Malware Analysis Report

2024-11-13 16:45

Sample ID 240710-a6ybzsxhlf
Target f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d
SHA256 f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d
Tags
amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d

Threat Level: Known bad

The file f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d hate discovery evasion spyware stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Loads dropped DLL

Checks BIOS information in registry

Executes dropped EXE

Checks computer location settings

Identifies Wine through registry keys

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Analysis: static1

Detonation Overview

Reported 2024-07-10 00:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-07-10 00:50
Reported 2024-07-10 00:52
Platform win10v2004-20240709-en
Max time kernel 149s
Max time network 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\AFHDAKJKFC.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\AFHDAKJKFC.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\AFHDAKJKFC.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000010001\7f0b21aa28.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000006001\76d58db15f.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\AFHDAKJKFC.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
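The four evasion and discovery tables above share one row layout (Description Indicator Process Target). The script below is an added example, not part of the sandbox output: it parses rows in that layout and maps each registry path to the technique it serves, so the per-process picture is visible at a glance. explorti.exe and AFHDAKJKFC.exe probe for the VirtualBox ACPI table, the Wine key and BIOS version strings, while firefox.exe only reads the CPU descriptor (from the "Checks processor information" table further down), which is ordinary application behaviour; the same key read by a file dropped into Temp is not. The sample rows are copied from this report. The rule table that labels each key, and the assumption that a case-insensitive substring match on the key path is enough to classify it, are the editor's.

```python
"""Classify registry events from the sandbox indicator tables in this report.

Added example, not sandbox output. Sample rows are copied from the report;
the RULES mapping of key paths to technique labels is the editor's.
"""
import re
from collections import defaultdict

# Rows copied from the VirtualBox, BIOS, Geo\Nation, Wine and CPU tables.
SAMPLE_ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\AFHDAKJKFC.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\AFHDAKJKFC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
"""

# Description column values used in the report's tables.
DESCRIPTIONS = ("Key value queried", "Key opened", "Key created", "File created")

# Indicator paths may contain spaces ("Control Panel", "Program Files"), so the
# row is split on the fixed anchors instead: the description, then a process
# image that ends in .exe, then a target that is N/A or another path.
ROW_RE = re.compile(
    r"^(?P<desc>" + "|".join(map(re.escape, DESCRIPTIONS)) + r")\s+"
    r"(?P<indicator>\S.*?)\s+"
    r"(?P<process>C:\\.*?\.exe)\s+"
    r"(?P<target>N/A|C:\\.*)$"
)

# Editor's rule table (assumption): lower-cased substring of the key path -> label.
RULES = (
    (r"\hardware\acpi\dsdt\vbox__", "anti-VM: VirtualBox ACPI DSDT table"),
    (r"\software\wine", "anti-emulation: Wine registry key"),
    (r"\system\systembiosversion", "VM/sandbox fingerprint: BIOS version string"),
    (r"\system\videobiosversion", "VM/sandbox fingerprint: video BIOS string"),
    (r"\control panel\international\geo\nation", "locale check: Geo\\Nation"),
    (r"\system\centralprocessor\0", "hardware fingerprint: CPU descriptor"),
)


def parse_rows(text):
    """Yield one dict per line that matches the indicator-table layout."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield m.groupdict()


def classify(indicator):
    """Return the technique label for a registry path, or None if not in RULES."""
    low = indicator.lower()
    for needle, label in RULES:
        if needle in low:
            return label
    return None


def techniques_by_process(text):
    """Map each process image name to the set of technique labels it triggered."""
    result = defaultdict(set)
    for row in parse_rows(text):
        label = classify(row["indicator"])
        if label:
            image = row["process"].rsplit("\\", 1)[-1]
            result[image].add(label)
    return dict(result)


if __name__ == "__main__":
    for image, labels in sorted(techniques_by_process(SAMPLE_ROWS).items()):
        print(image)
        for label in sorted(labels):
            print("   ", label)
```

Feed it the full tables rather than the excerpt and the output is the per-process evasion profile; any image outside Program Files or System32 that hits the VirtualBox or Wine rule is the one to pull apart first.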

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\76d58db15f.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\76d58db15f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Identical consecutive rows collapsed; Count is the number of repeated events.
Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A 5

Suspicious use of FindShellTrayWindow

Identical consecutive rows collapsed; Count is the number of repeated events. The sandbox listed exactly 64 events for each of the three largest signatures in this report (FindShellTrayWindow, SendNotifyMessage, WriteProcessMemory), so it appears to cap the listing at 64 and these counts are lower bounds.
Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d.exe N/A 1
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7f0b21aa28.exe N/A 8
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A 21
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7f0b21aa28.exe N/A 34

Suspicious use of SendNotifyMessage

Identical consecutive rows collapsed; Count is the number of repeated events.
Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7f0b21aa28.exe N/A 8
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A 20
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7f0b21aa28.exe N/A 36

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\76d58db15f.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Identical consecutive rows collapsed; Count is the number of repeated events.
Description Indicator Process Target Count
PID 3944 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe 3
PID 2264 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\76d58db15f.exe 3
PID 2264 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\7f0b21aa28.exe 3
PID 3712 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7f0b21aa28.exe C:\Program Files\Mozilla Firefox\firefox.exe 2
PID 3940 wrote to memory of 3988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 11
PID 3988 wrote to memory of 1708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 42
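The rows above record which PID wrote into which PID's memory. Read as edges they give the launch chain: the sample (3944) starts explorti.exe (2264), which starts 76d58db15f.exe (2260) and 7f0b21aa28.exe (3712); 3712 launches firefox.exe (3940), and the remaining rows are Firefox spawning its own content processes. The script below is an added example, not sandbox output: it deduplicates the rows into distinct (source, target) pairs, rebuilds the tree and flags images executed from the Temp drop directory. One assumption is stated in the code: a parent writing into a child it has just created (normal CreateProcess set-up) and a genuine cross-process injection both produce a "wrote to memory of" row, so the chain should be confirmed against the Processes list that follows rather than taken as proof of injection.

```python
"""Rebuild the process chain from "PID X wrote to memory of Y" rows.

Added example, not sandbox output. The rows below are copied from the
WriteProcessMemory table in this report (the duplicate first row is kept to
show that deduplication works). Assumption: each write is the parent setting
up a child it just created, so the pairs double as a parent/child map.
"""
import re
from collections import defaultdict

SAMPLE_ROWS = r"""
PID 3944 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 3944 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2264 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\76d58db15f.exe
PID 2264 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\7f0b21aa28.exe
PID 3712 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7f0b21aa28.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3940 wrote to memory of 3988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3988 wrote to memory of 1708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
"""

# The source image is matched lazily up to its first ".exe" so that paths
# containing spaces ("Program Files") still split correctly.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+N/A\s+"
    r"(?P<src_image>C:\\.*?\.exe)\s+(?P<dst_image>C:\\.*\.exe)$"
)

# Directory the payloads were dropped into (from the Processes list in this report).
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\",)


def parse_edges(text):
    """Return {(src_pid, dst_pid): (src_image, dst_image)} with repeats removed."""
    edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            edges[(int(m["src"]), int(m["dst"]))] = (m["src_image"], m["dst_image"])
    return edges


def build_tree(edges):
    """Return (roots, children, images): roots have no incoming edge."""
    children = defaultdict(list)
    images = {}
    for (src, dst), (src_image, dst_image) in edges.items():
        children[src].append(dst)
        images[src] = src_image
        images[dst] = dst_image
    targets = {dst for _, dst in edges}
    roots = sorted(pid for pid in images if pid not in targets)
    return roots, dict(children), images


def is_suspicious_path(image):
    """True when the image was executed from one of the drop directories."""
    low = image.lower()
    return any(d in low for d in SUSPICIOUS_DIRS)


def render(text):
    """Return the chain as indented 'pid image' lines, flagging dropped images."""
    roots, children, images = build_tree(parse_edges(text))
    lines = []

    def walk(pid, depth):
        name = images[pid].rsplit("\\", 1)[-1]
        flag = "  <-- run from drop directory" if is_suspicious_path(images[pid]) else ""
        lines.append(f"{'  ' * depth}{pid} {name}{flag}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def depth_of(text, pid):
    """Hops from a root to pid (root = 0), or None if pid is not in the chain."""
    roots, children, _ = build_tree(parse_edges(text))
    todo = [(r, 0) for r in roots]
    while todo:
        cur, d = todo.pop()
        if cur == pid:
            return d
        todo.extend((c, d + 1) for c in children.get(cur, []))
    return None


if __name__ == "__main__":
    print("\n".join(render(SAMPLE_ROWS)))
```

The four flagged nodes (sample, explorti.exe, 76d58db15f.exe, 7f0b21aa28.exe) are the ones the Processes list below shows with their own command lines; the firefox.exe subtree is the browser the last dropper opened on https://www.youtube.com/account.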

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d.exe

"C:\Users\Admin\AppData\Local\Temp\f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\76d58db15f.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\76d58db15f.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\7f0b21aa28.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\7f0b21aa28.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 25757 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f38df7fb-df01-411d-b497-c58be6b65405} 3988 "\\.\pipe\gecko-crash-server-pipe.3988" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 26677 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93693ae8-850a-4053-9969-e062dd29324e} 3988 "\\.\pipe\gecko-crash-server-pipe.3988" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3012 -childID 1 -isForBrowser -prefsHandle 3004 -prefMapHandle 3000 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc1cdaa0-b3c5-4441-bafb-50086098da88} 3988 "\\.\pipe\gecko-crash-server-pipe.3988" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3684 -childID 2 -isForBrowser -prefsHandle 2992 -prefMapHandle 3672 -prefsLen 31167 -prefMapSize 244658 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {548c8703-d7c7-4140-8f92-fde0518adaeb} 3988 "\\.\pipe\gecko-crash-server-pipe.3988" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4872 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4836 -prefMapHandle 4828 -prefsLen 31272 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28bd9b4d-6577-4b0a-932d-11d3ebcefde1} 3988 "\\.\pipe\gecko-crash-server-pipe.3988" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5404 -childID 3 -isForBrowser -prefsHandle 5396 -prefMapHandle 5392 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7c17736-4aeb-4df3-b51b-196b0b4aa502} 3988 "\\.\pipe\gecko-crash-server-pipe.3988" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5540 -childID 4 -isForBrowser -prefsHandle 5620 -prefMapHandle 5616 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {233260d2-b7ac-456a-badf-9e593764bbe9} 3988 "\\.\pipe\gecko-crash-server-pipe.3988" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5732 -childID 5 -isForBrowser -prefsHandle 5812 -prefMapHandle 5808 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {618d5df9-f719-45e8-9e38-d32b7f3b7dad} 3988 "\\.\pipe\gecko-crash-server-pipe.3988" tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AFHDAKJKFC.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JDBGDHIIDA.exe"

C:\Users\Admin\AppData\Local\Temp\AFHDAKJKFC.exe

"C:\Users\Admin\AppData\Local\Temp\AFHDAKJKFC.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 00:50

Reported

2024-07-10 00:52

Platform

win11-20240709-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ECBAEBGHDA.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ECBAEBGHDA.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ECBAEBGHDA.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ECBAEBGHDA.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\bce405c08f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\bce405c08f.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\952b3d79e9.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\952b3d79e9.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\952b3d79e9.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\bce405c08f.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2340 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1176 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\bce405c08f.exe
PID 1176 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\952b3d79e9.exe
PID 864 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\952b3d79e9.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4968 wrote to memory of 3548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3548 wrote to memory of 2296 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d.exe

"C:\Users\Admin\AppData\Local\Temp\f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\bce405c08f.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\bce405c08f.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\952b3d79e9.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\952b3d79e9.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 25749 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ad1f3b5-d5c9-488a-a3c1-810786fc5219} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2376 -parentBuildID 20240401114208 -prefsHandle 2268 -prefMapHandle 2280 -prefsLen 26669 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ce26c80-affc-4b4a-8780-3eb31579ee20} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3304 -childID 1 -isForBrowser -prefsHandle 3296 -prefMapHandle 2708 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f06c22a-59b8-4fa5-a31a-ca20f9e36fb7} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3972 -childID 2 -isForBrowser -prefsHandle 3496 -prefMapHandle 3020 -prefsLen 31159 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c0d5723-7aee-4d9f-ac96-964899a41d9b} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4732 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4744 -prefMapHandle 4740 -prefsLen 31159 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df0fbae2-a6a4-49e0-90c0-90b8c7d1172a} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" utility

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ECBAEBGHDA.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HCGCBFHCFC.exe"

C:\Users\Admin\AppData\Local\Temp\ECBAEBGHDA.exe

"C:\Users\Admin\AppData\Local\Temp\ECBAEBGHDA.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5436 -childID 3 -isForBrowser -prefsHandle 5392 -prefMapHandle 5400 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6667ba7-5919-4e66-b490-a59436d4afa2} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5556 -childID 4 -isForBrowser -prefsHandle 5564 -prefMapHandle 5568 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42795587-9478-4c34-8d57-8cc17edcbc78} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5772 -childID 5 -isForBrowser -prefsHandle 5848 -prefMapHandle 5844 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab849510-396a-45c3-8d1c-fd642ce8fee6} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" tab

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
GB 142.250.187.206:443 youtube-ui.l.google.com tcp
GB 142.250.187.206:443 youtube-ui.l.google.com tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
GB 142.250.187.206:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 52.33.222.107:443 shavar.prod.mozaws.net tcp
GB 216.58.201.110:443 consent.youtube.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
GB 216.58.201.110:443 consent.youtube.com udp
US 34.107.243.93:443 push.services.mozilla.com tcp
US 34.107.243.93:443 push.services.mozilla.com tcp
RU 77.91.77.81:80 77.91.77.81 tcp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
N/A 127.0.0.1:49831 tcp
N/A 127.0.0.1:49855 tcp
US 35.244.181.201:443 prod.balrog.prod.cloudops.mozgcp.net tcp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
GB 142.250.200.14:443 redirector.gvt1.com tcp
GB 142.250.200.14:443 redirector.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
GB 142.250.200.46:443 play.google.com tcp
GB 142.250.200.46:443 play.google.com udp
GB 216.58.201.110:443 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com udp

Files

memory/2340-0-0x00000000003F0000-0x00000000008C7000-memory.dmp

memory/2340-1-0x0000000077666000-0x0000000077668000-memory.dmp

memory/2340-2-0x00000000003F1000-0x000000000041F000-memory.dmp

memory/2340-3-0x00000000003F0000-0x00000000008C7000-memory.dmp

memory/2340-4-0x00000000003F0000-0x00000000008C7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 a7ae46b0e7a0e279a3ac3151958fef99
SHA1 7d3d8c2c1dea8b585f58bab81c9fa86afc7576fe
SHA256 f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d
SHA512 48e59e2c32fd089a4cfcbbea546c936a004a1329bf908c4f8c2f22438d5c787416b3bd497072c4d450decabdd329b3c5ceb60f8fbd1f1531f4bc82be33e85107

memory/1176-16-0x0000000000730000-0x0000000000C07000-memory.dmp

memory/2340-18-0x00000000003F0000-0x00000000008C7000-memory.dmp

memory/1176-19-0x0000000000731000-0x000000000075F000-memory.dmp

memory/1176-20-0x0000000000730000-0x0000000000C07000-memory.dmp

memory/1176-21-0x0000000000730000-0x0000000000C07000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\bce405c08f.exe

MD5 1552573045f153aa7269a30d3a1dd151
SHA1 d07f6a1ffcc0bd98a80ba1d5574425a2bd1d3d23
SHA256 d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d
SHA512 8301e552f8d1019bfc9e85d6249e329b767b95b7092d537129665d96ba62427b7a806c97b97ce0f314cd34a7675852b3f553519b03304bd12831eafeac446460

memory/2772-37-0x0000000000BE0000-0x00000000017CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000010001\952b3d79e9.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

memory/2772-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

memory/1176-125-0x0000000000730000-0x0000000000C07000-memory.dmp

C:\ProgramData\JKKEHJDHJKFIECAAKFIJ

MD5 c7aad42d86f8c85251624b52f888a8fe
SHA1 3eb9736275f2552002785660b21b2a8f44f42013
SHA256 a59fb9f7722f47b3d52e3098ccf0f5e34bb9fe1beb53c33e5d795c0401ee0b66
SHA512 8514bce2c9df4847c298ba6c0fd1d0028988639a21750b8363979b018290c32d3b6c46a775314e1d787639f661f4d36b1f32717d19eec65394a491f139c223ee

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\activity-stream.discovery_stream.json.tmp

MD5 343ff8afb6b0edb35ff4e931ce4dbf19
SHA1 3bba53433d27e413e72a189dbf3455d1676803ca
SHA256 41043552f9ac78ccaaf085ad353a07c30fae17d703e3380e0b73f4e86ba1eb16
SHA512 5717f4bae8659c74091e94c70e348559a2da0c5956db98e4c0a9fcdaf7b9c93d81199a1e769c5f9c4fe2cc11da1b47bc3b922bf59e712ed29dd971e9893c79c9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

MD5 d0ecc203e39e52a908077f22c8ff1122
SHA1 8caea3890d76846523cde06caea1c5fc6a11b5e2
SHA256 b25e5f540beceeff23887476e62318cbbb4831b06714e5060bff02e9f1c493b0
SHA512 400f26cd3075044efb69d9c5cf41f6dca7c4db8a5877b3e1fc4dcbff4718ea5ddb92c05932728143a7dbc9a8081f997235af6bf67160f62246ac24b54321e302

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\pending_pings\efd99782-0bcf-4bba-82f8-4b4a618fa92c

MD5 99e4ea723c0cfba15bf335985311e180
SHA1 1b8628a94144b176055422609bad586d4df7e24e
SHA256 99a29cb57d318afb862fd984d471323091acb7c9a87f6675591d9037cb5c1218
SHA512 6184cce43a6cfb269ca66cc1a2e1978ceac7678247d1334206869bf150d5c4920e67513da4ef5b6ba43e01bdd2960236edfd8b83f1da5674c24ea23bdc623c33

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\AlternateServices.bin

MD5 450d56e5076cc8e531708e0b93bf2914
SHA1 fc60ce3227b9de55a4abaf21a5bdbd83b56cba97
SHA256 b7344450d9fadf25a106a6b47b4cbdf59ff32464153730333f15cf0820020b6c
SHA512 fcb4c3a000f512a5595cdf670ec89823072f0741690044541abaa2be6134ab4e7484c0af49776ff18972c0d41ffb2ca7da92014bcd1224e0dd9da64eadb88af1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

MD5 ea9448513163dac3dde627b2a6ef37e6
SHA1 b17e12a72e678407c12285c4bbedbd0b89efa2db
SHA256 c4fdb98e0543b9c99b9fc06c65105bb3c16e9ca27db079b2ee5dd3b16702a680
SHA512 8f0e27eec54892251baa47122b7a0df94e60b59ab956ec9c72bd17e240cd45e80d264392ea63c953c10616b8707cc647547b3c62c53642f5012a9e91ac7cf594

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\pending_pings\16e5bc92-2eca-4468-922e-a755e37790b2

MD5 530691ab7e593e5cc5cfa2c01fe70bb9
SHA1 d323f452f082958a5d68211bb311b44e7a49e966
SHA256 7e53631c3cfa73a5e36f4741383418ac7c3eecf973cc813347147f0654a98857
SHA512 53d52136cc73039d79e2e3857f709ab0c5709bc60a77626140e7b49dc746364da506858cb9c13705f4d9479f2d6f6d0ad39e115bbb45b115614d72cdfe3de078

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

MD5 46676a3f9edc989d26482c82727ca638
SHA1 4b23436ce2fdca479ee8842d87728993d5dc022c
SHA256 216319d8aa5fa0a315b246d4ed704033d04c3cac37202d9bcd17cf3eec9f4e95
SHA512 f7a29eed9745beec744bf064350c5846a124745bc7fa09df0c7adf71cc18c7f654b826815e402c3db469218819865a5b82dc842b0bf6548c0e99ce48d0d7ca50

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\AlternateServices.bin

MD5 577d0754e8d7aa0af20551db8e9a4cf1
SHA1 114d37d850fe8e58f6a2edc2075f9bff30ac3416
SHA256 408b422312d9c50cf3b59e23354c8a34282be4e3361383776e3657b11e7234ff
SHA512 eb5c48d915e2bc5d45a2eb43e9cbafd7383843013192397e0dfc009b735dd82b0154859cae2b1bc87d570f5219f16e32dcae3f2941a3f03656fb009a8213b5b3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\prefs.js

MD5 fdd95b839d2a9d2f3ed7908cd6cacece
SHA1 2f69a49a80ef6b996dc7c686b55f226776104f5b
SHA256 66de6be15ab07bd77f70ae4128107f9cebf46923b8fab5f41cccf7c135f838be
SHA512 aab37b11ef1339e96745d9e1907b4474591182ffe5f6a350142705a8398c30d83a4b0c7b66464c87245da4a52a10a8cbf79bac924c61c913016e825fb54edb8f

memory/2772-440-0x0000000000BE0000-0x00000000017CD000-memory.dmp

memory/1104-444-0x0000000000B40000-0x0000000001017000-memory.dmp

memory/1104-453-0x0000000000B40000-0x0000000001017000-memory.dmp

memory/1176-462-0x0000000000730000-0x0000000000C07000-memory.dmp

memory/1176-463-0x0000000000730000-0x0000000000C07000-memory.dmp

memory/1176-470-0x0000000000730000-0x0000000000C07000-memory.dmp

memory/1176-471-0x0000000000730000-0x0000000000C07000-memory.dmp

memory/1176-476-0x0000000000730000-0x0000000000C07000-memory.dmp

memory/2464-478-0x0000000000730000-0x0000000000C07000-memory.dmp

memory/2464-479-0x0000000000730000-0x0000000000C07000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

MD5 00bcfba0bb027aba51fc4acbce721eea
SHA1 ce4fb837eca71a843dd5e743c251686023955b49
SHA256 ce6c46a6094ec592a4d97c33cec2381e6386e510e5d702e97cc72f3d0ff3f56e
SHA512 2e0f8b6d15bcb101932346e6890a0b823482d297fd308d2bd437dc3682212ef6c90f5973fdcc1f736dec08dbcdf60e1536c0d5169e3ed2ba1b4d9ed89a6d47c9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\prefs.js

MD5 835e683bf81ba5c7082eb4b26f25ba62
SHA1 72a33ed304de324402a78e354d8d6279730aa590
SHA256 34347ffaf545e0ab8d0b4a17f9ac249ab24d50872d8cee07924ec5b3e2cd4e07
SHA512 3d1cd0ba6392fc0088fe1314fd988065a10fbe7564287189eead3e95a770cc6bbc724afae4a7bb12eaffef7368f638642d4e50e5b8ec6bfffd7297532c756450

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 e2e4452381ba17ec22516615cb296e5e
SHA1 89abcaf95aaf2219e38bc2751fed76336c3587ec
SHA256 f79bac29b1aff3ab4e531e2697b3a30761f24e26faa7e0724f7d934eab5ff7a9
SHA512 834895faf50bc246339052907cca22fde612465ef0fe16db94366133ac602040527739bf55c232a228b4a6e7cc3f4b33834207fdbfa0c805279309e2794ff979

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\prefs-1.js

MD5 15ad8dcbe49c8c95de77c855e2096e0d
SHA1 1b8e2af06581d35a7ecf8532a58d0b4e320807a0
SHA256 66c97fce672dbca4bf7726a8531cfb0b82e2e736ef5eef060ee24a5b4c168b1d
SHA512 93b10f5713c765991acef87516c6ef31363666d794cf72d6c7138ecc583e005393d43d73b6b47b5cbd81cd8cc74b8451a130bb6369bd574878d9060e4803ca69

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 cc7cda12ccfc5015404466898145f1c4
SHA1 6023572655dab656ed907d53b694e9f992aeb132
SHA256 0a55759d366944e6ea1c39778a7706dc5778145b0361b5d7b9f2afd4cb06ce4c
SHA512 f3b6767886b8be9d37fb54f037548f34d79ab15ba86726269f7d49cb5b0b11c58db637e492f2a54f9dc522aba47a9df1c75448ca5f906399d4f9ae707403f18f

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 499c5fe4074e88d5543d676715dcf475
SHA1 fb1d47b43625b378ef3fc3dc6dd6b0e5f4dde0c5
SHA256 93f810d97611165dc170ae3284fb230a2f70f55aa9ce385f8383c96e3d63d3ea
SHA512 45c1d561c6b322819901e9f28792d6e09fbcde1b3c726a50ca3f85f72523ccd6134f99fe49f6d5119ea4ca7dcc4919e2e8379e6e08bee0ea889c0c335bec4955

memory/1176-788-0x0000000000730000-0x0000000000C07000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\prefs-1.js

MD5 dcc047d517ba2e13fcc526fe4cbafc0d
SHA1 d04b8bfc484c2b62ac5258b4446a2aa3a9dd2716
SHA256 8f92df11cd758ce27d22a9b692dbdde5eed828ad2bc53f4ccb71c1088c23601f
SHA512 6b0e5e8a1899df9dea637715257e47bb89a50ec8395da8eecf755fa008c76b6a9faa08589fb44a17eeaa967c92aee8687d226e0ac2cec2874621113c830d726c

memory/1176-2007-0x0000000000730000-0x0000000000C07000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 22d2951e73aaa550a7f572456228a2a5
SHA1 4aa8b18660ff0e12515a33fe83fffd2d4fcd6ee0
SHA256 c7336961385b333017bd8d3136aadb05a1304e23c906a5d2ddd1f1ca0ddc3c65
SHA512 ca53c2547dd69f3340dd96f69c400dc6e721fb747b73ba190c1a49a97055c592f06c16c9b152fa47f1c10733ce826791f2b278e35cef3c06fb78d27955034f7e

memory/1176-2700-0x0000000000730000-0x0000000000C07000-memory.dmp

memory/1176-2704-0x0000000000730000-0x0000000000C07000-memory.dmp

memory/1176-2708-0x0000000000730000-0x0000000000C07000-memory.dmp

memory/1176-2709-0x0000000000730000-0x0000000000C07000-memory.dmp

memory/4812-2711-0x0000000000730000-0x0000000000C07000-memory.dmp

memory/4812-2712-0x0000000000730000-0x0000000000C07000-memory.dmp

memory/1176-2713-0x0000000000730000-0x0000000000C07000-memory.dmp

memory/1176-2714-0x0000000000730000-0x0000000000C07000-memory.dmp

memory/1176-2715-0x0000000000730000-0x0000000000C07000-memory.dmp

memory/1176-2721-0x0000000000730000-0x0000000000C07000-memory.dmp

memory/1176-2726-0x0000000000730000-0x0000000000C07000-memory.dmp