Malware Analysis Report

2024-11-30 22:03

Sample ID 240704-zcnccszekb
Target 9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246
SHA256 9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246
Tags
amadey stealc 4dd39d nice discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246

Threat Level: Known bad

The file 9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d nice discovery evasion spyware stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Checks computer location settings

Reads data files stored by FTP clients

Executes dropped EXE

Reads user/profile data of web browsers

Identifies Wine through registry keys

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Modifies registry class

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-04 20:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-04 20:34

Reported

2024-07-04 20:37

Platform

win10v2004-20240704-en

Max time kernel

150s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ECBKKKFHCF.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ECBKKKFHCF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ECBKKKFHCF.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000007001\90e1500f90.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000006001\f158587c0c.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ECBKKKFHCF.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\f158587c0c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\f158587c0c.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\90e1500f90.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\90e1500f90.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\f158587c0c.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4832 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4084 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\f158587c0c.exe
PID 4084 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000007001\90e1500f90.exe
PID 4856 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\1000007001\90e1500f90.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4780 wrote to memory of 2024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2024 wrote to memory of 2140 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe

"C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\f158587c0c.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\f158587c0c.exe"

C:\Users\Admin\AppData\Local\Temp\1000007001\90e1500f90.exe

"C:\Users\Admin\AppData\Local\Temp\1000007001\90e1500f90.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.0.643851433\1007466036" -parentBuildID 20230214051806 -prefsHandle 1764 -prefMapHandle 1756 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {34c3888c-37a1-47a0-bea2-99ce24d14aca} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 1848 24337c0cb58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.1.1516988238\674867168" -parentBuildID 20230214051806 -prefsHandle 2432 -prefMapHandle 2428 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {feb67d9b-bfd5-42e6-b60c-fe6488bb48b9} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 2444 2432af8a858 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.2.1397578693\1335886132" -childID 1 -isForBrowser -prefsHandle 2932 -prefMapHandle 3068 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7857de0-76e5-48b1-abc3-2ab80b0045f5} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 2956 2433ab14b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.3.1596819700\1410889714" -childID 2 -isForBrowser -prefsHandle 3864 -prefMapHandle 3860 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cc3fd76-fce2-45fe-927b-bbfda4ee99c0} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 3876 2433c6eef58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.4.1632639423\2100028813" -childID 3 -isForBrowser -prefsHandle 5108 -prefMapHandle 5036 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bacda093-3c97-44c8-b74d-b1637aba8b7e} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 5116 2433e86d258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.5.1164072145\1616090573" -childID 4 -isForBrowser -prefsHandle 5276 -prefMapHandle 5264 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2915aa2-e3cb-4273-aaa2-d27bf6332e6b} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 5248 2433e8be458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.6.2023250144\1634984019" -childID 5 -isForBrowser -prefsHandle 5268 -prefMapHandle 5140 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a48b0423-0b42-4b69-b088-baecbd06b154} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 5476 2433e8c0858 tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ECBKKKFHCF.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CFBAFBFIEH.exe"

C:\Users\Admin\AppData\Local\Temp\ECBKKKFHCF.exe

"C:\Users\Admin\AppData\Local\Temp\ECBKKKFHCF.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
N/A 127.0.0.1:49826 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 spocs.getpocket.com udp
GB 142.250.180.14:443 www.youtube.com tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 34.107.243.93:443 push.services.mozilla.com tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
GB 142.250.180.14:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
GB 216.58.201.110:443 consent.youtube.com udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 14.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
N/A 127.0.0.1:49835 tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
GB 142.250.200.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-4g5ednds.gvt1.com udp
DE 74.125.162.198:443 r1---sn-4g5ednds.gvt1.com tcp
US 8.8.8.8:53 r1.sn-4g5ednds.gvt1.com udp
US 8.8.8.8:53 r1.sn-4g5ednds.gvt1.com udp
DE 74.125.162.198:443 r1.sn-4g5ednds.gvt1.com udp
US 8.8.8.8:53 198.162.125.74.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com udp
US 8.8.8.8:53 53.121.117.34.in-addr.arpa udp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/4832-0-0x0000000000A50000-0x0000000000F3E000-memory.dmp

