Malware Analysis Report

2024-11-13 16:45

Sample ID 240710-j35fkaydmd
Target 413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553
SHA256 413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553
Tags
amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553

Threat Level: Known bad

The file 413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d hate discovery evasion spyware stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Checks BIOS information in registry

Identifies Wine through registry keys

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-10 08:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-10 08:12

Reported

2024-07-10 08:15

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\FIIDBKJJDG.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\FIIDBKJJDG.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\FIIDBKJJDG.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000006001\ccbb8fa357.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\FIIDBKJJDG.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\ccbb8fa357.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\ccbb8fa357.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\ccbb8fa357.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5004 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 5004 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 5004 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2456 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\ccbb8fa357.exe
PID 2456 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\ccbb8fa357.exe
PID 2456 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\ccbb8fa357.exe
PID 2456 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe
PID 2456 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe
PID 2456 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe
PID 3708 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3708 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 860 wrote to memory of 548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 860 wrote to memory of 548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 860 wrote to memory of 548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 860 wrote to memory of 548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 860 wrote to memory of 548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 860 wrote to memory of 548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 860 wrote to memory of 548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 860 wrote to memory of 548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 860 wrote to memory of 548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 860 wrote to memory of 548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 860 wrote to memory of 548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 4680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553.exe

"C:\Users\Admin\AppData\Local\Temp\413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\ccbb8fa357.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\ccbb8fa357.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6fb940e-4199-4ab9-89c9-34fe71c1e7f9} 548 "\\.\pipe\gecko-crash-server-pipe.548" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4656201-6bd5-409b-b64f-4956690d5c10} 548 "\\.\pipe\gecko-crash-server-pipe.548" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2984 -childID 1 -isForBrowser -prefsHandle 2756 -prefMapHandle 3064 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 796 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b23824a-e482-4eaf-80f4-41816f4623d2} 548 "\\.\pipe\gecko-crash-server-pipe.548" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3960 -childID 2 -isForBrowser -prefsHandle 3952 -prefMapHandle 3948 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 796 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a36dcde2-fa9f-4edf-b44d-6b3a798b5585} 548 "\\.\pipe\gecko-crash-server-pipe.548" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4904 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4920 -prefMapHandle 4924 -prefsLen 31108 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {297b9e0c-10c1-423f-bf48-5e863550e23e} 548 "\\.\pipe\gecko-crash-server-pipe.548" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3856 -childID 3 -isForBrowser -prefsHandle 5312 -prefMapHandle 5356 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 796 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac8a68cc-c762-4a26-8d18-e774c13bab0e} 548 "\\.\pipe\gecko-crash-server-pipe.548" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -childID 4 -isForBrowser -prefsHandle 5508 -prefMapHandle 5512 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 796 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48495ecf-054e-4880-9173-6d07069d7073} 548 "\\.\pipe\gecko-crash-server-pipe.548" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5692 -childID 5 -isForBrowser -prefsHandle 5700 -prefMapHandle 5372 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 796 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {484fe52e-35f3-44a6-ab81-2c27a34e7a9a} 548 "\\.\pipe\gecko-crash-server-pipe.548" tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FIIDBKJJDG.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HJDBKJKFIE.exe"

C:\Users\Admin\AppData\Local\Temp\FIIDBKJJDG.exe

"C:\Users\Admin\AppData\Local\Temp\FIIDBKJJDG.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
N/A 127.0.0.1:50831 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
GB 142.250.178.14:443 www.youtube.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
GB 142.250.178.14:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 44.238.192.228:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 consent.youtube.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 228.192.238.44.in-addr.arpa udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 203.33.253.131.in-addr.arpa udp
N/A 127.0.0.1:50845 tcp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp

