Malware Analysis Report

2024-11-13 16:47

Sample ID 240710-jcbqkavanp
Target 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01
SHA256 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01
Tags
amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01

Threat Level: Known bad

The file 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01 was found to be: Known bad.

Malicious Activity Summary

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Reads data files stored by FTP clients

Identifies Wine through registry keys

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-10 07:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-10 07:30

Reported

2024-07-10 07:33

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\JJKFBFIJJE.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\JJKFBFIJJE.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\JJKFBFIJJE.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000010001\7e2d322953.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JJKFBFIJJE.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\JJKFBFIJJE.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\JJKFBFIJJE.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JJKFBFIJJE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7e2d322953.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7e2d322953.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4092 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 4632 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JJKFBFIJJE.exe
PID 4632 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\JJKFBFIJJE.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1404 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\673e3d423c.exe
PID 1404 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\7e2d322953.exe
PID 3500 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\7e2d322953.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4164 wrote to memory of 2524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2524 wrote to memory of 1208 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe

"C:\Users\Admin\AppData\Local\Temp\4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JJKFBFIJJE.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CGDGHCBGDH.exe"

C:\Users\Admin\AppData\Local\Temp\JJKFBFIJJE.exe

"C:\Users\Admin\AppData\Local\Temp\JJKFBFIJJE.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\673e3d423c.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\673e3d423c.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\7e2d322953.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\7e2d322953.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {214b73bc-fc8f-4a49-8829-b5af00da1c93} 2524 "\\.\pipe\gecko-crash-server-pipe.2524" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2448 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {39ac0b99-697b-4e18-ae87-437284dcbe15} 2524 "\\.\pipe\gecko-crash-server-pipe.2524" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3204 -childID 1 -isForBrowser -prefsHandle 2944 -prefMapHandle 3028 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c69c92f8-c933-4bc6-9681-60963debff94} 2524 "\\.\pipe\gecko-crash-server-pipe.2524" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2652 -childID 2 -isForBrowser -prefsHandle 3904 -prefMapHandle 1264 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aef210b6-9bf3-406b-8b13-c092a7ab95bc} 2524 "\\.\pipe\gecko-crash-server-pipe.2524" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4888 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 2784 -prefMapHandle 4792 -prefsLen 31272 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc6b3847-9730-4f8b-8459-9cd6dcfb3cad} 2524 "\\.\pipe\gecko-crash-server-pipe.2524" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5288 -childID 3 -isForBrowser -prefsHandle 5220 -prefMapHandle 5240 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ec23271-cd0f-43e5-9bb4-1993e127242b} 2524 "\\.\pipe\gecko-crash-server-pipe.2524" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5412 -childID 4 -isForBrowser -prefsHandle 5456 -prefMapHandle 5424 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86e8bec5-9846-4e1e-b393-2a2c14fe228b} 2524 "\\.\pipe\gecko-crash-server-pipe.2524" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5624 -childID 5 -isForBrowser -prefsHandle 5632 -prefMapHandle 5636 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2597fe84-282c-4447-ae12-49b8a8771d82} 2524 "\\.\pipe\gecko-crash-server-pipe.2524" tab

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com udp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp
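
The table above interleaves the connections made by the dropped payloads with the traffic of the Firefox instance the report shows running in the same session (YouTube, Mozilla telemetry, update and remote-settings hosts, the OpenH264 plugin fetch from ciscobinary.openh264.org over port 80) and with reverse lookups of contacted addresses sent to 8.8.8.8 (30.47.28.85.in-addr.arpa and the like), which are most likely the sandbox's own PTR queries rather than malware traffic. What stands out as payload traffic is the small set of plain-HTTP connections made by literal IP with no preceding DNS query: 85.28.47.30:80, 77.91.77.81:80 and 77.91.77.82:80, a pattern consistent with the Amadey and Stealc families tagged on this sample. The script below is an added example, not part of the sandbox report: it parses rows in the shape used above from a constructed excerpt and applies exactly that heuristic. The bucket names and the "candidate C2" label are the example's own assumptions, not a verdict the report makes.

```python
"""Triage the flattened Network table of a sandbox report (constructed example).

Each row is "Country Destination Domain Proto"; the Domain column is empty
for loopback rows, so rows are parsed from both ends rather than by position.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt of the rows above; the full table has many more rows.
SAMPLE_ROWS = """\
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 77.91.77.82:80 77.91.77.82 tcp
N/A 127.0.0.1:56754 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.187.206:443 www.youtube.com tcp
US 34.117.188.166:443 contile.services.mozilla.com tcp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
"""


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str  # "" when the report left the column empty
    proto: str


def parse_rows(text: str) -> list[Flow]:
    """Parse report rows; tolerates the 3-column loopback rows."""
    flows: list[Flow] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "Country":
            continue
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) >= 4 else ""
        ip, _, port = dest.rpartition(":")
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


def classify(flow: Flow) -> str:
    """Heuristic bucket for one flow (an assumption of this example, not a verdict)."""
    if ipaddress.ip_address(flow.ip).is_loopback:
        return "loopback"  # sandbox-internal, e.g. browser IPC
    if flow.domain.endswith(".in-addr.arpa"):
        return "ptr"  # reverse lookup of a contacted IP
    if flow.port == 53:
        return "dns"  # forward lookup: a hostname was used
    if flow.domain in ("", flow.ip):
        return "raw_ip"  # connected by literal IP, no name resolved
    return "named"  # hostname-based (browser/OS noise in this report)


def candidate_c2(flows: list[Flow]) -> list[str]:
    """Unique ip:port pairs contacted by literal IP, sorted."""
    return sorted({f"{f.ip}:{f.port}" for f in flows if classify(f) == "raw_ip"})


def ptr_to_ip(name: str) -> str:
    """'30.47.28.85.in-addr.arpa' -> '85.28.47.30'."""
    labels = name.removesuffix(".in-addr.arpa").split(".")
    return ".".join(reversed(labels))


def summarize(flows: list[Flow]) -> dict[str, int]:
    """Row count per bucket."""
    return dict(Counter(classify(f) for f in flows))


if __name__ == "__main__":
    flows = parse_rows(SAMPLE_ROWS)
    print(summarize(flows))
    print("candidate C2:", candidate_c2(flows))
    for f in flows:
        if classify(f) == "ptr":
            print("reverse lookup of contacted IP", ptr_to_ip(f.domain))
```

Because the loopback rows have no Domain column, the parser takes country and destination from the left and protocol from the right. Treat the output as a starting point only: a payload that resolves its C2 by hostname would land in the named bucket, and this table does not record which process opened each connection, so the named rows still need correlating against the process list before they are dismissed as browser noise.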

Files

memory/4092-0-0x0000000000B50000-0x000000000173F000-memory.dmp

memory/4092-1-0x000000007EFF0000-0x000000007F3C1000-memory.dmp

memory/4092-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/4092-78-0x0000000000B50000-0x000000000173F000-memory.dmp

memory/4092-79-0x000000007EFF0000-0x000000007F3C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JJKFBFIJJE.exe

MD5 8e5cc3afe25b3fa1938214fb22b4b782
SHA1 9f244a294689f1f2b3fb730e7edaa9751c578068
SHA256 c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f
SHA512 8d782afdd9fa14270c37f9e58ad3fa61ca1374d041483ca9c7c6b3ef7aa4f22ba1a0c2dad00df456ff65f4d8b4abc99d88317a830bad67ca2533a5e1ee84bc34

memory/4632-83-0x0000000000330000-0x00000000007E7000-memory.dmp

memory/1404-96-0x0000000000070000-0x0000000000527000-memory.dmp

memory/4632-94-0x0000000000330000-0x00000000007E7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\673e3d423c.exe

MD5 7eac5517949c3ba823c0d05f296bd953
SHA1 89d79b84addb51db2bdfeb90c7780dda23fabd2d
SHA256 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01
SHA512 d7b189e5b24e7c68d57eb9c42b71233463d80b046a8d6b85e40391f477db5fb09348a1a1c0a78ce93320601a238972220dd04ed41b8fa84de69feec575c9ab89

memory/1404-111-0x0000000000070000-0x0000000000527000-memory.dmp

memory/4208-113-0x0000000000280000-0x0000000000E6F000-memory.dmp

memory/4208-114-0x0000000000280000-0x0000000000E6F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000010001\7e2d322953.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\prefs.js

MD5 bd37d72d2db8891496cf732f8eadd826
SHA1 a87c94a50e84f92f9716c24c30b38d93ade679b1
SHA256 6c8ff2f714f9e153a4347462b261ef549106937546562b85e7493b24c6c1aa0a
SHA512 7486f0a70a47e032f3ab9e5d41d788a15d2c06a5d5bedb08fd95f97cd665dc227af88cc8cf8547a4067451943fbecc023fcdb4d9e77c3b4839d38ec08831c123

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\onffaicf.default-release\activity-stream.discovery_stream.json.tmp

MD5 d9b662b7967bcd7f6aa2ee5684a5a097
SHA1 a5a0119dfd276f3b10547e495dfb7103391a1818
SHA256 2b0502a5eefbc0127553492603d2eb61077276056cdb5944e77fa1bec9114e1f
SHA512 37f212b2b02fd056a3ab63f4a62a3bb0ad416446ac5a150335fa42328ffa834196b1d454145494b822a3b00525187568c318e70bc24fb69ff57edb552584afcd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\db\data.safe.tmp

MD5 359946cd021d69a337a928ef246ab8c9
SHA1 567168821aa7694677e7d769d19410af2b7e50f4
SHA256 1f18c40c31d66c022184f08e369917afbc99406d320c4988deab98ed1e1a915a
SHA512 75948aeceb14134ee57da6290b52dc909ef9f1712c92b46f1d87d773c7d81ee87909444504200085445d142241b1554e230c29827f17280c6bf43ad50065142f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\pending_pings\a96d17ee-f942-4ebb-94f8-c36402829da8

MD5 d4c55041e00a51a4e0d2850494ca2e3c
SHA1 dba1ea1cdd8e3425ca1399fc3db77ab9b5ce53cd
SHA256 10c42eb57c7c16d235d2cc6a8eb00be74861282519736b1f3d40c7ce183b6a62
SHA512 7d9e290d7f8d17a4c27ab5ef040a6478e4260830ad05fba914c5d76f435a07023da426325b911a796cce17cafae6704260db74ee6af40d93aa0a3555828bb375

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\db\data.safe.tmp

MD5 eb347cdb8bfb23a00cfa6c75099c5a93
SHA1 763b02608eb8cb039da6b56955e8c1a0156aeafa
SHA256 ee31d188c297bf51fd0d277117f8a008c97982e35bc87d4debb68698fe5c2124
SHA512 9de4b45e26860ad3a62335d8ca32854af37e035b9485672c0fe5d6431f7bc54b2a31bf5a55ccfad1afd7b7f0a839549286098dd354f80cba3ba4d87f9fb22359

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\pending_pings\fd92f4c3-b046-4d6d-add4-aea68c65d154

MD5 398319c879dc2c95b6a4690cd0967c7f
SHA1 a7f3bdb5a2e3b3e261641185e193f1a68ca7a7c1
SHA256 2a8348160b62c2b5378237807dfdb33af2a722e6177de6c239b158af17c25584
SHA512 69f0ef5992c43d7f7207a009d22beb2f8bdf8c415d3c2debf0001e4efdb9dd217b8f90856a93296ca269045e98f923678935f020bf5bf5be35201254e1506c08

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\db\data.safe.tmp

MD5 cbc232969978b6986e974a387612bfd4
SHA1 47d7ae74e9a9c74e2ef482d299eeed7b74bf257a
SHA256 3013c58636dfa3c43a8b5c2b986948871dc30ef57c6e007eb2c7036242505569
SHA512 2818aefc0f7b150225c3077854435e6e86a97f6dfffda0ef4646f8284aff4aa7b624d99c90a8579f0c11ba36e5193843bde0c9f31debdf74063dd8a457fc76fd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\pending_pings\c4beca49-321c-436b-a365-3407e1b03e63

MD5 8df90d3e94e2c9c1a47e4cd5978a64b3
SHA1 df0d060103afe62294411124f24b07a4514aae7c
SHA256 33a0cb78243d94843648e3bd24c32eca2baaab5530ef4bed7cf025a1250b9bb0
SHA512 255ccf73de88274b8c52ff3f539baa3cf1b685c27642b63c3cfb0dea07e3c51f03d049fd8f7189c260f6094197bade15fe031e4c0863aa2f2cb3d20dbc8f1c05

memory/1404-399-0x0000000000070000-0x0000000000527000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\AlternateServices.bin

MD5 ee90f101b4bf2c559cef59437f121938
SHA1 03d0f107edf88d1e44698e129d560d73038bb1c7
SHA256 8034b028355f4224bde0f896e194d83095284bc0c15abeb8e5f708a951e3fb3a
SHA512 540a086051c5fb661abf5667dd4226839284d0dd80117718f4bb12cb736a0814d112dc8a0df52539684b88d627b5ac77a6b3acbc646323f2b46ea4a557852cb9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\prefs-1.js

MD5 deb185033c59db14d1f8ba10af65ddfb
SHA1 0e1de21bc2fea34395515c64dfc4d278f6dd68f6
SHA256 2cc2d357823edf2b8716b0658baec73bf27bf075a7c3a632dead0a794e174f0d
SHA512 889828389cc926c15b2a8eade3998a98ae56d1eb4fd58d7e87dad2913b9f0097163789f1236014fcfbd9623d35446a0dee6899d107bfbcbe13d943c20197a8d4

memory/1404-484-0x0000000000070000-0x0000000000527000-memory.dmp

memory/1404-492-0x0000000000070000-0x0000000000527000-memory.dmp

memory/1404-503-0x0000000000070000-0x0000000000527000-memory.dmp

memory/3044-505-0x0000000000070000-0x0000000000527000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\db\data.safe.tmp

MD5 890799284e9d06b9aa8b4d956b0371d0
SHA1 62384e1584eb3e4c59e208b228297aee5ab3c96b
SHA256 44b76f1a5e6dbbb367a42fbd215baaa844dd657df9a473d5d3078774caf802db
SHA512 678041e3b5696d4a59d40cb900520cfded688cfc27cf39551026eacf83a2458d79254b46a27bbe86bb3385a8609203017aaf7da5e3291db55cd03b3a01a34f54

memory/3044-515-0x0000000000070000-0x0000000000527000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\onffaicf.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 f023085929cbe401cefdd4905c698607
SHA1 e9cdb531cb5a999cfd21c9537d0c03d320e0c88a
SHA256 cb4bba2965119d83d0083c12a5ffea33c10ecfc441ca4a15a63d6e4cd43abda1
SHA512 1f208213f7fa46994a625facd844ff3271355f1c7ad587cc6d7189c58e6939b197b48498023812f43a06e6d02a67785d5343ff6ede508625fc8998d768177a6f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\prefs-1.js

MD5 6b6e54e271cabac1ed8f220bbdd70687
SHA1 0eec61901b83768a91d281d1d50c03550aebde3b
SHA256 9054390acd31ec71db16b9417755f57d6111cfbb1b5d17061eead2ad2be4dc95
SHA512 94c82356b87d5b418bdeb4fadd632e8b840336589999531c849f7dadd02d125a2aa813a2e0bd4cf717e174ba7413dd54e438e30b4974b81362e6ec7898ce3d3b

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 766eb890790be759076de1f814e01e8f
SHA1 ae73147294dd2ba58eeb9b0e5857813f2aefb1b0
SHA256 a5b16139b7efac5470bac3dfa687af3fc500e599507d194a67ab8c794b2dabdc
SHA512 a4e64c98570e261efeacece92e5f87b08c63d5a96d10f45bc8f4a9edc1c52aa54d4788b1d9fba637c2eb1e1a9e6149fc1d5f1f85013edad2b245098767f1c20a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\prefs-1.js

MD5 69254ffadc02281ca396617f5683433e
SHA1 37df6b6841b469fb90f43bbd94cb5d1076aa4b4f
SHA256 a56c95981e935a5143be1f2d0298e9ebc41f88e19b2a29da49d8b411c46f3d03
SHA512 7ace8c692edb27bdefaa7efc69d59590b78f5c4ea86fe1ed0886155075832cafc987729c81bd16bc94d427d0088f14506cedd16f23574bf91ec5ac06786ad0bd

memory/1404-809-0x0000000000070000-0x0000000000527000-memory.dmp

memory/1404-1743-0x0000000000070000-0x0000000000527000-memory.dmp

memory/1404-2625-0x0000000000070000-0x0000000000527000-memory.dmp

memory/1404-2631-0x0000000000070000-0x0000000000527000-memory.dmp

memory/1404-2635-0x0000000000070000-0x0000000000527000-memory.dmp

memory/1404-2636-0x0000000000070000-0x0000000000527000-memory.dmp

memory/4992-2638-0x0000000000070000-0x0000000000527000-memory.dmp

memory/4992-2639-0x0000000000070000-0x0000000000527000-memory.dmp

memory/1404-2640-0x0000000000070000-0x0000000000527000-memory.dmp

memory/1404-2641-0x0000000000070000-0x0000000000527000-memory.dmp

memory/1404-2642-0x0000000000070000-0x0000000000527000-memory.dmp
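
Two things in the Files list above are worth pulling out rather than reading by eye. First, C:\Users\Admin\AppData\Local\Temp\1000006001\673e3d423c.exe carries the same SHA256 as the submitted sample, so the loader re-fetched a byte-identical copy of the file under analysis into one of its numbered payload directories. Second, nss3.dll and mozglue.dll land in C:\ProgramData; these are Mozilla's NSS libraries, which stealers of this kind commonly drop so they can decrypt Firefox credential stores, and they pair with the "Reads user/profile data of web browsers" signature. The script below is an added example, not part of the report: it indexes entries in the flattened path-plus-hash layout from a constructed excerpt, cross-references every SHA256 against the sample hash, builds a deduplicated PE hash blocklist, and decodes the memory/<pid>-<n>-<start>-<end> dump names into address ranges. The helper names are the example's own.

```python
"""Index the flattened Files table of a sandbox report (constructed example).

Each entry is a path line followed by hash lines ("MD5 ...", "SHA256 ...");
memory-dump lines look like "memory/<pid>-<n>-<start>-<end>-memory.dmp".
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# Hash of the submitted sample, from the report header.
SAMPLE_SHA256 = "4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01"

# Constructed excerpt of the entries above (most hash lines left out for brevity).
SAMPLE_FILES = r"""
memory/4092-0-0x0000000000B50000-0x000000000173F000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

C:\ProgramData\mozglue.dll

SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

C:\Users\Admin\AppData\Local\Temp\JJKFBFIJJE.exe

SHA256 c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f

memory/4092-78-0x0000000000B50000-0x000000000173F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\673e3d423c.exe

SHA256 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01

C:\Users\Admin\AppData\Local\Temp\1000010001\7e2d322953.exe

SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\prefs.js

SHA256 6c8ff2f714f9e153a4347462b261ef549106937546562b85e7493b24c6c1aa0a
"""

HASH_LABELS = ("MD5", "SHA1", "SHA256", "SHA512")


@dataclass
class FileEntry:
    path: str
    hashes: dict[str, str] = field(default_factory=dict)

    @property
    def is_pe(self) -> bool:
        return self.path.lower().endswith((".exe", ".dll"))


def parse_memory_line(line: str) -> tuple[int, int, int, int]:
    """'memory/4092-0-0x...B50000-0x...173F000-memory.dmp' -> (pid, n, start, end)."""
    head, n, start, end, _ = line.split("-")
    return int(head.removeprefix("memory/")), int(n), int(start, 16), int(end, 16)


def parse_files(text: str):
    """Return (file entries with their hashes, memory-dump tuples)."""
    entries: list[FileEntry] = []
    dumps: list[tuple[int, int, int, int]] = []
    current: FileEntry | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("memory/"):
            dumps.append(parse_memory_line(line))
            current = None
            continue
        label, _, value = line.partition(" ")
        if label in HASH_LABELS and current is not None:
            current.hashes[label] = value.lower()
        else:  # anything else is a new path (paths may contain spaces)
            current = FileEntry(path=line)
            entries.append(current)
    return entries, dumps


def sample_copies(entries: list[FileEntry], sha256: str) -> list[str]:
    """Dropped files that are byte-identical to the submitted sample."""
    return [e.path for e in entries if e.hashes.get("SHA256") == sha256.lower()]


def dropped_pe(entries: list[FileEntry]) -> list[FileEntry]:
    return [e for e in entries if e.is_pe]


def blocklist(entries: list[FileEntry]) -> list[str]:
    """Sorted unique SHA256 set of dropped PE files, for hash-based blocking."""
    return sorted({e.hashes["SHA256"] for e in dropped_pe(entries) if "SHA256" in e.hashes})


def dump_regions(dumps) -> dict[int, list[tuple[int, int]]]:
    """Distinct dumped address ranges per PID; repeated dumps of one range collapse."""
    by_pid: dict[int, set[tuple[int, int]]] = defaultdict(set)
    for pid, _, start, end in dumps:
        by_pid[pid].add((start, end))
    return {pid: sorted(r) for pid, r in by_pid.items()}


if __name__ == "__main__":
    entries, dumps = parse_files(SAMPLE_FILES)
    print("copies of the sample:", sample_copies(entries, SAMPLE_SHA256))
    print("PE blocklist:", blocklist(entries))
    for pid, regions in dump_regions(dumps).items():
        for start, end in regions:
            print(f"pid {pid}: {start:#x}-{end:#x} ({end - start:#x} bytes)")
```

The dump names repeat because the sandbox dumps the same region at several points in the run (PID 4092 at 0xB50000-0x173F000 appears twice in the excerpt and more often above), so collapsing them per PID gives the short list of regions worth carving for an unpacked payload.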

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 07:30

Reported

2024-07-10 07:33

Platform

win11-20240709-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\GIJJKFCGDG.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\GIJJKFCGDG.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\GIJJKFCGDG.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\GIJJKFCGDG.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\GIJJKFCGDG.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe N/A
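
The Suspicious use of WriteProcessMemory table that follows is the most useful record of the infection chain in this report. Each row names a source PID, the PID it wrote into and both image paths; a parent writes into a newly created child's address space during process start-up, so the rows read as parent-to-child edges, and the three identical rows per pair are just the sandbox logging each write. Read in order they give: the sample -> cmd.exe -> GIJJKFCGDG.exe -> ad40971b6b\explorti.exe -> the numbered payloads a1239b82bf.exe and a98f9f6bb6.exe -> firefox.exe. The script below is an added example, not part of the report: it parses rows of that shape from a constructed excerpt, splits the two space-containing paths on the second drive-letter prefix, deduplicates repeated writes, and renders the tree and the lineage of any PID. The function names are the example's own, and the edge model is an assumption: a write into a process that was already running would be injection rather than creation, and this table alone does not distinguish the two.

```python
"""Rebuild the process chain from "wrote to memory of" rows (constructed example).

Each row is: PID <src> wrote to memory of <dst> N/A <src path> <dst path>.
Both paths may contain spaces, so the split is on the second drive-letter prefix.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed excerpt of the behavioral2 rows; a duplicate row is kept on purpose.
SAMPLE_ROWS = r"""
PID 4968 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 4128 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\GIJJKFCGDG.exe
PID 4128 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\GIJJKFCGDG.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1552 wrote to memory of 5144 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\a1239b82bf.exe
PID 1552 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe
PID 3132 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1440 wrote to memory of 3568 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.*)$")
DRIVE_RE = re.compile(r"[A-Za-z]:\\")


def basename(path: str) -> str:
    """Last component of a Windows path (os.path would not split on '\\' off Windows)."""
    return path.rsplit("\\", 1)[-1]


def split_paths(rest: str) -> tuple[str, str]:
    """Split '<src path> <dst path>' at the second 'X:\\' even when paths contain spaces."""
    starts = [m.start() for m in DRIVE_RE.finditer(rest)]
    if len(starts) != 2:
        raise ValueError(f"expected exactly two paths in {rest!r}")
    return rest[: starts[1]].rstrip(), rest[starts[1]:].strip()


def parse_rows(text: str) -> list[tuple[int, int, str, str]]:
    """One (src_pid, dst_pid, src_path, dst_path) edge per distinct PID pair."""
    edges, seen = [], set()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        if (src, dst) in seen:
            continue  # the sandbox logs one row per write; one edge is enough
        seen.add((src, dst))
        edges.append((src, dst, *split_paths(m.group(3))))
    return edges


def build_tree(edges):
    """Return (children by PID, parent by PID, image path by PID)."""
    children: dict[int, list[int]] = defaultdict(list)
    parent: dict[int, int] = {}
    names: dict[int, str] = {}
    for src, dst, src_path, dst_path in edges:
        children[src].append(dst)
        parent[dst] = src
        names.setdefault(src, src_path)
        names.setdefault(dst, dst_path)
    return children, parent, names


def roots(children, parent) -> list[int]:
    """PIDs that wrote into others but were never written into: the chain heads."""
    return [pid for pid in children if pid not in parent]


def lineage(parent, names, pid: int) -> list[str]:
    """Image names from the root down to `pid`."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return [basename(names[p]) for p in reversed(chain)]


def render(children, names, pid: int, depth: int = 0) -> list[str]:
    """Indented tree lines, depth-first in row order."""
    lines = [f"{'  ' * depth}{pid} {basename(names[pid])}"]
    for child in children.get(pid, []):
        lines.extend(render(children, names, child, depth + 1))
    return lines


if __name__ == "__main__":
    children, parent, names = build_tree(parse_rows(SAMPLE_ROWS))
    for root in roots(children, parent):
        print("\n".join(render(children, names, root)))
    print(" -> ".join(lineage(parent, names, 3568)))
```

Rendering the excerpt puts the sample at the root with two cmd.exe children (1476 and 4104); only 1476 goes on to spawn GIJJKFCGDG.exe, which is the branch that leads to explorti.exe, the downloaded payloads and the Firefox instance whose traffic fills the behavioral1 network table. The same parser works on a full export of the table once the firefox.exe content-process rows are included; they simply hang off PID 1440.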

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4968 wrote to memory of 1476 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 4104 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 4128 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\GIJJKFCGDG.exe
PID 4128 wrote to memory of 1552 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\GIJJKFCGDG.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1552 wrote to memory of 5144 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\a1239b82bf.exe
PID 1552 wrote to memory of 3132 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe
PID 3132 wrote to memory of 1440 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1440 wrote to memory of 3568 (11 events) N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3568 wrote to memory of 2320 (33 events) N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe

"C:\Users\Admin\AppData\Local\Temp\4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GIJJKFCGDG.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IIDHJDGCGD.exe"

C:\Users\Admin\AppData\Local\Temp\GIJJKFCGDG.exe

"C:\Users\Admin\AppData\Local\Temp\GIJJKFCGDG.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\a1239b82bf.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\a1239b82bf.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1916 -parentBuildID 20240401114208 -prefsHandle 1844 -prefMapHandle 1824 -prefsLen 25757 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {975738fe-308f-401f-bb80-d25f3c85bb70} 3568 "\\.\pipe\gecko-crash-server-pipe.3568" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2336 -parentBuildID 20240401114208 -prefsHandle 2328 -prefMapHandle 2324 -prefsLen 26677 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddfcd32f-92f6-4964-8dbf-06c31b4199a0} 3568 "\\.\pipe\gecko-crash-server-pipe.3568" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3120 -childID 1 -isForBrowser -prefsHandle 2916 -prefMapHandle 3204 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65dc593c-1e2a-4224-b671-049d61906f01} 3568 "\\.\pipe\gecko-crash-server-pipe.3568" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3940 -childID 2 -isForBrowser -prefsHandle 3932 -prefMapHandle 3872 -prefsLen 31167 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b68d972-c66a-4c6e-9233-3889b6cc9340} 3568 "\\.\pipe\gecko-crash-server-pipe.3568" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4760 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4764 -prefMapHandle 4172 -prefsLen 31167 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f81ef044-7503-4d2a-af39-0f34ef154cb7} 3568 "\\.\pipe\gecko-crash-server-pipe.3568" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5572 -childID 3 -isForBrowser -prefsHandle 5580 -prefMapHandle 5588 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02142226-d7a4-4747-885f-fff1cdc5d9e2} 3568 "\\.\pipe\gecko-crash-server-pipe.3568" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5528 -childID 4 -isForBrowser -prefsHandle 5724 -prefMapHandle 5728 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af1c8a63-7161-41df-9f37-a3f602220996} 3568 "\\.\pipe\gecko-crash-server-pipe.3568" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5912 -childID 5 -isForBrowser -prefsHandle 5988 -prefMapHandle 5984 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e287d9b0-5762-4150-880e-fcd602ca2b46} 3568 "\\.\pipe\gecko-crash-server-pipe.3568" tab

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (4 instances)

Network

Country Destination Domain Proto

Files
