5a822b85f14e53b75e48dc14cf5ac
SHA512 07ba295cddf96f8ba0ec21611d376163e44f749e8649b2367dfa51b25f1f45b71e05d01a41f7e3e3f55101d303196fe6f68f9ffb18db3318c999c3e27d65758f

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

memory/1352-367-0x0000000000900000-0x0000000000DC2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\prefs.js

MD5 188c84883bb9c06fc87f7e644aa99b09
SHA1 1db1611ac054e215383caac66bffc8cc517ac16d
SHA256 2bd7f6bf8dd059b11b6d131b2a4889db4fc05f40b03cd7799f98a82904ec8d0d
SHA512 4181b6a588dae7874e0fd761e86dd1206ff73ee56180af5ca8725187931cdcf9495f58345005116852c95c26f64172f70ee6eb0cd02f0162855a5e0b655018dd

memory/1352-408-0x0000000000900000-0x0000000000DC2000-memory.dmp

memory/1352-410-0x0000000000900000-0x0000000000DC2000-memory.dmp

memory/1352-416-0x0000000000900000-0x0000000000DC2000-memory.dmp

memory/1352-422-0x0000000000900000-0x0000000000DC2000-memory.dmp

memory/1352-423-0x0000000000900000-0x0000000000DC2000-memory.dmp

memory/1352-424-0x0000000000900000-0x0000000000DC2000-memory.dmp

memory/1352-425-0x0000000000900000-0x0000000000DC2000-memory.dmp

memory/1352-426-0x0000000000900000-0x0000000000DC2000-memory.dmp

memory/1352-427-0x0000000000900000-0x0000000000DC2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-12 06:13

Reported

2024-07-12 06:15

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\GIECFIEGDB.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\GIECFIEGDB.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\GIECFIEGDB.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GIECFIEGDB.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000011001\28a2604c3e.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\GIECFIEGDB.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\GIECFIEGDB.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\28a2604c3e.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\28a2604c3e.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4476 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 4476 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 5008 wrote to memory of 920 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\GIECFIEGDB.exe
PID 920 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\GIECFIEGDB.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1436 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\184073f30f.exe
PID 1436 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000011001\28a2604c3e.exe
PID 4160 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\1000011001\28a2604c3e.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3536 wrote to memory of 4256 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GIECFIEGDB.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GCAEHDBAAE.exe"

C:\Users\Admin\AppData\Local\Temp\GIECFIEGDB.exe

"C:\Users\Admin\AppData\Local\Temp\GIECFIEGDB.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\184073f30f.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\184073f30f.exe"

C:\Users\Admin\AppData\Local\Temp\1000011001\28a2604c3e.exe

"C:\Users\Admin\AppData\Local\Temp\1000011001\28a2604c3e.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2f328a4-ea5f-4aed-98ad-820326900c16} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2424 -prefMapHandle 2412 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14d60418-55c6-40b5-9f92-e5613b8acf00} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3236 -childID 1 -isForBrowser -prefsHandle 3272 -prefMapHandle 3328 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b2b40d5-4d59-4b31-b457-bcabaf1bbbb1} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3864 -childID 2 -isForBrowser -prefsHandle 3884 -prefMapHandle 3156 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4081d0b8-68d6-47b9-9b1e-d9300d4c371f} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4644 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4656 -prefMapHandle 4652 -prefsLen 31163 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de107624-ccd2-4890-8e68-81b0c9f1a463} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -childID 3 -isForBrowser -prefsHandle 5392 -prefMapHandle 5240 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc9f99a3-34f9-406c-8b65-b041965f93fd} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5564 -childID 4 -isForBrowser -prefsHandle 5640 -prefMapHandle 5636 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e03756c4-4165-4c27-a5a8-31f05a753b9b} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5772 -childID 5 -isForBrowser -prefsHandle 5780 -prefMapHandle 5784 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bc53733-c106-49a5-bcf0-a5a05c8f177f} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" tab

