Malware Analysis Report

2024-11-13 16:46

Sample ID 240709-2nvxpasbqd
Target 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913
SHA256 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913
Tags
amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913

Threat Level: Known bad

The file 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913 was found to be: Known bad.

Malicious Activity Summary

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Reads data files stored by FTP clients

Executes dropped EXE

Loads dropped DLL

Checks BIOS information in registry

Identifies Wine through registry keys

Checks computer location settings

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-09 22:44

Signatures

Unsigned PE

Description | Indicator | Process | Target | Occurrences
N/A | N/A | N/A | N/A | 1

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-09 22:44

Reported

2024-07-09 22:47

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target | Occurrences
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\HJJJECFIEC.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\CFBAKKJDBK.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A | 2

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target | Occurrences
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A | 2
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A | 2
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\HJJJECFIEC.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\HJJJECFIEC.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\CFBAKKJDBK.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\CFBAKKJDBK.exe | N/A | 1

Checks computer location settings

Description | Indicator | Process | Target | Occurrences
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe | N/A | 1
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HJJJECFIEC.exe | N/A | 1
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A | 1
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe | N/A | 1

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target | Occurrences
Key opened | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\HJJJECFIEC.exe | N/A | 1
Key opened | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\CFBAKKJDBK.exe | N/A | 1
Key opened | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A | 2

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description | Indicator | Process | Target | Occurrences
N/A | N/A | N/A | N/A | 1

Drops file in Windows directory

Description | Indicator | Process | Target | Occurrences
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\HJJJECFIEC.exe | N/A | 1

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target | Occurrences
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 2
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 2
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 1

Modifies registry class

Description | Indicator | Process | Target | Occurrences
Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 1

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Occurrences
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 2

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target | Occurrences
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HJJJECFIEC.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe | N/A | 42
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 21

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target | Occurrences
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe | N/A | 44
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 20

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Occurrences
PID 1740 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 1740 wrote to memory of 4064 | N/A | C:\Users\Admin\AppData\Local\Temp\783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 2784 wrote to memory of 588 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\HJJJECFIEC.exe | 3
PID 4064 wrote to memory of 116 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\CFBAKKJDBK.exe | 3
PID 588 wrote to memory of 4068 | N/A | C:\Users\Admin\AppData\Local\Temp\HJJJECFIEC.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | 3
PID 4068 wrote to memory of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\649ad04025.exe | 3
PID 4068 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe | 3
PID 2996 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 2
PID 1520 wrote to memory of 1120 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 11
PID 1120 wrote to memory of 4392 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 30

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe

"C:\Users\Admin\AppData\Local\Temp\783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HJJJECFIEC.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CFBAKKJDBK.exe"

C:\Users\Admin\AppData\Local\Temp\HJJJECFIEC.exe

"C:\Users\Admin\AppData\Local\Temp\HJJJECFIEC.exe"

C:\Users\Admin\AppData\Local\Temp\CFBAKKJDBK.exe

"C:\Users\Admin\AppData\Local\Temp\CFBAKKJDBK.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\649ad04025.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\649ad04025.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1896 -prefsLen 25755 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d601fb0-7583-4aae-8c09-b52239d96b18} 1120 "\\.\pipe\gecko-crash-server-pipe.1120" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 26675 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e9a5605-2e8c-40fd-8be5-2731d1685ad2} 1120 "\\.\pipe\gecko-crash-server-pipe.1120" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2864 -childID 1 -isForBrowser -prefsHandle 2980 -prefMapHandle 3296 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1416850-ca60-4242-a793-57f84edc2ddd} 1120 "\\.\pipe\gecko-crash-server-pipe.1120" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3856 -childID 2 -isForBrowser -prefsHandle 3848 -prefMapHandle 3844 -prefsLen 31165 -prefMapSize 244658 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10191bb9-2eb0-4abc-b991-6c7955abcf2d} 1120 "\\.\pipe\gecko-crash-server-pipe.1120" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4836 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4764 -prefMapHandle 4748 -prefsLen 31272 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37c7126b-20d6-4f2f-9c31-101ea0fd88e8} 1120 "\\.\pipe\gecko-crash-server-pipe.1120" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2580 -childID 3 -isForBrowser -prefsHandle 5356 -prefMapHandle 5352 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d526d17-8db5-4694-8b5f-a7926ecd5aa8} 1120 "\\.\pipe\gecko-crash-server-pipe.1120" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4788 -childID 4 -isForBrowser -prefsHandle 5484 -prefMapHandle 5488 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad41eaa4-1ccc-4cea-8afc-474cf55a197a} 1120 "\\.\pipe\gecko-crash-server-pipe.1120" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5640 -childID 5 -isForBrowser -prefsHandle 5648 -prefMapHandle 5652 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4cfe406-f588-42a3-b942-c418251c5145} 1120 "\\.\pipe\gecko-crash-server-pipe.1120" tab

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
GB 142.250.200.46:443 play.google.com udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
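The Network table above mixes the sample's own traffic with everything a freshly launched Firefox does on its own (remote settings, update checks, telemetry, the Google/YouTube tab the stealer opened). The Python below is an added triage example, not part of the sandbox report or its tooling: it parses rows in the table's own "Country Destination Domain Proto" layout and keeps only connections that are not DNS, loopback, reverse lookups or known browser endpoints. The rows embedded in it are a constructed subset copied from the table; the benign-suffix list is an assumption made for this example. What survives is the set of hosts contacted by bare IP on port 80, where the Domain column simply repeats the address.

```python
"""
Triage a sandbox network table: separate likely C2 traffic from browser noise.
Added example for this report; SAMPLE_ROWS is a constructed subset copied from
the table above, and BENIGN_SUFFIXES is an assumption, not sandbox data.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample in the report's own "Country Destination Domain Proto" layout.
SAMPLE_ROWS = """\
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
N/A 127.0.0.1:55362 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.200.46:443 www.youtube.com tcp
US 34.117.188.166:443 spocs.getpocket.com tcp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
"""

# Endpoints a stock Firefox (and the tab it opened) contacts on its own.
# Assumption for this example: anything under these suffixes is browser noise.
BENIGN_SUFFIXES = (
    "mozilla.com", "mozilla.net", "mozilla.org", "mozaws.net", "mozgcp.net",
    "getpocket.com", "google.com", "youtube.com", "gvt1.com", "akamai.net",
    "openh264.org",
)

# The Domain column is optional (loopback rows have none); proto is the last token.
ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Parse table rows into dicts; header and unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def is_noise(row):
    """True for DNS, loopback/private, reverse lookups and known browser endpoints."""
    ip = ipaddress.ip_address(row["ip"])
    if ip.is_loopback or ip.is_private:
        return True
    if row["port"] == 53:                      # queries to the sandbox resolver
        return True
    dom = row["domain"] or ""
    if dom.endswith(".in-addr.arpa"):          # reverse lookups the sandbox performs
        return True
    return any(dom == s or dom.endswith("." + s) for s in BENIGN_SUFFIXES)


def suspected_c2(rows):
    """Return {'ip:port': hits} for direct-to-IP connections that are not noise.

    A loader that hard-codes its server address shows up here with the Domain
    column equal to the destination IP; that, not the country code, is the signal.
    """
    hits = Counter()
    for r in rows:
        if is_noise(r):
            continue
        if r["domain"] == r["ip"]:
            hits[f"{r['ip']}:{r['port']}"] += 1
    return dict(hits)


if __name__ == "__main__":
    for endpoint, n in sorted(suspected_c2(parse_rows(SAMPLE_ROWS)).items()):
        print(f"{endpoint}  ({n} connection(s))")
```

Rows without a Domain column (the two loopback entries) still parse; the verdict rests on the Domain column repeating the IP rather than on geolocation, so a C2 fronted by a real hostname would need a different rule (for example, a hostname that no browser process resolved).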

Files

memory/1740-0-0x0000000000590000-0x0000000001170000-memory.dmp

memory/1740-1-0x000000007F1B0000-0x000000007F581000-memory.dmp

memory/1740-2-0x0000000000590000-0x0000000001170000-memory.dmp

memory/1740-3-0x0000000000590000-0x0000000001170000-memory.dmp

memory/1740-4-0x0000000000590000-0x0000000001170000-memory.dmp

memory/1740-5-0x000000007F1B0000-0x000000007F581000-memory.dmp

memory/1740-6-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1740-54-0x0000000000590000-0x0000000001170000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\Users\Admin\AppData\Local\Temp\HJJJECFIEC.exe

MD5 8c6765fe39a0cf9b8c2ed1fb8649be1c
SHA1 1308a16f47a014b4fe35573d944f69629fbc1255
SHA256 d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0
SHA512 c418c281aba4c5e7c5f58a453b7dac2e42b154572b71ff5ebb1ffd25d94d2d67302a52fdd10786dddeab204bac7f09e27e95d5f8d9f7fe4383ccd630b1948e87

memory/1740-87-0x0000000000590000-0x0000000001170000-memory.dmp

memory/588-88-0x00000000002E0000-0x000000000077E000-memory.dmp

memory/116-92-0x0000000000760000-0x0000000000BFE000-memory.dmp

memory/588-93-0x00000000770F4000-0x00000000770F6000-memory.dmp

memory/588-95-0x00000000002E0000-0x000000000077E000-memory.dmp

memory/588-94-0x00000000002E1000-0x000000000030F000-memory.dmp

memory/588-97-0x00000000002E0000-0x000000000077E000-memory.dmp

memory/116-99-0x0000000000760000-0x0000000000BFE000-memory.dmp

memory/4068-112-0x0000000000110000-0x00000000005AE000-memory.dmp

memory/588-111-0x00000000002E0000-0x000000000077E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\649ad04025.exe

MD5 e43a0ac327404f3008b679e0b1293c6b
SHA1 9a2461c520ccc44840c1bd041467ce084dadab51
SHA256 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913
SHA512 804d187c5b62ada2a6d9ad922ce7042c66a0e2110b2cac7c223fcf37b0af3e514bdf37d08eac83972c21968833cd563bc3eb6099ed95df01e45039078b36d58d

memory/1388-128-0x0000000000D00000-0x00000000018E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\prefs.js

MD5 cf5a9093ad8d09334ef68d9a636a033b
SHA1 6b3dc1ffafbb3658785b1ef02069b7a28d59c56a
SHA256 481bb922c4eab0da8df533ad78e2c9c90cbd813ca23ca1052120f64edf00ef2b
SHA512 5d0f42b962d3183a88628e5157580a0201630758b3411343fb4cb78909d8f79822f85422ce17a2879b7d2d8e41c949c05891cc8c850a1272400d9838e1ef7ca4

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85t3rifc.default-release\activity-stream.discovery_stream.json.tmp

MD5 5f5699fd1807c2f7e0232ac4bbcd4af8
SHA1 f3628e7d8f184db0950b3af2961e17ba58875dd3
SHA256 165dd4f4f10845fba987a1468f9f3548ba830c7d5b00b7234a216b5dc124e331
SHA512 8c6b6522bda4f51537f3149aacb6e4d94f42c9e283db5b8b3bb129e8faf93252f3eeb6980d3cb7853399ba0d8667faac8701e166c3c0d5acf3b0b233f68d67b3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\pending_pings\fbce5d8e-78af-4661-835f-000c133f5fc9

MD5 5e805efd75f0615d8db4fe647a81276b
SHA1 d343a49d1d241423b214657c6e6db2b1c8daeef3
SHA256 b64494289c362a63892bf1f42c693d1ddd97c0ca9a1a6516133b88fb60d0455a
SHA512 823feff019eb72eddcf99fb8821338631e936efc1932d41e71fa19a4c80bbc6e10f38cec634714b42981a09f553ccfefc09ab38a7e9c513f0224b5dc3406bd53

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\pending_pings\2e1a78d9-ff38-4842-89e2-3de45827ce50

MD5 39c3019cfd0160d443c2ec73dd393435
SHA1 daea382b00935b995afd2fa3665ec406a0ac34b7
SHA256 c82de96340a4b5ac0a18aaa3609db3b535689f06a376c1508f8ed4e564c411ba
SHA512 86efa9fc517bf5d5f40b404b7d991355fea779bfbefd3a98745f8128d7d65702e3000407dfc334b559e116325a89220ef9c9dbe49f30cfc1b72163238009c450

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\db\data.safe.tmp

MD5 2b50cb3019de9cb1b1591715127daf8c
SHA1 eb4726913029a69df5cd268fead0ebef801af0a3
SHA256 aa80be10d8764de66b8712d63691044840b52a1416b418ca2791b4f39d8eb50c
SHA512 2ead094b465168ea6b4de56be4f5172c6281c1c5828a6f0b3b2c72c591ce0e64e0f282a62b68d831247337b9a424654c5b866a53338a133f5601fc96b2818dc5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\db\data.safe.tmp

MD5 330f34c38ce3fcdcf81410b6ea1f8969
SHA1 f08a8d1a2b918f8e3f5a706ff55bec4d869d4401
SHA256 0d6402abb2f4e70cafa4ac7442fb70a3eb5eceed5671931966f26efdb13193e9
SHA512 a795407d1ccb7c0ba49ecb2d7a7a88f7feff66e3b0d14e1af6b433787662b3f1f3bd0d964bc2541b8777fc3a9a24b62d8250ebbca8ece6574d0c180a25ed4f13

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\AlternateServices.bin

MD5 a4bb2fc459eb868203e3942a70e85c24
SHA1 a543e28067f8edb4cef5d3913b9773ea0b30689f
SHA256 faa1d6db081dc0d591502a9aefa85a749d4596f71b064ae5c84cfdc6e3ec1e57
SHA512 d426d370537078e81b6b653ba40e28f53b7d51f15902a7fe6eea21d6d6e5f1f1b8a2b1bb623a046797f90d71961fd6f2eba22533b564417d0e4b9d3353c9f167

memory/1388-387-0x0000000000D00000-0x00000000018E0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\AlternateServices.bin

MD5 40acec14159623ec84c235ebadc1262d
SHA1 a97ac88fb4f299cd057c2aa4e040910066024990
SHA256 d4cf8cb8daf231e0a969063426216b3cb4d6b44f2f22cc094c9b81762325e968
SHA512 1a92d6811b125bbdffe839326c10f0a5b245e41abba33db0e1a519001247b627f9c9eb82e24de2af683b6b9eaa7a3a5bcef552b400c59fb7f2710415f56399d9

memory/4068-472-0x0000000000110000-0x00000000005AE000-memory.dmp

memory/4068-487-0x0000000000110000-0x00000000005AE000-memory.dmp

memory/4068-490-0x0000000000110000-0x00000000005AE000-memory.dmp

memory/4068-495-0x0000000000110000-0x00000000005AE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\db\data.safe.tmp

MD5 da6d3a39a12ecc3d36f6086460f3ae77
SHA1 f6a65131ed2e33ece008ccdc8237b963e4f5a46e
SHA256 a0f17a71153cd92d59e83eef0abf762918ae0ed055c5f2505cd284d870590388
SHA512 0e1924bf38d13e932f905e3e1d61715fcfa7cce440f0bb22b62b8058177ea0afc9eb7a84b0aed430d3da3f2ad4498e56cba6bbb483257b15932a7eb3cb7375f9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\prefs.js

MD5 1bacbfac62ee3d0a0540a3d60145f9d3
SHA1 bbf5da9a7e5281f72cc3ca3c18ef28d4c330d6e5
SHA256 f2e7786541eff4f89c605d1991573dae0a380dfc903088ed7ed42b44aa564d87
SHA512 458512f127f34ade886334d8821c580df7c2404eaf98eb18ff9e53e48f9674a48abbddad847456bd588d0b255e5c215875d991362b600d1365f3cbe5ab205635

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85t3rifc.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 05b00dc0bd178ffef259af152498aee4
SHA1 50a376bf5cf2f9f155e82ff13b436e995bae7268
SHA256 b45ff2edb090e1b77558f861263d2805fa83c5f2ee6a106fd60c7fff6777149d
SHA512 829812dbb46c765ba292056189a8aacd55a6fbd1a3092255f2e33456846a2da012302fb9a03afa13cc20d013ec123cbba64ebb65cc5ad1a34fef4fa23c42614e

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\prefs.js

MD5 6194a651765bcb7fe1f0d09d901bcba3
SHA1 1ac63f760ba2a8fc5729e4f8fef07c0a98e5bf95
SHA256 c43bce349cba60493a4a370aa2d951cf24a534f4c05659076da3576ebb5270f8
SHA512 8cea75f93025b43bdfc9e174618d7f0997f8fc09b1df6bea18667a9a049b80825354aba478a8477af3a1d9fea28563ef641b7f67b23302c6253d80d985b534d6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\db\data.safe.tmp

MD5 e102faa5863e7611abcb387d5f3caa42
SHA1 84a50ea48c7280fe9606691817bf87aeebbb3d20
SHA256 ce40be594d0fcf9bb5b70706da892bddb4bde789e86a5d43bf785df6de91f76c
SHA512 9e58ebdc04aeda216d7720c0a89f822fdf5b9eda75436675ba473d1cdae66d6853e15b49598eb504b2b435327b3f5ac741e1e3074bec4e75bcd78563b3633ac8

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 b4ddd173e88a12fd085ed9f72699cd55
SHA1 f8e6ef6de0fc1f4835565ccc2c063cd3763ad523
SHA256 1e69043306f5835fe885da3e4e51d295c575a81da411283092db05061e110ca6
SHA512 acb7b10521787100978ee00d64ff8f9cd63e0c3cca7cd2c052b5231708b8e0dc236a9ee725e21b762456177be9ba0815f4d50d32510787637c790c992751823f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\prefs-1.js

MD5 1b431b67464fcca27bdde1a9a2764595
SHA1 b12bf6bfedcd350e77c067b8a5036b2e63028eeb
SHA256 6a5133e976944cfe420cdbfdcc42c47ff9a5b3716724b74d7dcdafe89e0e41f8
SHA512 73eb051a3ce5dd45d8375a50b68dfc609a7740cf5fbde51a8eb9de47a330e671fef76d2e9ce10673a7fe7471fcfddb0529e969253aba0bcded008c4b6566f2e2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 964a7f6adf054b3ae5bfd6d5ffd6409e
SHA1 017618df5ad5bb65780dc12f4fd93f5d14e09f88
SHA256 b7456faa58189f310a0280f3134ea02079e713c659ee208fbd636ba71c80a254
SHA512 147a9f3f66593d1a5a55fc772d52f6059b0638fd67cbb6af70b9c85af59071e5608605f3e0aa9816844bb49332fee9fedbf7ea80ab0dfe8f86520976d40ea85e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 572c1ad4375dabeb89576bd32f92035b
SHA1 bd4a2b96a33f569c534ce2cc36b7b0a928652694
SHA256 d128609111a4a5641415d4c9c5a3465e8693b4adc754f11926bd0f2e12586a5d
SHA512 bd780326cfe69a471d9b001c9b76718ba5e4a56e76bc60b70abd57302971f351588ec1e8b9bd54bd3b2189f4fe2ad7087e9f020462d03f6095cc94e2ae401ae6

memory/4068-799-0x0000000000110000-0x00000000005AE000-memory.dmp

memory/4068-1650-0x0000000000110000-0x00000000005AE000-memory.dmp

memory/2052-1732-0x0000000000110000-0x00000000005AE000-memory.dmp

memory/2052-1881-0x0000000000110000-0x00000000005AE000-memory.dmp

memory/4068-2638-0x0000000000110000-0x00000000005AE000-memory.dmp

memory/4068-2642-0x0000000000110000-0x00000000005AE000-memory.dmp

memory/4068-2646-0x0000000000110000-0x00000000005AE000-memory.dmp

memory/4068-2647-0x0000000000110000-0x00000000005AE000-memory.dmp

memory/4068-2648-0x0000000000110000-0x00000000005AE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-09 22:44

Reported

2024-07-09 22:47

Platform

win11-20240709-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\KEBFHIJECF.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\KEBFHIJECF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\KEBFHIJECF.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\KEBFHIJECF.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\KEBFHIJECF.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
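The VirtualBox, BIOS, Wine and processor-information tables above all record registry reads, but only some of them are evasion: firefox.exe and the original sample read CentralProcessor values, which any program may do, while the dropped KEBFHIJECF.exe and explorti.exe probe the VBOX__ ACPI table, the BIOS version strings and the Wine key. The Python below, an added example that is not part of the sandbox report, parses rows in the "Description Indicator Process Target" layout and groups the evasion tells by process so that distinction is explicit. The rows are a constructed subset copied from those tables; the EVASION_TELLS mapping is this example's own assumption about which keys count as sandbox tells, based on the signature names in the report.

```python
"""
Group registry indicators from sandbox signature rows by process, separating
VM/sandbox tells from ordinary CPU discovery. Added example; SAMPLE_ROWS is a
constructed subset of the report's tables, EVASION_TELLS is an assumption.
"""
from collections import defaultdict

# Constructed subset of the "Description Indicator Process Target" rows above.
SAMPLE_ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\KEBFHIJECF.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\KEBFHIJECF.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe N/A
"""

# Description column values used by these tables; order does not matter here.
DESCRIPTIONS = ("Key value queried", "Key opened", "Key created", "File created")

# Assumption for this example: registry paths treated as sandbox/VM tells,
# taken from the signature names in the report (VirtualBox ACPI, BIOS, Wine).
EVASION_TELLS = {
    r"\ACPI\DSDT\VBOX__": "VirtualBox ACPI table",
    r"\System\SystemBiosVersion": "BIOS vendor string",
    r"\System\VideoBiosVersion": "video BIOS string",
    r"\Software\Wine": "Wine registry key",
}


def parse_row(line):
    """Split one row into description, indicator, process and target.

    The indicator may contain spaces (e.g. '...\\0\\Update Revision'), so the
    process path is taken from the last ' C:\\' token rather than by splitting.
    """
    for desc in DESCRIPTIONS:
        if line.startswith(desc + " "):
            rest = line[len(desc) + 1:]
            break
    else:
        return None
    rest, _, target = rest.rpartition(" ")   # Target column (N/A on these rows)
    idx = rest.rfind(" C:\\")
    if idx < 0:
        return None
    return {"description": desc, "indicator": rest[:idx],
            "process": rest[idx + 1:], "target": target}


def classify(indicator):
    """Return the evasion label for an indicator, or None if it is not a tell."""
    for suffix, label in EVASION_TELLS.items():
        if indicator.endswith(suffix):
            return label
    return None


def _image(row):
    return row["process"].rsplit("\\", 1)[-1]


def evasion_by_process(text):
    """Map process image name -> sorted list of evasion tells it touched."""
    out = defaultdict(set)
    for line in text.splitlines():
        row = parse_row(line.strip())
        if row and (label := classify(row["indicator"])):
            out[_image(row)].add(label)
    return {k: sorted(v) for k, v in out.items()}


def discovery_only(text):
    """Processes that read CentralProcessor keys but touched no evasion tell."""
    seen, flagged = set(), set()
    for line in text.splitlines():
        row = parse_row(line.strip())
        if not row:
            continue
        if classify(row["indicator"]):
            flagged.add(_image(row))
        elif "\\CentralProcessor\\" in row["indicator"]:
            seen.add(_image(row))
    return sorted(seen - flagged)


if __name__ == "__main__":
    for proc, tells in evasion_by_process(SAMPLE_ROWS).items():
        print(f"{proc}: {', '.join(tells)}")
    print("CPU discovery only:", ", ".join(discovery_only(SAMPLE_ROWS)))
```

On the full tables the same split holds: every VBOX__, BIOS and Wine access comes from KEBFHIJECF.exe or explorti.exe, the two images the sample dropped, while firefox.exe and the original sample appear only under CentralProcessor reads.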

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3748 wrote to memory of 4232 (3 rows) N/A C:\Users\Admin\AppData\Local\Temp\783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe C:\Windows\SysWOW64\cmd.exe
PID 3748 wrote to memory of 2244 (3 rows) N/A C:\Users\Admin\AppData\Local\Temp\783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe C:\Windows\SysWOW64\cmd.exe
PID 4232 wrote to memory of 3008 (3 rows) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\KEBFHIJECF.exe
PID 3008 wrote to memory of 4828 (3 rows) N/A C:\Users\Admin\AppData\Local\Temp\KEBFHIJECF.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4828 wrote to memory of 4400 (3 rows) N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\eeea85c6b1.exe
PID 4828 wrote to memory of 3616 (3 rows) N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe
PID 3616 wrote to memory of 4452 (2 rows) N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4452 wrote to memory of 1424 (11 rows) N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1424 wrote to memory of 4856 (33 rows) N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
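
The rows above describe one parent-to-child chain: sample → cmd.exe → KEBFHIJECF.exe → explorti.exe → {eeea85c6b1.exe, 0ab60d16e4.exe} → firefox.exe. The script below is an added example, not part of the sandbox report: it rebuilds that chain from rows in the table's own layout (copied from the table, with the number of times each identical row repeats) and narrows down which writes deserve attention. Two things to keep in mind when reading this signature: the sandbox records a write for every process a parent spawns, so the 11 firefox.exe → firefox.exe writes from PID 4452 and the 33 from PID 1424 are Firefox starting its own child processes (the Processes list names 1424 in every -contentproc command line), and the cmd.exe rows show C:\Windows\SysWOW64\cmd.exe although the command line asks for system32, which is WOW64 file-system redirection of a 32-bit caller. The one pair that stands out is 0ab60d16e4.exe (PID 3616) writing into the firefox.exe it launched against https://www.youtube.com/account. PIDs, image paths and counts come from the report; the helper names and the "Temp into Program Files" rule are this example's own.

```python
import re
from collections import Counter

# Constructed input: one line per parent/child pair from the report's
# "Suspicious use of WriteProcessMemory" table, paired with how many times
# that identical row repeats there.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe")
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
ROWS = [
    (f"PID 3748 wrote to memory of 4232 N/A {SAMPLE} C:\\Windows\\SysWOW64\\cmd.exe", 3),
    (f"PID 3748 wrote to memory of 2244 N/A {SAMPLE} C:\\Windows\\SysWOW64\\cmd.exe", 3),
    (f"PID 4232 wrote to memory of 3008 N/A C:\\Windows\\SysWOW64\\cmd.exe {TEMP}\\KEBFHIJECF.exe", 3),
    (f"PID 3008 wrote to memory of 4828 N/A {TEMP}\\KEBFHIJECF.exe {TEMP}\\ad40971b6b\\explorti.exe", 3),
    (f"PID 4828 wrote to memory of 4400 N/A {TEMP}\\ad40971b6b\\explorti.exe {TEMP}\\1000006001\\eeea85c6b1.exe", 3),
    (f"PID 4828 wrote to memory of 3616 N/A {TEMP}\\ad40971b6b\\explorti.exe {TEMP}\\1000010001\\0ab60d16e4.exe", 3),
    (f"PID 3616 wrote to memory of 4452 N/A {TEMP}\\1000010001\\0ab60d16e4.exe {FIREFOX}", 2),
    (f"PID 4452 wrote to memory of 1424 N/A {FIREFOX} {FIREFOX}", 11),
    (f"PID 1424 wrote to memory of 4856 N/A {FIREFOX} {FIREFOX}", 33),
]
EVENTS = [row for row, n in ROWS for _ in range(n)]  # back to one line per event

# Process and Target are both absolute paths and may contain spaces, so the
# split point is the second "C:\" rather than whitespace.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?) (C:\\.*)$")


def parse(events):
    """Collapse repeated rows into {(parent_pid, child_pid): count} and
    remember the image path seen for each PID."""
    edges, images = Counter(), {}
    for line in events:
        m = ROW_RE.match(line)
        if not m:
            continue  # not a WriteProcessMemory row
        ppid, cpid = int(m[1]), int(m[2])
        edges[(ppid, cpid)] += 1
        images.setdefault(ppid, m[3])
        images.setdefault(cpid, m[4])
    return edges, images


def roots(edges):
    """PIDs that write to others but were never written to: the chain's origin."""
    parents = {p for p, _ in edges}
    children = {c for _, c in edges}
    return sorted(parents - children)


def render_tree(edges, images, pid, depth=0, label="", out=None):
    """Indented parent -> child listing, one line per PID, annotated with
    how many writes the parent made into that child."""
    out = [] if out is None else out
    out.append(f"{'  ' * depth}{pid} {images[pid]}{label}")
    for (p, c), n in sorted(edges.items()):
        if p == pid:
            render_tree(edges, images, c, depth + 1, f"  <- {n} write(s) from {p}", out)
    return out


def temp_to_trusted(edges, images):
    """Writes from an executable under the user's Temp directory into a process
    under Program Files. Ordinary child spawns also appear as writes, so this
    only narrows the rows worth inspecting; it does not prove code injection."""
    return sorted((p, c, n) for (p, c), n in edges.items()
                  if "\\AppData\\Local\\Temp\\" in images[p]
                  and images[c].startswith("C:\\Program Files\\"))


if __name__ == "__main__":
    edges, images = parse(EVENTS)
    print("\n".join(render_tree(edges, images, roots(edges)[0])))
    print("Temp -> Program Files writes:", temp_to_trusted(edges, images))
```

The same parser works on the raw rows of any report in this layout; feeding it the full table instead of the counted subset gives identical results, since the collapse happens in `parse`.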

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe

"C:\Users\Admin\AppData\Local\Temp\783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KEBFHIJECF.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CFHIIEHJKK.exe"

C:\Users\Admin\AppData\Local\Temp\KEBFHIJECF.exe

"C:\Users\Admin\AppData\Local\Temp\KEBFHIJECF.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\eeea85c6b1.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\eeea85c6b1.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1932 -parentBuildID 20240401114208 -prefsHandle 1860 -prefMapHandle 1852 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c0f40b7-66e8-400a-a033-b677b1104667} 1424 "\\.\pipe\gecko-crash-server-pipe.1424" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2352 -parentBuildID 20240401114208 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12c59e7e-1b05-4f35-97b3-fca6f43bb5b7} 1424 "\\.\pipe\gecko-crash-server-pipe.1424" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3268 -childID 1 -isForBrowser -prefsHandle 3260 -prefMapHandle 3256 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {619b7741-5b81-4642-acd8-e8a26103d724} 1424 "\\.\pipe\gecko-crash-server-pipe.1424" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3856 -childID 2 -isForBrowser -prefsHandle 3848 -prefMapHandle 3844 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {823c3056-0611-432e-93e6-04c2d92300e0} 1424 "\\.\pipe\gecko-crash-server-pipe.1424" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4724 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4716 -prefMapHandle 4708 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {858266f4-34e4-46bf-9906-f311cd8f4992} 1424 "\\.\pipe\gecko-crash-server-pipe.1424" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 3 -isForBrowser -prefsHandle 5588 -prefMapHandle 5504 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74ce866a-10e4-4c1c-8f27-3e64e61c1b06} 1424 "\\.\pipe\gecko-crash-server-pipe.1424" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5740 -childID 4 -isForBrowser -prefsHandle 5820 -prefMapHandle 5816 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72da74e7-b6d3-4234-a354-2b30044b05f8} 1424 "\\.\pipe\gecko-crash-server-pipe.1424" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5728 -childID 5 -isForBrowser -prefsHandle 5956 -prefMapHandle 5960 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d411d599-28e5-4ed0-a6db-e1981ca315da} 1424 "\\.\pipe\gecko-crash-server-pipe.1424" tab

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
N/A 127.0.0.1:49871 tcp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
GB 142.250.187.206:443 www.youtube.com tcp
GB 142.250.187.206:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.188.166:443 contile.services.mozilla.com tcp
GB 142.250.187.206:443 youtube-ui.l.google.com udp
GB 216.58.201.110:443 youtube-ui.l.google.com tcp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
GB 216.58.201.110:443 youtube-ui.l.google.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
N/A 127.0.0.1:49878 tcp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
GB 142.250.200.14:443 youtube-ui.l.google.com tcp
GB 142.250.200.14:443 youtube-ui.l.google.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com tcp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 35.244.181.201:443 aus5.mozilla.org tcp
GB 142.250.200.46:443 play.google.com tcp
GB 142.250.200.46:443 play.google.com udp
GB 216.58.201.110:443 youtube-ui.l.google.com udp
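
Most of the Network table is Firefox talking to Mozilla and Google services after being launched against https://www.youtube.com/account, and that noise has to be separated from the sample's own traffic before anything is blocked or hunted for. The script below is an added example, not part of the report: it parses rows in the table's "Country Destination Domain Proto" layout and buckets them. Plaintext HTTP to a bare address, where the Domain column merely repeats the IP, is the pattern of the three Russian-hosted endpoints (85.28.47.30, 77.91.77.81, 77.91.77.82) and yields the C2 candidate list; the reverse lookup 30.47.28.85.in-addr.arpa is cross-referenced against that list; loopback and DNS rows are kept apart. The rows embedded below are a subset copied from the table, and the BROWSER_NOISE suffix list is an assumption of this example rather than anything the report states.

```python
import ipaddress

# Constructed input: a subset of the rows in the report's Network table,
# in the table's own "Country Destination Domain Proto" layout.
NETWORK = """\
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 push.services.mozilla.com udp
N/A 127.0.0.1:49871 tcp
GB 142.250.187.206:443 www.youtube.com tcp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com tcp
"""

# Assumption of this example: domains Firefox itself contacts after being
# launched against a youtube.com URL. Extend it for your own environment.
BROWSER_NOISE = (
    ".mozilla.com", ".mozilla.net", ".mozilla.org", ".mozaws.net", ".mozgcp.net",
    ".google.com", ".youtube.com", ".gvt1.com", ".getpocket.com", ".openh264.org",
)


def parse_network(text):
    """Yield (country, ip, port, domain, proto). Loopback rows have no Domain
    column and therefore only three fields."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            country, dest, domain, proto = fields
        elif len(fields) == 3:
            country, dest, proto = fields
            domain = ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        yield country, ip, int(port), domain, proto


def is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def ptr_target(name):
    """'30.47.28.85.in-addr.arpa' -> '85.28.47.30'; None for other names."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    return ".".join(reversed(name[: -len(suffix)].split(".")))


def triage(text):
    """Bucket each row: direct-to-IP plaintext HTTP (C2 candidates), DNS
    lookups, reverse lookups of a C2 candidate, browser noise, loopback, rest."""
    buckets = {k: set() for k in
               ("direct_ip", "dns", "ptr_of_direct_ip", "browser_noise", "loopback", "review")}
    for country, ip, port, domain, proto in parse_network(text):
        if ipaddress.ip_address(ip).is_loopback:
            buckets["loopback"].add(f"{ip}:{port}")
        elif port == 53:
            buckets["dns"].add(domain)
        elif is_ip(domain) and port == 80:
            buckets["direct_ip"].add(f"{ip}:{port}")
        elif domain.endswith(BROWSER_NOISE):
            buckets["browser_noise"].add(domain)
        else:
            buckets["review"].add(f"{domain} ({ip}:{port})")
    # A PTR query for one of the direct-IP endpoints is itself worth noting.
    direct = {d.rsplit(":", 1)[0] for d in buckets["direct_ip"]}
    for name in buckets["dns"]:
        if ptr_target(name) in direct:
            buckets["ptr_of_direct_ip"].add(ptr_target(name))
    return {k: sorted(v) for k, v in buckets.items()}


def c2_candidates(text):
    """The block/hunt list: unique ip:port pairs contacted directly over HTTP."""
    return triage(text)["direct_ip"]


if __name__ == "__main__":
    for bucket, items in triage(NETWORK).items():
        print(f"{bucket}: {items}")
```

Anything left in the `review` bucket is what a human still has to look at; on this report's rows it is empty, which is the point of the exercise.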

Files

memory/3748-0-0x0000000000C40000-0x0000000001820000-memory.dmp

memory/3748-1-0x000000007F3B0000-0x000000007F781000-memory.dmp

memory/3748-2-0x0000000000C40000-0x0000000001820000-memory.dmp

memory/3748-3-0x0000000000C40000-0x0000000001820000-memory.dmp

memory/3748-4-0x0000000000C40000-0x0000000001820000-memory.dmp

memory/3748-5-0x000000007F3B0000-0x000000007F781000-memory.dmp

memory/3748-6-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/3748-78-0x0000000000C40000-0x0000000001820000-memory.dmp

memory/3748-82-0x0000000000C40000-0x0000000001820000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KEBFHIJECF.exe

MD5 8c6765fe39a0cf9b8c2ed1fb8649be1c
SHA1 1308a16f47a014b4fe35573d944f69629fbc1255
SHA256 d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0
SHA512 c418c281aba4c5e7c5f58a453b7dac2e42b154572b71ff5ebb1ffd25d94d2d67302a52fdd10786dddeab204bac7f09e27e95d5f8d9f7fe4383ccd630b1948e87

memory/3008-86-0x0000000000390000-0x000000000082E000-memory.dmp

memory/3008-98-0x0000000000390000-0x000000000082E000-memory.dmp

memory/4828-100-0x0000000000240000-0x00000000006DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\eeea85c6b1.exe

MD5 e43a0ac327404f3008b679e0b1293c6b
SHA1 9a2461c520ccc44840c1bd041467ce084dadab51
SHA256 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913
SHA512 804d187c5b62ada2a6d9ad922ce7042c66a0e2110b2cac7c223fcf37b0af3e514bdf37d08eac83972c21968833cd563bc3eb6099ed95df01e45039078b36d58d

memory/4400-116-0x0000000000FC0000-0x0000000001BA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\prefs.js

MD5 53ecfc28a9ba6360533839c407c5130a
SHA1 67064166c4648d855dcb78c27d3ddede8225e657
SHA256 e31e9683225a2a701a5eef525fc0c00bcba0f1314ca46f860bcf7b374be0803c
SHA512 b110fac63d0712922ce7c073ac4d483b10186634c7dacd3786e915fca7a44ffe7c12ce559a6069e5a288722d3428000264ce93dbf9c2df52145b8623b1c90fde

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\activity-stream.discovery_stream.json.tmp

MD5 751fc8c8739b847594b90d02611fb2fc
SHA1 0f14f2c0096ee7548b1a9229be1ac78d3341c009
SHA256 bf0fac13b99d55aa8656da4997cdd728e82fff0e909b48782bc8c34977a510a0
SHA512 3033def83c11490067026e37c4e6853d1aa7e69d0a3386d63075b4ecd32841e6f303a9e8a540e5da27a8ca7346260d0000face51e82086d694d3891ca79fa29a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\pending_pings\e245a087-6865-493f-a39b-10a207b6b84e

MD5 a1a8d0290cff3f4ab13eab00f7587f23
SHA1 b356e0bd3e81fa10cbb6c308cf8fbf852bd88fb1
SHA256 64964c529473d208062d39286df7fac9f6309dc51be7c428b43388b55dd41c58
SHA512 34667a09f1a768d1798784933710d775579b6545eee3e127a8acd9b37e483bdaf93648595337961b18ae11763f3c2e243c525d0287734bd4e57d5d0b15bde4d5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\pending_pings\4e08504b-0201-44b1-920f-ec6f23e36d77

MD5 436b4664a39da460c7e17573b9a51fd2
SHA1 823f866978185f96e73d272516395e1cf987a69a
SHA256 85c72534fdd5e2c322de5f3f65f9865e3ed23314b5135fcca1e3022d7960f8e2
SHA512 b3186db18757dc12ee4d06a38e35a41a4dd1338db0ee0772ba6820d0f0f9bd6a287c5a98b881a107eb0704f1a060eb7bd56e0eda976081d9ed4a90621af7c6b0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

MD5 a5fc44cbe83ba74756fa8c9729102972
SHA1 127c597c644e3f86d3e37b37f7bb7f3f395154fd
SHA256 7caf905e613052ee8261075402d6d2fc891be9a942c88fdd577925d06dcf0b9b
SHA512 6ba3c96dd3aed6fb3b1e01c52880c2dd863313f49a6a64a2b5b43f8a83e6f1e20d7abadbbbbd968fdbdcebd8d742f78998c3d37a3e6fcf3036b992d1b7b8e76b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

MD5 f3c3cb7402aed31485f8142f0e1a25a8
SHA1 4cb0702439143b9b5b746c386fa793cf46c60e2c
SHA256 e4a26944b2dfd6c8f32fc0dcaa0ab98d22a69c12d13f2757c7ae0b6ae5ed9dc1
SHA512 5f972f49ac9ae3b746a55332d3b56cc03aaf096f362efb0bebfca906c87798830133915794346e0142f3e22ba6804750f69518db02c430d71103a320dd135ecf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\AlternateServices.bin

MD5 9d4b20c757216226a6527f8497a8f8e1
SHA1 3a377c62f1729836117859152216093eba0d4041
SHA256 f5444789c98741f3d12ec323424fd36d4eab0ea1f30121821e61faf05192eefa
SHA512 9180145c505dcf7e44b47466bf013904a1529f594e0c08a6731201e355a491d02c8d3568a4de5b603a77f794e319e0401c8419d49fb86492e48163827d7e9602

memory/4400-429-0x0000000000FC0000-0x0000000001BA0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

MD5 6883cf227a2bb2b576b8019e2ae9857a
SHA1 3c3bc6efa00fc18058aa38de73b2765b6a27aa25
SHA256 639823f7acd6b99220085bd47f9aacef50bbefffd91777113f6f9d9dadb2d090
SHA512 d60b83825bc377a38e69a162bcbb8c780ecc06690634999138ea75acf5d81d80287eb8e0fe9b0371d81f277f06c2bc3f5c74a8765530d6a683c3b691c943d5ae

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\prefs-1.js

MD5 960d72938c9e5d43e0c625d97e6004a8
SHA1 a5c030d5f773e44cb102ab0bfd40d42aa3e432a7
SHA256 7d9e45121f095c7f9d5d88321e27548da1e4ad563b15614c00106b200476114a
SHA512 d59f992fb4e0403352884077a34ddbaaabdfc88df2f4c3dbdfd012f550fa4643e35c12a488bc34c75f6cbd1d1ffe4a53f48abe7b19154bbd23597215c8a841a5

memory/4828-450-0x0000000000240000-0x00000000006DE000-memory.dmp

memory/4828-471-0x0000000000240000-0x00000000006DE000-memory.dmp

memory/4828-472-0x0000000000240000-0x00000000006DE000-memory.dmp

memory/4828-477-0x0000000000240000-0x00000000006DE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

MD5 f22810c356d7fe0625835c6ca3d95a4f
SHA1 fb58180f7f59192c2b2bd26974788a6bd3146932
SHA256 f8ca9276c0ab44562c048e07ce4e701ae32b66a061912ccb076176537334dcdc
SHA512 a782a846d8f44b858a50dc507987676bfdc0bff9e91e86fcf9254de75a0e7792d4e282086437e8c4c6d3b452332001d8127027acfe4d0b6f0bc543e8a29b9a29

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 9dc91611a3bac0bb665853aced5fe43d
SHA1 43da1d979011904db6dc795c849b7bccab4129de
SHA256 078d2938a2aa9cde2618d8e6d54c67299f6e4ad1a8f05fd9bcb769b19400a1ba
SHA512 1afaae87beb50beea671269685d7200b99ada4391751919c2cb3349270ff96ded8cb03156e58e10b6aabbbb744b10c7a9e3c6432e0e8c0a558b94075b0c5c412

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\prefs-1.js

MD5 328b05c2b42841899787564245269ebb
SHA1 eab183acd2a9bcd45d3ffa7596f08a7663643edc
SHA256 cf748c668cbb0f24d35dd631fd06e0be5120b6ddd03e6e042444ccba7f62eeeb
SHA512 c30d3dfda8fa760ead410c07e968510ae58a4a3b60068b6902b2dcf5af31f03b940af0ae8bb9a9cfa39f055536e0d508fba757ef6f9c3a4706e19555da0d55a8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 b84b898fa53079cb4a4e03c84f813c4f
SHA1 504b97a706e06256a5047ceee6a339de7981dc47
SHA256 c7233da672e8c47ca4098dbee91ad405e96ab5207e99c4be17954707a1f152e8
SHA512 e36dfdf19418c1dcb209b23128485197e9a79c24921505bc422bef5b50224904714ee43df7893b5bcfe1950bea02ea602d69055f315050a7ff4987359ac305d9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

MD5 a9842afb008cadbe42b5c710eb33f7b6
SHA1 056063dad03a35e517c1c7cbb4cb163a49b82b01
SHA256 d604e8da86e8e5aa8ad638c2a57463168c026daf17e2cebed772e49f6908ab1e
SHA512 d7781d0d1f3538b9d267cbd30b7adbe8b645f39704f0cf8624a21511703e7732e38697069b722f831f0808dab8acbf550ae28c70797eea0bf9496b6369841fda

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 cef48e279a547a6fe0bb8c7955647b42
SHA1 ab40a8c863e60cce72af428fd026cbc3fe7a4366
SHA256 3a5419fafdf55dc380a193368a69f4c4ef615bc41930448de132407f56ab3df6
SHA512 54b4791a1d7c40864a42f2dbe6309e37da8fc9f5475020629ff9cf08da1b163b996e449cb8fd64759ee826e5831e4704fac90f9ee01a27b56044512ae66b51b6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\prefs-1.js

MD5 dc78bacee563a2187f0803f9e0626e26
SHA1 aef9af80af3065620b76dee6050a699ece3f7b4f
SHA256 5c550bf2b2931a7182ae821538adac22f956e64c4e2f205e56224aece8ba68f7
SHA512 6e4f175462aa8230697b62b296c9ce45e204fdde59f6f2b0eb93e444d6c3da44970323187432c85969406d25ef58e836ca93057602ff7cccea94640dff6f2f94

memory/4828-1412-0x0000000000240000-0x00000000006DE000-memory.dmp

memory/4828-2654-0x0000000000240000-0x00000000006DE000-memory.dmp

memory/2108-2656-0x0000000000240000-0x00000000006DE000-memory.dmp

memory/2108-2666-0x0000000000240000-0x00000000006DE000-memory.dmp

memory/4828-2667-0x0000000000240000-0x00000000006DE000-memory.dmp

memory/4828-2673-0x0000000000240000-0x00000000006DE000-memory.dmp

memory/4828-2677-0x0000000000240000-0x00000000006DE000-memory.dmp

memory/4828-2678-0x0000000000240000-0x00000000006DE000-memory.dmp

memory/4828-2679-0x0000000000240000-0x00000000006DE000-memory.dmp

memory/4828-2680-0x0000000000240000-0x00000000006DE000-memory.dmp
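
The Files section mixes three kinds of artifact: memory dumps, Firefox profile churn (the same data.safe.tmp and prefs-1.js paths appear several times with different hashes as the browser rewrites them) and the dropped binaries that are the actual indicators. Two details are worth pulling out. eeea85c6b1.exe, written to the 1000006001\ directory, has the same SHA256 as the submitted sample, so the loader downloaded a byte-identical copy of itself; and nss3.dll and mozglue.dll, Mozilla's own libraries, are written to C:\ProgramData, which is what a stealer needs in order to decrypt Firefox credential stores. The script below is an added example, not part of the report: it parses a subset of the section in the page's layout (path, blank line, hash lines; SHA1 and SHA512 lines are omitted here but accepted by the parser) and derives the dropped-binary IOC list, the self-copy and the rewritten paths. The function names are this example's own.

```python
import re
from collections import defaultdict

SAMPLE_SHA256 = "783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913"

# Constructed input: a subset of the report's Files section in its own layout.
FILES = r"""
memory/3748-0-0x0000000000C40000-0x0000000001820000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

C:\Users\Admin\AppData\Local\Temp\KEBFHIJECF.exe

MD5 8c6765fe39a0cf9b8c2ed1fb8649be1c
SHA256 d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0

C:\Users\Admin\AppData\Local\Temp\1000006001\eeea85c6b1.exe

MD5 e43a0ac327404f3008b679e0b1293c6b
SHA256 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913

C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

MD5 a5fc44cbe83ba74756fa8c9729102972
SHA256 7caf905e613052ee8261075402d6d2fc891be9a942c88fdd577925d06dcf0b9b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

MD5 f3c3cb7402aed31485f8142f0e1a25a8
SHA256 e4a26944b2dfd6c8f32fc0dcaa0ab98d22a69c12d13f2757c7ae0b6ae5ed9dc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")


def parse_files(text):
    """Return [{'path': ..., 'md5': ..., 'sha256': ...}, ...] in page order.
    Any non-blank line that is not a hash line starts a new entry, so the
    blank line between a path and its hashes is harmless and memory dumps
    become entries without hashes."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and entries:
            entries[-1][m[1].lower()] = m[2].lower()
        else:
            entries.append({"path": line})
    return entries


def matches_sample(entries, sha256=SAMPLE_SHA256):
    """Paths whose SHA256 equals the submitted sample: a dropped self-copy."""
    return [e["path"] for e in entries if e.get("sha256") == sha256]


def dropped_binaries(entries):
    """Executables and DLLs written outside the Firefox profile: the dropped-file
    IOCs. Profile content (prefs, caches, Firefox's own GMP plugins) is excluded."""
    out = []
    for e in entries:
        p = e["path"]
        if p.startswith("memory/") or "\\Mozilla\\Firefox\\Profiles\\" in p:
            continue
        if p.lower().endswith((".exe", ".dll")):
            out.append((p, e.get("sha256")))
    return out


def rewritten_paths(entries):
    """Paths listed more than once with different content: rewrites during the
    run (here browser profile churn), not separate dropped artifacts."""
    seen = defaultdict(list)
    for e in entries:
        if "sha256" in e and e["sha256"] not in seen[e["path"]]:
            seen[e["path"]].append(e["sha256"])
    return {p: h for p, h in seen.items() if len(h) > 1}
```

Running `dropped_binaries(parse_files(FILES))` on the full section gives the five hashes to push to a blocklist; everything under the Firefox profile and every memory dump is left out of that list by design.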