Malware Analysis Report

2024-11-13 16:47

Sample ID 240709-3ebm5atfpf
Target d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d
SHA256 d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d
Tags
amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d

Threat Level: Known bad

The file d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d hate discovery evasion spyware stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Identifies Wine through registry keys

Reads user/profile data of web browsers

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Reads data files stored by FTP clients

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-09 23:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-09 23:25

Reported

2024-07-09 23:27

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\KJEHDHIEGI.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\KJEHDHIEGI.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\KJEHDHIEGI.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KJEHDHIEGI.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\KJEHDHIEGI.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
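The three evasion signatures above record which registry locations the sample probes before it does anything stealer-like: the VirtualBox ACPI table key, the Wine key under the user hive, and the System/Video BIOS version strings. The script below is an added example, not code from the report or from the sample. It replays those probes against a registry snapshot so an analyst can check whether a sandbox image would trip them, and reads the live registry when run on Windows. The hypervisor marker strings it looks for in the BIOS values are an assumption: the report shows that the values were queried, not what the sample compares them against.

```python
"""Replay the registry probes this sample uses for sandbox/VM detection.

Added example, not code from the report or the malware. Key paths come from
the report's 'Identifies VirtualBox via ACPI registry values', 'Checks BIOS
information in registry' and 'Identifies Wine through registry keys'
signatures; BIOS_MARKERS is an assumption (see below).
"""
import sys

# Key paths exactly as recorded in the report, with hive prefixes added.
VBOX_ACPI_KEY = r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"
WINE_KEY = r"HKCU\Software\Wine"
BIOS_VALUES = (
    r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
)
# Assumed hypervisor markers: common in public anti-VM code, NOT taken from this sample.
BIOS_MARKERS = ("VBOX", "VIRTUALBOX", "QEMU", "BOCHS", "VMWARE", "VIRTUAL")


def evasion_hits(snapshot):
    """Return the names of the sample's checks that would fire on `snapshot`.

    `snapshot` maps a registry key or value path to its data: a key that merely
    exists maps to None, a REG_SZ/REG_MULTI_SZ value maps to a string or a list
    of strings. Paths missing from the snapshot are treated as absent.
    """
    hits = []
    if VBOX_ACPI_KEY in snapshot:          # key existence is enough to betray VirtualBox
        hits.append("vbox_acpi_dsdt")
    if WINE_KEY in snapshot:               # key existence is enough to betray Wine
        hits.append("wine")
    for path in BIOS_VALUES:
        data = snapshot.get(path)
        if data is None:
            continue
        parts = data if isinstance(data, (list, tuple)) else [data]
        blob = " ".join(str(p) for p in parts).upper()
        if any(marker in blob for marker in BIOS_MARKERS):
            hits.append("bios:" + path.rsplit("\\", 1)[1])
    return hits


def live_snapshot():
    """Read the same paths from the local registry (Windows only)."""
    if sys.platform != "win32":
        raise OSError("live_snapshot() needs the Windows registry")
    import winreg

    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap = {}
    for key_path in (VBOX_ACPI_KEY, WINE_KEY):
        root, sub = key_path.split("\\", 1)
        try:
            with winreg.OpenKey(roots[root], sub):
                snap[key_path] = None
        except OSError:
            pass
    for val_path in BIOS_VALUES:
        root, rest = val_path.split("\\", 1)
        sub, name = rest.rsplit("\\", 1)
        try:
            with winreg.OpenKey(roots[root], sub) as key:
                snap[val_path] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            pass
    return snap


# Constructed snapshots: a stock VirtualBox guest and one whose DMI/BIOS strings were changed.
VBOX_GUEST = {
    VBOX_ACPI_KEY: None,
    BIOS_VALUES[0]: ["VBOX   - 1"],
    BIOS_VALUES[1]: ["Oracle VM VirtualBox VBE Adapter"],
}
HARDENED_GUEST = {
    BIOS_VALUES[0]: ["LENOVO - 1"],
    BIOS_VALUES[1]: ["Intel Video BIOS"],
}

if __name__ == "__main__":
    print("vbox guest :", evasion_hits(VBOX_GUEST))
    print("hardened   :", evasion_hits(HARDENED_GUEST))
    if sys.platform == "win32":
        print("this host  :", evasion_hits(live_snapshot()))
```

Running it on the analysis VM itself (`evasion_hits(live_snapshot())`) is the practical check: if the list is non-empty, an Amadey-family sample with these probes may exit before it drops `explorti.exe`, and the detonation will look cleaner than the malware really is. Note that the ACPI and Wine checks are pure key-existence tests, so renaming BIOS strings alone does not hide a VirtualBox guest.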

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\KJEHDHIEGI.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A 8
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A 21
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A 35
(identical consecutive rows collapsed; Count is the number of occurrences in the original order)

Suspicious use of SendNotifyMessage

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A 8
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A 20
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A 36
(identical consecutive rows collapsed; Count is the number of occurrences in the original order)

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 4004 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4004 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe C:\Windows\SysWOW64\cmd.exe 3
PID 2640 wrote to memory of 3408 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\KJEHDHIEGI.exe 3
PID 3408 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\KJEHDHIEGI.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe 3
PID 3080 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\e1010ef8e3.exe 3
PID 3080 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe 3
PID 2436 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe C:\Program Files\Mozilla Firefox\firefox.exe 2
PID 2812 wrote to memory of 4360 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 11
PID 4360 wrote to memory of 4216 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 33
(identical consecutive rows collapsed; Count is the number of occurrences in the original order)
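The WriteProcessMemory rows are the most useful part of the report for reconstructing who launched what: each "PID A wrote to memory of B" row links a parent to a child it has just created (a parent writing a handful of times into a freshly created child is the pattern ordinary process creation produces, so these rows describe the spawn chain rather than injection into a foreign process). The script below is an added example, not part of the report; it parses rows in the report's own one-line format, collapses the repeats into counted edges and prints the chain as an indented tree. ROWS is a constructed subset of the table above.

```python
"""Rebuild the spawn chain from the report's 'Suspicious use of WriteProcessMemory' rows.

Added example, not part of the report. ROWS is a constructed subset of the
rows in the table above, in the report's own one-line-per-event format.
"""
import re
from collections import Counter, defaultdict

# "PID <src> wrote to memory of <dst> N/A <src path> <dst path>"; paths may contain
# spaces, so the two non-greedy groups split on the first ".exe " boundary.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+?\.exe)$")

ROWS = r"""
PID 4004 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe C:\Windows\SysWOW64\cmd.exe
PID 4004 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe C:\Windows\SysWOW64\cmd.exe
PID 4004 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 3408 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\KJEHDHIEGI.exe
PID 3408 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\KJEHDHIEGI.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 3080 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\e1010ef8e3.exe
PID 3080 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe
PID 2436 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2812 wrote to memory of 4360 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4360 wrote to memory of 4216 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
"""


def parse_rows(text):
    """Parse report rows into (src_pid, dst_pid, src_path, dst_path) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError("unrecognised row: " + line)
        src, dst, src_path, dst_path = m.groups()
        rows.append((int(src), int(dst), src_path, dst_path))
    return rows


def build_tree(rows):
    """Collapse repeated rows into parent->children edges with write counts."""
    children = defaultdict(set)
    names = {}
    counts = Counter()
    for src, dst, src_path, dst_path in rows:
        children[src].add(dst)
        names.setdefault(src, src_path)
        names.setdefault(dst, dst_path)
        counts[(src, dst)] += 1
    return children, names, counts


def roots(rows):
    """PIDs that only ever appear as a writer, i.e. the top of each chain."""
    targets = {dst for _, dst, _, _ in rows}
    return sorted({src for src, _, _, _ in rows} - targets)


def render(rows):
    """Indented text tree: one line per PID, write count on each edge."""
    children, names, counts = build_tree(rows)
    lines = []

    def walk(pid, depth, writes):
        base = names[pid].rsplit("\\", 1)[-1]
        suffix = f" (x{writes} writes)" if writes else ""
        lines.append("  " * depth + f"{pid} {base}{suffix}")
        for child in sorted(children.get(pid, ())):
            walk(child, depth + 1, counts[(pid, child)])

    for root in roots(rows):
        walk(root, 0, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(parse_rows(ROWS)))
```

On the subset above the tree is: the submitted sample spawns two `cmd.exe` instances (2640 and 4100, the `/c start` launchers from the Processes section), 2640 starts `KJEHDHIEGI.exe`, which starts `explorti.exe`, which in turn runs the two downloaded payloads `e1010ef8e3.exe` and `6728fd7bd0.exe`; everything below `6728fd7bd0.exe` is Firefox launching its own child processes. Fed the full table it gives the same shape with the real counts.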

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe

"C:\Users\Admin\AppData\Local\Temp\d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KJEHDHIEGI.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FHCGCFHDHI.exe"

C:\Users\Admin\AppData\Local\Temp\KJEHDHIEGI.exe

"C:\Users\Admin\AppData\Local\Temp\KJEHDHIEGI.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\e1010ef8e3.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\e1010ef8e3.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 25755 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {548b8f68-8d08-4582-b5d2-448ae5df9991} 4360 "\\.\pipe\gecko-crash-server-pipe.4360" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 26675 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c522d834-821f-41c7-b07a-2eb0fd87d481} 4360 "\\.\pipe\gecko-crash-server-pipe.4360" socket

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3232 -childID 1 -isForBrowser -prefsHandle 3216 -prefMapHandle 3224 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc54406a-1b89-4c68-a282-8b392bb20efe} 4360 "\\.\pipe\gecko-crash-server-pipe.4360" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3668 -childID 2 -isForBrowser -prefsHandle 3660 -prefMapHandle 1260 -prefsLen 31165 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a0d8942-953f-4173-a1f5-107968e645a0} 4360 "\\.\pipe\gecko-crash-server-pipe.4360" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4572 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4564 -prefMapHandle 4560 -prefsLen 31165 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9d59616-82fd-4394-82ab-b22457ba7b1f} 4360 "\\.\pipe\gecko-crash-server-pipe.4360" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5312 -childID 3 -isForBrowser -prefsHandle 5308 -prefMapHandle 5276 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23b4614e-d9e7-4eba-8307-f5671ad0920a} 4360 "\\.\pipe\gecko-crash-server-pipe.4360" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5536 -childID 4 -isForBrowser -prefsHandle 5452 -prefMapHandle 5440 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df4d087f-521b-4009-b469-595a39eb8826} 4360 "\\.\pipe\gecko-crash-server-pipe.4360" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4564 -childID 5 -isForBrowser -prefsHandle 5664 -prefMapHandle 5668 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a86f973-2613-43b9-8d31-a386fe7fa2fa} 4360 "\\.\pipe\gecko-crash-server-pipe.4360" tab

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
N/A 127.0.0.1:54459 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.187.238:443 www.youtube.com tcp
GB 142.250.187.238:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 52.33.222.107:443 shavar.prod.mozaws.net tcp
US 34.117.188.166:443 spocs.getpocket.com tcp
US 34.117.188.166:443 spocs.getpocket.com tcp
GB 142.250.187.238:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
GB 216.58.201.110:443 consent.youtube.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 107.222.33.52.in-addr.arpa udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
N/A 127.0.0.1:54467 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com udp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
GB 216.58.201.110:443 consent.youtube.com udp

Files

memory/4004-0-0x0000000000B70000-0x000000000175D000-memory.dmp

memory/4004-1-0x000000007F770000-0x000000007FB41000-memory.dmp

memory/4004-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/4004-50-0x0000000000B70000-0x000000000175D000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/4004-79-0x0000000000B70000-0x000000000175D000-memory.dmp

memory/4004-80-0x000000007F770000-0x000000007FB41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KJEHDHIEGI.exe

MD5 e8dd22ee36d1c52d657cf17d1cb7d3ef
SHA1 173c7859c41f254327d08351f17569b2ee6b9e00
SHA256 60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16
SHA512 37636a17778b5bf2d531e20f05601541e6ac4a4e0e973149bd2e4fb08324077dfbab5c1c848b81895f2e657113c5290604ffe6c59e783a3c443827a53e837fd9

memory/3408-84-0x0000000000730000-0x0000000000BE9000-memory.dmp

memory/3080-98-0x00000000006A0000-0x0000000000B59000-memory.dmp

memory/3408-97-0x0000000000730000-0x0000000000BE9000-memory.dmp

memory/3080-99-0x00000000006A0000-0x0000000000B59000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\e1010ef8e3.exe

MD5 1552573045f153aa7269a30d3a1dd151
SHA1 d07f6a1ffcc0bd98a80ba1d5574425a2bd1d3d23
SHA256 d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d
SHA512 8301e552f8d1019bfc9e85d6249e329b767b95b7092d537129665d96ba62427b7a806c97b97ce0f314cd34a7675852b3f553519b03304bd12831eafeac446460

memory/1696-115-0x0000000000CA0000-0x000000000188D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

memory/3080-134-0x00000000006A0000-0x0000000000B59000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\prefs.js

MD5 35b70d6d082c4d8ad2caabe9883895fc
SHA1 84bf2e554c0fc4fde0def0a94d509605ec15ffaf
SHA256 79ee22834a66a7ac9b76b7b43a0cba5938d29a0906a0d27d87d0874ef8c43e40
SHA512 6d6d4d80af9b9389be49c3211bdda9670a96a2fca00248f8dfe5254dcebd9a2f61260551c1abd9f9442aea77e2fbec5ce05da4e0d01373b7bca780c5d9c941e5

memory/4940-144-0x00000000006A0000-0x0000000000B59000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4cs2motb.default-release\activity-stream.discovery_stream.json.tmp

MD5 1df1250c05332416621b397d94ac6f33
SHA1 7eeaa8a16f461590976eff10bc6970e39aea8f05
SHA256 bc5ac04f768bc530a50e820d444e21a5174764f97e4a6c912d0c7c4e428e21c5
SHA512 9252c9d388234aa81a8ba2d0f2c5e56730cdd77b64ecfa09a119a4d87e8746b08c42fb69f6dade8eb84dad1fd140705fba61dd443545d41d0ed6bd638424d616

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\7559e813-6b52-498b-8909-90fb0ec7dee5

MD5 d0d2ee8209d4714d6ef55633d109a8fa
SHA1 626e2ba8af31cbecd43b26dff02a53fb26f48a68
SHA256 1b69fec1437d4d0691b8752673a5aa9846001db9831a331fe7d215568b6ffdb1
SHA512 a4060fecf3147f2fabc87ea5e61c9c512b27fc6b256770d18b67f996dc51cfa0765e86fd8f2294486e3b4e704447c5acee333c3a35bf9360a2339fad96a6627b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\51c4944b-f924-4921-978a-8a694102e6c2

MD5 bb48e4d9b4ae1fd2d9b289d7fb19719c
SHA1 2438607ffafd4ac4788d86836d33a4b78c765e91
SHA256 060338d0447ea2344beb10da494ff06c158ff3d50b538a915ef07342c2463b10
SHA512 70af85081674f88a790d7f312a17017eaa9f6fc0542be5c5d199c764c3f68aa99f78bea90988a7e5c5de9509616c45f525619b2052621d13a070512da1e7e34b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp

MD5 644a3cb25ba72f642bb1c26bc42db894
SHA1 17de6fbfb487d83e5cd22104daf5c17917fd9627
SHA256 698763cbae117c75a366d19c72c7e6f9704e2b3cda2b4f161d796f06c4604096
SHA512 65856e339147936db052210ff5d1c368c9279f1efbf453da953ecdfc80f883c8e4fc2f6dc5ee4cdf8275871866a4a30c89b809e3114921cfc3cfa966c6a3b5ed

memory/1696-348-0x0000000000CA0000-0x000000000188D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp

MD5 e9ed2bdf3574c9bbede09534463c6683
SHA1 3b26c22896915a2635f1d619b7e98ce54f21d3b9
SHA256 9f166776e93988e0525e2230da78e71c25f96b185e52bd9477201256c70f85b9
SHA512 78bb9c27610aa3e6ad07651439359814e92432ec6a71a6a6b2c37bdd7f29c72aaee44a3679b7bc391706a16526996f0afbb6e5a88559adc7297eea1bf747d4c3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp

MD5 fa3eef5126e73d2450a318aa594d65af
SHA1 1023d20a0d40a656086f7cb5ee6d36f228d4d1b9
SHA256 cd9904f7775ae52e1ee218b78f3b9a315111c3aaa7fa9849c8f299a7322beedf
SHA512 be0dc2a01e72559726dc01e1c39affd31ab32173e759460a1323e0cd702679fa5ca788a9a493db59ee2324933f692659e3d3a7d0f2b96cd4f92b7a7e044b9312

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\AlternateServices.bin

MD5 4947083034c9a2f86fc1e10ba43ccc08
SHA1 cbedbb5a50c2b1b7d317c758e177aac62478cad3
SHA256 c91863614b7f5be79577d5bdc4181144f24c34fb3155890f804aad85b0be3b52
SHA512 9025d2c15598d1a1420226a499304c2090d71fe82eaaa81cd6a23401d54234bc14ee5e4dbd95904827ce1030211bb6dd7e918343395ee83a3a5b47c4b78ec0d4

memory/4940-399-0x00000000006A0000-0x0000000000B59000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\prefs-1.js

MD5 3807363ca9fb5a3c8abe76ccd2fa11ba
SHA1 19f64b4e6cbfcc69ce254fcb6fbb16a7bd65cadb
SHA256 91ce83218dd8680d8e53c22d7fddf1dfe7e704f4d197af2fe4fc3a2ffb7712b5
SHA512 41e0bf808b876495306f4dc9c3317734b9e56e7ca81782be93f7abc39fbd36ada3e3231c1a2cf079d29e8a98699cef2defe7b24f96d0db55886a59583d854acb

memory/3080-469-0x00000000006A0000-0x0000000000B59000-memory.dmp

memory/3080-483-0x00000000006A0000-0x0000000000B59000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp

MD5 22beb8cd378d311bb7d227310ee23220
SHA1 a18be4fc712b5c8c01c08b57c0571fe94a85c9a8
SHA256 0e8326e9fa85c6bf4edb13cb43d45bb36a700563f26ae05384c9df2d9acb5d86
SHA512 3faabac79e6e1424b9b8b53ed46938f4fb82b0e50d02f8381e8ac54a9fff785cf580a851dfdd2f37cb46dd7c96fd46e7db57146539ba8564c6fb9c4013d2d318

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4cs2motb.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 d066482006a1fb383085a85522e0f0f5
SHA1 8f5648af238c6f388c6442410e45c6fff455a2f5
SHA256 58c5ae93c55608b30005d589ec7307919850c09efb86787fdfa097a1ceb89ec6
SHA512 22b1de9fcef9075ea602641254c6c532a41ebcdb72356b937b948d268dc5eefa05e2634ebd21c9c6bf7fd678ab83964224a5276c3c9b98b9c7576a0076cf3f3b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\prefs-1.js

MD5 47932c0a8b892632f3e16b272cb3ef8a
SHA1 03d1a1cddc9b487e131b2c4d1b1a9c1c08d60856
SHA256 a32f0428cdd1a2fae076114515ea6e0ad375d3955f86b4e528e9e046d522c0f5
SHA512 443ae005eadea13a9db6900714bb0b37a48da153d8fba5481123548c53e6b368168aaf7b88e0d98aa64a22abcc31dbf04e1cb9b72bada5b53e2669905899d4c6

memory/3080-636-0x00000000006A0000-0x0000000000B59000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\prefs-1.js

MD5 55138fd45f667c7d990a7c149c76168c
SHA1 d69c6e97cdc4763bbf8d79f3266a22b1cd32fbcf
SHA256 48aa08c9227b3370700f54bb6c889345b7cfc3c64314b77cf7530e9a59012fb3
SHA512 a70701c947e920dab8a0084d90cb7e29b15fb087586bc9425c275ac697a5997a04eec69c7a3ce989b5dd0aa4af17e1771e5486e8651cf3179a61fc343349c581

memory/3080-923-0x00000000006A0000-0x0000000000B59000-memory.dmp

memory/3080-2560-0x00000000006A0000-0x0000000000B59000-memory.dmp

memory/3080-2589-0x00000000006A0000-0x0000000000B59000-memory.dmp

memory/3292-2591-0x00000000006A0000-0x0000000000B59000-memory.dmp

memory/3292-2592-0x00000000006A0000-0x0000000000B59000-memory.dmp

memory/3080-2598-0x00000000006A0000-0x0000000000B59000-memory.dmp

memory/3080-2599-0x00000000006A0000-0x0000000000B59000-memory.dmp

memory/3080-2600-0x00000000006A0000-0x0000000000B59000-memory.dmp

memory/3080-2601-0x00000000006A0000-0x0000000000B59000-memory.dmp

memory/3080-2602-0x00000000006A0000-0x0000000000B59000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-09 23:25

Reported

2024-07-09 23:27

Platform

win11-20240709-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4548 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe C:\Windows\SysWOW64\cmd.exe
PID 4548 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe C:\Windows\SysWOW64\cmd.exe
PID 4548 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe C:\Windows\SysWOW64\cmd.exe
PID 4548 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe C:\Windows\SysWOW64\cmd.exe
PID 4548 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe C:\Windows\SysWOW64\cmd.exe
PID 4548 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 1592 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe
PID 2484 wrote to memory of 1592 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe
PID 2484 wrote to memory of 1592 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe
PID 1592 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1592 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1592 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4296 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\e1010ef8e3.exe
PID 4296 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\e1010ef8e3.exe
PID 4296 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\e1010ef8e3.exe
PID 4296 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe
PID 4296 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe
PID 4296 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe
PID 4980 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4980 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3260 wrote to memory of 4592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3260 wrote to memory of 4592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3260 wrote to memory of 4592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3260 wrote to memory of 4592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3260 wrote to memory of 4592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3260 wrote to memory of 4592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3260 wrote to memory of 4592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3260 wrote to memory of 4592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3260 wrote to memory of 4592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3260 wrote to memory of 4592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3260 wrote to memory of 4592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
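
The rows above are one line per WriteProcessMemory call, so the chain they encode is easier to read as a tree. The script below is an added example, not part of the sandbox report: ROWS holds rows copied from the table, reduced to one row per parent/child pair except 4980 -> 3260, which is kept twice to show that repeats are counted (the 33 identical 4592 -> 1852 rows are 33 calls between one pair of processes, not 33 processes). Paste the full table into ROWS to get the real call counts.

```python
"""Rebuild the process chain from the 'wrote to memory of' rows of a sandbox report.

Added example, not part of the report. ROWS is a subset of the report's rows;
the parser and tree builder are mine.
"""
import re

# "PID <src> wrote to memory of <dst> N/A <src image> <dst image>"; both images
# start with C:\ and may contain spaces, so the first path is matched lazily.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.+?) (C:\\.+)$")

ROWS = r"""
PID 4548 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe C:\Windows\SysWOW64\cmd.exe
PID 4548 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 1592 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe
PID 1592 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4296 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\e1010ef8e3.exe
PID 4296 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe
PID 4980 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4980 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3260 wrote to memory of 4592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4592 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
"""


def parse_rows(text):
    """Return a list of (src_pid, dst_pid, src_exe, dst_exe) tuples, one per row."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError("unrecognised row: " + line)
        src, dst, src_exe, dst_exe = m.groups()
        events.append((int(src), int(dst), src_exe, dst_exe))
    return events


def build_tree(events):
    """Return (roots, children, names, counts).

    children maps a PID to the PIDs it wrote to, in first-seen order; names
    maps a PID to its image path; counts maps (src, dst) to the row count.
    """
    names, children, counts = {}, {}, {}
    for src, dst, src_exe, dst_exe in events:
        names.setdefault(src, src_exe)
        names.setdefault(dst, dst_exe)
        kids = children.setdefault(src, [])
        if dst not in kids:
            kids.append(dst)
        counts[(src, dst)] = counts.get((src, dst), 0) + 1
    targets = {dst for _, dst, _, _ in events}
    roots = [pid for pid in children if pid not in targets]
    return roots, children, names, counts


def ancestors(pid, events):
    """Writer chain above pid, nearest first, following the first writer seen."""
    parent = {}
    for src, dst, _, _ in events:
        parent.setdefault(dst, src)
    chain = []
    while pid in parent:
        pid = parent[pid]
        chain.append(pid)
    return chain


def render(root, children, names, counts, depth=0, edge=None):
    """Indented text tree; each child line shows how many rows its parent wrote to it."""
    base = names[root].rsplit("\\", 1)[-1]
    suffix = f"  [{counts[edge]} write(s) from {edge[0]}]" if edge else ""
    lines = [f"{'  ' * depth}{root} {base}{suffix}"]
    for child in children.get(root, []):
        lines.extend(render(child, children, names, counts, depth + 1, (root, child)))
    return lines


if __name__ == "__main__":
    evs = parse_rows(ROWS)
    roots, children, names, counts = build_tree(evs)
    for r in roots:
        print("\n".join(render(r, children, names, counts)))
```

Run stand-alone it prints the chain rooted at PID 4548 (the sample), through cmd.exe, CAFIEBKKJJ.exe and explorti.exe, down to the Firefox processes that 6728fd7bd0.exe launched; `ancestors(1852, evs)` gives the same path bottom-up, which is the quickest way to tie a late PID in the Files section back to the dropper that produced it.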

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe

"C:\Users\Admin\AppData\Local\Temp\d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JEHIJJKEGH.exe"

C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe

"C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\e1010ef8e3.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\e1010ef8e3.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1936 -parentBuildID 20240401114208 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c36b5872-0d16-4b17-ab73-5d32f5117053} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2352 -parentBuildID 20240401114208 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31311789-1ae4-44ff-bfa0-4b5e2ceff67e} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3332 -childID 1 -isForBrowser -prefsHandle 2924 -prefMapHandle 2936 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3d13f01-cfb8-49b7-b761-1dbe0ed19868} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3784 -childID 2 -isForBrowser -prefsHandle 3780 -prefMapHandle 3776 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f63ee51-6904-4da3-b519-35031dc27ab9} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4836 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4828 -prefMapHandle 4824 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cde677d-f03b-4235-bcf7-9d7cd8d5fdba} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5528 -childID 3 -isForBrowser -prefsHandle 5508 -prefMapHandle 5520 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2daead61-4b99-445e-bea6-e8f52b07ed24} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5740 -childID 4 -isForBrowser -prefsHandle 5660 -prefMapHandle 5668 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d42d340-722c-4a5a-888e-05fbe4a2c9c1} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5952 -childID 5 -isForBrowser -prefsHandle 5852 -prefMapHandle 5860 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7edefeb9-a870-4756-b4dd-b2edc82e3e04} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" tab

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
GB 172.217.16.238:443 youtube-ui.l.google.com tcp
GB 172.217.16.238:443 youtube-ui.l.google.com tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
GB 172.217.16.238:443 youtube-ui.l.google.com udp
US 34.107.243.93:443 push.services.mozilla.com tcp
GB 216.58.201.110:443 consent.youtube.com tcp
GB 216.58.201.110:443 consent.youtube.com udp
US 34.107.243.93:443 push.services.mozilla.com tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
N/A 127.0.0.1:49944 tcp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
N/A 127.0.0.1:49953 tcp
US 35.244.181.201:443 prod.balrog.prod.cloudops.mozgcp.net tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
GB 142.250.200.14:443 redirector.gvt1.com tcp
GB 142.250.200.14:443 redirector.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
GB 142.250.200.46:443 play.google.com tcp
GB 142.250.200.46:443 play.google.com udp
GB 216.58.201.110:443 consent.youtube.com udp
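
Most of the table above is Firefox start-up traffic triggered by 6728fd7bd0.exe opening https://www.youtube.com/account; the rows that matter for blocking are the few plain-TCP connections to bare Russian IPs on port 80 that no DNS query in the table resolved. The script below is an added example, not part of the report: NETWORK holds a subset of the rows copied from the table (paste the whole table to triage all of it), and the bucketing rule is mine. Tagging a bare-IP port-80 connection as a candidate C2 is a review heuristic, not an attribution; the report does not say which address belongs to Amadey and which to Stealc.

```python
"""Separate likely check-in traffic from browser noise in a sandbox Network table.

Added example, not part of the report. NETWORK is a subset of the table's rows
in its own "Country Destination Domain Proto" layout; the rules are mine.
"""

NETWORK = """
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 172.217.16.238:443 youtube-ui.l.google.com tcp
N/A 127.0.0.1:49944 tcp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
"""


def parse_network(text):
    """Return (country, ip, port, domain, proto) per row; loopback rows carry no domain."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        country, dest, proto = fields[0], fields[1], fields[-1]
        domain = fields[2] if len(fields) == 4 else ""
        ip, port = dest.rsplit(":", 1)
        rows.append((country, ip, int(port), domain, proto))
    return rows


def ptr_to_ip(name):
    """'30.47.28.85.in-addr.arpa' -> '85.28.47.30'."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def triage_network(text):
    """Bucket rows into candidate C2, reverse lookups, DNS queries and named hosts."""
    out = {"candidate_c2": set(), "reverse_lookups": {}, "dns_queries": [], "named": []}
    for _, ip, port, domain, proto in parse_network(text):
        if ip.startswith("127."):
            continue                                    # sandbox-local sockets
        if port == 53:
            if domain.endswith(".in-addr.arpa"):
                out["reverse_lookups"][ptr_to_ip(domain)] = domain   # PTR lookup of a C2 IP
            else:
                out["dns_queries"].append(domain)
        elif domain == ip and proto == "tcp":
            # Plain TCP to a bare IP that nothing resolved by name: the rows to block.
            out["candidate_c2"].add(f"{ip}:{port}")
        else:
            out["named"].append(f"{domain}:{port}")     # resolved host, here Firefox traffic
    out["candidate_c2"] = sorted(out["candidate_c2"])
    return out


def ioc_lines(triage):
    """One line per candidate C2, noting where the table shows a PTR lookup for that IP."""
    lines = []
    for dest in triage["candidate_c2"]:
        ip = dest.rsplit(":", 1)[0]
        ptr = triage["reverse_lookups"].get(ip)
        lines.append(dest + (f"  (PTR queried: {ptr})" if ptr else ""))
    return lines


if __name__ == "__main__":
    t = triage_network(NETWORK)
    print("\n".join(ioc_lines(t)))
    print("DNS queries:", ", ".join(t["dns_queries"]))
```

The reverse-lookup bucket is worth keeping separate: the 30.47.28.85.in-addr.arpa query is a PTR lookup of 85.28.47.30, which ties the DNS row to the first TCP row rather than being a new destination.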

Files

memory/4548-0-0x0000000000560000-0x000000000114D000-memory.dmp

memory/4548-1-0x000000007F300000-0x000000007F6D1000-memory.dmp

memory/4548-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/4548-50-0x0000000000560000-0x000000000114D000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/4548-78-0x0000000000560000-0x000000000114D000-memory.dmp

memory/4548-79-0x000000007F300000-0x000000007F6D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe

MD5 e8dd22ee36d1c52d657cf17d1cb7d3ef
SHA1 173c7859c41f254327d08351f17569b2ee6b9e00
SHA256 60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16
SHA512 37636a17778b5bf2d531e20f05601541e6ac4a4e0e973149bd2e4fb08324077dfbab5c1c848b81895f2e657113c5290604ffe6c59e783a3c443827a53e837fd9

memory/1592-83-0x0000000000E20000-0x00000000012D9000-memory.dmp

memory/4296-96-0x0000000000090000-0x0000000000549000-memory.dmp

memory/1592-94-0x0000000000E20000-0x00000000012D9000-memory.dmp

memory/4296-97-0x0000000000090000-0x0000000000549000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\e1010ef8e3.exe

MD5 1552573045f153aa7269a30d3a1dd151
SHA1 d07f6a1ffcc0bd98a80ba1d5574425a2bd1d3d23
SHA256 d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d
SHA512 8301e552f8d1019bfc9e85d6249e329b767b95b7092d537129665d96ba62427b7a806c97b97ce0f314cd34a7675852b3f553519b03304bd12831eafeac446460

memory/3360-113-0x00000000003F0000-0x0000000000FDD000-memory.dmp

memory/4296-114-0x0000000000090000-0x0000000000549000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

memory/2788-134-0x0000000000090000-0x0000000000549000-memory.dmp

memory/3360-136-0x00000000003F0000-0x0000000000FDD000-memory.dmp

memory/2788-137-0x0000000000090000-0x0000000000549000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\prefs.js

MD5 be7c007286a465516abb13401d580d09
SHA1 2920d23d42de16f4d1bd59dc0c91f96428a544b8
SHA256 ed80ec0e37fa418cca6892d58d1108e99ee7572f3c05aa9d5a769d3a2bf6dffb
SHA512 dc662227fc0b012f5a5c887e90c43a559a3c693523ebc14c208b5f2c31ac0f726c7aeb2d3b5ed163d564b687443022d5e5453844efd3eff198e8adf784841ac3

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\activity-stream.discovery_stream.json.tmp

MD5 2f117db5b20f8f31cb7a0e7e2cf00fd3
SHA1 7f8bdd370ee9c819f9267c59d7c161042cd869cf
SHA256 6536839200468d165395d792be97321cff7f3c1e465384f6557ac45cb8bbf082
SHA512 92f7c2aad9af839744004fb3c2a9ed7a12ea63b5102136f81dd61328b6b3c19900d1bb1a142fcdeeb14dfc29daf58b2c8777958a4bb510639add014f6a72c1ca

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\datareporting\glean\pending_pings\ee064bb9-0aea-4c3e-ab5f-75a3d6a7e26f

MD5 bc6afd82b23f1b6ab2fff19b0dc836f8
SHA1 e725d97be1a532e74d76a1e17d3a6a7f5efe1e67
SHA256 02e64616ae6cda3248c877dc9351c96c79249414e58fa24b073624a6c2fa9981
SHA512 20cc52ae39424d04bc89da99a8f8308e04212ce8f8f6d9bdca80dee2a6cbdd7963358930bdd3e06b323e507180550b17b3b5b2cd07c2abe13f53b49e683f3fb5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\datareporting\glean\pending_pings\54ec251d-9a5c-4db9-bade-d60737f7ae1b

MD5 48dba7139c7e20c523f81a5ced480c92
SHA1 d8381ea14706541d7c1bd646f06bb635eb5cc357
SHA256 0752fe05ca714a537e348f538f8bb9798382c5961818d4e47ee22be109e52727
SHA512 ae47e2c9ff0342f8e1c4fb8250f462423659889617c054e130f71bffa4daeb341b483ac4bb51a3e363a77e998c5e52054f80bebe0af428bcb186b116efe88be9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\datareporting\glean\db\data.safe.tmp

MD5 09cb12da02ef09b5be3527b057a76f0f
SHA1 06d945b372747c0296f07a67ddcf70b8d47aa4b4
SHA256 532a358f94e8e69272618a94a5694f67b2d2e163c054675ee6bde5648813c533
SHA512 bbc6fc4f1186f7d2d1905f9071d6900b36e27a625538d55a81bcddb4015dce6bae7d5cf0884e55be439bd95316c31cdfc8b62357a7898aa061a880e288cfb9be

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\AlternateServices.bin

MD5 250e5ed20cc3e4744815f64a2aac327d
SHA1 f40e563edc8dc8e6a0d28bf10aa4431635c6282c
SHA256 350d40ca541373058c545d89ecef86e8c414f1fc552a8b4702c8a9ead3a19d95
SHA512 09347c561c899f98d09b6f14a0fc4774169f2795b9cc24b994527ced371e81f62d72031cd5670318b7d5d22629088b5a73eb5ead874b2d2e198271527b7fbbce

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\datareporting\glean\db\data.safe.tmp

MD5 5c4f616010e53fb3c0395f28af6c17f7
SHA1 da19a651e42859f43885b225b236ddd98a0c2eff
SHA256 5ea109fcdeb65d11c7c52db9f01b46c86abd4792ed242812f3b5a9444dd222d2
SHA512 a35ff5b47fa13d5c84392942d4d630cbd68bf06c4bca236fca44ecc6d42a88b46e58d3b55d684b728b5be9def1dabb0c7b7c9a3386cb40896e18911fa53118ef

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\prefs.js

MD5 e88e4160b98c617df2efcabf898e8869
SHA1 a1398cdb44c47310fbf096432221e2532cb19494
SHA256 49e52f5785f3ef57966cf302e1e84f7aff36727c859072d9f91a02c6306b2b60
SHA512 3ae4138b04963e32dd367b609c8aa12a19dcfefe7741c1b385200cf15cf0588f3d73e1821cf56e0c5bb9ac2ee177ff761dd8c892283eb9f3dae166f576fff1db

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\prefs-1.js

MD5 4508ab2b509f443a75f9acab5965516c
SHA1 513ff0ea3b7d1ff7457231b948dd929306a5ad2a
SHA256 d1bdd79c352e1c9a33312d4cab63a28ff3610d4b135648f49253c9e130662dd9
SHA512 80f0d4556e9774d5fc0d8a77960ff406e32c67df7ada67c84bb3a1d80915f77cb150d89369a013ea260aee127109ce4fad8a9d77cf8b37494ac2001edcd45a50

memory/4296-463-0x0000000000090000-0x0000000000549000-memory.dmp

memory/4296-480-0x0000000000090000-0x0000000000549000-memory.dmp

memory/4296-485-0x0000000000090000-0x0000000000549000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\datareporting\glean\db\data.safe.tmp

MD5 2b15342cfe3bb0b5a4292b52974aaff7
SHA1 7dde7717582e9c89a2d65a9e71230ee8676d2265
SHA256 16c70ac1ef1cd222a605eeca30cac8c409b3a572e3700b00e616a42eafa357e4
SHA512 77c280578180f840f75b6db57b650157ac1d3198395bf10eb36a9deb55f669dcb2157cdfc0798e1efc3aa4a1de39ceab6cdb81f6121c31753fe1e6377e296aa8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 1daa8022960299febb443e4570a7469e
SHA1 620ea1345135ffdb8af3a9076dbf266f8fe902ac
SHA256 f3e984b1519bf4852d8bdec45efede20f745ab08f1ac44f1feef900710d4b48c
SHA512 1b820742362eda8ad335d50edac9e39c1646fa1eea8e38729137c4f65e5046f8c8efec6198340ae2877df6c9e8a3ae6cb1c061a33c3d07ae4f8959a42a2963c2

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\prefs-1.js

MD5 ec48ba701b0960bea88686940e649d1e
SHA1 fb519afd11f2da2882cb28429dd43eb55d81fa64
SHA256 441d7c5eb514d3e7528eb38e86da08c3822c99d001959670aa716e72c055f923
SHA512 dc1e69ec02e0383ef78cad7387d9f3d6852c0a4a10a87f20a2574244b7d1415b35df97800d99e449dd141f43ef06e49028af2b75b3b20136a02e476d376eee8e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\datareporting\glean\db\data.safe.tmp

MD5 2e456b96a6b1e992088e2d77b97d357d
SHA1 f3b86a320ed3c167e6f3d09ed2fb0dec0de31c78
SHA256 547e79a211099a5e3bcd5fa64abec99b54f1df09e649df4321da5c05ec49f9df
SHA512 dfacd25e688d5cd6417442e6647afbb9b1ae36e7b02db19594d8028141aee703a568faf2feee36e7a51202c047183ef8752f969b917bc84d8233a4033f2b02b5

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\prefs-1.js

MD5 5607cde920a155bd08af6e5dc1e6a554
SHA1 97532c82e9fcbab2f26eb62693e52e0cea119d34
SHA256 b5d1cbc312968f749aaa9186f327ea12b60e3792882a5ef4160cb240e29594ef
SHA512 5de14e2da6ed04e675560f8bda012b247f37c7f5ab1abcf137db83298b47853d166006e7aa482f2c910bb430fa87a16f03aecd0d41d3717b0e7ddeb840826c94

memory/4296-1243-0x0000000000090000-0x0000000000549000-memory.dmp

memory/4296-2456-0x0000000000090000-0x0000000000549000-memory.dmp

memory/4296-2583-0x0000000000090000-0x0000000000549000-memory.dmp

memory/4572-2590-0x0000000000090000-0x0000000000549000-memory.dmp

memory/4572-2592-0x0000000000090000-0x0000000000549000-memory.dmp

memory/4296-2594-0x0000000000090000-0x0000000000549000-memory.dmp

memory/4296-2597-0x0000000000090000-0x0000000000549000-memory.dmp

memory/4296-2598-0x0000000000090000-0x0000000000549000-memory.dmp

memory/4296-2599-0x0000000000090000-0x0000000000549000-memory.dmp

memory/4296-2600-0x0000000000090000-0x0000000000549000-memory.dmp
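
Two things in the Files table deserve a second look when reading it: the SHA256 recorded for C:\Users\Admin\AppData\Local\Temp\1000006001\e1010ef8e3.exe is the analysed sample's own hash, so explorti.exe fetched a second copy of the file under analysis, and nss3.dll and mozglue.dll (Mozilla's NSS runtime) were written to C:\ProgramData, which is where a stealer typically stages its own copies to decrypt Firefox logins outside the browser (that purpose is an inference; the report records only the drop). The script below is an added example, not part of the report: FILES holds path and SHA256 lines copied from the table (MD5, SHA1, SHA512 and the memory-dump entries omitted), and the review flags are mine, not sandbox signatures.

```python
"""Cross-check a sandbox Files table against the sample hash and drop locations.

Added example, not part of the report. FILES is a subset of the table's path and
SHA256 lines; the flagging rules are mine.
"""

SAMPLE_SHA256 = "d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d"

FILES = r"""
C:\ProgramData\nss3.dll
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
C:\ProgramData\mozglue.dll
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe
SHA256 60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16
C:\Users\Admin\AppData\Local\Temp\1000006001\e1010ef8e3.exe
SHA256 d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d
C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\prefs.js
SHA256 ed80ec0e37fa418cca6892d58d1108e99ee7572f3c05aa9d5a769d3a2bf6dffb
"""


def parse_files(text):
    """Pair each path line with the SHA256 line that follows it."""
    files, path = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("SHA256 ") and path:
            files.append((path, line.split()[1].lower()))
            path = None
        elif line:
            path = line
    return files


def flag_files(files, sample_sha256=SAMPLE_SHA256):
    """Map path -> review notes; paths that earn no note are left out."""
    flags = {}
    for path, sha256 in files:
        low = path.lower()
        notes = []
        if sha256 == sample_sha256.lower():
            notes.append("same SHA256 as the analysed sample")      # loader re-fetched the sample
        if low.startswith("c:\\programdata\\"):
            notes.append("dropped under ProgramData")               # outside the user's Temp tree
        if "\\temp\\" in low and low.endswith(".exe"):
            notes.append("executable written to Temp")
        if notes:
            flags[path] = notes
    return flags


def by_hash(files):
    """Group paths by SHA256 so the same content under two names is visible."""
    groups = {}
    for path, sha256 in files:
        groups.setdefault(sha256, []).append(path)
    return groups


if __name__ == "__main__":
    entries = parse_files(FILES)
    for path, notes in flag_files(entries).items():
        print(path, "->", "; ".join(notes))
```

With the full table pasted in, `by_hash` also shows which of the repeated prefs.js, prefs-1.js and data.safe.tmp entries are distinct writes (different hashes) rather than duplicate rows.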