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
GB 216.58.212.238:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
GB 216.58.212.238:443 youtube-ui.l.google.com tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 52.33.222.107:443 shavar.prod.mozaws.net tcp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
GB 216.58.212.238:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
N/A 127.0.0.1:57188 tcp
US 8.8.8.8:53 107.222.33.52.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
N/A 127.0.0.1:57195 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 172.217.169.46:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 46.169.217.172.in-addr.arpa udp
GB 172.217.169.46:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com udp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/4476-0-0x0000000000190000-0x0000000000D72000-memory.dmp

memory/4476-1-0x000000007F590000-0x000000007F961000-memory.dmp

memory/4476-3-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

memory/4476-74-0x0000000000190000-0x0000000000D72000-memory.dmp

memory/4476-78-0x0000000000190000-0x0000000000D72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GIECFIEGDB.exe

MD5 a7a231ef5b7166696111b8b2151f0b2c
SHA1 4ae6e23e6a4c23dc421775a7a55f2329aa975d5b
SHA256 c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d
SHA512 27756ffd4b67dc8034ef3d168fae3ba042da75ad7a5a530764bfd9418c8ed79f9b1edf056633e3d0d89c974a57e704a11ea923bed13e81e0beefdc43f1b7fb15

memory/4476-79-0x000000007F590000-0x000000007F961000-memory.dmp

memory/920-83-0x00000000009D0000-0x0000000000E92000-memory.dmp

memory/1436-96-0x0000000000EE0000-0x00000000013A2000-memory.dmp

memory/920-95-0x00000000009D0000-0x0000000000E92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\184073f30f.exe

MD5 08c7502b3315ce651b6b57849c1d7308
SHA1 25d8366a04fca7105e7c38eac267ab787456f8c3
SHA256 d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4
SHA512 d3b352b9bcd49b4ee412fd43c5bd6be752083f4dfc20c0cf31f48003b28a9ef7171290ffbb47b8d31714afa945db78a2b4911d5963c2e63533e3bb66947bd64d

memory/4912-112-0x00000000005D0000-0x00000000011B2000-memory.dmp

memory/4912-114-0x00000000005D0000-0x00000000011B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000011001\28a2604c3e.exe

MD5 c9d56cd0a203897f2a7e757c6f56367d
SHA1 f3ce65c3ddbc08ed507de1486992ed5d4dd67b6e
SHA256 7f797431b98fc646e12d1c85be00527bd78a991830dc5160188ab77854959f4d
SHA512 ad06efb0e7c6fd32c4e19929dd63bf4e53562f03ab9a96b8f45a115361cacb984aa2bb0600dffd1d9f68d2a60fb781449097fe1cfe78c10b3d9a2c2f3cb2c63e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\prefs.js

MD5 e1f94fe9b9e4022d3691a5abd30e664e
SHA1 46027280e80263bc5ffbde0d45bf85b4f2d3fb07
SHA256 d11513c32d1e63957802b7b7a33a9bc88f93eeda3e8982e640d8380d1cd24d59
SHA512 8fd13e1292b93846a44db5944b9e926de99b36282ebcc8d0891496a9c99801f8cf44c3d22195ef6ff41d3ba2dd24eb8f5077680b166198a37f5ff5c875892cc9

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\activity-stream.discovery_stream.json.tmp

MD5 174f1f9a205897a3e69c59f3fc60fa94
SHA1 00279f2834d989e9c37bd30f0cdaa40032ac530d
SHA256 d2812fb17da22bec5ec60d075e3bed69273b6323e0fc1566cd45ba38d7351b33
SHA512 6d02bc665aa3190a26625171f997f655291c483c64ab4c4213ba21d02180542173acc79c042ba537d330d82673d1a8215cff17fee2eba995b142ca2321e5d122

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\datareporting\glean\pending_pings\9b778dcd-602e-4ae0-b26e-7dec69540300

MD5 81c2a03e7a0b66de1777c8b28e207a8e
SHA1 f0b160465bb2c123b86eaeacdbc6990c5a6b7c44
SHA256 d2106578f97a7a55781634df6568a5a9b283a47f00129f52e59d72341b5bbe92
SHA512 1e9afcd78859658c253c71ad5eb4ca554fdc6bc8b6e57723c5c1f9e3a311123820ea9a9504c2dca740cd84d92a79fc22fd77247c89b0a29ff98941fde33924c1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\datareporting\glean\pending_pings\2875ddf2-6157-4f6a-98e5-80913a69c037