memory/4832-1-0x00000000771A4000-0x00000000771A6000-memory.dmp

memory/4832-2-0x0000000000A51000-0x0000000000A7F000-memory.dmp

memory/4832-3-0x0000000000A50000-0x0000000000F3E000-memory.dmp

memory/4832-5-0x0000000000A50000-0x0000000000F3E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 7ede7b1ad45d029e9528612dbb1e39f9
SHA1 fb3beb2812cda7c3e308d1db9c82320bf781a0b2
SHA256 9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246
SHA512 d79a3a6a283fdb8856f56dc6377a57cb9e200c3de1a1b6a676a446d39d7c8b1124a7124d778b335b2eb24dffc6988f7f8fb8738fd60be6045ad7f05562d9bf59

memory/4832-16-0x0000000000A50000-0x0000000000F3E000-memory.dmp

memory/4084-17-0x0000000000620000-0x0000000000B0E000-memory.dmp

memory/4084-18-0x0000000000620000-0x0000000000B0E000-memory.dmp

memory/4084-19-0x0000000000620000-0x0000000000B0E000-memory.dmp

memory/4084-20-0x0000000000620000-0x0000000000B0E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\f158587c0c.exe

MD5 de1d8c161d81ba79c888fef77c75db93
SHA1 55e3b5e658d41d98779214afb48d34c66bf17346
SHA256 31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126
SHA512 4d243246e4476555a4b018d2df63ae93da8c64096523c8f8b20ba616b0dec97c21e4bed7dced51da50c0908ad3da6b882b11de6d668b71852f2290850a6810ea

memory/888-36-0x0000000000C80000-0x0000000001873000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000007001\90e1500f90.exe

MD5 13568994c781d91876b7872bb8d78695
SHA1 f8d67728b62db1894fa7d13185bf1ee7d3f7f6df
SHA256 8ab116034b11d986ed37b7ed41966a95c607cc80897872425762ebe101b8dd7f
SHA512 7cf6227b2e3dc05ba200825f21cc2fa266ed6b3b653ebcd282cd70ae9b40dee6db44e841d3b014c183269339fbe30c13efc2ee1a6c5857df172f282206bb867e

memory/888-55-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q38sqp1f.default-release\activity-stream.discovery_stream.json.tmp

MD5 c72f1f9c29445056dc8496525a1eacc0
SHA1 0a49dd819c2d652377f2917845dbb0f368f3e036
SHA256 c5a2199267e3786eea9a5646080e868ba4be91ce6e3ef7946479791b9516a64d
SHA512 5b343a17e1fcbdd02604ebc1d624b5a2ca9d58eea3a375a4374e74af7817dfc02064f052b91e0cb7901a6b51eb30f8e7e0581273757d1b0043e45696b4e85774

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q38sqp1f.default-release\activity-stream.discovery_stream.json.tmp

MD5 6487e2354e9a55d30b57a036bf1f2841
SHA1 5068b0cb95c93802f8124f1ba2132814954a9db5
SHA256 7ab872b47af76082c3278cfdb06bc0703cb6ffa52cfd9a957ecb196c40524892
SHA512 71aedfe8284b13629b336c3fbd7b98b30e343bf1c926ae2d045438aa7b13cafa0faabab1583896590d58e36d60238f42337f98414dde6c56b4f3c6885eea35ef

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\cookies.sqlite-wal

MD5 be1966686a33a405ab575663edeb9b13
SHA1 68415861849a1e162545e148bdc692bc94e3a35e
SHA256 af8b667b6cace4077450de65d19995f833c0dec265746fa4c92d99fea0194f0a
SHA512 02ca244dad00b333ccb8678fe70d5aaffba3c7cf2493b5548f352c7a93a4481db5b36d342e72b46edb75e14a6dec343d19dafd75c91753f1125253eedfaa5a92

