Malware Analysis Report

2024-11-13 16:45

Sample ID: 240710-dpf8xsvfld
Target: e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c
SHA256: e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c
Tags: amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c

Threat Level: Known bad

The file e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d hate discovery evasion spyware stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Reads data files stored by FTP clients

Checks computer location settings

Checks BIOS information in registry

Reads user/profile data of web browsers

Identifies Wine through registry keys

Loads dropped DLL

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-10 03:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-10 03:10

Reported: 2024-07-10 03:13

Platform: win10v2004-20240709-en

Max time kernel: 150s

Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\JKFHIIEHIE.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\JKFHIIEHIE.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\JKFHIIEHIE.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000006001\cec5fcd6fe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\JKFHIIEHIE.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\cec5fcd6fe.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\cec5fcd6fe.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\cec5fcd6fe.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2028 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2028 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2028 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2568 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\cec5fcd6fe.exe
PID 2568 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\cec5fcd6fe.exe
PID 2568 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\cec5fcd6fe.exe
PID 2568 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe
PID 2568 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe
PID 2568 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe
PID 2332 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2332 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5004 wrote to memory of 840 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5004 wrote to memory of 840 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5004 wrote to memory of 840 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5004 wrote to memory of 840 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5004 wrote to memory of 840 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5004 wrote to memory of 840 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5004 wrote to memory of 840 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5004 wrote to memory of 840 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5004 wrote to memory of 840 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5004 wrote to memory of 840 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5004 wrote to memory of 840 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 840 wrote to memory of 4608 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe

"C:\Users\Admin\AppData\Local\Temp\e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\cec5fcd6fe.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\cec5fcd6fe.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 25757 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c5ef2af-20c3-41a2-8032-1eeddc77ba3a} 840 "\\.\pipe\gecko-crash-server-pipe.840" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -parentBuildID 20240401114208 -prefsHandle 2316 -prefMapHandle 2324 -prefsLen 26677 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68a87c7f-f8cb-4da4-9c5d-bd1c9ff2309a} 840 "\\.\pipe\gecko-crash-server-pipe.840" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2820 -childID 1 -isForBrowser -prefsHandle 3036 -prefMapHandle 3056 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc809f1f-b2e7-46a8-a5e4-5413eddcd744} 840 "\\.\pipe\gecko-crash-server-pipe.840" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2756 -childID 2 -isForBrowser -prefsHandle 3936 -prefMapHandle 3932 -prefsLen 31167 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3d46038-dde9-4a00-8023-978cb753dda9} 840 "\\.\pipe\gecko-crash-server-pipe.840" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4784 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4756 -prefMapHandle 4760 -prefsLen 31167 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {06b69595-d71d-4535-b038-5174a8c293f5} 840 "\\.\pipe\gecko-crash-server-pipe.840" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5352 -childID 3 -isForBrowser -prefsHandle 5432 -prefMapHandle 5372 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80afb1a7-9fa3-4139-8f3d-5bd3aeedf223} 840 "\\.\pipe\gecko-crash-server-pipe.840" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5584 -childID 4 -isForBrowser -prefsHandle 5664 -prefMapHandle 5660 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e33d6255-dbed-4a8d-8146-57dc7e140bc8} 840 "\\.\pipe\gecko-crash-server-pipe.840" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5632 -childID 5 -isForBrowser -prefsHandle 5664 -prefMapHandle 5660 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1135f91-2aab-4970-9ed7-d62ff9299543} 840 "\\.\pipe\gecko-crash-server-pipe.840" tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JKFHIIEHIE.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GHIJJEGDBF.exe"

C:\Users\Admin\AppData\Local\Temp\JKFHIIEHIE.exe

"C:\Users\Admin\AppData\Local\Temp\JKFHIIEHIE.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
N/A 127.0.0.1:57900 tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
GB 142.250.200.14:443 www.youtube.com tcp
GB 142.250.200.14:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 52.33.222.107:443 shavar.prod.mozaws.net tcp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 44.238.192.228:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
GB 142.250.200.14:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
N/A 127.0.0.1:57910 tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 228.192.238.44.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com udp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 fb26e404f23d62125f6a4c9a0a62c9e6
SHA1 43d1f2fbb5f8fb0fbd8461741c93446cb08d51e3
SHA256 e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c
SHA512 82c79a30623096e0044a58da9628e59c2a98cadb09c50f60302e04d47a7dabfc64b57efeca2e4c9213568da324d29f15fc38b268ff4b330101d93d0de2ec3bf1

C:\Users\Admin\AppData\Local\Temp\1000006001\cec5fcd6fe.exe

MD5 1552573045f153aa7269a30d3a1dd151
SHA1 d07f6a1ffcc0bd98a80ba1d5574425a2bd1d3d23
SHA256 d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d
SHA512 8301e552f8d1019bfc9e85d6249e329b767b95b7092d537129665d96ba62427b7a806c97b97ce0f314cd34a7675852b3f553519b03304bd12831eafeac446460

