Malware Analysis Report

2024-11-13 16:45

Sample ID 240709-3g6w2sthlh
Target 60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16
SHA256 60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16
Tags
amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16

Threat Level: Known bad

The file 60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d hate discovery evasion spyware stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Reads data files stored by FTP clients

Identifies Wine through registry keys

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-09 23:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-09 23:30

Reported

2024-07-09 23:32

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\CGIJJKEHCA.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\CGIJJKEHCA.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\CGIJJKEHCA.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000006001\178ac1ea6a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\CGIJJKEHCA.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\178ac1ea6a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\178ac1ea6a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\178ac1ea6a.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3444 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 3444 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 3444 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 3552 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\178ac1ea6a.exe
PID 3552 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\178ac1ea6a.exe
PID 3552 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\178ac1ea6a.exe
PID 3552 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe
PID 3552 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe
PID 3552 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe
PID 968 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 968 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2784 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2784 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2784 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2784 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2784 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2784 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2784 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2784 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2784 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2784 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2784 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4184 wrote to memory of 3668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16.exe

"C:\Users\Admin\AppData\Local\Temp\60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\178ac1ea6a.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\178ac1ea6a.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4af82c4f-dbd3-4b34-b0d8-69db2fb9c062} 4184 "\\.\pipe\gecko-crash-server-pipe.4184" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2396 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aee9cc94-a1d9-4625-9748-0912c57b16ab} 4184 "\\.\pipe\gecko-crash-server-pipe.4184" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3124 -childID 1 -isForBrowser -prefsHandle 2912 -prefMapHandle 2920 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {045eb3e2-5cbe-4db7-abea-960fafd8448c} 4184 "\\.\pipe\gecko-crash-server-pipe.4184" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4040 -childID 2 -isForBrowser -prefsHandle 4036 -prefMapHandle 4028 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {06d1ec9a-fca3-4bfe-9269-e1d1d68aef61} 4184 "\\.\pipe\gecko-crash-server-pipe.4184" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4940 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4172 -prefMapHandle 4456 -prefsLen 31274 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73f6fc1e-da7e-4ca9-88b0-faee7a923d59} 4184 "\\.\pipe\gecko-crash-server-pipe.4184" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5484 -childID 3 -isForBrowser -prefsHandle 5292 -prefMapHandle 5456 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4156f9dd-adea-43af-b51d-72bb40ed3682} 4184 "\\.\pipe\gecko-crash-server-pipe.4184" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5396 -childID 4 -isForBrowser -prefsHandle 5612 -prefMapHandle 5616 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a8961b6-e0f3-4be0-9059-bd4632f911e6} 4184 "\\.\pipe\gecko-crash-server-pipe.4184" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5576 -childID 5 -isForBrowser -prefsHandle 5792 -prefMapHandle 5796 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7bfa27b-8085-4a22-8d80-32fe4556d8d0} 4184 "\\.\pipe\gecko-crash-server-pipe.4184" tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CGIJJKEHCA.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JDGIIDHJEB.exe"

C:\Users\Admin\AppData\Local\Temp\CGIJJKEHCA.exe

"C:\Users\Admin\AppData\Local\Temp\CGIJJKEHCA.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
N/A 127.0.0.1:58518 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.187.206:443 www.youtube.com tcp
GB 142.250.187.206:443 www.youtube.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 34.117.188.166:443 spocs.getpocket.com udp
GB 142.250.187.206:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 consent.youtube.com udp
US 52.33.222.107:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 consent.youtube.com udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 107.222.33.52.in-addr.arpa udp
US 8.8.8.8:53 1.97.149.34.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
RU 77.91.77.81:80 77.91.77.81 tcp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
N/A 127.0.0.1:58526 tcp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
GB 142.250.200.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com udp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