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\places.sqlite-wal

MD5 9193fbf06768039bf463c8cc0bcbcf82
SHA1 25e32c37626bf1500d6a3f38068cb5470807b0e8
SHA256 c91bec54ecaa331f1a5ff2b1a3409e598a32aa536f5e295ab041340d81217d54
SHA512 1c65da7039b62e04d38fd8eddc581991883d297f1f402ba68c8ac935003eb18c63aebff461cf3383ffb87368563f535123ab04d8e76dd3d2fd102a240f919278

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\prefs.js

MD5 6c6039cd82ed618ce4a97c66d9a5a549
SHA1 3624bb4848f7ee4caadc1a9d99576edc6ebe248d
SHA256 a636cf0c2aa17c1878fdbcfa11860f2ff02a64f9c9e59d56eadc80d53206baaf
SHA512 1fa6746c5650aa06e0c205d31f3d650d4bf394f471e95260fb31fbda378d3d04c15d76c5069556e01ee648b9be8f6e2c19221275ba2c4f88933ecab41d6d4936

C:\ProgramData\GDBKKFHIEGDHJKECAAKK

MD5 733954ee2b7a187c8b643c22e6da712f
SHA1 3949c75b2013b47aa7b4927e43e08ed059b5dc72
SHA256 ca2d8ff3d870b1e9592cacf4050887aa89db90927c7b165dab40fa0f9012c4a9
SHA512 db5dc540ecc1467c5e5a4d34d7de2c8bf770312f046cfa46d3e4b3b147564bd72fa6048d547d1375e1578bb0737ed19a50d9456b123b97cd0adbe1fda5d48616

memory/4084-213-0x0000000000620000-0x0000000000B0E000-memory.dmp

memory/888-214-0x0000000000C80000-0x0000000001873000-memory.dmp

memory/888-223-0x0000000000C80000-0x0000000001873000-memory.dmp

memory/4084-227-0x0000000000620000-0x0000000000B0E000-memory.dmp

memory/3768-228-0x0000000000D70000-0x000000000125E000-memory.dmp

memory/3768-229-0x0000000000D70000-0x000000000125E000-memory.dmp

memory/4084-236-0x0000000000620000-0x0000000000B0E000-memory.dmp

memory/4084-237-0x0000000000620000-0x0000000000B0E000-memory.dmp

memory/2556-243-0x0000000000620000-0x0000000000B0E000-memory.dmp

memory/2556-245-0x0000000000620000-0x0000000000B0E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\sessionstore-backups\recovery.jsonlz4

MD5 33e12faca70b22e6e83b6941ce62751e
SHA1 60a534499f3732c7f84898c563ae80809d7c4454
SHA256 366a2a055361cfbc6a3e947a95d225b827406fb35399370bc8741836a6483d2d
SHA512 2d5fa5f782c9c3c442e4c35bb2c7bbcff7630c9fc0177ddce4744db93d33d1d5f4583b956e9d408bb1f15192b007280f6be0920b9f8be56d3937351a0c1b44ce

memory/4084-251-0x0000000000620000-0x0000000000B0E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 875c8daa4b9c4b9a5d8739ff18ea70cb
SHA1 428f7e842fecd24443eb6759e47cfc928a02c546
SHA256 250a7e4889740c5695a409d82c57ab7fb82bc11149e503cfb55e2975240da305
SHA512 3f27f9b82599a1cc4f9c80983d694353193a3cad0621fefa5d6a6ae0ab473057cc495937641d37d804df62d9b998e50bd752bb9532dced011d7ba035fa141fe1

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q38sqp1f.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 c1381d3468a66bb6d1c34c59bf0cefec
SHA1 66e0ada4d7d89702de9976168bcd73936d082fca
SHA256 aed27a3b2ff93ee96af92065e6f2378135f002fa9b9365812e6eba45d25f6932
SHA512 20764d861e9a1e0e837bf8ddd423943bb28fd3e60ed53437dc7381a89066f0caaa4c75632738446019901d7d40057f7fdaf2163ebf1748a814c442c08220cde5

