Malware Analysis Report

2024-11-13 16:46

Sample ID 240709-1h4f7sxcrl
Target d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0
SHA256 d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0
Tags
amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0

Threat Level: Known bad

The file d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d hate discovery evasion spyware stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Loads dropped DLL

Reads user/profile data of web browsers

Identifies Wine through registry keys

Executes dropped EXE

Checks computer location settings

Reads data files stored by FTP clients

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-07-09 21:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-09 21:39

Reported

2024-07-09 21:42

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\DHDHJJJECF.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\DHDHJJJECF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\DHDHJJJECF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000006001\38317c35de.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\DHDHJJJECF.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\38317c35de.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\38317c35de.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\38317c35de.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 884 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 884 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 884 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2044 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\38317c35de.exe
PID 2044 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\38317c35de.exe
PID 2044 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\38317c35de.exe
PID 2044 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe
PID 2044 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe
PID 2044 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe
PID 1824 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1824 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2092 wrote to memory of 3320 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2092 wrote to memory of 3320 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2092 wrote to memory of 3320 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2092 wrote to memory of 3320 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2092 wrote to memory of 3320 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2092 wrote to memory of 3320 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2092 wrote to memory of 3320 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2092 wrote to memory of 3320 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2092 wrote to memory of 3320 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2092 wrote to memory of 3320 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2092 wrote to memory of 3320 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3320 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe

"C:\Users\Admin\AppData\Local\Temp\d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\38317c35de.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\38317c35de.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2004 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd91f5a8-5621-43e9-a702-ecddc524e1e5} 3320 "\\.\pipe\gecko-crash-server-pipe.3320" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {250a24a9-90bc-409e-a7a9-d53cf34a153f} 3320 "\\.\pipe\gecko-crash-server-pipe.3320" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3120 -childID 1 -isForBrowser -prefsHandle 3356 -prefMapHandle 3116 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b89d805-0651-4489-918e-f849e7445c0c} 3320 "\\.\pipe\gecko-crash-server-pipe.3320" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3716 -childID 2 -isForBrowser -prefsHandle 3712 -prefMapHandle 3708 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8208ad1a-7ba9-4a55-bc94-4df8fe7bc0fe} 3320 "\\.\pipe\gecko-crash-server-pipe.3320" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4808 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4792 -prefMapHandle 4800 -prefsLen 31163 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6c72562-75c6-4c78-bde3-1e4c89db90c0} 3320 "\\.\pipe\gecko-crash-server-pipe.3320" utility

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DHDHJJJECF.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GIJKKKFCFH.exe"

C:\Users\Admin\AppData\Local\Temp\DHDHJJJECF.exe

"C:\Users\Admin\AppData\Local\Temp\DHDHJJJECF.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3712 -childID 3 -isForBrowser -prefsHandle 5416 -prefMapHandle 5400 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b895eba8-e4ad-463c-b360-8f09bd8757d4} 3320 "\\.\pipe\gecko-crash-server-pipe.3320" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5568 -childID 4 -isForBrowser -prefsHandle 5644 -prefMapHandle 5640 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d495aa09-d790-40d7-84ba-e78098e61950} 3320 "\\.\pipe\gecko-crash-server-pipe.3320" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5748 -childID 5 -isForBrowser -prefsHandle 5828 -prefMapHandle 5824 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {884cd622-aacf-4862-be45-2f72de411222} 3320 "\\.\pipe\gecko-crash-server-pipe.3320" tab

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
N/A 127.0.0.1:63372 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 34.117.188.166:443 spocs.getpocket.com udp
GB 142.250.200.14:443 www.youtube.com tcp
GB 142.250.200.14:443 www.youtube.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
GB 142.250.200.14:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 44.238.192.228:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
GB 216.58.201.110:443 consent.youtube.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 228.192.238.44.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
N/A 127.0.0.1:63382 tcp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com udp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

memory/884-0-0x0000000000B30000-0x0000000000FCE000-memory.dmp

memory/884-1-0x0000000076F64000-0x0000000076F66000-memory.dmp

memory/884-2-0x0000000000B31000-0x0000000000B5F000-memory.dmp

memory/884-3-0x0000000000B30000-0x0000000000FCE000-memory.dmp

memory/884-5-0x0000000000B30000-0x0000000000FCE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 8c6765fe39a0cf9b8c2ed1fb8649be1c
SHA1 1308a16f47a014b4fe35573d944f69629fbc1255
SHA256 d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0
SHA512 c418c281aba4c5e7c5f58a453b7dac2e42b154572b71ff5ebb1ffd25d94d2d67302a52fdd10786dddeab204bac7f09e27e95d5f8d9f7fe4383ccd630b1948e87