memory/3444-0-0x0000000000E40000-0x00000000012F9000-memory.dmp

memory/3444-1-0x0000000077774000-0x0000000077776000-memory.dmp

memory/3444-2-0x0000000000E41000-0x0000000000E6F000-memory.dmp

memory/3444-3-0x0000000000E40000-0x00000000012F9000-memory.dmp

memory/3444-5-0x0000000000E40000-0x00000000012F9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 e8dd22ee36d1c52d657cf17d1cb7d3ef
SHA1 173c7859c41f254327d08351f17569b2ee6b9e00
SHA256 60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16
SHA512 37636a17778b5bf2d531e20f05601541e6ac4a4e0e973149bd2e4fb08324077dfbab5c1c848b81895f2e657113c5290604ffe6c59e783a3c443827a53e837fd9

memory/3552-16-0x0000000000240000-0x00000000006F9000-memory.dmp

memory/3444-15-0x0000000000E40000-0x00000000012F9000-memory.dmp

memory/3552-18-0x0000000000241000-0x000000000026F000-memory.dmp

memory/3552-19-0x0000000000240000-0x00000000006F9000-memory.dmp

memory/3552-20-0x0000000000240000-0x00000000006F9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\178ac1ea6a.exe

MD5 1552573045f153aa7269a30d3a1dd151
SHA1 d07f6a1ffcc0bd98a80ba1d5574425a2bd1d3d23
SHA256 d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d
SHA512 8301e552f8d1019bfc9e85d6249e329b767b95b7092d537129665d96ba62427b7a806c97b97ce0f314cd34a7675852b3f553519b03304bd12831eafeac446460

memory/2432-36-0x0000000000440000-0x000000000102D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

memory/2432-55-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/3552-102-0x0000000000240000-0x00000000006F9000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yol9faaa.default-release\activity-stream.discovery_stream.json.tmp

MD5 82a1d19edd293611329e5581b088b195
SHA1 3c630ea73ff5f234a1323ad175037bd280c14a0d
SHA256 f9850b3b3609b91b5deacca2e886f1320df2b2bd0771aea7aacde7ecfa58687a
SHA512 d3f06d7ada2139f7437971f674671c7623c2d984209fb83fd361cc0e51c40f9724d3148bafe1eb1070d27ce5bc9323e27c1a0bfec7b89b77f80d5cf6867ad462

C:\ProgramData\JEHIDHDAKJDHJKEBFIEH

MD5 434d87c659473e5e24e851770569ee51
SHA1 e6b005ddfebacfac7c9d77f031a71120ce19e4af
SHA256 31baeae197360e57ae8053a1a578b49722e60928c0dba5fbd975ee173cae9b80
SHA512 f5aa547c3b01829d11d35c571b403f1e713a33b2ee566180709ec2ec8d077a10b1bee89364e7f7564c2f36c086cbd7d29a13a88ccc3b6b2d04cd721ace55bfdf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp

MD5 335e8e51ec7d6c6c94f169af6d4a1192
SHA1 143775501c7e44f5511f68a35632360ae677dcad
SHA256 14e4ba058eec572e45131d0faf22cacf4d2e3bd103b1c7eeec9e015de03db334
SHA512 c651b12ba97abf12527d86549f6d8e5d7ab62d2e404665c883aa8a7026fcd4fba307d8d115c718dc2afd0382933be6b5f19ca8eab97baa865c9ce5e6d1f9774d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp

MD5 5e2939e96fa32e46c4bb64a5b5efdf48
SHA1 264ffba6ed02976f73a1c862c57814dec9d74998
SHA256 9e845be58961afb6b48944161125fe82583a91dbc442da9e8ff337b0fe5e4cf8
SHA512 3c558f0b0f28695880ea888ae16636fe6e30cf29803fee87b247013be4e83448859174d7f3ddef45219211a1363415f2dde43d03c218e66edabb0e4d83559c19

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\4deca54a-ee15-477c-9f8f-a5efb0146ce1

MD5 2cc4d3b0efbc7773e2562e7d53ba2e2d
SHA1 63a5849757f410dee6f3f4d00e6cafc723d58238
SHA256 877c95d8633196f3d98bb600da327300a51706126783814399b989f25a97d1a0
SHA512 1879a98e720ed7fdf165eb282751a9fd7d737f0fe33965596799287c3e04a773949c0254cc31e2fd08d4a78b8c5ea2baf769096bc7f8731f7860f3a32637972d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\ca97463f-d196-4e61-a32f-c536bdd7a471

