Malware Analysis Report

2024-11-13 16:45

Sample ID 240710-e3fpzsydme
Target b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa
SHA256 b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa
Tags
amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa

Threat Level: Known bad

The file b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d hate discovery evasion spyware stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Executes dropped EXE

Identifies Wine through registry keys

Loads dropped DLL

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-10 04:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-10 04:27

Reported

2024-07-10 04:30

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\BFIJEHCBAK.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\EHDGCGIDAK.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\BFIJEHCBAK.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\EHDGCGIDAK.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\BFIJEHCBAK.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\EHDGCGIDAK.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000010001\611893ac49.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000006001\c3fb9eed39.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\BFIJEHCBAK.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\EHDGCGIDAK.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe N/A
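The four registry signatures above (the VirtualBox ACPI table name, the two BIOS version strings, the Wine key and Geo\Nation) are the sandbox's evidence that the dropped binaries fingerprint their environment before running stealer logic. The script below is an added example, not part of this report or of the malware: it parses rows in the format of these signature tables, classifies each registry key by the environment property it exposes, and builds a per-process profile so that sandbox-aware binaries can be ranked. The class labels and the ten sample rows (copied from this report's tables, the last one being Firefox reading CPU details) are chosen for the example.

```python
import re
from collections import Counter, defaultdict

# One row of a signature table in this report:
#   <description> <indicator> <process> <target>
# The indicator is a registry path (\REGISTRY\...) or a file path; process and
# target are Windows paths or N/A. Indicator and process may both contain
# spaces ("Control Panel", "Program Files"), so the columns are recovered by
# anchoring on the path prefixes rather than by splitting on whitespace.
ROW_RE = re.compile(
    r"^(?P<desc>Key opened|Key value queried|Key created|File created)\s+"
    r"(?P<indicator>\\REGISTRY\\.*?|[A-Z]:\\.*?)\s+"
    r"(?P<process>[A-Z]:\\.*?)\s+"
    r"(?P<target>N/A|[A-Z]:\\.*)$"
)

# Registry artifacts flagged in this report, mapped to the environment property
# each one exposes. Labels are chosen for this example; patterns anchor on the
# tail of the key path.
ARTIFACT_CLASSES = (
    (re.compile(r"\\ACPI\\DSDT\\VBOX__$", re.I), "virtualbox-acpi"),
    (re.compile(r"\\System\\(System|Video)BiosVersion$", re.I), "bios-version"),
    (re.compile(r"\\Software\\Wine$", re.I), "wine"),
    (re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I), "geo-nation"),
)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EXE = TEMP + r"\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe"
EXPLORTI = TEMP + r"\ad40971b6b\explorti.exe"
BFIJ = TEMP + r"\BFIJEHCBAK.exe"
EHDG = TEMP + r"\EHDGCGIDAK.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
HKCU = r"\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000"
VBOX = r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"
SYSDESC = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System"

# Sample input: ten rows copied from this report's signature tables. The last
# one (Firefox reading CPU details) shows that not every registry read is evasion.
SAMPLE_ROWS = "\n".join([
    rf"Key opened {VBOX} {EXPLORTI} N/A",
    rf"Key opened {VBOX} {SAMPLE_EXE} N/A",
    rf"Key opened {VBOX} {BFIJ} N/A",
    rf"Key value queried {SYSDESC}\VideoBiosVersion {EXPLORTI} N/A",
    rf"Key value queried {SYSDESC}\SystemBiosVersion {EXPLORTI} N/A",
    rf"Key value queried {SYSDESC}\SystemBiosVersion {EHDG} N/A",
    rf"Key value queried {HKCU}\Control Panel\International\Geo\Nation {EXPLORTI} N/A",
    rf"Key opened {HKCU}\Software\Wine {EXPLORTI} N/A",
    rf"Key opened {HKCU}\Software\Wine {BFIJ} N/A",
    rf"Key value queried {SYSDESC}\CentralProcessor\0\ProcessorNameString {FIREFOX} N/A",
])


def parse_rows(text):
    """Parse table rows into dicts; lines that do not fit the grammar are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def classify_key(key):
    """Artifact class for a registry key, or None if it is not one we track."""
    for pattern, label in ARTIFACT_CLASSES:
        if pattern.search(key):
            return label
    return None


def evasion_profile(rows):
    """Per process image name, how many rows hit each artifact class."""
    profile = defaultdict(Counter)
    for row in rows:
        label = classify_key(row["indicator"])
        if label is None:
            continue  # ordinary registry use, e.g. Firefox's CentralProcessor reads
        image = row["process"].rsplit("\\", 1)[-1]
        profile[image][label] += 1
    return {image: dict(counts) for image, counts in profile.items()}


def sandbox_aware(profile, min_classes=2):
    """Images that probe at least `min_classes` distinct artifact classes."""
    return sorted(img for img, counts in profile.items() if len(counts) >= min_classes)


if __name__ == "__main__":
    prof = evasion_profile(parse_rows(SAMPLE_ROWS))
    for image, counts in prof.items():
        print(image, counts)
    print("sandbox-aware:", sandbox_aware(prof))
```

Run against the full tables, explorti.exe hits all four classes while the Firefox rows never score, which is the separation a triage script needs before the same registry telemetry is turned into a detection. Operators of analysis VMs can use the same list in reverse: every key above is a value that should look like bare metal in a detonation image.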

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\c3fb9eed39.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\c3fb9eed39.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Rows
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\611893ac49.exe N/A 42
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A 21
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe N/A 1
Rows = number of identical entries in the original table, which stopped at 64. The other two large tables in this report (SendNotifyMessage, WriteProcessMemory) also stop at exactly 64 rows, so this is most likely a display limit rather than the full event count.

Suspicious use of SendNotifyMessage

Description Indicator Process Target Rows
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\611893ac49.exe N/A 44
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A 20
Rows = number of identical entries in the original table, which stopped at 64. The other two large tables in this report (FindShellTrayWindow, WriteProcessMemory) also stop at exactly 64 rows, so this is most likely a display limit rather than the full event count.

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\c3fb9eed39.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Rows
PID 3368 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe 3
PID 2264 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\c3fb9eed39.exe 3
PID 2264 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\611893ac49.exe 3
PID 740 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\611893ac49.exe C:\Program Files\Mozilla Firefox\firefox.exe 2
PID 4592 wrote to memory of 316 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 11
PID 316 wrote to memory of 1784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 42
Rows = number of identical entries in the original table, which stopped at 64. The other two large tables in this report (FindShellTrayWindow, SendNotifyMessage) also stop at exactly 64 rows, so this is most likely a display limit rather than the full event count.
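The writer/target pairs in this table coincide with the parent/child launches in the Processes section (a parent writes startup parameters into a child it has just created), so the table doubles as a process tree; the firefox.exe chain 4592 to 316 to 1784 is Firefox's own launcher, browser and content processes (the -contentproc command lines below name 316 as their parent), not an injection by the stealer. The script below is an added example, not part of this report: it parses rows in this table's format, counts writes per pair, and rebuilds the tree and the ancestry of any PID. The sample rows are copied from the table, with the first pair repeated and the last row carrying a trailing row count to show both the raw and the collapsed form.

```python
import re

# One row of the WriteProcessMemory table:
#   PID <src> wrote to memory of <dst> N/A <src image> <dst image> [<rows>]
# Image paths may contain spaces, so the two paths are told apart by anchoring
# on the drive-letter prefix. A trailing integer (row count of a collapsed
# table) is optional.
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+N/A\s+"
    r"(?P<src_img>[A-Z]:\\.*?)\s+(?P<dst_img>[A-Z]:\\.*?)"
    r"(?:\s+(?P<rows>\d+))?$"
)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EXE = TEMP + r"\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe"
EXPLORTI = TEMP + r"\ad40971b6b\explorti.exe"
C3FB = TEMP + r"\1000006001\c3fb9eed39.exe"
S611 = TEMP + r"\1000010001\611893ac49.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"

# Sample input: one row per distinct pair from the table, the first pair
# repeated once and the last one carrying a row count.
SAMPLE_ROWS = "\n".join([
    f"PID 3368 wrote to memory of 2264 N/A {SAMPLE_EXE} {EXPLORTI}",
    f"PID 3368 wrote to memory of 2264 N/A {SAMPLE_EXE} {EXPLORTI}",
    f"PID 2264 wrote to memory of 2820 N/A {EXPLORTI} {C3FB}",
    f"PID 2264 wrote to memory of 740 N/A {EXPLORTI} {S611}",
    f"PID 740 wrote to memory of 4592 N/A {S611} {FIREFOX}",
    f"PID 4592 wrote to memory of 316 N/A {FIREFOX} {FIREFOX}",
    f"PID 316 wrote to memory of 1784 N/A {FIREFOX} {FIREFOX} 42",
])


def parse_wpm_rows(text):
    """Return ({(src_pid, dst_pid): write_count}, {pid: image basename})."""
    edges, images = {}, {}
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] = edges.get((src, dst), 0) + int(m["rows"] or 1)
        images[src] = m["src_img"].rsplit("\\", 1)[-1]
        images[dst] = m["dst_img"].rsplit("\\", 1)[-1]
    return edges, images


def build_tree(edges):
    """children: pid -> child pids in first-seen order; parent: pid -> writer pid."""
    children, parent = {}, {}
    for src, dst in edges:
        children.setdefault(src, [])
        if dst not in children[src]:
            children[src].append(dst)
        parent[dst] = src
    roots = [pid for pid in children if pid not in parent]
    return children, parent, roots


def ancestry(parent, pid):
    """Chain of writer PIDs from the root down to pid."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def render(children, images, roots):
    """Indented text tree, one line per process."""
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{pid} {images.get(pid, '?')}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    edges, images = parse_wpm_rows(SAMPLE_ROWS)
    children, parent, roots = build_tree(edges)
    print("\n".join(render(children, images, roots)))
    for (src, dst), n in edges.items():
        print(f"{src} -> {dst}: {n} write(s)")
```

On its own a WriteProcessMemory row does not prove code injection; what makes this chain worth a detection is the ancestry it exposes, an unsigned Temp-resident binary (3368) fanning out into two more Temp-resident binaries and then into a browser. The cmd.exe launches of BFIJEHCBAK.exe and EHDGCGIDAK.exe do not appear in this table, so their parent must be taken from the Processes list, not from here.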

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe

"C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\c3fb9eed39.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\c3fb9eed39.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\611893ac49.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\611893ac49.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 25755 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd47c087-4ef6-47c0-a380-f82a75d0700e} 316 "\\.\pipe\gecko-crash-server-pipe.316" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2480 -parentBuildID 20240401114208 -prefsHandle 2472 -prefMapHandle 2468 -prefsLen 26675 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c7fd9e9-8c74-4201-81f3-038ec97a84cf} 316 "\\.\pipe\gecko-crash-server-pipe.316" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3056 -childID 1 -isForBrowser -prefsHandle 1568 -prefMapHandle 1468 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6355c80f-6b34-4657-b459-035cd5ccec44} 316 "\\.\pipe\gecko-crash-server-pipe.316" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4140 -childID 2 -isForBrowser -prefsHandle 4132 -prefMapHandle 4128 -prefsLen 31165 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ac49e12-eaaa-4e94-b69e-c0b85f87d0f1} 316 "\\.\pipe\gecko-crash-server-pipe.316" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4824 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4820 -prefMapHandle 4780 -prefsLen 31278 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ff702d8-4717-4b35-ba9a-2bfc1060280a} 316 "\\.\pipe\gecko-crash-server-pipe.316" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5320 -childID 3 -isForBrowser -prefsHandle 5312 -prefMapHandle 4788 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96f1a325-4ac9-4e9d-9713-fe17fd9a38d9} 316 "\\.\pipe\gecko-crash-server-pipe.316" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4768 -childID 4 -isForBrowser -prefsHandle 5268 -prefMapHandle 5264 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2615b79d-e32c-4360-b84f-6d377d5739e2} 316 "\\.\pipe\gecko-crash-server-pipe.316" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5620 -childID 5 -isForBrowser -prefsHandle 4796 -prefMapHandle 5300 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea5af53d-542d-4465-adc0-148c434ec889} 316 "\\.\pipe\gecko-crash-server-pipe.316" tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BFIJEHCBAK.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EHDGCGIDAK.exe"

C:\Users\Admin\AppData\Local\Temp\BFIJEHCBAK.exe

"C:\Users\Admin\AppData\Local\Temp\BFIJEHCBAK.exe"

C:\Users\Admin\AppData\Local\Temp\EHDGCGIDAK.exe

"C:\Users\Admin\AppData\Local\Temp\EHDGCGIDAK.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 04:27

Reported

2024-07-10 04:30

Platform

win11-20240709-en

Max time kernel

149s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\HJECAAKKFH.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\HJECAAKKFH.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\HJECAAKKFH.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\HJECAAKKFH.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\41cd46020a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\41cd46020a.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\2701b1cb7f.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\2701b1cb7f.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\41cd46020a.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 872 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4440 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\41cd46020a.exe
PID 4440 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\2701b1cb7f.exe
PID 4124 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\2701b1cb7f.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1376 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1376 wrote to memory of 4836 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe

"C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\41cd46020a.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\41cd46020a.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\2701b1cb7f.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\2701b1cb7f.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae72c630-3939-4cc8-aa7b-b5e05e550aa6} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {859763fe-df75-472f-ad7b-a50efebd67a8} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2912 -childID 1 -isForBrowser -prefsHandle 3056 -prefMapHandle 3080 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7fb001d-db46-45c7-8809-adaa124f72c8} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3964 -childID 2 -isForBrowser -prefsHandle 3956 -prefMapHandle 2792 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6966ead2-7a68-4137-b20d-5c7cf6025bfe} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" tab

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4764 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4708 -prefMapHandle 4704 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1f33b7b-00e5-4091-a369-747a82f45526} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5724 -childID 3 -isForBrowser -prefsHandle 5748 -prefMapHandle 5744 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2353c653-77d3-4891-a628-82f9f686c35c} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5888 -childID 4 -isForBrowser -prefsHandle 5808 -prefMapHandle 5812 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1711572c-b508-4a51-9618-4f44f160283b} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6016 -childID 5 -isForBrowser -prefsHandle 6092 -prefMapHandle 6088 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e471780-a800-4d94-a09a-e34f4b80a915} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HJECAAKKFH.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FBKKFBAEGD.exe"

C:\Users\Admin\AppData\Local\Temp\HJECAAKKFH.exe

"C:\Users\Admin\AppData\Local\Temp\HJECAAKKFH.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\1000006001\41cd46020a.exe

C:\Users\Admin\AppData\Local\Temp\1000010001\2701b1cb7f.exe

C:\ProgramData\nss3.dll

C:\ProgramData\mozglue.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\datareporting\glean\pending_pings\facdcefd-4dff-451f-9f6c-4b1ef0c609c0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\datareporting\glean\pending_pings\ef89537d-6b81-4401-a45e-4a79ed8006a2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\datareporting\glean\pending_pings\6c48647b-b6d2-4472-a2ee-89a42c696b08

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\AlternateServices.bin

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\activity-stream.discovery_stream.json.tmp

C:\ProgramData\KEGCBKKJDHJJJKECGIII

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\AlternateServices.bin

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

C:\Users\Admin\AppData\Local\Temp\tmpaddon

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\prefs-1.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\prefs-1.js