Files

memory/5004-0-0x0000000000AD0000-0x0000000000FA8000-memory.dmp

memory/5004-1-0x00000000775C4000-0x00000000775C6000-memory.dmp

memory/5004-2-0x0000000000AD1000-0x0000000000AFF000-memory.dmp

memory/5004-3-0x0000000000AD0000-0x0000000000FA8000-memory.dmp

memory/5004-5-0x0000000000AD0000-0x0000000000FA8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 2624875da55238f620fa50a01d4bce57
SHA1 f955733b1feeb7d7b1a7eefe414c2e33c242df1c
SHA256 413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553
SHA512 0ebee57fc926ed57309b2aa8eae951ca44e71992999086e92a3b58a7448e2d610f57364b2fdbc5fefe76eb8ea557966be34b072e0f545b6514992008f6cc9159

memory/5004-17-0x0000000000AD0000-0x0000000000FA8000-memory.dmp

memory/2456-18-0x0000000000EB0000-0x0000000001388000-memory.dmp

memory/2456-19-0x0000000000EB1000-0x0000000000EDF000-memory.dmp

memory/2456-20-0x0000000000EB0000-0x0000000001388000-memory.dmp

memory/2456-21-0x0000000000EB0000-0x0000000001388000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\ccbb8fa357.exe

MD5 7eac5517949c3ba823c0d05f296bd953
SHA1 89d79b84addb51db2bdfeb90c7780dda23fabd2d
SHA256 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01
SHA512 d7b189e5b24e7c68d57eb9c42b71233463d80b046a8d6b85e40391f477db5fb09348a1a1c0a78ce93320601a238972220dd04ed41b8fa84de69feec575c9ab89

memory/4912-37-0x0000000000E00000-0x00000000019EF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000010001\4f1dbb4f2e.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

memory/4912-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2456-117-0x0000000000EB0000-0x0000000001388000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\prefs.js

MD5 0cebce14f6a8cf325e8925e219a857a0
SHA1 5d639346cc1a04184fbf3422cedd3d294aaea705
SHA256 c8f2e3e42135bc69e905ee6c688bb75e6a1c4b3558b7c3c64e01d1df87f2f82e
SHA512 09bfbab3b5d65d2c8cdb2f004e24fcb73cc6abcebe7da51c2a212230a4f3f9a113231bac86e03bf1c671695b88a52f7755e6c93cb59c7b9e35b14c333e8f854c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yol9faaa.default-release\activity-stream.discovery_stream.json.tmp

MD5 c3523c196c3491dc79ef5418206ff05b
SHA1 5964e5f6d64cbf63b3ef62dc5b0c2e3e63f0e740
SHA256 58b18381d8b4a1c5b77627d2078a6f23c18017a51b7d7815805d89996113eba6
SHA512 2c64fee61b01ca758c63a26d5f61266dea44cf957210d20c493a8746134b2059bb98564493af2bf349b86fb0bcbea95aef4af3294213c63eecd2428164a4e541

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\624d490a-aa4d-4faa-924f-69cda90b2b35

MD5 b70efb4b91b01f6b404b4030cb5bb82c
SHA1 41ff8b6e181fcc88b12a89bfbe5d233f17a8f527
SHA256 77f1cc599c159de79c5d9b458279da402aaf99f0a009102b78423386ac69f283
SHA512 8b66a9fcc404d9248d9207954022f9f72c17c8da2d6accf60f603b3af0b29d0c14a42f7c975dba4d6cbbb2b767ac4555b0a5fbbb16231f79c6a06bfa5ce5f5e8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\8980b366-1028-4254-ad6c-b9861444c6ac

MD5 11f53acc238df2c8e4309dfc18719323
SHA1 9b039a72b7fed53eafb501bc3d01bd45c12dde38
SHA256 7ef6693586617ebadb5c1442a90594e1e7016b9b8510ffce6506708f2ebd752e
SHA512 174b0a883ba21876e9a3fb3532979e06a725bb1207b674144a2fb49987f8e0092d20c3e55b75f24df4f520b931e572d91e344a3aee0b78b16293d442479519cd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\1a88039d-f94a-4706-96ac-fc0f6573bc04