MD5 037029813691f331c8c4fc1a7c7a1111
SHA1 89d540b0a690a88c5d041a3efefafc5d56c2af29
SHA256 7f9ef744a36d027f6474aef1255bc3084462eaf92361657180e01dd35e35b123
SHA512 d4c1018b357c50d877f92c5e9839c39843bd1727b632d7f8d7ff9e864e46adc206deae0c70a03c1852846240f957d5aac811c11e24ad4ef87f6cbfffb202c3da

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp

MD5 bdad636145d8f010a0b42aafa309585a
SHA1 5ded8b3b4d78f520a1c9b3f1b06175933e2792e0
SHA256 cad2686cdfc918cb20670c6f0be979988f18a101b7d17deb1c426c1e8c0d04b9
SHA512 8a6977f7796f6b8ffb93a5a48ed8a65d767b12962c74b0aa028145b683db3d2cd1178d7688f9d5197f6e9a238093c7ce2124fcb744765be011515040669735b9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\AlternateServices.bin

MD5 781c6671e4bc0a5024a474931fbf7697
SHA1 a80fc7fb084e0ac6cf5f26079fc13dba10ead0d7
SHA256 f3ddbf732cb112043ef6be490167ceed5f21fd7a90121f9975f6be1eda64c2bf
SHA512 52b063aed1063597f0df486f95786dd16c99ab6b89f6a81caf1b908d0ecdc062d39b6496659ee33b7439f6fe438f38a3a93756906f7fa8d8a64e0ce029905e0c

memory/2432-434-0x0000000000440000-0x000000000102D000-memory.dmp

memory/1124-438-0x0000000000840000-0x0000000000CF9000-memory.dmp

memory/1124-442-0x0000000000840000-0x0000000000CF9000-memory.dmp

memory/3552-443-0x0000000000240000-0x00000000006F9000-memory.dmp

memory/3552-449-0x0000000000240000-0x00000000006F9000-memory.dmp

memory/3552-452-0x0000000000240000-0x00000000006F9000-memory.dmp

memory/3552-453-0x0000000000240000-0x00000000006F9000-memory.dmp

memory/3552-464-0x0000000000240000-0x00000000006F9000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp

MD5 0c263731b3244689974edd7d40d293a7
SHA1 836e8f271d1876a71f3cafbe985afc2ea1db2e5e
SHA256 feb555bf4f1a88be5a8a6a402e4318d85598440a96dc13a78967a1ab0fffa677
SHA512 d9a2e75c8f79e2e877d382371861800423a2f7f7964bdde9307a1c74d74d9f0215c67f5d27fcf938ed6762b7f9183a39f99c7dad38c8103a2e5a9c25038ed4b1

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yol9faaa.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 15f2b17506bde73362167f025f1e8150
SHA1 bb702bb19dc267976a2ecab02baad25d84a0329b
SHA256 4aa3db5a7abdca3a16d2c608cd4997d50e881da715b4e15e841f24da25a7e502
SHA512 1e55118eec3afe7354d12c840025e2c5cb45a03b748c35a0e73a8318d6e339a542820a1fbe788a0b452206920087c27a1fb1f0b63babfb2751930969ccaf7ca0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\prefs-1.js

MD5 edb8b9c4851e10459faf897112bf4a57
SHA1 7593db7bb48fd49ad79384819732d22744b8d220
SHA256 597591720b049c716cd1e3a6213ecdfbcf9faee4304de1abf490a6c2139feaad
SHA512 530817920a5df22878131585670f6fcda2086cd71728cfab49aecc852afcafd7a0cad23c3de40f4c032b2600e45f8f5854d29314cffeb193e38a4b7107d18e54