memory/884-17-0x0000000000B30000-0x0000000000FCE000-memory.dmp

memory/2044-18-0x0000000000B90000-0x000000000102E000-memory.dmp

memory/2044-20-0x0000000000B90000-0x000000000102E000-memory.dmp

memory/2044-19-0x0000000000B91000-0x0000000000BBF000-memory.dmp

memory/2044-21-0x0000000000B90000-0x000000000102E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\38317c35de.exe

MD5 b6bf96c3900b28a9970323938a1752bd
SHA1 fff9ac5ee2a9849759bf02538f8a431738a894c5
SHA256 1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506
SHA512 475848394c20823bf0c05f3d66ff27422b22670babde769f936791881d0da800cadf3ae08e0e99fe0a85abeafaa072672575d020de9267d87142047c1e1033ec

memory/4212-37-0x0000000000880000-0x0000000001465000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

memory/4212-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2044-117-0x0000000000B90000-0x000000000102E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\prefs.js

MD5 ac6e4c459fb32c9507fa7bfcfc4bfa01
SHA1 d0e0c0e5ca247c1859dc56b5358adc1bfc19b50f
SHA256 fe40b584501915429da42e9e1fa6d56bfab95f058410777f87f005ec7d0f9e82
SHA512 357e5be327a0689dad3446822f0802d1ffaba258fea53e0e7dad5e2a99aad283dcd0e19ea020ed64d96998d9f2039efe6dded7e92018f7e836d194af942494b2

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4cs2motb.default-release\activity-stream.discovery_stream.json.tmp

MD5 7ea3e10b98c98c1c73d305fad77660de
SHA1 faf60c3f054c9139be99c5a86625988b1f4faee7
SHA256 61430008c20254c039c16df881dac16420eb1bc80c6fb9d1086da48a6bea9130
SHA512 76819ad0278c205fa39d38d332fe11b88cf58fff8e4e89fd66d4540b4aa8866e710cc07984ce8f3d83405a71d969e434071536147b1c32a530e1ea43a6d054bc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\339dd1dc-5200-4db2-8d50-31486e18cb3e

MD5 4905c14b56671e5815518bf39e3d9683
SHA1 6942dfe7816a8145c503acae773fc95128eee6c3
SHA256 c11bf7572d7b5eedf48f7df0ee1f90320f54e343bb0154c1ae645fb3a3edb257
SHA512 0c4778c2311413ed4af97a5ac270ea06c336633e0f7f921269c7bce0768ab014a6ea415d66b982e1c7c000b783f0aa8c4a4de7565df04cdf270a998a24b572fa

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\e3364892-0ed6-433f-b1d7-274e5f6aade9

MD5 43d342e777a25206961cbbd73c12e62b
SHA1 67447c8d0785c957f0884b56758d4be30be78761
SHA256 5ff4fb5b24e8f0d2250206e93f654859b72b4694edb7f9cd6fa86a123f19f294
SHA512 03f1b205aa2ed44d1fb9ad9ea63f6b8e2734c32d0c113a5abf92d67a956dcf084f00b2dec7716c0704b52b0bc90121ee1820fedb0cf2d1e957bd57b841e316bb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp

MD5 70feb73ff859f0fe211d0db53f9738df
SHA1 ad565054f2fad533f485d4d7e1c2181590c5e517
SHA256 177d77d4738e2317f76d063ef87664cd3715d27b1526c4f4c75b6228f3d5b11b
SHA512 c613b267c8ce4163560c5c4ad60dc451f4c11924fa3373fa85afc9df2c667f277323ae97c7e4b70cc3f5b9d7aa53a9c6fcd993185911892647b8749c5b1e18b5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp

MD5 7e5860d20fdc848ea9b27c931f344efd
SHA1 504a29984346fcfc690f460090e35421da5c6f38
SHA256 ebfc45b0768909b50932145b0f11dbf905dc7c2f0338432b71fcabad07b07ea8
SHA512 ce69307085c9f79dede2dc43b330b4a71b1a7599de789e3be390e58611cc867a66cd9f509386b3bc1706edf5a79e3a023a87159ec03cc9023feee52ed167873d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp

MD5 7b1018646837b3b174c806f92bf04606
SHA1 16149dd84d2aad8329153222c88a8f9b8b8e5613
SHA256 2f9fb60932ee8f43fc712c24ee4f427d594ada9efd1748b1a8b50812aa90d756
SHA512 717c78b69f6d20f231aa2cb8087fa522aca5c768304f4d0fd3f7d7f8ca7357e9ad70eee42270ce50716f42bd353c856998aaa6f07e66a7f643e72c6596ad2704

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\AlternateServices.bin

MD5 4d0db225a5582c98dcc4b61a393eb693
SHA1 ebe6013aca7e9ac09defc34ad507d63b595d1269
SHA256 d4650254f7922082125237db68f994f8e8c889890fcebd9634098c248bff1bee
SHA512 4135ec52d0f1561b227f31ac2c53f44ea11a5cff70d92d5d6bda9aa19e5953c9a769c49b50be4811b5dd69f7eaedca27da8e48feda997e4c3e6498e51062d593

memory/4212-408-0x0000000000880000-0x0000000001465000-memory.dmp

memory/3688-415-0x0000000000520000-0x00000000009BE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\prefs.js

MD5 30cc00d0a48ef3290836a675631eb5df
SHA1 e9c26ec823d4fcc0e6a8dc881e8319d439b3315e
SHA256 d0c823d6e9ba525033051684fabf1b48e323f0592f24be1e5e84699284737a12
SHA512 7022f958a4ca2edd8d1cde68b55138cd3508210d99573cdfd3c8122aa22353a6f637288b886251b847ccd6ac458774438a74c497b6279e2c7f1cd3c4e3f32236

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\prefs-1.js

MD5 defcd451dd76cffa2c2ec80c1764a530
SHA1 c9096964e6db388270ed829006705bdde9f85422
SHA256 509259ce8b3628611cb21f4817c12db332b975dc38b6c0055998efe5e3f8aeb7
SHA512 b2db0f214ffc728224baa8763a1b7d0df3717bcd1b0201a241faf0496a502c26f2d557e34b3e3d12278d68dd42ece1bc96c6c23fc5d6255831d1009163cbbb56

memory/3688-454-0x0000000000520000-0x00000000009BE000-memory.dmp

memory/2044-458-0x0000000000B90000-0x000000000102E000-memory.dmp

memory/2044-466-0x0000000000B90000-0x000000000102E000-memory.dmp

memory/2044-473-0x0000000000B90000-0x000000000102E000-memory.dmp

memory/2044-478-0x0000000000B90000-0x000000000102E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp

MD5 e80371adcfe9b3d7a88140999af436c2
SHA1 7276084580a32ac982753edb95773dc728eb65f7
SHA256 489ac07be0b2adcbe09bf7faca1b34d8f696e9cbe21368cffbeaee8fbb1d2e29
SHA512 65d29d64de74018ce111a21b9bab3e182ae31779f2f784c423a69380f7f8494a20b92570834b395e7db044bec19a471ff3313d5cde8c9613ee50360066e9a5ef

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4cs2motb.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 a49ade3954ed63f2c3f5ea8851c42892
SHA1 6c8509577e513c550c110aaeebb620dbc5e1f320
SHA256 c62a266532313c81c30575f1d9ae993058c49c27857f9de55164cf3e025867af
SHA512 e710191afaeb9f0d22dc0787b77fde50f667f1df07def57a4774b31f56e07a0face678847167229f1e2db06933d9c441fcaee96177d188be8dd66193179011b6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\prefs-1.js

MD5 5f44311da1fd7981add55698cf510943
SHA1 0f6e61fa51ca5fd9e1546102483f9baf9b115d39
SHA256 672dd494a1f5b1fc6eec424d0528fe023174d6a81e50cc404f162ab98318f302
SHA512 43b58ac868c73bd7300d35affd5e8df0b8fcf92696c3c8a9694fb14152d0c46d078f7823fec31e23988d218c451688cb10362a6f4665337450809c5b582a131f

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/2044-953-0x0000000000B90000-0x000000000102E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\prefs-1.js