MD5 98f11aaea5958faf07a28fb81beb92fd
SHA1 cd0261a9022240bb9280b26365649f1f6061148d
SHA256 e0f01707f971401752ea14ef165d71596dc52222834f5d171c314221c1e4d11b
SHA512 51e3a734c2ac91bb4340fcfa3b0e43a2e84fe005d3beb63265358d1292befa5149cbed419dfb089407a64685a68055098b09e4b3ba91fe0ffc53a923afa6959e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp

MD5 b11557b00874a48a591a494b0fc9a970
SHA1 fa21de32b2e58c1fcfb04ac9e0f8a97ae2cb99dc
SHA256 24f179aeeee09b91cff934cb9895947ee48d1a2da6c4edd11185db5b15cc0770
SHA512 e5da5330de84ed79883bbf039ab59e89b742776a82e254d2639de7a88b90cd85109ef876a8f03323585815da255349c73822670b59e1f54c626c589a5ed2bf8d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\AlternateServices.bin

MD5 6144957dc12f4adb935837656d57d41b
SHA1 7e801b3a2b25b40dab0d09c9a36d6ac8814429f4
SHA256 bab62f61736da1340988eb09a65563bed6084888b4bffcc0e6eed20a171c7f53
SHA512 628643b58f1c87b8a33a3b260c2d936ef31958b3bf82c809e791b961412e938a3176ce5a39d779098586f17b2a4ebce8da6315d37d5437153dac828fd7766065

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp

MD5 757088096e466a45d036ae01f559e123
SHA1 fec0d9bbc7c484217d6715f90f839217a2766d25
SHA256 bcbced51ed2628782bc452c56b8af06be342f1a79fdd2b86f89b1f3393664b93
SHA512 214170ffe63f5273139892a79ae1e9d573672bf44690aef5dfc8530d926e9126e5b541cc17830b0ccdcacf9b53df80a84c1324af8ce2cabe2a7ee85cbce35154

memory/4912-467-0x0000000000E00000-0x00000000019EF000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\prefs-1.js

MD5 b43f4d6a438cd47fc152ebe863ba624d
SHA1 4475d51dcb24d45bd108662d23b7a498bfd38061
SHA256 ae34150045009b74b637d4f64def383bd369852539678fff2ad25fe01d82848e
SHA512 67f0b5d8e2297054bd48e89541be0ea81e5189081c2d7c556d288307fdc53088a529505debc961c9482908cf968dfbca3abab06ce31ba4fa2aab59e385828c9b

memory/5004-484-0x0000000000B60000-0x0000000001038000-memory.dmp

memory/5004-491-0x0000000000B60000-0x0000000001038000-memory.dmp

memory/2500-493-0x0000000000EB0000-0x0000000001388000-memory.dmp

memory/2500-495-0x0000000000EB0000-0x0000000001388000-memory.dmp

memory/2456-501-0x0000000000EB0000-0x0000000001388000-memory.dmp

memory/2456-504-0x0000000000EB0000-0x0000000001388000-memory.dmp

memory/2456-511-0x0000000000EB0000-0x0000000001388000-memory.dmp

memory/2456-516-0x0000000000EB0000-0x0000000001388000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp

MD5 c636e7da813454881b8f4e77e9452850
SHA1 5835bccd2b74827c845da0186a19d22ed0c0b36d
SHA256 58a9114346eec251e3beaffbb7be1380bfc1396f8e7222a80a85cf0ce5835c88
SHA512 da6840138093e834ba8ead76f200026c61457eaa3e66b9dff34efe46ad38f8acec32f093ada5d98eecad010abf9567bb65cb5ed7ab22d274afe8ddfa705bb669