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 0185b20ed1cc6ded132a0aacdff6e86d
SHA1 df519aa070aaf20ac7c5f9146e47451e4a26a874
SHA256 9f4b39086adcd77f1d4b59ae07a510c23080c495fcebf19e9157be7aba1d6ac5
SHA512 9bfe9698a47914aea081a2126672b6fdd0f95dfbbd33316592417baf90e160f5d1bc2947501a603ac6a4c429fde48d424300e2d9de9ae182e68fb1cc8b99826d

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/3552-722-0x0000000000240000-0x00000000006F9000-memory.dmp

memory/3156-723-0x0000000000240000-0x00000000006F9000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\prefs-1.js

MD5 adf0c8b6192ed27a57d6356a86169f56
SHA1 eae0ad7a968babe081449d75f2376efac640cf6b
SHA256 d3f40ae1554c1a7ee3e9fc8b0cf8f7d3b9685cc9bcae9d4331b35cd9511143a4
SHA512 535f2c8b642ffe4530711af39ebed3603e2f81531a62cbee25999144ccb86379bd64e1c5d3be828cf961b9e297a55d3a3f53e52927fc2fe80e077dbe090c6230

memory/3156-843-0x0000000000240000-0x00000000006F9000-memory.dmp

memory/3552-2136-0x0000000000240000-0x00000000006F9000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp

MD5 a948fc61cc8eafdc13081b50c3937af4
SHA1 a90a094362ca3e1cf22cb9d8c0c967f32fb77aac
SHA256 11f98e813795ef083e28a9d6b8b0095e88cf1efe749c91d349ec7f2a66f181a7
SHA512 15abb054c4ad87294546a2c52e2ac0ee9db30a7f07b823dae7c59e592b41f2a562e1007720bbb32d30dead863b7bbe8b696e55baafaa84301ca3bc76455a8377

memory/3552-2618-0x0000000000240000-0x00000000006F9000-memory.dmp

memory/3552-2624-0x0000000000240000-0x00000000006F9000-memory.dmp

memory/3552-2626-0x0000000000240000-0x00000000006F9000-memory.dmp

memory/3552-2627-0x0000000000240000-0x00000000006F9000-memory.dmp

memory/5860-2630-0x0000000000240000-0x00000000006F9000-memory.dmp

memory/3552-2629-0x0000000000240000-0x00000000006F9000-memory.dmp

memory/5860-2631-0x0000000000240000-0x00000000006F9000-memory.dmp

memory/3552-2632-0x0000000000240000-0x00000000006F9000-memory.dmp

memory/3552-2633-0x0000000000240000-0x00000000006F9000-memory.dmp

memory/3552-2634-0x0000000000240000-0x00000000006F9000-memory.dmp

memory/3552-2644-0x0000000000240000-0x00000000006F9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-09 23:30

Reported

2024-07-09 23:33

Platform

win11-20240709-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\EBKJDBAAKJ.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\EBKJDBAAKJ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\EBKJDBAAKJ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\EBKJDBAAKJ.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\edfec36487.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\edfec36487.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\edfec36487.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2992 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2496 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\edfec36487.exe
PID 2496 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe
PID 4516 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4664 wrote to memory of 1468 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1468 wrote to memory of 3372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16.exe

"C:\Users\Admin\AppData\Local\Temp\60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\edfec36487.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\edfec36487.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2008 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 25749 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9938a030-0a00-4838-9af0-af2ea030ec8e} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2420 -prefMapHandle 2416 -prefsLen 26669 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {358b37a4-3451-4033-954c-2e1fc7be78a9} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3144 -childID 1 -isForBrowser -prefsHandle 3212 -prefMapHandle 2584 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df511f52-7381-4662-9bb1-c17d58b2ef27} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3988 -childID 2 -isForBrowser -prefsHandle 3980 -prefMapHandle 3976 -prefsLen 31159 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a51563ad-b248-4a75-9627-7e46078428f3} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4864 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4900 -prefMapHandle 4896 -prefsLen 31159 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19b6d6da-a322-49a0-bfcb-589e389bf9ac} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" utility

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EBKJDBAAKJ.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IJJKKJJDAA.exe"