MD5 710fece3068d1d52cc665a86835320a2
SHA1 0774844d45984ff1f0c6d21b6fb9b29ba19a3094
SHA256 ceb274fcedae3cc66e3aca3d4c9b42c92a12e2f323386ebb579f2053081b07a6
SHA512 b80516d232c091bd7e4b1999a30b04106ea1e881c3c5ddcbe64fe4cbd84bbe0224501f030475a7c5f496c4f73cd36ff7cf253080abf345287a0e4101690ab188

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\datareporting\glean\pending_pings\01865d60-8ae2-421d-83ab-e5dcef4ef788

MD5 d177572272943e1ae6b3692a5bac72ae
SHA1 f4facb958f88363f177a31208f42f1c27174a208
SHA256 3782297be1b0520efcae15d14477be7d51218bd1b280f342ab5c4c063b8b996e
SHA512 5c52cdcb9de0f31f27b6964c5327278488540dc1b6f6ec47d354ee1b145ff253359c8d5a43440b86f1edba90face4fe339fd110c701482ebdc48f008c659cd5c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\datareporting\glean\db\data.safe.tmp

MD5 655a6f2a48d6c325caf96f0e8db6c939
SHA1 92da97693078489632ca8085f61435d70abdacf6
SHA256 eeea4cc24461a4edd589ed0d9f6f3d3b4a20a1c4ea5db89c4697e74bb012b39c
SHA512 7297983ffc2d9271d26c974807393a3276e05f0f283a97ab2ccca1076a481107cae95405e141846829f2b60c67ab9021cfe31c7596753277dc96474fd0abfa76

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\datareporting\glean\db\data.safe.tmp

MD5 f23885bbb7bbb1b098da0adff139af8a
SHA1 fc9b36798589e633419799b810d89e7f6a053e00
SHA256 030ef13090444b14b8b57e406489f4a3344ae2171407f5bf0bdbd588fec60cef
SHA512 dac072f1d898aca49125dabef3de5889f4f61edce8573f79e6c00554a8c5c2ab140426fb9972cbcecb01d487aff830751c1da901f6ee97fd990ebe709a921dee

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\AlternateServices.bin

MD5 37e16f81c9c4658866a07831374a0108
SHA1 0af3ff8135e7f97ce358e00d7c7d5c3894ad35f3
SHA256 a02a87186f9af508979d8dec0f5f9e744361e5ec0d81ed00999d914f03ee4b83
SHA512 70d1ef2e34582fdf9f500735628ef9608a34821ff8da374d68746e41b2f11f49d96161c531419b1d46e3caaed7e6a026e00b779a7fc42874fcb7ff6abaa60009

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\AlternateServices.bin

MD5 91ba1f2a0889f088b68fb804fc14c141
SHA1 12cbc30e8fc903d7b1467c862616c4065d75a03c
SHA256 1820a8a9f966772d6fa558e22a65727e5c97e792c3b8949610363d01f706b83c
SHA512 d805a3463bd33426df60f1f79085f6f920faca5ae61928b54915c3a2d4950a2bf6cd817a5b74aea998a8d0a03d17233556f30bbefd4a5cfe976492f022e242b4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\prefs.js

MD5 e3c8bc1beec433d7904e85b412d8882f
SHA1 ed7f278f61db375d272f9085aac3f710b0c1f1ab
SHA256 8ec342f040611708134031d1fd6975102e14743131f000d7026626fc36067fc9
SHA512 e98c54c3b14a1a55425eb6ca35c6405c4833b53be51cdcf6559b42689c8e0d078d24b44b575a67c1b66f2f36a67db6a4dcfe16b68cbb50221e8c887e4e348380

memory/1436-484-0x0000000000EE0000-0x00000000013A2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\prefs-1.js

