Malware Analysis Report

2024-11-13 16:48

Sample ID 240710-kj93daxfmm
Target file.exe
SHA256 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01
Tags stealc hate discovery spyware stealer amadey 4dd39d evasion trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

stealc hate discovery spyware stealer amadey 4dd39d evasion trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks computer location settings

Checks BIOS information in registry

Reads user/profile data of web browsers

Identifies Wine through registry keys

Executes dropped EXE

Deletes itself

Reads data files stored by FTP clients

Loads dropped DLL

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-10 08:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-10 08:39

Reported

2024-07-10 08:41

Platform

win7-20240704-en

Max time kernel

71s

Max time network

72s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Stealc

stealer stealc

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\file.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
RU 85.28.47.30:80 85.28.47.30 tcp

Files

memory/3012-0-0x0000000000DA0000-0x000000000198F000-memory.dmp

memory/3012-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

memory/3012-2-0x0000000000DA0000-0x000000000198F000-memory.dmp

memory/3012-3-0x0000000000DA0000-0x000000000198F000-memory.dmp

memory/3012-4-0x0000000000DA0000-0x000000000198F000-memory.dmp

memory/3012-5-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

memory/3012-6-0x0000000000DA0000-0x000000000198F000-memory.dmp

memory/3012-7-0x0000000000DA0000-0x000000000198F000-memory.dmp

memory/3012-8-0x0000000000DA0000-0x000000000198F000-memory.dmp

memory/3012-9-0x0000000000DA0000-0x000000000198F000-memory.dmp

memory/3012-10-0x0000000061E00000-0x0000000061EF3000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/3012-71-0x0000000000DA0000-0x000000000198F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 08:39

Reported

2024-07-10 08:41

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\AAAKEBGDAF.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\AAAKEBGDAF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\AAAKEBGDAF.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AAAKEBGDAF.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\AAAKEBGDAF.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\AAAKEBGDAF.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AAAKEBGDAF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 1584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\AAAKEBGDAF.exe
PID 2324 wrote to memory of 1584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\AAAKEBGDAF.exe
PID 2324 wrote to memory of 1584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\AAAKEBGDAF.exe
PID 1584 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\AAAKEBGDAF.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1584 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\AAAKEBGDAF.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1584 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\AAAKEBGDAF.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 668 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\740151cd52.exe
PID 668 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\740151cd52.exe
PID 668 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\740151cd52.exe
PID 668 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe
PID 668 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe
PID 668 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe
PID 2852 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2852 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3768 wrote to memory of 4344 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3768 wrote to memory of 4344 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3768 wrote to memory of 4344 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3768 wrote to memory of 4344 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3768 wrote to memory of 4344 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3768 wrote to memory of 4344 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3768 wrote to memory of 4344 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3768 wrote to memory of 4344 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3768 wrote to memory of 4344 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3768 wrote to memory of 4344 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3768 wrote to memory of 4344 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AAAKEBGDAF.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ECGDAAFIIJ.exe"

C:\Users\Admin\AppData\Local\Temp\AAAKEBGDAF.exe

"C:\Users\Admin\AppData\Local\Temp\AAAKEBGDAF.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\740151cd52.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\740151cd52.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 25755 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1877f1b6-cef8-44e7-b537-39dfae92fa5a} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2384 -prefsLen 26675 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e285eda6-b0af-44c8-90e0-5fcbcb38588c} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3004 -childID 1 -isForBrowser -prefsHandle 3168 -prefMapHandle 3200 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d15949a-19d8-42f0-9e57-54d49c3de0fd} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3648 -childID 2 -isForBrowser -prefsHandle 3640 -prefMapHandle 3636 -prefsLen 31165 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a20676a-bcb6-465b-b806-a49658b5082c} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4456 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4480 -prefMapHandle 4476 -prefsLen 31165 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {519cd353-bd78-4a92-87c0-941849ba0532} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5380 -childID 3 -isForBrowser -prefsHandle 5372 -prefMapHandle 5368 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c217ca8-e76b-48f2-b46c-2eb5a327a292} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5152 -childID 4 -isForBrowser -prefsHandle 5536 -prefMapHandle 5540 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d499b134-5184-4997-8a87-0d948a93ca7b} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5712 -childID 5 -isForBrowser -prefsHandle 5720 -prefMapHandle 5724 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b980ff75-0b3a-447e-91f0-0e111494f9a7} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" tab

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
N/A 127.0.0.1:53553 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 216.58.201.110:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 44.242.121.21:443 shavar.services.mozilla.com tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
GB 216.58.201.110:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com udp
N/A 127.0.0.1:53562 tcp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com udp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 169.253.116.51.in-addr.arpa udp
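The table above mixes the sample's own traffic with Firefox's normal start-up telemetry (Mozilla, Google and Akamai endpoints), because the sandbox launched Firefox to exercise the stealer's browser-data access. The rows that matter for detection are the ones where the Domain column is the destination IP itself: the process connected to 85.28.47.30, 77.91.77.81 and 77.91.77.82 on port 80 by literal address with no DNS name, and the resolver rows with in-addr.arpa names are the sandbox reverse-resolving those same addresses. The following triage script is an added example, not part of the report; it parses rows in the table's own column layout and separates direct-to-IP plaintext connections from the browser noise. The embedded rows are a subset copied from the table; the classification rules are the script's own assumptions.

```python
import re

# Subset of rows copied from the Network table: country dest domain proto
NETWORK_ROWS = """\
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
N/A 127.0.0.1:53553 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 216.58.201.110:443 www.youtube.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_rows(text):
    """Parse 'country dest domain proto' rows; loopback rows carry no Domain column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'30.47.28.85.in-addr.arpa' -> '85.28.47.30'; None for anything that is not a PTR name."""
    if not name.endswith(".in-addr.arpa"):
        return None
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def direct_ip_connections(rows):
    """Connections whose Domain column is the destination IP: the process dialled a
    literal address with no name lookup, which is how this stealer's C2 shows up."""
    found = set()
    for r in rows:
        if r["domain"] == r["ip"] and IPV4.match(r["ip"]) and not r["ip"].startswith("127."):
            found.add(f"{r['ip']}:{r['port']}")
    return sorted(found)


def ptr_lookups(rows):
    """Set of IPs for which a reverse lookup was sent to the resolver."""
    return {ptr_to_ip(r["domain"]) for r in rows if ptr_to_ip(r["domain"])}


def triage(text):
    rows = parse_rows(text)
    direct = direct_ip_connections(rows)
    ptrs = ptr_lookups(rows)
    return {
        "direct_ip": direct,
        # C2 candidates corroborated by a second row (the sandbox reverse-resolved them)
        "direct_ip_with_ptr": [d for d in direct if d.split(":")[0] in ptrs],
        # reverse lookups for IPs that never appear as a connection destination
        "ptr_without_connection": sorted(
            ip for ip in ptrs if not any(r["ip"] == ip for r in rows)),
    }


if __name__ == "__main__":
    for key, value in triage(NETWORK_ROWS).items():
        print(key, value)
```

Run against the full table the same way; anything the script reports under direct_ip that is not a loopback or resolver address is the set of addresses to take to the firewall and proxy logs, while the Mozilla and Google rows resolve through ordinary hostnames and drop out on their own.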

Files

memory/1244-0-0x00000000008D0000-0x00000000014BF000-memory.dmp

memory/1244-1-0x000000007F750000-0x000000007FB21000-memory.dmp

memory/1244-2-0x00000000008D0000-0x00000000014BF000-memory.dmp

memory/1244-4-0x00000000008D0000-0x00000000014BF000-memory.dmp

memory/1244-3-0x00000000008D0000-0x00000000014BF000-memory.dmp

memory/1244-5-0x000000007F750000-0x000000007FB21000-memory.dmp

memory/1244-6-0x00000000008D0000-0x00000000014BF000-memory.dmp

memory/1244-7-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/1244-83-0x00000000008D0000-0x00000000014BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AAAKEBGDAF.exe

MD5 2624875da55238f620fa50a01d4bce57
SHA1 f955733b1feeb7d7b1a7eefe414c2e33c242df1c
SHA256 413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553
SHA512 0ebee57fc926ed57309b2aa8eae951ca44e71992999086e92a3b58a7448e2d610f57364b2fdbc5fefe76eb8ea557966be34b072e0f545b6514992008f6cc9159

memory/1584-87-0x0000000000EE0000-0x00000000013B8000-memory.dmp

memory/668-101-0x0000000000430000-0x0000000000908000-memory.dmp

memory/1584-100-0x0000000000EE0000-0x00000000013B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\740151cd52.exe

MD5 7eac5517949c3ba823c0d05f296bd953
SHA1 89d79b84addb51db2bdfeb90c7780dda23fabd2d
SHA256 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01
SHA512 d7b189e5b24e7c68d57eb9c42b71233463d80b046a8d6b85e40391f477db5fb09348a1a1c0a78ce93320601a238972220dd04ed41b8fa84de69feec575c9ab89

memory/3988-117-0x0000000000060000-0x0000000000C4F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

memory/1912-137-0x0000000000430000-0x0000000000908000-memory.dmp

memory/1912-139-0x0000000000430000-0x0000000000908000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\prefs.js

MD5 813ceef970f9409baf8a9223d34d88e9
SHA1 f2567d9c869a0a6819d918170eb7b863db571d45
SHA256 6dfbee1470e21c2bf6ea5aa96264c199ad4770a7a0037751dd31fd1660048649
SHA512 7ed3f7c26d1ea54147cd38fa5b1b628efba07fbc86f6a2b85ac8021bebfa6d7f0578069eed428558e1fb2b9a72ba5dfbd0a69baa7632d1fa980a75e35ac0604d

memory/668-149-0x0000000000430000-0x0000000000908000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\onffaicf.default-release\activity-stream.discovery_stream.json.tmp

MD5 b4b750504c33d451ed64db4460a3388b
SHA1 bf21e4ff1ad04943366b05d63de3f1fc033ff927
SHA256 706a12ce0cb7549bc08fcdc4631cb509a02e7b2a39d214213be812746d3451e8
SHA512 79681df2735c8f3bc4d0af46b6f633c057a0b2f77c06d7c490b6867f08029ac0da3b58d3fa9dcb69d53a11a2f474be50d7b9007a43cc7e03e779f0a257873e4e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\db\data.safe.tmp

MD5 24e3a86c2c52c2dd837f1b3c75261d3c
SHA1 8d0c1cabc760360967109d4a02fd5d1ec4d44020
SHA256 6ec8b97ef767061f76821436d6c660545bf68eb4af8beb279166aa5ff5234262
SHA512 b84af8afd40ed03ee2bce00fd8dbef6772e8c3107971b46f5f4d08321eab1384cff6cac7c0a5b127f0d1762fe2f3dc962bd7378b654c54d03781543acbb2d7d6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\pending_pings\8ef0e82f-0529-4c80-bf50-58bae6fc7e05

MD5 201bf1d257d16b43573b413f65961320
SHA1 5957a27e14fdffa56fdbda7c1ec0a9b0e85e8659
SHA256 1245f4e720b9776bc902ff226aa11138e87f8aceff387eab146a872309f352fb
SHA512 6fa859e75068f8fe862b5734678b0942a4c1390234a399679f4a4be31c8685bdf6404c8c8ba5b81d9e5ff5962f409442f2563e877c3144a10b7ede8848c7ab7f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\pending_pings\d9406192-1347-43f7-b14c-268cbf19b764

MD5 b81d68ea6915b5ebb67629c4dcccef06
SHA1 5735d0384ce0b058885331f298b8ffe479e39845
SHA256 d9d534367a4f24dedbdc9cd56de8c4775552aed5a7a60df552b3f72ffb800598
SHA512 dbdfc3e6f5b0edf59b4ce699f47845d710e013f580babc5ca3ca5a11be5c83e90d599651a61bda934b7fe4c4cb2aafb98555d69b6f6e6b037521829c07fd9239

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\pending_pings\04517223-5cbb-4468-9535-25af3d28d99f

MD5 ad503baf2871ff52eff94d3c2e3f5305
SHA1 b457486b50b5ad97dc3043cb9814da4ea99e39aa
SHA256 2867f82bf3b0ac9147655e15518f0ad0f790d2aebcc7bd68fc268397644b7994
SHA512 048600bad54e5bb1cca84f848c813c0f98a2c88f14cd907482ecebff45f1dddf626c84eb325f994aab681fdea082a9120e1643f9e2062601da2a3bd0900b847f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\db\data.safe.tmp

MD5 db263e03444461aebd511d9426723696
SHA1 1d73b1736d937344c8a0d65973c27d1ab8259c4e
SHA256 e6319ddcc06f792084c6835112ed93b80cc2cb592eb5e4aa601fc3fba2d5557e
SHA512 f92d7ef17ce4a1c32e2a362737e33c367ada6e49b82f0e7c18aad3c45a8bf520df85c5b41eaa69c9939ae9f49bfb28866de62b74cbf5d025076d974c919f937b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\AlternateServices.bin

MD5 2dabc9cda99330ee4a715c656e449b63
SHA1 d3ed676ae35419904277e84f347a40651f93c3c7
SHA256 f64078cdc3015a7ab38839a64770ad29d22f136e88d2fb5063a15ce8f1b30c56
SHA512 3b1e16844be1063e6d24b5a47aa14dceb8ff68c366407dc6b16cd515be95e8c07421cab62f8039b044dbc793d7e847e578e3bdf06df30f0821277fa98996030f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\prefs-1.js

MD5 e0cc8dbbf8d567bdd6b1ab1397d4ec40
SHA1 2b411f883d30be33be0fc46d13ab4303013672eb
SHA256 bbfc0f2831fc5748c06146789e77d97897cbc18867034ac16ed36615a921b148
SHA512 f550fd1177e91ff1b54299ff1566ae1d1a94fd470f88bfeef677c60b3514bd75cbc86644264fa1356aa44d9c1f5443abdc695eac45845e0be80f17296f2b6870

memory/3988-487-0x0000000000060000-0x0000000000C4F000-memory.dmp

memory/668-499-0x0000000000430000-0x0000000000908000-memory.dmp

memory/668-507-0x0000000000430000-0x0000000000908000-memory.dmp

memory/3988-506-0x0000000000060000-0x0000000000C4F000-memory.dmp

memory/668-512-0x0000000000430000-0x0000000000908000-memory.dmp

memory/3988-513-0x0000000000060000-0x0000000000C4F000-memory.dmp

memory/3988-514-0x0000000000060000-0x0000000000C4F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\db\data.safe.tmp

MD5 fdb45746e3fed339c87d8b235a3361a6
SHA1 8316021f0033fa940a1343ce12e1dacef732d7b0
SHA256 34076bf46a3f648e9f3838dc1839ac3e885fe063abdcf19bc228ecdc612df7e9
SHA512 e7bec56a12490f9f7be0b2fc6926d222343833a9f576474dee2c0a6a7c2163aca492361fe6dfa5f835cafffceb698c0d74a7f62e5e053e3feaba72e33614b16f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\onffaicf.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 69d9030a93349855ed97e4790c7f0330
SHA1 4d752ba8d52582d2abfd51be00b5c30dfd4bdf9f
SHA256 28d34165a6c2e0cda62b676c3b4a8ac7e9a6bbde4cdfb4e44ec23bbd0bb7159c
SHA512 4e9fd34eaafdb37e2f83544236717766403bd3a91b61245a22e728f5baf2a13f0fb90c3575cde998dd656a72bec39c77242e12b165488545c85e11d678bb932d

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\prefs-1.js

MD5 60c3f8a7145ea2c49dd179c45c81f602
SHA1 13fca5646b6492135c8f2881d544f6580ee344e1
SHA256 5cfa99e9d43bb3f081993d6ff9f51be33a45790b26ca040a98f3cab844ad2658
SHA512 3da9149c03c23bf9c6f482210cf50f230c2eca0143a184b0b5d57c03c1b8ee94abccfc6b7b13e009194535f7d552e407fc0a36c4bff9f01054c0ea92e0be9840

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\db\data.safe.tmp

MD5 67c78cc500595b6346820a7e1ee8c7f4
SHA1 6412b9cc8f0a0ee3f96c7d0d7b507ba8147abf87
SHA256 cf71571145ad428847b186a690550af4b1ce16214bf037332a08e776dba293c0
SHA512 e74040ac20f238401bb9a04d8daf2a28840c78afd719974af6ad9437381b22d871090ef36a05f04b3893331da5f6176db0d7ee3e03dcf2d9ae865ae261cb3e07

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/668-787-0x0000000000430000-0x0000000000908000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\prefs-1.js

MD5 b8a13db198d3fd26aaf73d9221c2e7ed
SHA1 6315011a92b61e52d2291829b127253bbf1656af
SHA256 d08a0c1571e6ac910a0dd5ffe6fb53daabafc527266d821404c50c657ce2a03e
SHA512 877c7571fef734396879f1f0852371814f7ba8246a2a24487325e548e033ab7816226c7444dd88d0b116582c00e21fd9dbafc4b35b5876b4a8712f923b03b7b2

memory/668-1818-0x0000000000430000-0x0000000000908000-memory.dmp

memory/668-2599-0x0000000000430000-0x0000000000908000-memory.dmp

memory/4356-2604-0x0000000000430000-0x0000000000908000-memory.dmp

memory/4356-2606-0x0000000000430000-0x0000000000908000-memory.dmp

memory/668-2607-0x0000000000430000-0x0000000000908000-memory.dmp

memory/668-2611-0x0000000000430000-0x0000000000908000-memory.dmp

memory/668-2612-0x0000000000430000-0x0000000000908000-memory.dmp

memory/668-2613-0x0000000000430000-0x0000000000908000-memory.dmp
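Two things in the file list above are worth pulling out programmatically rather than by eye. C:\Users\Admin\AppData\Local\Temp\1000006001\740151cd52.exe carries the same SHA256 as the analysed sample (4f8c4c30...e2e01), so the loader re-staged the original file under one of the 10-digit Temp subdirectories it uses for downloaded payloads. And nss3.dll and mozglue.dll were written to C:\ProgramData, which matches the stealer technique of fetching Mozilla's NSS library to decrypt Firefox credential stores (an analyst inference from the paths, not something the report states). Everything else in the list is either a memory dump or Firefox writing to its own profile (prefs.js, glean telemetry, GMP plugin downloads). The script below is an added example, not part of the report; it parses entries in the Files section's own layout, flags self-copies of the sample and drops outside the Firefox profile, and emits the hash set a blocklist would consume. The embedded entries are a subset copied from the section, with SHA512 lines left out; the noise rules are the script's own assumptions.

```python
import re

SAMPLE_SHA256 = "4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01"

# Subset of entries copied from the Files section: a path line, then hash lines.
FILES_TEXT = r"""
memory/1244-0-0x00000000008D0000-0x00000000014BF000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

C:\Users\Admin\AppData\Local\Temp\AAAKEBGDAF.exe

MD5 2624875da55238f620fa50a01d4bce57
SHA1 f955733b1feeb7d7b1a7eefe414c2e33c242df1c
SHA256 413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553

C:\Users\Admin\AppData\Local\Temp\1000006001\740151cd52.exe

MD5 7eac5517949c3ba823c0d05f296bd953
SHA1 89d79b84addb51db2bdfeb90c7780dda23fabd2d
SHA256 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01

C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\prefs.js

MD5 813ceef970f9409baf8a9223d34d88e9
SHA1 f2567d9c869a0a6819d918170eb7b863db571d45
SHA256 6dfbee1470e21c2bf6ea5aa96264c199ad4770a7a0037751dd31fd1660048649
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
# Firefox profile writes (both Roaming and Local live under \Mozilla\Firefox\Profiles\)
FIREFOX_PROFILE = re.compile(r"\\Mozilla\\Firefox\\Profiles\\", re.IGNORECASE)
# 10-digit Temp subdirectories seen in the staged payload paths (assumed loader convention)
STAGED_DIR = re.compile(r"\\Temp\\(\d{10})\\")


def parse_file_entries(text):
    """Turn the report's 'path, blank, hash lines' layout into dicts; memory dumps have no hashes."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
        elif line.startswith("memory/"):
            entries.append({"path": line, "kind": "memory"})
            current = None
        else:
            current = {"path": line, "kind": "file"}
            entries.append(current)
    return entries


def self_copies(entries, sample_sha256):
    """Dropped files whose SHA256 equals the analysed sample: the loader re-staged itself."""
    return [e["path"] for e in entries if e.get("sha256") == sample_sha256]


def is_browser_profile_noise(path):
    return bool(FIREFOX_PROFILE.search(path))


def suspicious_drops(entries):
    """Written files that are neither memory dumps nor Firefox profile writes."""
    return [e["path"] for e in entries
            if e["kind"] == "file" and not is_browser_profile_noise(e["path"])]


def staged_dirs(entries):
    """Distinct 10-digit Temp staging directories used for downloaded payloads."""
    return sorted({m.group(1) for e in entries
                   if (m := STAGED_DIR.search(e["path"]))})


def ioc_hashes(entries, algo="sha256"):
    """Hash set for a blocklist: only the non-browser drops, so profile files never get listed."""
    return sorted({e[algo] for e in entries
                   if e["kind"] == "file" and algo in e and not is_browser_profile_noise(e["path"])})


if __name__ == "__main__":
    parsed = parse_file_entries(FILES_TEXT)
    print("self copies:", self_copies(parsed, SAMPLE_SHA256))
    print("suspicious drops:", suspicious_drops(parsed))
    print("staged dirs:", staged_dirs(parsed))
    print("blocklist sha256:", ioc_hashes(parsed))
```

Filtering on the Firefox profile path is deliberate: hashing prefs.js or glean telemetry files into a blocklist would produce false positives on every Firefox install, since those files are rewritten constantly and their contents are unrelated to the malware.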