C:\Users\Admin\AppData\Local\Temp\EBKJDBAAKJ.exe

"C:\Users\Admin\AppData\Local\Temp\EBKJDBAAKJ.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5516 -childID 3 -isForBrowser -prefsHandle 5508 -prefMapHandle 5504 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f428fee-d46f-4a37-af77-d355bdf63234} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5648 -childID 4 -isForBrowser -prefsHandle 5656 -prefMapHandle 5660 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c93c4726-5cc2-4c69-a2ca-c624ec28d0cd} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5840 -childID 5 -isForBrowser -prefsHandle 5848 -prefMapHandle 5852 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b929eebd-1ec8-4b7e-90ab-a95d2b43ce98} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" tab

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
GB 172.217.169.46:443 youtube-ui.l.google.com tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
GB 172.217.169.46:443 youtube-ui.l.google.com udp
US 44.242.121.21:443 shavar.prod.mozaws.net tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
GB 216.58.201.110:443 consent.youtube.com tcp
GB 216.58.201.110:443 consent.youtube.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
RU 77.91.77.81:80 77.91.77.81 tcp
N/A 127.0.0.1:49884 tcp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
N/A 127.0.0.1:49896 tcp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
GB 142.250.200.14:443 redirector.gvt1.com tcp
GB 142.250.200.14:443 redirector.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com tcp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
GB 142.250.200.46:443 play.google.com tcp
GB 142.250.200.46:443 play.google.com udp
GB 216.58.201.110:443 consent.youtube.com udp

Files

memory/2992-0-0x0000000000D90000-0x0000000001249000-memory.dmp

memory/2992-1-0x0000000077106000-0x0000000077108000-memory.dmp

memory/2992-2-0x0000000000D91000-0x0000000000DBF000-memory.dmp

memory/2992-3-0x0000000000D90000-0x0000000001249000-memory.dmp

memory/2992-4-0x0000000000D90000-0x0000000001249000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 e8dd22ee36d1c52d657cf17d1cb7d3ef
SHA1 173c7859c41f254327d08351f17569b2ee6b9e00
SHA256 60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16
SHA512 37636a17778b5bf2d531e20f05601541e6ac4a4e0e973149bd2e4fb08324077dfbab5c1c848b81895f2e657113c5290604ffe6c59e783a3c443827a53e837fd9

memory/2992-17-0x0000000000D90000-0x0000000001249000-memory.dmp

memory/2496-18-0x0000000000650000-0x0000000000B09000-memory.dmp

memory/2496-19-0x0000000000651000-0x000000000067F000-memory.dmp

memory/2496-20-0x0000000000650000-0x0000000000B09000-memory.dmp

memory/2496-21-0x0000000000650000-0x0000000000B09000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\edfec36487.exe

MD5 1552573045f153aa7269a30d3a1dd151
SHA1 d07f6a1ffcc0bd98a80ba1d5574425a2bd1d3d23
SHA256 d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d
SHA512 8301e552f8d1019bfc9e85d6249e329b767b95b7092d537129665d96ba62427b7a806c97b97ce0f314cd34a7675852b3f553519b03304bd12831eafeac446460

memory/920-37-0x0000000000D00000-0x00000000018ED000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000010001\c2c1fb8bdd.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

memory/920-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\prefs.js

MD5 ba06539b4c5c657d053f61aa25a16a82
SHA1 ac7f6ce677602dcc48ad9e2e1e848787b2de2cb9
SHA256 77cd110ae39d8298ff4b6fe54a45eb5e6bb631b94b6b31b1ff283567c95f4c30
SHA512 82bab10bf1a717137e852156a3707b0a6d2519fb90c1539afde9b64fef6ecba29a4ca202ec2028079a6d7c5cc07d21838dc3ac2a45d04033951a1df77b0fcb88

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\activity-stream.discovery_stream.json.tmp

MD5 e2f10c15c8c932c06f2d8d4bdd995135
SHA1 e1bf0f607ede730ee9421ad7b87c12352e1d0cd1
SHA256 2fe0b7a85c08200abc3d7b0ee8b502d5c46868ddf517a5d0aee09554dc22850d
SHA512 894e420c6ba12cf105ed93fa99402952ca567f98d9519049c0bc7faf483dde04ff5d2022a080ff9513b2e200a10474b086dbc5567cb54b2d17b5c057fa6b9fef