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yol9faaa.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 4ff9d09bd4506bcc67184ffbef80e979
SHA1 203cf9bd33284a67d6236694dd56ad0fd6a65b35
SHA256 9e15d7e0d1ae091ebeeddd7c9d843235e24624e797d5f35affa963a1127c4862
SHA512 633a90108f96e270b748f62187f540184c61e52b4f4eefaba4973078846baa0d3cb91b8593dc84cfef7f29f1b9b8735c43fb6240431f3c5ae3212b0ec4e93541

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\prefs-1.js

MD5 71625fdae38a513569a988927de02ad4
SHA1 6e7de249891e0b6880ca3d24389745c272031db3
SHA256 2f5fb355ddac66a081c17288cb540020d55fc47e57638232106aaf59b543d4a0
SHA512 7436c663358226e0af15993f44268f32e47133e8713f041280159e6cd8d19d0168af0e0fedb2d171236d541cd23a540de9e7477f4f3a37c2ca47f1c16a1c65af

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 075da9a62ba3b3e74c284e378ae65232
SHA1 567224645bd4339cb7fee43ed9b8dee4e74b1e90
SHA256 42ed57613a00586a2e57fc3f89382ecc11dd199364e4e6b6231c32365492a181
SHA512 59fcfc65b403ff4b4f2fadf749e51dd93b92565ca2e5cb46481d0ef5b3f25e84db2eae2862ce9551b7ec806ea386cfbfbc486dd69be231d7ff2694c84a414115

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/2456-798-0x0000000000EB0000-0x0000000001388000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\prefs-1.js

MD5 94b5edf569f930412a64743d6801124a
SHA1 a674804e7a254a75532c8316ee14eacd08929ba6
SHA256 5fcbf1ceb9cef6852aba1e9a3e5e9220216d92a2e3d10dbfed7b7dd138fc4664
SHA512 96e6e955864bf8c2569d4518cc894e8ca3645aa06c08029c16f1a857b78b06a441d6b47f796842b995f5bb1e560412919fe8471e3231add41656306f92c945d6

memory/2456-2217-0x0000000000EB0000-0x0000000001388000-memory.dmp

memory/2456-2686-0x0000000000EB0000-0x0000000001388000-memory.dmp

memory/2456-2692-0x0000000000EB0000-0x0000000001388000-memory.dmp

memory/1224-2694-0x0000000000EB0000-0x0000000001388000-memory.dmp

memory/1224-2697-0x0000000000EB0000-0x0000000001388000-memory.dmp

memory/2456-2698-0x0000000000EB0000-0x0000000001388000-memory.dmp

memory/2456-2699-0x0000000000EB0000-0x0000000001388000-memory.dmp

memory/2456-2700-0x0000000000EB0000-0x0000000001388000-memory.dmp

memory/2456-2701-0x0000000000EB0000-0x0000000001388000-memory.dmp

memory/2456-2702-0x0000000000EB0000-0x0000000001388000-memory.dmp

memory/2456-2703-0x0000000000EB0000-0x0000000001388000-memory.dmp

memory/5688-2710-0x0000000000EB0000-0x0000000001388000-memory.dmp

memory/5688-2712-0x0000000000EB0000-0x0000000001388000-memory.dmp

memory/2456-2713-0x0000000000EB0000-0x0000000001388000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 08:12

Reported

2024-07-10 08:15

Platform

win11-20240709-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\KJKEHIIJJE.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\KJKEHIIJJE.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\KJKEHIIJJE.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\KJKEHIIJJE.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\0dd8438c21.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\0dd8438c21.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\0dd8438c21.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1088 wrote to memory of 5808 N/A C:\Users\Admin\AppData\Local\Temp\413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1088 wrote to memory of 5808 N/A C:\Users\Admin\AppData\Local\Temp\413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1088 wrote to memory of 5808 N/A C:\Users\Admin\AppData\Local\Temp\413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 5808 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\0dd8438c21.exe
PID 5808 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\0dd8438c21.exe
PID 5808 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\0dd8438c21.exe
PID 5808 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe
PID 5808 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe
PID 5808 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe
PID 1688 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1688 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1744 wrote to memory of 1532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1744 wrote to memory of 1532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1744 wrote to memory of 1532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1744 wrote to memory of 1532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1744 wrote to memory of 1532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1744 wrote to memory of 1532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1744 wrote to memory of 1532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1744 wrote to memory of 1532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1744 wrote to memory of 1532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1744 wrote to memory of 1532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1744 wrote to memory of 1532 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1532 wrote to memory of 5332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553.exe