MD5 ff6769a6f8c7823ded3e76700ea90673
SHA1 3b0fa98ce962982de4badef7d8eaf23bef8fadca
SHA256 231d0aacbadf0ef33df175bf6ab296839daf248ea04731c1d94369b2c2bc2787
SHA512 6cdea18b00fed4c7ab8962e1fcf86f6daaf6ab5dac9d8f7f4dbd0d2e0f226cbf023700bd91fb9816bf212f8af80372c7a108607ca5326bbfe5c1865d07b634fb

memory/2044-2627-0x0000000000B90000-0x000000000102E000-memory.dmp

memory/4052-2629-0x0000000000B90000-0x000000000102E000-memory.dmp

memory/4052-2632-0x0000000000B90000-0x000000000102E000-memory.dmp

memory/2044-2633-0x0000000000B90000-0x000000000102E000-memory.dmp

memory/2044-2639-0x0000000000B90000-0x000000000102E000-memory.dmp

memory/2044-2641-0x0000000000B90000-0x000000000102E000-memory.dmp

memory/2044-2642-0x0000000000B90000-0x000000000102E000-memory.dmp

memory/2044-2643-0x0000000000B90000-0x000000000102E000-memory.dmp

memory/2044-2644-0x0000000000B90000-0x000000000102E000-memory.dmp

memory/3520-2646-0x0000000000B90000-0x000000000102E000-memory.dmp

memory/3520-2647-0x0000000000B90000-0x000000000102E000-memory.dmp

memory/2044-2648-0x0000000000B90000-0x000000000102E000-memory.dmp

memory/2044-2649-0x0000000000B90000-0x000000000102E000-memory.dmp

memory/2044-2655-0x0000000000B90000-0x000000000102E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-09 21:39

Reported

2024-07-09 21:42

Platform

win11-20240709-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ECGDBAEHIJ.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ECGDBAEHIJ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ECGDBAEHIJ.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ECGDBAEHIJ.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\36b89c6000.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\36b89c6000.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\36b89c6000.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1104 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2952 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\36b89c6000.exe
PID 2952 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe
PID 3304 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3664 wrote to memory of 1748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1748 wrote to memory of 3172 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe

"C:\Users\Admin\AppData\Local\Temp\d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\36b89c6000.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\36b89c6000.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c52f1e5-1fb9-48f2-baf0-eca4fc046135} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2384 -parentBuildID 20240401114208 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {418cf5f1-a175-483d-8ae7-956355ffc0b7} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2952 -childID 1 -isForBrowser -prefsHandle 2944 -prefMapHandle 2872 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97dc4f10-a52a-4957-882f-42efe3278b6d} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3800 -childID 2 -isForBrowser -prefsHandle 3792 -prefMapHandle 3416 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd746f1e-6ab3-4c8d-aae4-f8b45d8d42eb} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4536 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 2764 -prefMapHandle 4472 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7e654da-45d1-4821-834d-529c21efa911} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5688 -childID 3 -isForBrowser -prefsHandle 5676 -prefMapHandle 5680 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dcf82f7b-0041-48c1-92c6-0a5cfb57a14c} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5656 -childID 4 -isForBrowser -prefsHandle 5816 -prefMapHandle 5820 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e775935-c4b7-45f4-ad7d-1d8035d8e11f} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5644 -childID 5 -isForBrowser -prefsHandle 5996 -prefMapHandle 6000 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf07e4db-e8ee-4f6c-8fce-2b58d3dbdb42} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ECGDBAEHIJ.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AEGHIJEHJD.exe"

C:\Users\Admin\AppData\Local\Temp\ECGDBAEHIJ.exe

"C:\Users\Admin\AppData\Local\Temp\ECGDBAEHIJ.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\1000006001\36b89c6000.exe

C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe

C:\ProgramData\mozglue.dll

C:\ProgramData\nss3.dll

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\activity-stream.discovery_stream.json.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\datareporting\glean\db\data.safe.tmp

C:\ProgramData\DHDHCGHDHIDHCBGCBGCA

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\datareporting\glean\pending_pings\611dfbe3-7767-4c34-8987-d27b9c9cd1f4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\datareporting\glean\pending_pings\837fe9fe-b1c8-474d-a9fb-fcd6a0554fb1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\AlternateServices.bin

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\prefs-1.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

C:\Users\Admin\AppData\Local\Temp\tmpaddon

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\prefs-1.js

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\prefs-1.js

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\cache2\entries\558F8F9C33CCBA6CC64740164FBB23EBD5D2F029