C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85t3rifc.default-release\activity-stream.discovery_stream.json.tmp

MD5 8af10e7161db66cefa4f231989e8bcf8
SHA1 a3c30c20166313d48e67d73372125ea75224de9d
SHA256 4a93ca1041e7dc4fa8d6e44500fbbb9af8cce65ea1a5a7fbd5fb8f2c5a8b1203
SHA512 269ab8da3ae0a519a297ae220a8c8e6868fa4fa6e3842e83883efd7450d3c5dca56a59c8f3d3bdba4570630c3cc467452afa928ae2d90738a2b575ffe5c37e4e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\pending_pings\59111c11-92af-4e3d-950c-c8316b425522

MD5 1c962f72cdd1d307669a3a5d5bd53fe1
SHA1 5553c188d838f90262ce121c4417acb4dd6127ce
SHA256 9990baffa169d59b4ebb47c57fd226bb0c8732fd84695a69197964f564dfd517
SHA512 aed87b172a918208868efca50cd15dfb2980a361e7ebabf14aff333b3e180b55c64c04e9b0aceca8b8450eecc608b890496754358a9407fee5cc13202fcf6bb6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\pending_pings\b24007f0-b234-4d67-9c8b-110999955b62

MD5 c8dc05fcc521a1eeb682d2fc13dc9d09
SHA1 f3eaf07f5c8a73989ade78f1578ed2171f00bce9
SHA256 a9355821659c753481cebbfb5ea97643093a73e445497016ff1c6f10ba64c9b0
SHA512 066b2f6b52c57c3b456dd11c25d1e103782df2723cf025f760407f04b51d5667e6d5db64491317769fc4342e9dd1d0213ffb8d4ceddbc6e0d021aa57f0034078

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\db\data.safe.tmp

MD5 e9bd8a7f4aad41c3786fe31d8c891152
SHA1 d20a88cd36d3b1e3ae940c7453f97b64ac45a006
SHA256 3d27ec7d8727873552690aedee2bcde0726b3eb43f5affb49812d46d16de1207
SHA512 859a5dd3af67e73ed046168eed5d7566c4ee654ff7529c040a85c44cb5c8ae65cda789242256fe0d3f249cf7052fb63603dc2c5d31159e9ffea859aa29b99cad

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\db\data.safe.tmp

MD5 04e3e59e973ae5645ff4a4889cd48642
SHA1 8f78fb7025874ef4e422b4c98a71aa5e4b56bfa2
SHA256 126576ff29d414743913df06c6df74d9279f80c3f845fdf4a3c8ae9d892f0361
SHA512 3e61bb08628a38e359e54e3d3823207eee27123e24d38f817d2f4f7600ce605c732225a6c8c73a982b8f667e845047ef5e01a263d111dc5fe2cd2b761f034167

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\AlternateServices.bin

MD5 9744909ca94b93676d3a39e0942c4630
SHA1 b1ce283b978e831e56c9d37a9633701d65371437
SHA256 184aceeb475dbae39d16345304a30901428d09b10eb67fa17c9f8b00551c8775
SHA512 c7a7e13ab0950bb076430849b1b9062ab97ae6e768ba0805e4817a085453289f6a7cab09518eb26d2eb50e2e6a36a980cf9831bceb16e7c6e90223b93dd90d33

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\prefs.js

MD5 a49e8417c52a8d141b8fbe799efc2e87
SHA1 2faf0923f2e8d70248a030d77e58832728dc7315
SHA256 93e57f87593efdc3f1e4627a404168be9182a86634b6ac50577b4f02ef686d9b
SHA512 d889bf61fa408a88d4ea853ca80d9de4c2591fee451e32c05a013ba6ae0b749e5fb2a2b62810a406571b6b32b1fe5d129f64ae9ebcdb1dcc5927cd99c30fb1ca

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\AlternateServices.bin

MD5 0096e87fa1869d8c6c34286e13764041
SHA1 ecb192d49c299593062848a8b8171a75231de67b
SHA256 b782ca5544f959597ee808db0c90dd5f0313964d4a7305bf75907a70f296e92f
SHA512 529d14a4d1a82253f4bf22035afa19fdd17aa88da2d082ae4c3b0df05472a53261fe998e696dd0c81df1205de5fe7d39e3828c418def90f3f22059b037906b79

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\places.sqlite-wal

MD5 369b898fa7d79941e5590ade83d47d71
SHA1 9d0146d1c0210e3688bb442ac3da455557770b61
SHA256 b77529455b46d0d12ad13655d99b639d0286bbf7ef67326a04b365c86e73cc44
SHA512 68938d105234d7b6c07290b289e2ca600bb5d9ac991826fc58da76ea3ad9e6e536b8d9f4cb19854075ed624198017958793ce4b299ee2903379ff29f789562ae