"C:\Users\Admin\AppData\Local\Temp\413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\0dd8438c21.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\0dd8438c21.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {06f04292-0d31-481e-8c66-11ef2aa8e862} 1532 "\\.\pipe\gecko-crash-server-pipe.1532" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ab8e786-6084-4a15-8d41-537b8ccdbb89} 1532 "\\.\pipe\gecko-crash-server-pipe.1532" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2896 -childID 1 -isForBrowser -prefsHandle 3408 -prefMapHandle 3372 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1352 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71110b20-378e-4ecd-9d94-9be94960cd0b} 1532 "\\.\pipe\gecko-crash-server-pipe.1532" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3460 -childID 2 -isForBrowser -prefsHandle 3664 -prefMapHandle 1376 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1352 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a008544a-812b-47b9-b424-dfa2da7e0458} 1532 "\\.\pipe\gecko-crash-server-pipe.1532" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4568 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4556 -prefMapHandle 4552 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17db30e5-040b-4810-9cb3-701b99cdf8fb} 1532 "\\.\pipe\gecko-crash-server-pipe.1532" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5664 -childID 3 -isForBrowser -prefsHandle 5652 -prefMapHandle 5648 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1352 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df79f0e6-0fcf-40c1-8129-5074d59b7c41} 1532 "\\.\pipe\gecko-crash-server-pipe.1532" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5780 -childID 4 -isForBrowser -prefsHandle 5700 -prefMapHandle 5704 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1352 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70f05d50-c6e0-455c-8e34-f75145f285f0} 1532 "\\.\pipe\gecko-crash-server-pipe.1532" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5932 -childID 5 -isForBrowser -prefsHandle 5636 -prefMapHandle 5676 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1352 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {859b115a-d40c-4d28-af7e-ebcfa033a0ec} 1532 "\\.\pipe\gecko-crash-server-pipe.1532" tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KJKEHIIJJE.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FCFBFBFBKF.exe"

C:\Users\Admin\AppData\Local\Temp\KJKEHIIJJE.exe

"C:\Users\Admin\AppData\Local\Temp\KJKEHIIJJE.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
GB 142.250.200.46:443 play.google.com tcp
GB 142.250.200.46:443 play.google.com tcp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 44.238.192.228:443 shavar.services.mozilla.com tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
GB 142.250.200.46:443 play.google.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
GB 216.58.201.110:443 consent.youtube.com tcp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
GB 216.58.201.110:443 consent.youtube.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
RU 77.91.77.81:80 77.91.77.81 tcp
N/A 127.0.0.1:49897 tcp
N/A 127.0.0.1:49907 tcp
US 35.244.181.201:443 prod.balrog.prod.cloudops.mozgcp.net tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
GB 88.221.134.155:80 a19.dscg10.akamai.net tcp
GB 142.250.200.14:443 redirector.gvt1.com tcp
GB 142.250.200.14:443 redirector.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
GB 142.250.200.46:443 play.google.com tcp
GB 142.250.200.46:443 play.google.com udp
GB 216.58.201.110:443 consent.youtube.com udp
NL 52.111.243.29:443 tcp