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\prefs-1.js

MD5 2e10197d7f6a45fe92ab29bbca032abf
SHA1 d3e4e583406b5544fcbdd4ea9e6b4d986c6e9fd2
SHA256 bff1012013243d9499cd62135da8dde456c8f9ca4fd475ea774cb628d160b92c
SHA512 eed7c4cabac462c78cf4750f2db78ff2e2601ba12eb42f2bb8f3b588b0dc0fd63b380125acfde3937a26e26f590874b85416637a03a344edfa748608e6f71be4

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

memory/4084-428-0x0000000000620000-0x0000000000B0E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\prefs-1.js

MD5 f2ed7fbaa3b3234af524ecee732a2cbd
SHA1 056f831cc8cf280a4e357c1b3e2ed288a710cc9a
SHA256 5e62f715370390f79624a0ee0b438bc3b59441f17369423b34ea04ecf5714f86
SHA512 88bc8ea36a6b630ab22e5be76a81490047071ca2589b5cbd677cf7b96a35d4a3216a56b1b12290ba27aaf5e97a10b86c2750cd435bbdbc0539f57d28ffa896e1

memory/4084-1420-0x0000000000620000-0x0000000000B0E000-memory.dmp

memory/4084-2218-0x0000000000620000-0x0000000000B0E000-memory.dmp

memory/4084-2238-0x0000000000620000-0x0000000000B0E000-memory.dmp

memory/4084-2240-0x0000000000620000-0x0000000000B0E000-memory.dmp

memory/5008-2242-0x0000000000620000-0x0000000000B0E000-memory.dmp

memory/5008-2243-0x0000000000620000-0x0000000000B0E000-memory.dmp

memory/4084-2244-0x0000000000620000-0x0000000000B0E000-memory.dmp

memory/4084-2245-0x0000000000620000-0x0000000000B0E000-memory.dmp

memory/4084-2246-0x0000000000620000-0x0000000000B0E000-memory.dmp

memory/4084-2247-0x0000000000620000-0x0000000000B0E000-memory.dmp

memory/4084-2253-0x0000000000620000-0x0000000000B0E000-memory.dmp

memory/4084-2254-0x0000000000620000-0x0000000000B0E000-memory.dmp

memory/512-2256-0x0000000000620000-0x0000000000B0E000-memory.dmp

memory/512-2258-0x0000000000620000-0x0000000000B0E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-04 20:34

Reported

2024-07-04 20:37

Platform

win11-20240508-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\CGDGHCBGDH.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\CGDGHCBGDH.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\CGDGHCBGDH.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\CGDGHCBGDH.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\c71a3596bc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\c71a3596bc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\c71a3596bc.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2416 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2416 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2416 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4420 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\c71a3596bc.exe
PID 4420 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\c71a3596bc.exe
PID 4420 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\c71a3596bc.exe
PID 4420 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe
PID 4420 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe
PID 4420 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe
PID 4052 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4052 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 2200 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 2200 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 2200 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 2200 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 2200 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 2200 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 2200 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 2200 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 2200 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 2200 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 2200 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 968 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe

"C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\c71a3596bc.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\c71a3596bc.exe"

C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe

"C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.0.1608173321\1511066485" -parentBuildID 20230214051806 -prefsHandle 1768 -prefMapHandle 1760 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {356a9c98-0551-47ec-b3ad-b61046fa50fd} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 1848 287e3423458 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.1.1227463858\1313948369" -parentBuildID 20230214051806 -prefsHandle 2380 -prefMapHandle 2376 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {635dc5cf-6583-484b-9a8a-00808b9be2f0} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 2392 287d6689658 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.2.466463982\444521472" -childID 1 -isForBrowser -prefsHandle 3012 -prefMapHandle 2972 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8f9e211-125e-48a6-9d97-fd42e3fed4c5} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 3024 287e623c958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.3.1070391169\1266939188" -childID 2 -isForBrowser -prefsHandle 3648 -prefMapHandle 2860 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5874d322-80af-4cb4-bf15-0a53b690c49c} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 3660 287e925b858 tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CGDGHCBGDH.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IIEBKJECFC.exe"