MD5 304ef95e11fda9f08c2b3a7dd5afa7d6
SHA1 e4c9380e678f25b0c440f23e188d36d46cb47573
SHA256 4e4dfaa72822dc254424aa05b512841bf0bc30059e3da1dd1d81d8fd5dece26a
SHA512 4bb17ad7fdef4a31ac4627f6f59873cb30c6e3d7cfdcf5422eb86960048f58ccb88047272c1c080c9cd06a17b3690486630ad03270acf0314a2ce5f07917d875

memory/1436-505-0x0000000000EE0000-0x00000000013A2000-memory.dmp

memory/1436-506-0x0000000000EE0000-0x00000000013A2000-memory.dmp

memory/1436-511-0x0000000000EE0000-0x00000000013A2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\datareporting\glean\db\data.safe.tmp

MD5 0b36d1eeba3130d4f2d65232c16a5e0c
SHA1 5eab06d21c804733ebb3deff9cacefd60f3a4aa0
SHA256 bd4f11b723a29087ea72d488f55dd53b2a0b07c2b471655dd4d14123e11ae1d3
SHA512 320d222ecde26435cc14488f0e7646e7bad82ab11cd46cd4b2fd249ea12110e31cb384d2c77aa82771e4738946313f5681acfe701cf313fca814f009f2aeea1c

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\prefs-1.js

MD5 e08507757a65443769f898be38a0c555
SHA1 3ee168903ee0d30d4072d676c12ba41963766bf0
SHA256 9f99bdd88889615ce530a9ee0f075d91f2fd9aed9da4831860fabc205e7890d4
SHA512 ff9195ceae53dd0dd79b51d92b5f11c44349d9367b78fecb9e0df71b0ddfa88902c46180e4873b2e932e9db85d0c6d2de9e4ca992359c4ad48a62d44d0432c05

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 7c42634590485da9651551b364d5bb79
SHA1 44c2e486a75c841a4f6a7d8bef535de1d9388cc4
SHA256 08e10248c3869abdb319c29ff467bf5377b933d3aa3b64abe455f80eea12fc4b
SHA512 0fed55003bbb4fb58559cb4b45623b6036be283e6f42d5dbd453277fafae2c1eeead841ef493a5c20259f3e9eeebf97659b1d8920cf932ea8fab830bbfe910b8

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/3288-760-0x0000000000EE0000-0x00000000013A2000-memory.dmp

memory/3288-815-0x0000000000EE0000-0x00000000013A2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\prefs.js

MD5 f95d6e6e3c45dc520e388f16be7b38c0
SHA1 ea945aafbcecfe9e05296815dcc43ecbc800f0b9
SHA256 14cc63efaa5e20b9a8afc7439884b8df1cd40384d48df2e97c1940d0f1ae94e2
SHA512 3a0d2bce0150d627e23b82ef936aa0fcadab007d32dd4b9bff03d1fa37297aae655fe10e53ab3996a3511b6c621ed3ca21ddc449ddb8b80720c7a9b8c8800806

memory/1436-940-0x0000000000EE0000-0x00000000013A2000-memory.dmp

memory/1436-2098-0x0000000000EE0000-0x00000000013A2000-memory.dmp

memory/1436-2618-0x0000000000EE0000-0x00000000013A2000-memory.dmp

memory/1436-2624-0x0000000000EE0000-0x00000000013A2000-memory.dmp

memory/1436-2628-0x0000000000EE0000-0x00000000013A2000-memory.dmp

memory/1436-2629-0x0000000000EE0000-0x00000000013A2000-memory.dmp

memory/5880-2631-0x0000000000EE0000-0x00000000013A2000-memory.dmp

memory/5880-2633-0x0000000000EE0000-0x00000000013A2000-memory.dmp

memory/1436-2634-0x0000000000EE0000-0x00000000013A2000-memory.dmp

memory/1436-2635-0x0000000000EE0000-0x00000000013A2000-memory.dmp

memory/1436-2636-0x0000000000EE0000-0x00000000013A2000-memory.dmp

memory/1436-2637-0x0000000000EE0000-0x00000000013A2000-memory.dmp