Files

memory/1088-0-0x00000000003E0000-0x00000000008B8000-memory.dmp

memory/1088-1-0x00000000775A6000-0x00000000775A8000-memory.dmp

memory/1088-2-0x00000000003E1000-0x000000000040F000-memory.dmp

memory/1088-3-0x00000000003E0000-0x00000000008B8000-memory.dmp

memory/1088-4-0x00000000003E0000-0x00000000008B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 2624875da55238f620fa50a01d4bce57
SHA1 f955733b1feeb7d7b1a7eefe414c2e33c242df1c
SHA256 413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553
SHA512 0ebee57fc926ed57309b2aa8eae951ca44e71992999086e92a3b58a7448e2d610f57364b2fdbc5fefe76eb8ea557966be34b072e0f545b6514992008f6cc9159

memory/5808-16-0x0000000000BB0000-0x0000000001088000-memory.dmp

memory/1088-18-0x00000000003E0000-0x00000000008B8000-memory.dmp

memory/5808-19-0x0000000000BB1000-0x0000000000BDF000-memory.dmp

memory/5808-20-0x0000000000BB0000-0x0000000001088000-memory.dmp

memory/5808-21-0x0000000000BB0000-0x0000000001088000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\0dd8438c21.exe

MD5 7eac5517949c3ba823c0d05f296bd953
SHA1 89d79b84addb51db2bdfeb90c7780dda23fabd2d
SHA256 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01
SHA512 d7b189e5b24e7c68d57eb9c42b71233463d80b046a8d6b85e40391f477db5fb09348a1a1c0a78ce93320601a238972220dd04ed41b8fa84de69feec575c9ab89

memory/3008-37-0x0000000000180000-0x0000000000D6F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000010001\7fbca2d0f6.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

memory/3008-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\activity-stream.discovery_stream.json.tmp

MD5 e2f10c15c8c932c06f2d8d4bdd995135
SHA1 e1bf0f607ede730ee9421ad7b87c12352e1d0cd1
SHA256 2fe0b7a85c08200abc3d7b0ee8b502d5c46868ddf517a5d0aee09554dc22850d
SHA512 894e420c6ba12cf105ed93fa99402952ca567f98d9519049c0bc7faf483dde04ff5d2022a080ff9513b2e200a10474b086dbc5567cb54b2d17b5c057fa6b9fef

C:\ProgramData\GHCGDAFCFHIDBGDHCFCB

MD5 20757fd4991fc8d72295b2b2b6396952
SHA1 93492c5bc28b8c610133f31bd54c04e0443469bb
SHA256 8b5f6ffaa00b0dadfdf59f5510160acdfe43ef1008f7a9241d2c532001deb16b
SHA512 db2c2fbf026b8fcb2ebd0c1fac9263271bdf7b4785cf0ea0e005001b6278f988239155f9890b5e0dbe8cfe7827d20d8d78c4be6205d73be7a8e1ed3b1373b6c7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\datareporting\glean\pending_pings\1f7c94f2-a2fa-483c-a2a3-09a468ad8733

MD5 84535ab50ed11403c70facd0915086c9
SHA1 cd95e44422297c0321e39854976d2197eb3b7db2
SHA256 7aa574385c692b3b0d3335e2861b7927e8b543af5f52c10ce733838de41fb101
SHA512 2ef523dfdc24853c2ff0c4ad0b4cd037589f0510429435eaf1977058a24cb6b302c873f790c2a52ceeafe201311d3959aed056bb6218718708e06bc5941d906f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\datareporting\glean\pending_pings\51850907-3c01-42b7-b4cd-792caf6ae9e2

MD5 bc6af62d5856b6e744bf30da731642e2
SHA1 77b6a8b7a48f4940e10fdab7f7fcdc9329831935
SHA256 c141d536e141b4c2acc5838eaa078bdcefc79cd163b91ea3929930aea1f8ef08
SHA512 62d63c9ca41d76cb6a7c8f0ea4d09e3666665b67dc089368e6a7c5748ff85014e366d840db0d81940a92ee27192ac680395ecd20f91baf9040bd1f3709d92da3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\datareporting\glean\pending_pings\2d3ee712-676a-49eb-b2fd-d69e66373568