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\datareporting\glean\pending_pings\0c2675e5-4d9d-4cc5-9414-07395c9f006c

MD5 82889b9535d91c600d26f6ea12d7b0f5
SHA1 f5dfc3dfea742ef77ae40654e6ad145e49e4cf74
SHA256 4d8e96d73fafc44ca4457edc4dc847f12fcb38a768377acfda23a31ad5ce7d5e
SHA512 defaf572bfc7bdae29c45765325dfdc120de577f64c6dced001e5e1fd033c3f7dace437abf0cdde0ca56ffd4f1645671da82bb72c9b10f05a316d9becdb792c4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\datareporting\glean\db\data.safe.tmp

MD5 403023f2d9f27d21d7d2dda6691b601d
SHA1 eee20cf2365d9f3f57f5e31f8ba6a8f02c6d2c9e
SHA256 c6ad99d6fee14fbc1732d2e3f574163f904b22d67065e330a864609e5069c89b
SHA512 1382eca88958d92378776f028726b6dfc9af7cff62ce6d71a3328d6c174dcea6adab638b01e71074908b2678cbe968590af5703925ed401e459b612d7dccd273

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\datareporting\glean\pending_pings\8dfe2ffa-22bf-492a-b3ce-711ee73f3d48

MD5 9d83a68d54753ff368aaa6f62c48701c
SHA1 323179e851b0d09b2d1334fbd8fd79de4d647cb2
SHA256 1c79eeb8767d9830e3cf36faffdebc5503db94e03a16f8f019f1e3b398dc8e21
SHA512 61bb774060796c14f9c4885ff035312b029d65e8cbe11adcd9801769fd99a836154dda1d5686dc52ff32e9d93852f7ea532e92f23990fcc98606e7632dd32ae7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\datareporting\glean\db\data.safe.tmp

MD5 d52c0ca1555f902ba028d7f410aa1b93
SHA1 102c2d4d525ad6df606e2c150360c3f155992a4c
SHA256 27de1f14b4fd397758a3cfd4f2e88148955d5ad4bae87a4f1033a8f1ca3f62bb
SHA512 18b3cc39ddde7abedfa6edb8367ebea785a73c8444d53398884aee6ec54b2d6cf07d50e9b7502491b692907f6996f46a3a977816582e0238a09c290e790b6376

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\AlternateServices.bin

MD5 b6c4268ee620247d5ece984fe1f87212
SHA1 3e7fb7167f7d4b9c3ac3620f722ad9636a0ade3a
SHA256 0daf9d5a3cabcbf604d3b3a363c437f0b3b396968f1c32222f62f378398204c1
SHA512 62a18b618368874c56ecd8e76a9fbde2eb718f40a66f0a80e00477b5e79e57c300cf375216a48e95a29986ee4ef392a3e81595fbd5528549155cddcfe033a190

memory/920-441-0x0000000000D00000-0x00000000018ED000-memory.dmp

memory/2496-444-0x0000000000650000-0x0000000000B09000-memory.dmp

memory/2144-446-0x0000000000C60000-0x0000000001119000-memory.dmp

memory/2144-452-0x0000000000C60000-0x0000000001119000-memory.dmp

memory/2496-461-0x0000000000650000-0x0000000000B09000-memory.dmp

memory/2496-470-0x0000000000650000-0x0000000000B09000-memory.dmp

memory/5128-473-0x0000000000650000-0x0000000000B09000-memory.dmp

memory/2496-472-0x0000000000650000-0x0000000000B09000-memory.dmp

memory/5128-474-0x0000000000650000-0x0000000000B09000-memory.dmp

memory/2496-479-0x0000000000650000-0x0000000000B09000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\datareporting\glean\db\data.safe.tmp