C:\Users\Admin\AppData\Local\Temp\CGDGHCBGDH.exe

"C:\Users\Admin\AppData\Local\Temp\CGDGHCBGDH.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.4.281566863\1605852617" -childID 3 -isForBrowser -prefsHandle 5432 -prefMapHandle 5428 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fd05caa-ab46-4ecf-96e0-e13b5093351b} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 5444 287eb70be58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.5.639538416\259266911" -childID 4 -isForBrowser -prefsHandle 5556 -prefMapHandle 5552 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {931baebb-584c-4524-8eae-565d5186148b} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 5564 287eb70cd58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.6.1705268908\1267888097" -childID 5 -isForBrowser -prefsHandle 5700 -prefMapHandle 5704 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ffcbace-6326-4a8d-9331-85b95d297433} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 5688 287eb70d058 tab

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
RU 77.91.77.82:80 77.91.77.82 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
N/A 127.0.0.1:49857 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 34.120.5.221:443 prod.pocket.prod.cloudops.mozgcp.net tcp
GB 216.58.201.110:443 youtube-ui.l.google.com tcp
US 8.8.8.8:53 221.5.120.34.in-addr.arpa udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 44.242.121.21:443 shavar.services.mozilla.com tcp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
GB 216.58.201.110:443 consent.youtube.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
GB 216.58.201.110:443 consent.youtube.com tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
GB 216.58.201.110:443 consent.youtube.com udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 34.107.243.93:443 autopush.prod.mozaws.net udp
RU 77.91.77.81:80 77.91.77.81 tcp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
N/A 127.0.0.1:49865 tcp
US 35.244.181.201:443 aus5.mozilla.org tcp
GB 88.221.134.209:80 a19.dscg10.akamai.net tcp
GB 142.250.200.14:443 redirector.gvt1.com tcp
GB 142.250.200.14:443 redirector.gvt1.com udp
DE 74.125.162.198:443 r1.sn-4g5ednds.gvt1.com tcp
DE 74.125.162.198:443 r1.sn-4g5ednds.gvt1.com udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
GB 142.250.200.46:443 play.google.com tcp
GB 142.250.200.46:443 play.google.com udp

Files

memory/2416-0-0x0000000000360000-0x000000000084E000-memory.dmp

memory/2416-1-0x0000000077DE6000-0x0000000077DE8000-memory.dmp

memory/2416-2-0x0000000000361000-0x000000000038F000-memory.dmp

memory/2416-3-0x0000000000360000-0x000000000084E000-memory.dmp

memory/2416-5-0x0000000000360000-0x000000000084E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 7ede7b1ad45d029e9528612dbb1e39f9
SHA1 fb3beb2812cda7c3e308d1db9c82320bf781a0b2
SHA256 9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246
SHA512 d79a3a6a283fdb8856f56dc6377a57cb9e200c3de1a1b6a676a446d39d7c8b1124a7124d778b335b2eb24dffc6988f7f8fb8738fd60be6045ad7f05562d9bf59

memory/2416-17-0x0000000000360000-0x000000000084E000-memory.dmp

memory/4420-18-0x0000000000C80000-0x000000000116E000-memory.dmp

memory/4420-19-0x0000000000C81000-0x0000000000CAF000-memory.dmp

memory/4420-20-0x0000000000C80000-0x000000000116E000-memory.dmp

memory/4420-21-0x0000000000C80000-0x000000000116E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\c71a3596bc.exe

MD5 de1d8c161d81ba79c888fef77c75db93
SHA1 55e3b5e658d41d98779214afb48d34c66bf17346
SHA256 31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126
SHA512 4d243246e4476555a4b018d2df63ae93da8c64096523c8f8b20ba616b0dec97c21e4bed7dced51da50c0908ad3da6b882b11de6d668b71852f2290850a6810ea

memory/3940-37-0x0000000000010000-0x0000000000C03000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000007001\329686c681.exe