MD5 52286341c1e87e964c4151d48f6eec27
SHA1 4b1cc698f8794f185b8a2df8f7c35f26416cf0e4
SHA256 01b6155609c6a6fd5479902b698c254553aec945bd22105cab45e8a8137897e0
SHA512 b59c7cc1f162b21cec63a27691d9387391a256087836c297a2160a442b2c66de2f2a38506941c638f0dc016ba41004f4678324a2cbbda1ac09fd80745fbd504c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\datareporting\glean\db\data.safe.tmp

MD5 a5f9eeb5919105f26c47a57409b6e9cd
SHA1 80601edb5dc19c08bd4a2d9a74f36edcd17a0b00
SHA256 88ea9d1fddc8770befbf0bac78b57d55116b71500ed2b357effae603d12a6dad
SHA512 648c1cf79a39d964fa59c41b8da30085fad2157fcbedbc0649cfd07b8a0317610524f886367965b0c333fdef82e79156777b14533c9c895892c01900cf468c01

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\AlternateServices.bin

MD5 f23486a799e6ce91639f403fa6c7d57a
SHA1 06781da3be5f4fc8888fa95893acde7cf6178c60
SHA256 16a123dfe6209e77ee7bf2efb65230ab3c8bf0b876f5be999edd8235d59a0939
SHA512 f3fd16a197a982c666053a5b2631bf8b078f9f7b8cf16475d4a52953c8b2901801ff9f7da1c8fd5e24252b336af918c435f6d5b1b7b7dea9de2d9a9b117d7729

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\AlternateServices.bin

MD5 f5ad77923e9675fca806c78861294a2e
SHA1 cbe8065b313514f4665f57805de9ab4b3f214aba
SHA256 b1a6d4d3ca643d30d94533151a23a719acf84aa25ad876d593b26877de01baf9
SHA512 55816ac1e6580a41a91c37f824301f68fba6b6297066e8ea8f9ad69cc410effd1b9b22808895b4a7d9f8d86f50f4ae6289314ad75f4bd239b59f04a1c0ee9280

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\prefs.js

MD5 ab8398686734677adb9fe70e90ec275e
SHA1 0efa3d4a12d91866b02399a92883a78de5bb971b
SHA256 f8f921dbc798bb3d03136a74735e2bdc06d3cda0faaf309c801001ca96d0ece7
SHA512 1a6e26bcf688f67dae265dc35277d566033626dc361d80af83d1b20fba13eb15205a5f05deb720b890131c84eef86a654ab44b46214a947e2985329884c4f512

memory/5808-459-0x0000000000BB0000-0x0000000001088000-memory.dmp

memory/3008-467-0x0000000000180000-0x0000000000D6F000-memory.dmp

memory/6060-471-0x0000000000C80000-0x0000000001158000-memory.dmp

memory/5808-475-0x0000000000BB0000-0x0000000001088000-memory.dmp

memory/2812-476-0x0000000000BB0000-0x0000000001088000-memory.dmp

memory/6060-478-0x0000000000C80000-0x0000000001158000-memory.dmp

memory/2812-481-0x0000000000BB0000-0x0000000001088000-memory.dmp

memory/5808-489-0x0000000000BB0000-0x0000000001088000-memory.dmp

memory/5808-496-0x0000000000BB0000-0x0000000001088000-memory.dmp

memory/5808-497-0x0000000000BB0000-0x0000000001088000-memory.dmp

memory/5808-502-0x0000000000BB0000-0x0000000001088000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\datareporting\glean\db\data.safe.tmp

MD5 b7b454ace5db6b0bc511ebc5b8cb0b13
SHA1 9b415992e2fced71434809ea124e299ea97148ad
SHA256 f8bc38d6048d0a33d0dbdd252d370f13bbd14daece16ed0c58af5d1531d0ab07
SHA512 19edcb603d139c0f6f840f051222af0f7a8500f053c0aec5dd9d2f0c16441af433838aa65e4fbfbe60032a29bbb87deff2b0e8bdbf06fa5e3d82501bcd9026f2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\prefs.js

