Malware Analysis Report

2024-11-13 16:46

Sample ID: 240709-3fd5mstgmf
Target: file.exe
SHA256: d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d
Tags: stealc hate discovery spyware stealer amadey 4dd39d evasion trojan
Score: 10/10

Analysis Overview

Threat level: Known bad. file.exe was classified as known bad (score 10/10).

Malicious Activity Summary

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Checks BIOS information in registry

Deletes itself

Loads dropped DLL

Identifies Wine through registry keys

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Modifies registry class

Analysis: static1

Detonation Overview

Reported: 2024-07-09 23:27

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-09 23:27
Reported: 2024-07-09 23:29
Platform: win7-20240704-en
Max time kernel: 120s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Stealc

stealer stealc

Downloads MZ/PE file

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A

Delays execution with timeout.exe

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\file.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

Network

Country | Destination | Domain | Proto | Count
RU | 85.28.47.30:80 | 85.28.47.30 | tcp | 3

Files

memory/1824-0-0x0000000000DF0000-0x00000000019DD000-memory.dmp

memory/1824-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

memory/1824-2-0x0000000000DF0000-0x00000000019DD000-memory.dmp

memory/1824-3-0x0000000000DF0000-0x00000000019DD000-memory.dmp

memory/1824-4-0x0000000000DF0000-0x00000000019DD000-memory.dmp

memory/1824-5-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

memory/1824-6-0x0000000000DF0000-0x00000000019DD000-memory.dmp

memory/1824-7-0x0000000000DF0000-0x00000000019DD000-memory.dmp

memory/1824-8-0x0000000000DF0000-0x00000000019DD000-memory.dmp

memory/1824-9-0x0000000000DF0000-0x00000000019DD000-memory.dmp

memory/1824-10-0x0000000000DF0000-0x00000000019DD000-memory.dmp

memory/1824-11-0x0000000000DF0000-0x00000000019DD000-memory.dmp

memory/1824-12-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1824-30-0x0000000000DF0000-0x00000000019DD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-09 23:27
Reported: 2024-07-09 23:29
Platform: win10v2004-20240709-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A | 3
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\GDBFCGIIIJ.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\DBAEGCGCGI.exe | N/A | 1

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target | Count
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\GDBFCGIIIJ.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\GDBFCGIIIJ.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\DBAEGCGCGI.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\DBAEGCGCGI.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A | 3
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A | 3

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000010001\0a5d0d41be.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GDBFCGIIIJ.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DBAEGCGCGI.exe | N/A

Identifies Wine through registry keys

evasion

Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\GDBFCGIIIJ.exe | N/A | 1
Key opened | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\DBAEGCGCGI.exe | N/A | 1
Key opened | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A | 3
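The registry probes in the evasion and discovery signatures above only separate the dropped binaries from the browser they later launch if they are scored per process rather than per key. The script below is an added example written for this report, not sandbox output or the malware's code. The rows are the report's own, pasted as `|`-separated fields; the category names, the acceptance of the FADT and RSDT tables next to DSDT, and the "one strong or two weak indicators" threshold are assumptions of the example.

```python
"""Per-process scoring of the registry probes listed in this report's
evasion/discovery signatures.  Added example, not sandbox output."""
import re
from collections import defaultdict

# Rows copied from the report's tables (Description | Indicator | Process | Target).
ROWS = r"""
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\GDBFCGIIIJ.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\GDBFCGIIIJ.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\DBAEGCGCGI.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
"""

# Category patterns distilled from the key paths in the report.  Accepting the
# FADT/RSDT tables next to DSDT is an assumption of this example (VirtualBox
# exposes all three with the VBOX__ OEM id); the report itself only shows DSDT.
CATEGORIES = {
    "vbox_acpi":    re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
    "bios_version": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
    "cpu_name":     re.compile(r"\\CentralProcessor\\0\\ProcessorNameString$", re.I),
    "wine":         re.compile(r"\\Software\\Wine$", re.I),
    "geo_nation":   re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I),
}
# A single hit on these is enough: a user-mode application has no benign reason
# to open VirtualBox ACPI tables or the Wine registry hive.
STRONG = {"vbox_acpi", "wine"}


def parse_rows(text):
    """Yield (description, key_path, process) from `|`-separated rows, skipping headers."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) < 3 or parts[0].lower() == "description":
            continue
        yield parts[0], parts[1], parts[2]


def classify(text):
    """Map each process image to the set of categories its registry probes hit."""
    hits = defaultdict(set)
    for _desc, key, proc in parse_rows(text):
        for name, pattern in CATEGORIES.items():
            if pattern.search(key):
                hits[proc].add(name)
    return dict(hits)


def verdict(categories):
    """'fingerprinting' on a strong indicator or two weak ones, otherwise 'weak'."""
    if categories & STRONG or len(categories) >= 2:
        return "fingerprinting"
    return "weak"


def triage(text):
    """Per process image: (verdict, sorted list of categories)."""
    return {proc: (verdict(cats), sorted(cats)) for proc, cats in classify(text).items()}


if __name__ == "__main__":
    for proc, (v, cats) in sorted(triage(ROWS).items()):
        print(f"{v:14} {proc}  [{', '.join(cats)}]")
```

Firefox's reads under CentralProcessor\0 (ProcessorNameString, ~Mhz) are ordinary browser start-up behaviour and stay "weak"; the dropped binaries open VBOX__ and Software\Wine, which has no benign explanation in a user application, and are flagged regardless of how many keys they touched.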

Loads dropped DLL

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A | 2

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\GDBFCGIIIJ.exe | N/A
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\DBAEGCGCGI.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 2
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 2
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 1

The firefox.exe rows are ordinary start-up reads by the browser that 0a5d0d41be.exe launched (see the Processes list below); only the two file.exe rows are the sample's own.

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 2

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDBFCGIIIJ.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000010001\0a5d0d41be.exe | N/A | 42
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 21

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000010001\0a5d0d41be.exe | N/A | 44
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 20

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\a1621309e0.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 4428 wrote to memory of 1748 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 1748 wrote to memory of 3412 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\GDBFCGIIIJ.exe | 3
PID 4428 wrote to memory of 4992 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 4992 wrote to memory of 4852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\DBAEGCGCGI.exe | 3
PID 3412 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\GDBFCGIIIJ.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | 3
PID 4852 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\DBAEGCGCGI.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | 3
PID 1448 wrote to memory of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\a1621309e0.exe | 3
PID 1448 wrote to memory of 3452 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000010001\0a5d0d41be.exe | 3
PID 3452 wrote to memory of 4440 | N/A | C:\Users\Admin\AppData\Local\Temp\1000010001\0a5d0d41be.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 2
PID 4440 wrote to memory of 4168 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 11
PID 4168 wrote to memory of 1828 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 27

Every Target in this table is a child that the Process column launched (compare the Processes list below), so the writes are consistent with normal process creation, in which the parent writes into the new child, rather than injection into an unrelated process; the firefox.exe rows are the browser setting up its own content processes.
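Because every target in the table is a process the source launched, the rows fold into a spawn tree and each PID's ancestry can be recovered from them. The script below is an added example written for this report, not sandbox output; the rows are copied from the table as `|`-separated fields and trimmed to one or two per parent/child pair, so the write counts it prints describe the trimmed sample rather than the full table.

```python
"""Rebuild the spawn tree from 'PID A wrote to memory of B' rows.
Added example for this report, not sandbox output."""
import re
from collections import defaultdict

# Rows copied from the WriteProcessMemory table, trimmed to one or two per edge.
ROWS = r"""
PID 4428 wrote to memory of 1748 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 1748 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 3412 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\GDBFCGIIIJ.exe
PID 4428 wrote to memory of 4992 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\cmd.exe
PID 4992 wrote to memory of 4852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\DBAEGCGCGI.exe
PID 3412 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\GDBFCGIIIJ.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4852 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\DBAEGCGCGI.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1448 wrote to memory of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\a1621309e0.exe
PID 1448 wrote to memory of 3452 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000010001\0a5d0d41be.exe
PID 3452 wrote to memory of 4440 | N/A | C:\Users\Admin\AppData\Local\Temp\1000010001\0a5d0d41be.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4440 wrote to memory of 4168 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4168 wrote to memory of 1828 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
"""

EDGE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_edges(text):
    """{(parent_pid, child_pid): [parent_image, child_image, write_count]}"""
    edges = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) < 4:
            continue
        m = EDGE.match(parts[0])
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        rec = edges.setdefault(key, [parts[2], parts[3], 0])
        rec[2] += 1          # repeated rows for one pair are counted, not duplicated
    return edges


def images(edges):
    """PID -> image path, taken from whichever column named the PID."""
    img = {}
    for (ppid, pid), (pimg, cimg, _) in edges.items():
        img.setdefault(ppid, pimg)
        img[pid] = cimg
    return img


def render(edges):
    """Indented tree, one line per PID, roots first; children ordered by PID."""
    children = defaultdict(list)
    for (ppid, pid), (_, _, n) in edges.items():
        children[ppid].append((pid, n))
    img = images(edges)
    child_pids = {pid for _ppid, pid in edges}
    roots = sorted(p for p in img if p not in child_pids)
    out = []

    def walk(pid, depth, writes):
        name = img[pid].rsplit("\\", 1)[-1]
        tag = f" (writes from parent: {writes})" if writes else ""
        out.append("  " * depth + f"{pid} {name}{tag}")
        for child, n in sorted(children.get(pid, [])):
            walk(child, depth + 1, n)

    for root in roots:
        walk(root, 0, 0)
    return out


def lineage(edges, pid):
    """Ancestry of `pid` as image basenames, root first."""
    parent = {c: p for (p, c) in edges}
    img = images(edges)
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return [img[p].rsplit("\\", 1)[-1] for p in reversed(chain)]


if __name__ == "__main__":
    e = parse_edges(ROWS)
    print("\n".join(render(e)))
    print(" -> ".join(lineage(e, 1828)))
```

The rendered tree has a single root, file.exe (PID 4428), with two cmd.exe branches leading through the two dropped loaders to explorti.exe, and it shows that the Firefox processes descend from 0a5d0d41be.exe rather than from user activity.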

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GDBFCGIIIJ.exe"

C:\Users\Admin\AppData\Local\Temp\GDBFCGIIIJ.exe

"C:\Users\Admin\AppData\Local\Temp\GDBFCGIIIJ.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DBAEGCGCGI.exe"

C:\Users\Admin\AppData\Local\Temp\DBAEGCGCGI.exe

"C:\Users\Admin\AppData\Local\Temp\DBAEGCGCGI.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\a1621309e0.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\a1621309e0.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\0a5d0d41be.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\0a5d0d41be.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1948 -prefsLen 25755 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {330cf3f1-47cb-42e9-84c2-567e576e0cea} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2444 -prefsLen 26675 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {333eb995-8b17-4267-8ede-d1eb21705562} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3068 -childID 1 -isForBrowser -prefsHandle 3076 -prefMapHandle 3308 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1004 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df8f4685-f59a-4a16-943c-173e02795a78} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3876 -childID 2 -isForBrowser -prefsHandle 3868 -prefMapHandle 2728 -prefsLen 31165 -prefMapSize 244658 -jsInitHandle 1004 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ceb809c3-0e1d-4d40-af18-92a834c92c65} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4984 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4288 -prefMapHandle 4896 -prefsLen 31165 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e68f125-5306-437a-b337-0d1f59bb08de} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 3 -isForBrowser -prefsHandle 5460 -prefMapHandle 5456 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1004 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa01016a-366f-44e7-969d-9c7d0ada8807} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5628 -childID 4 -isForBrowser -prefsHandle 5584 -prefMapHandle 5484 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1004 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16e69399-19ed-4138-9aa5-dd7db847cdb1} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5780 -childID 5 -isForBrowser -prefsHandle 5332 -prefMapHandle 5384 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1004 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e390b318-0010-4761-9bb1-2df7111a8ff1} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" tab

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Files

C:\ProgramData\nss3.dll

C:\ProgramData\mozglue.dll

C:\Users\Admin\AppData\Local\Temp\GDBFCGIIIJ.exe

C:\Windows\Tasks\explorti.job

C:\Users\Admin\AppData\Local\Temp\1000006001\a1621309e0.exe

C:\Users\Admin\AppData\Local\Temp\1000010001\0a5d0d41be.exe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\prefs.js

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1l89xtkq.default-release\activity-stream.discovery_stream.json.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\datareporting\glean\pending_pings\18e4714b-1078-478c-ac34-c2ea0daf9d96

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\datareporting\glean\pending_pings\b1b89173-f79e-4675-bfb3-558dc4290e53

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\AlternateServices.bin

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\AlternateServices.bin

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\prefs-1.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1l89xtkq.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

C:\Users\Admin\AppData\Local\Temp\tmpaddon

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\prefs.js

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\prefs-1.js