MD5 13568994c781d91876b7872bb8d78695
SHA1 f8d67728b62db1894fa7d13185bf1ee7d3f7f6df
SHA256 8ab116034b11d986ed37b7ed41966a95c607cc80897872425762ebe101b8dd7f
SHA512 7cf6227b2e3dc05ba200825f21cc2fa266ed6b3b653ebcd282cd70ae9b40dee6db44e841d3b014c183269339fbe30c13efc2ee1a6c5857df172f282206bb867e

memory/3940-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\prefs.js

MD5 d138ce8ead6c6e57f2fc7a762de21bb4
SHA1 cefeb1550df1de28f3c2e6c4d43b8c951d1b84c8
SHA256 3e9c3674235718601b719d0c2260357c11eb474f9d4fee8e7e0bdb2e05c46c4b
SHA512 6adbd849066910e4e08ae7f7719975ee1ed6e89cfd6b1802f366b6430b2524ce46108308c08b9530c3a242c0a61e40988e41adb3d6664fee791e725bffe03fae

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 51f0a3fe3bfa6ad9801acc6320a74f55
SHA1 e5512dbca910bb145127bc2c083e9acc9ee92239
SHA256 330ccf3bfa6ad85d15b7aee5cfdaee8897f68ef7ae841311676859fcd149bb5a
SHA512 db135f88a5ceb532081a7501e0d624264aa500beacdad9fe5631b6e5ceb046104110167ba5c2b3394f00802469e3727524f9344141b7429448fc2ec1bfac5985

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\activity-stream.discovery_stream.json.tmp

MD5 69551b7d939899ed68dd03cd71a27774
SHA1 9b947f56b26f16173e407e89b873cbc41ee0ecd1
SHA256 41c5ea7077c568be41bba4efc33619cad0cd739f71998d97dab6b4675e3938b7
SHA512 6872ca3e225a5324bca683966d0344bfd1162e74035da9568f820f5ef6160faab27789945efe7cfe383fe2ae3af17a9bc9b2006b332ac8daa9aa1084e225bafb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\prefs.js

MD5 bd8c2588e5a822c2e50abc0ef95f1f28
SHA1 56d223351de2041264556f13e4cb375f9463d3ee
SHA256 cfc83dbc968855913d3b6b5f61b736dc8e95476a8444a850198d4ab6c050c64e
SHA512 33241ef8c07b7f5d0bfedf752349907a4fec0d5a86cf5456dede9695212b847f037364e456074aca78482e48ff0de26ecb62a65d1b474293d251ad733082a7d2

memory/4420-220-0x0000000000C80000-0x000000000116E000-memory.dmp

memory/3940-224-0x0000000000010000-0x0000000000C03000-memory.dmp

memory/5004-228-0x0000000000350000-0x000000000083E000-memory.dmp

memory/5004-231-0x0000000000350000-0x000000000083E000-memory.dmp

memory/4420-234-0x0000000000C80000-0x000000000116E000-memory.dmp

memory/4420-243-0x0000000000C80000-0x000000000116E000-memory.dmp

memory/4420-244-0x0000000000C80000-0x000000000116E000-memory.dmp

memory/4816-245-0x0000000000C80000-0x000000000116E000-memory.dmp

memory/4816-246-0x0000000000C80000-0x000000000116E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\sessionstore-backups\recovery.jsonlz4

MD5 94f5414871555243172804e4c5e54580
SHA1 d8547fe74e5a4f90276da22806e880db1ef167a9
SHA256 1cc56a6964fdeea56dd49bd57dd37c5545af500dff222e8c2c51f2017aef9f5c
SHA512 829e2146af3601115420dce3382c7a2cd4eb5c5901a7d953829d8af6a33647de4e48f159851dc904571d2e433a74f3d16ac6ab1706099515758701b804f5845f

memory/4420-256-0x0000000000C80000-0x000000000116E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 156941e9e05e141c46d8ac57f8a4f34c
SHA1 5918e3ebda0cee3f2c32838fd1c810217fc9cdc4
SHA256 ca698bb2b8deedb0147785380784b8c76b15f20fd4ab1409ec743d4e20c3b971
SHA512 ef31ebc97f27f041c5d0df270dd4dad4b3e881bb2a71320e4f40b0e455d40520e6d1010b26eba53e405d8335642fc4b52da85333ddce21d135095da8b12c1518