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\db\data.safe.tmp

MD5 9e8bcbcd1eebe611acf339d4b1cfa36a
SHA1 add6f0494764416bd5485da583455340c5dbda98
SHA256 1f979b0ae921ca51d5d20878c8d26c3dbe56f3d28a186ddc37f9377df7989964
SHA512 4a9142a84d16be9947a60cde208aeeef028bd8d7518a38a9bfff1ab314edf0db035cb1367fc868b33f171abcf0af310427f1abe756b9ad9f71760dbd7ed7ad93

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85t3rifc.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 fb209dfb85879e476883fe587f0d9695
SHA1 903bf4fc8f6661885031887cd5fd76228be447ed
SHA256 74a42fbbd36f16078eb6aa6b28bad4379aba5a4c927661fe92f0d5bba2a84a68
SHA512 bd877f275c942b315bc704e78cfed3d56dd490de77b7f6b5b104910cef9169a633164c5860053e6403422bcebe725d3c9e2c8ab454f2a51cd3cd37973f32d3dd

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\prefs-1.js

MD5 3128be3dd927feb42ea42b02b95916e2
SHA1 72446b589f2f7e5438a3baa6c548b9e0264fcf48
SHA256 1f6eca32d86c7bc10096825f1b8c2e1feaecb99e9e03c9b7be1d6ca85f52e01b
SHA512 09feb14369918641a221870c1575db839071ae27a03af53ae2b8f804080ae327fff050d28940b53cb7d794ea8ec8bc4f9d1ad9253ea9bdaf7c3a0195fe8f8eaa

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\prefs-1.js

MD5 31030a2e32d479d0e3f8cd8f5c9600b7
SHA1 ecddbf47d0c5a9a7953dd73cf19b0f3360211e42
SHA256 50e760d68bea699a8821d26e6ff2f88d46cb6ab91d7b77b7bd0103719b9addd3
SHA512 85df0ce194d4c720f15cff3d6a0ed9e84dfe80791183a07c0e91d60bbc0c7d6d85fd59d17c2d76655f7d85a8a13de758becd512c1472c61e31999c5205412c48

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 03:10

Reported

2024-07-10 03:13

Platform

win11-20240709-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\EBAAFCAFCB.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\EBAAFCAFCB.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\EBAAFCAFCB.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\EBAAFCAFCB.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\a19bf38dea.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\a19bf38dea.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\a19bf38dea.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3824 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 412 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\a19bf38dea.exe
PID 412 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe
PID 4940 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4748 wrote to memory of 2120 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2120 wrote to memory of 2880 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe

"C:\Users\Admin\AppData\Local\Temp\e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\1000006001\a19bf38dea.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\a19bf38dea.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 924 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ece89d6-1b50-4ba4-956e-f0d6cd685729} 2120 "\\.\pipe\gecko-crash-server-pipe.2120" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2392 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b7f029b-76d6-445d-92d4-f76c5ac8de7f} 2120 "\\.\pipe\gecko-crash-server-pipe.2120" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2956 -childID 1 -isForBrowser -prefsHandle 3168 -prefMapHandle 3148 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35bb56bb-c197-47af-9bd4-444d76e71f56} 2120 "\\.\pipe\gecko-crash-server-pipe.2120" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3672 -childID 2 -isForBrowser -prefsHandle 3664 -prefMapHandle 2896 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d382a09a-7998-4e47-8b85-7f777325b851} 2120 "\\.\pipe\gecko-crash-server-pipe.2120" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4720 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4684 -prefMapHandle 4604 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5222380-a57f-4002-8273-8de4d4554bf1} 2120 "\\.\pipe\gecko-crash-server-pipe.2120" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5332 -childID 3 -isForBrowser -prefsHandle 5448 -prefMapHandle 5456 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {610979af-2dca-41b4-a906-dd850cdd334f} 2120 "\\.\pipe\gecko-crash-server-pipe.2120" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5648 -childID 4 -isForBrowser -prefsHandle 5740 -prefMapHandle 5736 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a3bd39e-2548-4419-a57c-727b0f0a21c3} 2120 "\\.\pipe\gecko-crash-server-pipe.2120" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5820 -childID 5 -isForBrowser -prefsHandle 5868 -prefMapHandle 5876 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bbf5b7b-0ade-40e9-95d9-30ae85ff3de1} 2120 "\\.\pipe\gecko-crash-server-pipe.2120" tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EBAAFCAFCB.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CBAFIDAECB.exe"

C:\Users\Admin\AppData\Local\Temp\EBAAFCAFCB.exe

"C:\Users\Admin\AppData\Local\Temp\EBAAFCAFCB.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto

Files