MD5 b9adea242ef53c7f2195e753aa3da772
SHA1 ae5a4b55a4c139a9c0c1f1e3a17748a71793fc4a
SHA256 833c061af71f8607b459d07a71a412c5af2ea75efb80c6c811e9e15283401844
SHA512 b796f5f50380e4cb50abebaea9c5ebb8af30cd115d64e7fcf6d8975d09db35225f0429381746a2b97f6ed91f303fda520d3dcd84cb836d67253b072c16c1cea1

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 be5f1adadfa7bbd6a79e261545b2dc94
SHA1 7f3d3d4bcef3320298282ce25b40adb6ae3b0482
SHA256 01b9c67c707d30625b0e45186834b2eb6eaf5c7b98ee49cecedadeb83da48c4b
SHA512 e8e7f4dce3f1c89e423e0747883ae2a94ec90e76233730b28be093c63ed72631578d27dd8da48842d76e862904ffa2468a61e19c6277c79185e15df1806bca2b

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\prefs.js

MD5 0f99b6a5e42a47d3a216beca0ffc822a
SHA1 9d7ec6a52b6bd6adaf539329962f70bcef5a6791
SHA256 23bfb8748955d2cbf90c113815156d1889da0ed5caef5791488612067757df91
SHA512 5f24c37c1971c5fdad7fe9c06107554193818f6ce364764944757d980f9f63e5b4f755b48bb761ecf5eaca8cea1ec85908d69ce82e33f8f150e6a7857d688c73

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/5808-803-0x0000000000BB0000-0x0000000001088000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\prefs-1.js

MD5 51262253b2b4e78873b7c52927957602
SHA1 9c1f3bdb9e10a8ca1cb0d788d70ff668e448f6af
SHA256 d7138fea4c0a791884c40fc545c02af708ec823c71b89e551067ca9f0a7807d5
SHA512 d79718238d5cc80e3bb1892531555aeecd23d8cf2ac6409bae437189a8a0dd53a196253bb3fcba8437f95d57f2a3f8432ea36659d2933286de3d03e8791afccb

memory/5808-2258-0x0000000000BB0000-0x0000000001088000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\datareporting\glean\db\data.safe.tmp

MD5 d6c4e038167d1b92e56f5a28d716526f
SHA1 97d2827b49783aefa4d63f40c88d7283843a9a88
SHA256 e2c341f3dd1d5747b49d15b67755cc158779be22df54883ce702dd2a949471cb
SHA512 08315b0214f1a768208247e52eef2e2b497cedaa01bf25abd7c6d33a5564e293aa6295fc20312634d1ea3b5b866cb8aedb725403e304cf10fb74b2c6d8d34369

memory/5808-2681-0x0000000000BB0000-0x0000000001088000-memory.dmp

memory/5808-2687-0x0000000000BB0000-0x0000000001088000-memory.dmp

memory/796-2691-0x0000000000BB0000-0x0000000001088000-memory.dmp

memory/796-2693-0x0000000000BB0000-0x0000000001088000-memory.dmp

memory/5808-2694-0x0000000000BB0000-0x0000000001088000-memory.dmp

memory/5808-2695-0x0000000000BB0000-0x0000000001088000-memory.dmp

memory/5808-2696-0x0000000000BB0000-0x0000000001088000-memory.dmp

memory/5808-2697-0x0000000000BB0000-0x0000000001088000-memory.dmp

memory/5808-2698-0x0000000000BB0000-0x0000000001088000-memory.dmp

memory/5808-2699-0x0000000000BB0000-0x0000000001088000-memory.dmp

memory/2512-2706-0x0000000000BB0000-0x0000000001088000-memory.dmp

memory/2512-2708-0x0000000000BB0000-0x0000000001088000-memory.dmp

memory/5808-2709-0x0000000000BB0000-0x0000000001088000-memory.dmp