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\prefs.js

MD5 ae0f73af66d103dd773ebac48eca45e7
SHA1 1cd0397715e966358ac36b5ba6dc02e20f1a73ca
SHA256 7266567744467ec83f60c03b55de427db869afd43c95fc96d43e80cf87e85735
SHA512 ef2cf246aa8649b1f1474621a5ba800ac959425851ac8820910f7b550d4618b597cb6671d705ff7cd51c1f917cda07da112f9f0c94ebb5307befb5554736ade5

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 5670d8c79dbdbdddecfdc5c4e2a66f8c
SHA1 63da03c0af6cb84b595baca9abc8b6ec028d2080
SHA256 909c7c4d4b59d1c72c6b4cfa44f8128c85d4d05b9dc5ff8433bd2c18822aeeb1
SHA512 d812ba4c6dbf70ef3ac32c3038c61e90f9c138c8d12f60b594178ac77bd6a49db9f3e4679f9dd4ca9e4824af36cbbac5658fa042e1ce9b35ceca4f3b0e00d5f5

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\prefs-1.js

MD5 48b58d46cfaad3501ee19e0e84ddc8ba
SHA1 a656c1dc52fa4ed53e29d423a7a26ff2928a920b
SHA256 1e58173f47104c0bdb4c0b65c4022691c2f9b34738d9344084090b3448778a73
SHA512 ad9c1bfeb6dde9f514f820b27478e8ab67e2e2d8cfceffd0f392923ad6c6da70b36e1b665e883b8c8e1dde148be6bc889d366031540c45abb4ce9ed1b2edc592

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308

MD5 2280b9cbc85336c05df9b65a2ae18367
SHA1 d43541a9a26710777803bc8683f9e8a7c72ae9ac
SHA256 a752e1098a263b552b2e23644960ea341a79775297f86d4c2065edc8451c803c
SHA512 750c552f66a6c279c5b4e424c221c90f0e79016122547d241dc05784c34b09814b988098f78b9a2ebe1737c6212e48f5955ab2664c32196131a47aec6ef0730c

memory/4420-595-0x0000000000C80000-0x000000000116E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\prefs-1.js

MD5 246c159f203a297fd6a0a93b54f956b7
SHA1 19f534f6aea7b02e12fb4e57889081302639b3dc
SHA256 1c0687c94c47ceb3076d313e2a43323f2f2181683d621ca40554886446503cc2
SHA512 f2c10fa025e59f335e05528c73384f601eb115989d90889cb7a06a2bad15231c777ae48ee7b7757f5d4ece10cb1000501c239d9a56f18c5a8729ea93d82ab5f1

memory/4420-2238-0x0000000000C80000-0x000000000116E000-memory.dmp

memory/4420-2240-0x0000000000C80000-0x000000000116E000-memory.dmp

memory/4420-2259-0x0000000000C80000-0x000000000116E000-memory.dmp

memory/4420-2261-0x0000000000C80000-0x000000000116E000-memory.dmp

memory/1924-2263-0x0000000000C80000-0x000000000116E000-memory.dmp

memory/1924-2264-0x0000000000C80000-0x000000000116E000-memory.dmp

memory/4420-2265-0x0000000000C80000-0x000000000116E000-memory.dmp

memory/4420-2266-0x0000000000C80000-0x000000000116E000-memory.dmp

memory/4420-2267-0x0000000000C80000-0x000000000116E000-memory.dmp

memory/4420-2268-0x0000000000C80000-0x000000000116E000-memory.dmp

memory/4420-2274-0x0000000000C80000-0x000000000116E000-memory.dmp

memory/4420-2275-0x0000000000C80000-0x000000000116E000-memory.dmp

memory/2192-2277-0x0000000000C80000-0x000000000116E000-memory.dmp

memory/2192-2278-0x0000000000C80000-0x000000000116E000-memory.dmp