MD5 50eef9f7b5b546778706ffff3be449cb
SHA1 8a27e4fc1afc18994bc4f1826d869eec1f8ccb2a
SHA256 8601f7a6545423ead04c66ff85717923a5d7449817815a97ad4ccf599276364b
SHA512 52e98cc359589d1f2c9915409584933c9ac5f32206cacebc2f7951f2d7a5c7cb3871e5cdd7b546d3f88e37015d00b19ff597dfe02f03d54473876f01d1d11efe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\prefs.js

MD5 1bca07734aa2ce2a569ceff469ab1a02
SHA1 fc83896f57bbcce4e22a7cfddfc73591db36ade7
SHA256 16f319e4d357b47798496315d74f39816c78aefd393b7cb5767a127c83dde04a
SHA512 f2444083be70502a50fc34391eaa540d7d905981cb8a5767825e9ba5442abae7d63a6017346170a005a986148d10b104fdad48b3c5ed362c72521ec9996f8544

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 65fb7fa135c6bd1431ed4fc01d67a89c
SHA1 efc730889cdb80fe76d6e0034f6fe0c59336bbda
SHA256 80bcec3620584cf3a0d78105537b711dc3a1ec346f8f592c64e8992c3e0004d5
SHA512 f4a01ed9c33bf86b717ce03061b78143219d9bffaa0f2f172cf4347c3c1ba6b2ce507248ce4802bd89aa251c2eacf3e0cccf5389adfaf1ab0585722e6619d64e

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\prefs-1.js

MD5 d691c27a85500ccd8ca6b33d2b7ff857
SHA1 c9f85af378974bbcaae0f73823764475dfa60223
SHA256 711fe63acc3b4f2846f6006b9c7e9ec8347f4bfc816c43c413a7649a91df3e76
SHA512 d6dac8c0535a96e0bc450a381d1aab73b8d92788a947ea0b5ab4e5b3943fe245b6234598c3d12433d2ca6867742e789c07c8f0ecb32698d67761becea4ca1df7

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\prefs-1.js

MD5 51f4a45eeab6ac6165aa9e0cd74995da
SHA1 7a2e6a62a41d8186969934dd432a1e1f78c35254
SHA256 090dd4f9a22a66cbe92b14ef1295597e299171060087c6bf05dd81740d410d79
SHA512 7f49a5937cada401b4226be11e24777ed32322e93cd5ecbec290ac21559e3322accd7d09e6d288c762d56a50071940789b7aa03b9950a0ced4378bf072848d71

memory/2496-867-0x0000000000650000-0x0000000000B09000-memory.dmp

memory/2496-2442-0x0000000000650000-0x0000000000B09000-memory.dmp

memory/2496-2616-0x0000000000650000-0x0000000000B09000-memory.dmp

memory/2496-2622-0x0000000000650000-0x0000000000B09000-memory.dmp

memory/2496-2624-0x0000000000650000-0x0000000000B09000-memory.dmp

memory/5300-2626-0x0000000000650000-0x0000000000B09000-memory.dmp

memory/5300-2627-0x0000000000650000-0x0000000000B09000-memory.dmp

memory/2496-2628-0x0000000000650000-0x0000000000B09000-memory.dmp

memory/2496-2629-0x0000000000650000-0x0000000000B09000-memory.dmp

memory/2496-2630-0x0000000000650000-0x0000000000B09000-memory.dmp

memory/2496-2631-0x0000000000650000-0x0000000000B09000-memory.dmp

memory/2496-2632-0x0000000000650000-0x0000000000B09000-memory.dmp

memory/2496-2642-0x0000000000650000-0x0000000000B09000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 3d68be3ff8ae67c5b2147cdf10c1d84b
SHA1 9abd530ba57591e752f370b244bffe95d864fab2
SHA256 e670560296594424e6873e24c80eca720eab6cef4e3d4f34706821a1a21bdef2
SHA512 f39ca90ec867756e36d1a767123520224d3ae8964045630aa9095db2d43f7f21d3a4d13dc940ab87c82a861e5d31596202d93a9d5552e487f8e2cb2d6ad15f5f

memory/3744-2644-0x0000000000650000-0x0000000000B09000-memory.dmp