Malware Analysis Report

2024-11-13 16:45

Sample ID 240710-hq2y8svgrg
Target c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f
SHA256 c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f
Tags: amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f
Threat Level: Known bad

The file c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d hate discovery evasion spyware stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Loads dropped DLL

Checks BIOS information in registry

Identifies Wine through registry keys

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-10 06:57

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-10 06:57
Reported: 2024-07-10 06:59
Platform: win10v2004-20240709-en
Max time kernel: 149s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\CGIEBAFHJJ.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\IJDBKKJKJE.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\CGIEBAFHJJ.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\IJDBKKJKJE.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\CGIEBAFHJJ.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\IJDBKKJKJE.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000010001\4b946c8ffc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000006001\68d3151dba.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\CGIEBAFHJJ.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\IJDBKKJKJE.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000006001\68d3151dba.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000006001\68d3151dba.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 5

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000010001\4b946c8ffc.exe | N/A | 8
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 21
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000010001\4b946c8ffc.exe | N/A | 34

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000010001\4b946c8ffc.exe | N/A | 8
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 20
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000010001\4b946c8ffc.exe | N/A | 36

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\68d3151dba.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 4908 wrote to memory of 1584 | N/A | C:\Users\Admin\AppData\Local\Temp\c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | 3
PID 1584 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\68d3151dba.exe | 3
PID 1584 wrote to memory of 3108 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000010001\4b946c8ffc.exe | 3
PID 3108 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\1000010001\4b946c8ffc.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 2
PID 1904 wrote to memory of 3080 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 11
PID 3080 wrote to memory of 3728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 42

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe

"C:\Users\Admin\AppData\Local\Temp\c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\68d3151dba.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\68d3151dba.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\4b946c8ffc.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\4b946c8ffc.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2004 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec6da45c-e16b-4f17-a198-a7d32c49b75d} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2432 -prefMapHandle 2428 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95f8b928-3509-480b-ae81-44ab253e9de8} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3168 -childID 1 -isForBrowser -prefsHandle 3016 -prefMapHandle 3060 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1751b2a9-f161-4bad-a7c8-22e2dd8d4510} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4004 -childID 2 -isForBrowser -prefsHandle 3996 -prefMapHandle 2776 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70899185-22c9-47fe-a378-144f0e610db9} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4824 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4752 -prefMapHandle 4680 -prefsLen 31272 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41a5d7cb-e5fc-4bcb-8859-ab149ae946b6} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5284 -childID 3 -isForBrowser -prefsHandle 5192 -prefMapHandle 5196 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59aa8b5d-cd53-4487-9fd9-d7a7c6897912} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5176 -childID 4 -isForBrowser -prefsHandle 5416 -prefMapHandle 5420 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a5975fb-0e2c-4bab-8ec2-eb5fcf4ed2ff} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5684 -childID 5 -isForBrowser -prefsHandle 5604 -prefMapHandle 5612 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6ac1721-0756-40db-b216-5bd81ecfaa1f} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CGIEBAFHJJ.exe"

C:\Users\Admin\AppData\Local\Temp\CGIEBAFHJJ.exe

"C:\Users\Admin\AppData\Local\Temp\CGIEBAFHJJ.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IJDBKKJKJE.exe"

C:\Users\Admin\AppData\Local\Temp\IJDBKKJKJE.exe

"C:\Users\Admin\AppData\Local\Temp\IJDBKKJKJE.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
N/A 127.0.0.1:63578 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 216.58.213.14:443 www.youtube.com tcp
GB 216.58.213.14:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 34.117.188.166:443 spocs.getpocket.com tcp
GB 216.58.213.14:443 youtube-ui.l.google.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 44.238.192.228:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
GB 216.58.213.14:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 14.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 228.192.238.44.in-addr.arpa udp
US 8.8.8.8:53 1.97.149.34.in-addr.arpa udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 34.107.243.93:443 push.services.mozilla.com tcp
US 34.107.243.93:443 push.services.mozilla.com tcp
N/A 127.0.0.1:63586 tcp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
GB 88.221.134.209:80 a19.dscg10.akamai.net tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
GB 142.250.200.46:443 play.google.com udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
GB 216.58.201.110:443 consent.youtube.com udp
NL 52.111.243.30:443 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
GB 216.58.201.110:443 consent.youtube.com udp

Files

memory/4908-0-0x0000000000BD0000-0x0000000001087000-memory.dmp

memory/4908-1-0x0000000077D44000-0x0000000077D46000-memory.dmp

memory/4908-2-0x0000000000BD1000-0x0000000000BFF000-memory.dmp

memory/4908-3-0x0000000000BD0000-0x0000000001087000-memory.dmp

memory/4908-5-0x0000000000BD0000-0x0000000001087000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 8e5cc3afe25b3fa1938214fb22b4b782
SHA1 9f244a294689f1f2b3fb730e7edaa9751c578068
SHA256 c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f
SHA512 8d782afdd9fa14270c37f9e58ad3fa61ca1374d041483ca9c7c6b3ef7aa4f22ba1a0c2dad00df456ff65f4d8b4abc99d88317a830bad67ca2533a5e1ee84bc34

memory/4908-17-0x0000000000BD0000-0x0000000001087000-memory.dmp

memory/1584-18-0x0000000000960000-0x0000000000E17000-memory.dmp

memory/1584-19-0x0000000000960000-0x0000000000E17000-memory.dmp

memory/1584-20-0x0000000000960000-0x0000000000E17000-memory.dmp

memory/1584-21-0x0000000000960000-0x0000000000E17000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\68d3151dba.exe

MD5 77e2f975608c88144f09c2183217adff
SHA1 d54426b5072ad1b974492836fc2ddee0bc6f2747
SHA256 dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9
SHA512 ec03999f9fb5c08aa8c0e9baebeae2c6f17622a9ed4804f1368bc7000dfe39db6b12bc13cb1578eafe983c9deb481ec153837ae461e52db24ac146292ac32e64

memory/1236-37-0x0000000000940000-0x0000000001524000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000010001\4b946c8ffc.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

memory/1236-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1584-98-0x0000000000960000-0x0000000000E17000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zirruo9e.default-release\activity-stream.discovery_stream.json.tmp

MD5 cf9a30603e0098342f0f4b53fca93132
SHA1 191ea64b5d8179dbcb4165f618596c723d259c88
SHA256 09a02cd47a7477bb6d056bbe1947a567a6c5d4084644beb1278e7bd5d2564aef
SHA512 323ce13511e936997b1b1a31bbc70ecf14604489588ae1ec391d4597adff6960bed3837b1e0f78690a28d64a6f08b0aea0c17a53bf30159ce3aef0111590b381

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\pending_pings\e2b1609b-9ee7-47ac-9ec0-924025706140

MD5 29cbd86622bdb789de041c280aab2509
SHA1 dca91da4d78ef1be7860237bfdc212b08ef6ef26
SHA256 6ce379088e37d3d2421712636c3bb253627eaadf5c58cda51d7614a65b1c0f26
SHA512 97c7f8b38da148d5a314d4e41541ff0db045dd3d024e98c6892c257d4b1278b58a4b3d6edaf29fb701efeeafaa1f56c29847070fb80e6aeb62b43afae94ec3ba

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\pending_pings\8603d293-2795-41e7-8b17-f0fa89a48a41

MD5 4504dc0567f0713cce2657c72125263a
SHA1 49c670eb05437f4ca025816c0ade4db601f3db5c
SHA256 a4a459e23ef28f9027d2584259631e23d973d71099b390ca2f0146366617cb7a
SHA512 c8ea073ebc19d57cae4053ee872e0d9b361ed827c0a2acd044abe81ec91edac9e5eb33cf3d9d2e096449a59278147606584027d370edc8c6b51ea65699ac5caf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\db\data.safe.tmp

MD5 231bac33a9ee45fc2dc4a03e343df990
SHA1 e29a86851e936fb38640eacd6e6ed539ec496180
SHA256 622b909a56c7b419c6c02a0387612548405f81195c84f8c5b8dcfef608a078b6
SHA512 f1302b5fc98c1de86200064b317b654ad5d392c2a5171bf855831c06e75b1559a9c2d30f1bae5ddf35a4fd147c2efc761bcf39a5ef4d53a2d3ab3021b0cc5c65

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\pending_pings\23e37b1d-fa48-482a-86d3-81a052a22cb8

MD5 bdf2eb0861de39bce0e19fbf30f61782
SHA1 5211bcb0b775b67178a367fdcce930bb9a5de38b
SHA256 46e5bd786782fa821b3bcae139ab005343d0a42f791cbf5ea8e74afe990f6e5b
SHA512 75948c603a750383c2d1fe6b3380e1a8d8d673588ec91b0d74e930825d6765a8cf0403483b8d56a29fa4d60f8c22aa86ee0c3467349a2032321bc594d838b069

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\db\data.safe.tmp

MD5 8add972e9fa26808dd78a7531671e0da
SHA1 6cd9a1d8682ae629aecb1487f0cb2d8f194f13f4
SHA256 762c4456c540bc6368f6bc0b2e933fb907472ee83549e3f5985cce08cc0cb993
SHA512 8a47e6887d939c6963e3ba2b509d3ce44ec8138f78decdc6b959044f4ff14e2e9520e8fcb206a28cb9c1378aeca1acffaa9138e02257f92bbbeb29080db83b5a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\prefs.js

MD5 ea0bdefbdffbd65ee62dec07274aba46
SHA1 80452142c7e6466b6e46f15c77b2c8e8ab1a0e93
SHA256 3f6d0e88c0a481029dbb44401ca2248e76edc0db40859278127c608f44f8b006
SHA512 14b407521d9058cc9066a462051eac2cc502a5f5e86dbc6be8d83aad5ec832238add0466286e2f53e361ad0d5f1a05273df6b147a0f9bed78fc7db030017d790

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\AlternateServices.bin

MD5 f34fe9b2710490e54a9c9903fa264c53
SHA1 6464643b9449f4b7246b7c9b8ccd42f7c804b5c4
SHA256 3a04db6b73053f6cc8109f3297a056be4f4b6116bcee60fe94ea37d31816751f
SHA512 f7d2da4cdd55e60b86c5e7747c57571d8d291925d48ff2ce67738c5737b90b9cbe289a9984b2b6de5e21969b601a1e7b135d15f605d37548b7cdb8abbc6d22de

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\prefs.js

MD5 5a6b398b1965b193a0e5572703831386
SHA1 5e16731d74c048bc66d27075c8e3270e8b678615
SHA256 5fb48f5c2b78e1148f32276e67c5fe5c9dd80819fe1ecd2921edaf01e8e3917c
SHA512 09183d8c8b02bc9d6482e50f4e96cd87a6013de57721dc276c244e7d58b9914834275a7fac2a9ce0cdb643e306628e3d23401d3c8704d58f9090778cae5c4325

memory/1236-461-0x0000000000940000-0x0000000001524000-memory.dmp

memory/1584-471-0x0000000000960000-0x0000000000E17000-memory.dmp

memory/1584-475-0x0000000000960000-0x0000000000E17000-memory.dmp

memory/1584-476-0x0000000000960000-0x0000000000E17000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\cookies.sqlite-wal

MD5 7eeffc361d82395910f5ee15bfa9d47d
SHA1 86bc6bbf97b99b867d8917138e3a5a0c3dc536bd
SHA256 fa3c187373f7f9b0f56b283fe6054a3b984b8e21e2012acfa70dfc191c85a2e8
SHA512 2fdd15e80c0024b0112f5e2967992f41e5dacc05740814639522b82087e89055b05ba5fc359b578a18b593f638092736f4c1331833553c1ab634b520d1804ee8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\places.sqlite-wal

MD5 cb48d4888b907b775493f1012e7601d8
SHA1 72c3ef9a0cfa17ef840060f0e9fcab2491481c5a
SHA256 13037e8c073c22c191d1025cff4e990d0d5eb2651d9b158ee22b5b7dcf03a294
SHA512 0e29bc633283cb988770fd06f40c998d4946aaa47d323496069a63dc57607c053005814a72faaa8a24317af0d469bb6c4053a666dcb465533a94a92911fc38b5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\prefs.js

MD5 e4d6fe6fc408f944b0cdb0a8f336747a
SHA1 b5c94a964bfb68f34bc94b9ac6ea9bd96a4147b5
SHA256 e100ff70996dad7c4f7e1b807a7601ba025784dfa7b857052e05e76081fd9aa2
SHA512 03c0c73daad855f9c60a2f47825eb53ad13170ddc8d9bb0c0cbacd143fd72cf10e2fc2b3d921bfde1934a9eff5128e563f08130429bd8508be4dc13cd8daa4cd

memory/1584-514-0x0000000000960000-0x0000000000E17000-memory.dmp

memory/1236-513-0x0000000000940000-0x0000000001524000-memory.dmp

memory/532-515-0x0000000000760000-0x0000000000C17000-memory.dmp

memory/1236-520-0x0000000000940000-0x0000000001524000-memory.dmp

memory/532-521-0x0000000000760000-0x0000000000C17000-memory.dmp

memory/4344-525-0x00000000002A0000-0x0000000000757000-memory.dmp

memory/4344-527-0x00000000002A0000-0x0000000000757000-memory.dmp

memory/1584-529-0x0000000000960000-0x0000000000E17000-memory.dmp

memory/2016-530-0x0000000000960000-0x0000000000E17000-memory.dmp

memory/2016-535-0x0000000000960000-0x0000000000E17000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\db\data.safe.tmp

MD5 7a95575b4beed25c568b1566b7422d57
SHA1 d4741cab4ae190cce5b1bfd6f44ec0d8c7a96941
SHA256 af438cbd808b3cf451d9a94a9656ee5cb293dcb1e20b9b8e92745076d78d250a
SHA512 34fe97be29519466073f8f863c24e08cbec91bb0cb86fd4036322d6772bf49887666971514bba7b88edb90d30cc553b3d4ef1efaedbfdfdbfd1bd7240fce4bae

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zirruo9e.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 becabd546a531dfad42a1ba825745014
SHA1 a78b85f7aea6039316379792da3c5baed01abda8
SHA256 84bcc0eafa9983dbf02ef0b399842d9b73f40e03023f1fff1f0a35627dd5da1a
SHA512 3f754bb0d53f50c005d55fe5a801918a2818406de524b668f643969563babee5808a21ed98613b385062dbf3f6c4b472ca3d6a80aadb8ee313afe542e7dec356

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\prefs-1.js

MD5 a0f84a7698058bbb4e48e70a9bec696a
SHA1 94c342a43d907c01bf11d37677c28e609f325e17
SHA256 95f1abf4facdc80afdeffe743c361da5d29cefc9ffd1a36eb86e3a31070fc5c0
SHA512 02351eff207a488fdf0803a207a9ef245d94f17a1961e7a09117a1bf280412e2915503f30035338fa30e73fdda774151497c5d0cbffbaef8766aa4e316a68d8c

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/1584-796-0x0000000000960000-0x0000000000E17000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\prefs-1.js

MD5 7a35b406907c919acf9b784660d7c4d0
SHA1 5a2e9ecd6067acb758d5144c657285634ac74572
SHA256 17e9fc5b8da614e483017a587f5495fda773c00310af4cda201a4235f05912e0
SHA512 268e8389d6bc2d0f283d27550c4f2ece260a3fccc408ac0c2d7b9a5a43fbc2d7374ec033586ddafaa7915086d9f1c88063c2abd84a6cae11b9681b8ac59cde9d

memory/1584-2321-0x0000000000960000-0x0000000000E17000-memory.dmp

memory/1584-2776-0x0000000000960000-0x0000000000E17000-memory.dmp

memory/1584-2783-0x0000000000960000-0x0000000000E17000-memory.dmp

memory/1584-2787-0x0000000000960000-0x0000000000E17000-memory.dmp

memory/1584-2789-0x0000000000960000-0x0000000000E17000-memory.dmp

memory/1728-2790-0x0000000000960000-0x0000000000E17000-memory.dmp

memory/1728-2791-0x0000000000960000-0x0000000000E17000-memory.dmp

memory/1584-2792-0x0000000000960000-0x0000000000E17000-memory.dmp

memory/1584-2793-0x0000000000960000-0x0000000000E17000-memory.dmp

memory/1584-2794-0x0000000000960000-0x0000000000E17000-memory.dmp

memory/1584-2795-0x0000000000960000-0x0000000000E17000-memory.dmp

memory/1584-2802-0x0000000000960000-0x0000000000E17000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 06:57

Reported

2024-07-10 06:59

Platform

win11-20240709-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\FBKJKEHIJE.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\FBKJKEHIJE.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\FBKJKEHIJE.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3866437728-1832012455-4133739663-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3866437728-1832012455-4133739663-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3866437728-1832012455-4133739663-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\FBKJKEHIJE.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3866437728-1832012455-4133739663-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3866437728-1832012455-4133739663-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\a49bfece38.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\a49bfece38.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3866437728-1832012455-4133739663-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe N/A
(64 identical hits for this process)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\a49bfece38.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Hits
PID 1532 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe 3
PID 2448 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\a49bfece38.exe 3
PID 2448 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe 3
PID 1112 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe C:\Program Files\Mozilla Firefox\firefox.exe 2
PID 3256 wrote to memory of 3264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 11
PID 3264 wrote to memory of 5032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 42

Hits is the number of identical rows recorded for that edge (64 in total). The firefox.exe to firefox.exe writes are the browser's own multi-process startup: the -contentproc command lines under Processes below name 3264 as their parent. A parent also writes into a child it has just created, so these rows establish the launch chain (sample -> explorti.exe -> a49bfece38.exe and 68d3151dba.exe -> firefox.exe) rather than proving code injection on their own.
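The WriteProcessMemory rows above are flat and repetitive; what an analyst actually wants from them is the process chain and the one edge where a dropped binary touches an installed program. The script below is an added example, not part of the sandbox report: it transcribes the rows (repeats included), collapses them into hit counts, walks the chain from the original sample's PID, and flags writes from user-writable paths into Program Files or Windows. The location classes in USER_WRITABLE and TRUSTED are an assumption chosen for this sample.

```python
"""Rebuild the execution chain from the 'Suspicious use of WriteProcessMemory'
rows above.  This is an added example, not part of the sandbox report; the rows
are transcribed from the table, repeats included, so the hit counts fall out of
the parser."""
import re
from collections import Counter, defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe"
EXPLORTI = r"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
A49 = r"C:\Users\Admin\AppData\Local\Temp\1000006001\a49bfece38.exe"
D68 = r"C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"

ROWS = (
    [f"PID 1532 wrote to memory of 2448 N/A {SAMPLE} {EXPLORTI}"] * 3
    + [f"PID 2448 wrote to memory of 2312 N/A {EXPLORTI} {A49}"] * 3
    + [f"PID 2448 wrote to memory of 1112 N/A {EXPLORTI} {D68}"] * 3
    + [f"PID 1112 wrote to memory of 3256 N/A {D68} {FIREFOX}"] * 2
    + [f"PID 3256 wrote to memory of 3264 N/A {FIREFOX} {FIREFOX}"] * 11
    + [f"PID 3264 wrote to memory of 5032 N/A {FIREFOX} {FIREFOX}"] * 42
)

# Image paths contain spaces, so split on the '.exe ' boundary instead of whitespace.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$")

# Assumption: these location classes separate dropped payloads from installed software.
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\programdata")
TRUSTED = (r"c:\program files", r"c:\windows")


def parse_rows(rows):
    """One (src_pid, dst_pid, src_image, dst_image) tuple per table row."""
    edges = []
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            raise ValueError(f"unrecognised row: {row!r}")
        edges.append((int(m[1]), int(m[2]), m[3], m[4]))
    return edges


def collapse(edges):
    """Hit count per (src_pid, dst_pid) edge, in first-seen order."""
    return Counter((src, dst) for src, dst, _, _ in edges)


def images_of(edges):
    """PID -> image path, for every PID that appears in the table."""
    images = {}
    for src, dst, src_image, dst_image in edges:
        images.setdefault(src, src_image)
        images.setdefault(dst, dst_image)
    return images


def chain_from(edges, root):
    """Depth-first walk of the write graph from `root`:
    (depth, pid, image, hits_from_parent) in tree order."""
    counts, images = collapse(edges), images_of(edges)
    children = defaultdict(list)
    for (src, dst), hits in counts.items():
        children[src].append((dst, hits))
    out = []

    def walk(pid, depth, hits):
        out.append((depth, pid, images[pid], hits))
        for child, n in children[pid]:
            walk(child, depth + 1, n)

    walk(root, 0, 0)
    return out


def cross_trust_writes(edges):
    """Edges where a binary running from a user-writable path writes into a
    process whose image lives under Program Files or Windows.  A parent also
    writes into a child it has just created, so a hit is a lead, not proof of
    injection; it is still the first row to pull memory for."""
    hits = set()
    for edge in edges:
        src_image, dst_image = edge[2].lower(), edge[3].lower()
        if any(p in src_image for p in USER_WRITABLE) and dst_image.startswith(TRUSTED):
            hits.add(edge)
    return sorted(hits)


if __name__ == "__main__":
    edges = parse_rows(ROWS)
    for depth, pid, image, hits in chain_from(edges, 1532):
        print(f"{'  ' * depth}{pid} {image}" + (f"  ({hits} writes from parent)" if hits else ""))
    for src, dst, src_image, dst_image in cross_trust_writes(edges):
        print(f"review: {src} -> {dst}: {src_image} wrote into {dst_image}")
```

Run stand-alone it prints the indented chain from PID 1532 down to the Firefox content process and one review line: 1112 (68d3151dba.exe) writing into 3256 (firefox.exe). That single edge is where to look for injected code; the eleven and forty-two firefox.exe to firefox.exe hits are the browser spawning its own children.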

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe

"C:\Users\Admin\AppData\Local\Temp\c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\a49bfece38.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\a49bfece38.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1932 -parentBuildID 20240401114208 -prefsHandle 1860 -prefMapHandle 1852 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {795a775a-5549-45c4-9a83-587525ac1e45} 3264 "\\.\pipe\gecko-crash-server-pipe.3264" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2352 -parentBuildID 20240401114208 -prefsHandle 2344 -prefMapHandle 2332 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af6219bb-98a9-451b-bacb-07b7cd890d99} 3264 "\\.\pipe\gecko-crash-server-pipe.3264" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3292 -childID 1 -isForBrowser -prefsHandle 3284 -prefMapHandle 3280 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb56748a-f8e6-4951-a4f8-e6bbc6860b27} 3264 "\\.\pipe\gecko-crash-server-pipe.3264" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3916 -childID 2 -isForBrowser -prefsHandle 4036 -prefMapHandle 4032 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbaafecd-e371-4fae-9651-7fcc27b16060} 3264 "\\.\pipe\gecko-crash-server-pipe.3264" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3896 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4724 -prefMapHandle 4696 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d360694b-73c0-4358-9bff-7566c6dd9110} 3264 "\\.\pipe\gecko-crash-server-pipe.3264" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5840 -childID 3 -isForBrowser -prefsHandle 5428 -prefMapHandle 5800 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e00663f2-be5b-4964-85b9-dd94de3c19ce} 3264 "\\.\pipe\gecko-crash-server-pipe.3264" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5568 -childID 4 -isForBrowser -prefsHandle 5432 -prefMapHandle 5980 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e2bcd13-cc52-40f0-a35c-0c12ffe6863a} 3264 "\\.\pipe\gecko-crash-server-pipe.3264" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6140 -childID 5 -isForBrowser -prefsHandle 4868 -prefMapHandle 4872 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {58ceb291-e22a-4546-ba27-19a197333d2c} 3264 "\\.\pipe\gecko-crash-server-pipe.3264" tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FBKJKEHIJE.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KJEBKJDAFH.exe"

C:\Users\Admin\AppData\Local\Temp\FBKJKEHIJE.exe

"C:\Users\Admin\AppData\Local\Temp\FBKJKEHIJE.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
N/A 127.0.0.1:49883 tcp
GB 142.250.178.14:443 www.youtube.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
GB 142.250.178.14:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
GB 216.58.201.110:443 consent.youtube.com tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
GB 216.58.201.110:443 consent.youtube.com udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 52.33.222.107:443 shavar.prod.mozaws.net tcp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
US 34.107.243.93:443 push.services.mozilla.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
US 34.107.243.93:443 push.services.mozilla.com tcp
US 44.238.192.228:443 shavar.prod.mozaws.net tcp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
N/A 127.0.0.1:49907 tcp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
GB 142.250.200.14:443 redirector.gvt1.com tcp
GB 142.250.200.14:443 redirector.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
GB 142.250.200.46:443 play.google.com tcp
GB 142.250.200.46:443 play.google.com udp
GB 216.58.201.110:443 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com udp
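Most of the Network table is traffic from the Firefox instance the malware launched (Mozilla telemetry and update services, Google and YouTube, codec downloads from gvt1.com and openh264.org), which hides the three plaintext connections to bare IP addresses. The script below is an added example, not part of the sandbox report: it parses rows copied from the table, groups them by class, and pulls out direct-to-IP endpoints as candidate command-and-control addresses to check against threat intelligence, noting which of them the sandbox also looked up in reverse. The list of benign hostname suffixes is an assumption made for this detonation, and the report itself does not label the RU endpoints.

```python
"""Triage the Network table above: separate DNS, loopback and browser vendor
traffic from direct-to-IP plaintext connections.  Added example, not part of
the sandbox report; the benign-suffix list is an assumption for this sample."""
import ipaddress

# Rows copied from the Network table above (a representative subset).
NETWORK = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
N/A 127.0.0.1:49883 tcp
GB 142.250.178.14:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 34.117.188.166:443 contile.services.mozilla.com tcp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 52.33.222.107:443 shavar.prod.mozaws.net tcp
RU 77.91.77.81:80 77.91.77.81 tcp
"""

# Assumption: hostnames under these suffixes are Firefox/Google traffic caused by
# the browser the malware launched, not by the malware itself.
BENIGN_SUFFIXES = (".mozilla.com", ".mozilla.net", ".mozilla.org", ".mozaws.net",
                   ".mozgcp.net", ".google.com", ".youtube.com", ".gvt1.com",
                   ".openh264.org")


def parse_network(text):
    """Parse 'Country Destination Domain Proto' rows; Domain may be absent."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ip, port = parts[1].rsplit(":", 1)
        rows.append({"country": parts[0], "ip": ip, "port": int(port),
                     "domain": parts[2] if len(parts) == 4 else "",
                     "proto": parts[-1]})
    return rows


def ptr_to_ip(name):
    """'82.77.91.77.in-addr.arpa' -> '77.91.77.82'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    return ".".join(reversed(name[:-len(suffix)].split(".")))


def classify(row):
    if ipaddress.ip_address(row["ip"]).is_loopback:
        return "loopback"
    if row["port"] == 53:
        return "dns"
    if row["domain"] in ("", row["ip"]):
        return "direct-ip"          # no hostname: the client connected straight to an IP
    if row["domain"].endswith(BENIGN_SUFFIXES):
        return "browser-noise"
    return "review"


def triage(text):
    """Return {'groups': {class: {endpoints}}, 'candidates': [direct-IP endpoints]}."""
    rows = parse_network(text)
    groups = {}
    for r in rows:
        groups.setdefault(classify(r), set()).add(f"{r['ip']}:{r['port']}/{r['proto']}")
    # A PTR query for a direct-IP endpoint ties the DNS row to the connection
    # that triggered it.
    ptr_seen = {ptr_to_ip(r["domain"]) for r in rows} - {None}
    candidates = {}
    for r in rows:
        if classify(r) != "direct-ip":
            continue
        key = f"{r['ip']}:{r['port']}"
        candidates.setdefault(key, {"endpoint": key, "country": r["country"],
                                    "plaintext": r["port"] == 80,
                                    "ptr_lookup_seen": r["ip"] in ptr_seen})
    return {"groups": groups,
            "candidates": sorted(candidates.values(), key=lambda c: c["endpoint"])}


if __name__ == "__main__":
    result = triage(NETWORK)
    for cls, endpoints in result["groups"].items():
        print(f"{cls:14s} {len(endpoints)} unique endpoint(s)")
    for c in result["candidates"]:
        print("candidate C2:", c)
```

On the subset above every hostname falls into the browser-noise class, and the candidate list reduces to 77.91.77.81:80, 77.91.77.82:80 and 85.28.47.30:80, all plaintext HTTP to bare addresses in RU, with a reverse lookup recorded for 77.91.77.82. Anything landing in the review class on a different detonation is a hostname the allowlist does not explain and deserves the same attention.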

Files

memory/1532-0-0x0000000000230000-0x00000000006E7000-memory.dmp

memory/1532-1-0x0000000076FF6000-0x0000000076FF8000-memory.dmp

memory/1532-2-0x0000000000231000-0x000000000025F000-memory.dmp

memory/1532-3-0x0000000000230000-0x00000000006E7000-memory.dmp

memory/1532-5-0x0000000000230000-0x00000000006E7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 8e5cc3afe25b3fa1938214fb22b4b782
SHA1 9f244a294689f1f2b3fb730e7edaa9751c578068
SHA256 c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f
SHA512 8d782afdd9fa14270c37f9e58ad3fa61ca1374d041483ca9c7c6b3ef7aa4f22ba1a0c2dad00df456ff65f4d8b4abc99d88317a830bad67ca2533a5e1ee84bc34

memory/2448-16-0x0000000000F80000-0x0000000001437000-memory.dmp

memory/1532-18-0x0000000000230000-0x00000000006E7000-memory.dmp

memory/2448-19-0x0000000000F81000-0x0000000000FAF000-memory.dmp

memory/2448-20-0x0000000000F80000-0x0000000001437000-memory.dmp

memory/2448-21-0x0000000000F80000-0x0000000001437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\a49bfece38.exe

MD5 77e2f975608c88144f09c2183217adff
SHA1 d54426b5072ad1b974492836fc2ddee0bc6f2747
SHA256 dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9
SHA512 ec03999f9fb5c08aa8c0e9baebeae2c6f17622a9ed4804f1368bc7000dfe39db6b12bc13cb1578eafe983c9deb481ec153837ae461e52db24ac146292ac32e64

memory/2312-37-0x00000000000B0000-0x0000000000C94000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000010001\68d3151dba.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

memory/2312-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t4hat1k8.default-release\prefs.js

MD5 04a6824c4e68bc382850288d401caf99
SHA1 5af41d5b5a8caacefd10ece4033134494cdb1b44
SHA256 f6dc887c18cac5e060f41bf5f7aa6121192ef705867cd54c50610e14c0bc6158
SHA512 ac66b60d561aeb9af30273403694082ff5f43ad7150fe2ebca91aca9d097c4c3e2505e6b0b115955f2c2c6f251e7d7f8ff4ff067e2ee1f75c961bd77eacefdfd

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\t4hat1k8.default-release\activity-stream.discovery_stream.json.tmp

MD5 675e3b99cf74e43fbdc5262923309d63
SHA1 2c519836b59ffeeea387a8ef8e7d7e526e5fec01
SHA256 8c68acd2ec4887a3736a1372457da1983f364982f9913e532e1a516b44e03dba
SHA512 848de5d25fc86529098115f377b8b2ed8007984c543f440719e26ac214151a2f326b96a0ad440f397eedd9d642d61d0a1300cfc0d86eac5a8a57de67c920478c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t4hat1k8.default-release\datareporting\glean\pending_pings\255b78ab-0a03-4136-be0e-041037c3643d

MD5 b262405557d622b073c94a6b0788dfd2
SHA1 76f22456d9a45b840e4f43249559fb58e0e0598d
SHA256 5efdff42b62d8ceb3c370ad924b0bca46d63889921aa7779de8ca0c6e5a2c2aa
SHA512 89885610054523ecfff7cf64a8b92b87a9133b2459663c36be4d1dac4a68a3cefdf4ee2decefd1fa746f886536ce09f37c07a7d5985df42d567b733ff2d6b942

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t4hat1k8.default-release\datareporting\glean\pending_pings\d3bb9194-2d20-4771-844e-56fa610aa7b3

MD5 fb0582f6da4fd47265d9f56f10bd5310
SHA1 0c62ed3f96899a6c1b4baf215c13cc4a047a91db
SHA256 ef88a990dde3490a6b2025f04f8308317d1e3411fb3c232cdcc97977ea7379ce
SHA512 7b86e30d98bc04ae6c77dce364cf7042b5b35cbff85bf3c4c2c6e366584ba7d2c830ed63a1f49ae652d770aae3b2887e2e1d2299d0b394344c74c40ad64bea2c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t4hat1k8.default-release\datareporting\glean\pending_pings\21479395-89da-4872-bb13-04d623ae500f

MD5 993d4df081de3a61073c446f2d419429
SHA1 77f60e446ae2934865c8b09e1ccfbf4c02286069
SHA256 fe5b9a4352618033048148f2668d2c4b014a0eeebb59bba249767b9e867e6c4d
SHA512 911fead51b1d70057a7e7d7051fbef8d0fff306cbd57d051fbe20fcf582c26316be2cf75f049fb362eaf8ed1f835f4665734c51a64e793fd8037e8a1c8be0b93

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t4hat1k8.default-release\datareporting\glean\db\data.safe.tmp

MD5 1cadae95ec193ab8e9c0fb3cf909ae01
SHA1 07006b9d19d4a9324866cf573a2b469248642683
SHA256 155e75b55eda7c748447f7e7625d87bc1f881131cf9bfa6ffb9e274e77bfdc9e
SHA512 d43bccc08c6313fd0de5b0b27ad3ec5bc7e5e3358c5619cc56dc5ac93373ca02eebd35d684f42a86ec5a105ea198aa09b87f97957526c57c4f0c86c141105bed

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t4hat1k8.default-release\AlternateServices.bin

MD5 7772d8b57835ef816e6f111b3e4c2033
SHA1 bf85adf11d697a2b5f664d911ce6d078f69bb072
SHA256 6f58389ca977442d02c76a941b9d45613f15b7478534277fa02e36dc88866462
SHA512 7387915f28d72886f9ece7ef0f0aa66578070285bdc5afe8b00a55f123b2ba0ba422ffff4a4d2b229b8725cf231ed7adfaa4dd93d2d34179080f7c84f6aea806

memory/2448-437-0x0000000000F80000-0x0000000001437000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t4hat1k8.default-release\AlternateServices.bin

MD5 2afa806fc05e68f1a5c520a1bfa37d7c
SHA1 5386b931c64fced4bc3b4f61d888d10a52cc5b00
SHA256 f6b48e6d7d56700e7d102c1d65a7d819e1d71c07ae31bb270bccb6dd6bf3bf7e
SHA512 f4cea84a611e00bdfca687c7ad30fa3a4ba6283d9d0484c9295e5cfba174c04c7d49204c2b420da59bcbe45d4d2eae409e1ec54ac56c4be5a6756c813a68fb14

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t4hat1k8.default-release\prefs.js

MD5 fa33f7b258175790ce639ff9e529e1da
SHA1 3d44618e0b2402ff9f296a59ca892890f0512964
SHA256 ac28075e100d21353f64ec65d0fa66cf03c7b312cc724d1565de39168b41974b
SHA512 efb1b94070a88ee55bda3debe2e9f710637fdfa3d49241132cbcc294cd8239d75fa55619627eca65aea35dbc9ddade9474bacd5ecb979157a5995229d7373c19

memory/2312-473-0x00000000000B0000-0x0000000000C94000-memory.dmp

memory/2312-488-0x00000000000B0000-0x0000000000C94000-memory.dmp

memory/2448-494-0x0000000000F80000-0x0000000001437000-memory.dmp

memory/2236-495-0x00000000009E0000-0x0000000000E97000-memory.dmp

memory/2236-502-0x00000000009E0000-0x0000000000E97000-memory.dmp

memory/2448-503-0x0000000000F80000-0x0000000001437000-memory.dmp

memory/2448-506-0x0000000000F80000-0x0000000001437000-memory.dmp

memory/2448-511-0x0000000000F80000-0x0000000001437000-memory.dmp

memory/5256-513-0x0000000000F80000-0x0000000001437000-memory.dmp

memory/5256-514-0x0000000000F80000-0x0000000001437000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t4hat1k8.default-release\datareporting\glean\db\data.safe.tmp

MD5 80982306e302e993bd37954a882eee40
SHA1 fda0b6596f509a9c6f34cd6bdd9e5bee8f644bfe
SHA256 457000de55291d32b1227957cd30cb4ac8b0bfcf41d8c521d8c7fe51526a4577
SHA512 661aa9aa9d241ed6ab488c9b6a132be3ee2ab6cd5261cc7adf3f6718ee5c332df3eef5c0e51fece3e452ae133215910341289f6fdc58fbca78ef0829dbb9a495

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\t4hat1k8.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 14a895a1ae9d67601eee57a942b2311e
SHA1 fd2e7990db7522d0a4bddec4fc156d1965674c96
SHA256 f5bda3749c301fc450084f3d5f77e1726b7f0482795b1e6fea57fceffc37919d
SHA512 674806341fd28f36715b00c6926140600c9f14f63a10202ee433ed92f03e021b07230cd3152b735eeec1cee6d5a061950dbe07933f5529f5272cd7a912dce29e

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t4hat1k8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t4hat1k8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t4hat1k8.default-release\prefs-1.js

MD5 6ae3dca8b426db7f0de7313b3d3135fc
SHA1 4bfcf38578c332958836fa662f89df44c24bb823
SHA256 d81cb517ec20c2c4edf342fe891ee094f1d9309d4e36aa7ef082c1c12b6cff82
SHA512 cae6d76683ef100a61d30087533368102561108b30702753c66ce079d8c4b9dc2cf4bab37f9076447a2fbe784f64d6a6f2741114f760afaa3177d6ba706d39f8

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t4hat1k8.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t4hat1k8.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t4hat1k8.default-release\prefs-1.js

MD5 b146c0e92e41b769b4f18a80b57fcd63
SHA1 3f11f177a94410f07617622cf379b830f1a3a881
SHA256 bbf0d66b4bb37bb767258342e748a356ec8f4a4fdc5ed0841578afc6ed6d63c6
SHA512 2a8ffd69175f8049b52c2f5fffcb4b9550f13cc47ee8fcb0154bbeeea93184d1951aaa0952f08706838f1d62cb76929fe30b513d9691a2ebe08f74afe2fb6116

memory/2448-1081-0x0000000000F80000-0x0000000001437000-memory.dmp

memory/2448-2237-0x0000000000F80000-0x0000000001437000-memory.dmp

memory/2448-2640-0x0000000000F80000-0x0000000001437000-memory.dmp

memory/2448-2646-0x0000000000F80000-0x0000000001437000-memory.dmp

memory/2448-2650-0x0000000000F80000-0x0000000001437000-memory.dmp

memory/2448-2651-0x0000000000F80000-0x0000000001437000-memory.dmp

memory/684-2653-0x0000000000F80000-0x0000000001437000-memory.dmp

memory/684-2654-0x0000000000F80000-0x0000000001437000-memory.dmp

memory/2448-2655-0x0000000000F80000-0x0000000001437000-memory.dmp

memory/2448-2656-0x0000000000F80000-0x0000000001437000-memory.dmp

memory/2448-2657-0x0000000000F80000-0x0000000001437000-memory.dmp

memory/2448-2663-0x0000000000F80000-0x0000000001437000-memory.dmp

memory/2448-2665-0x0000000000F80000-0x0000000001437000-memory.dmp