Malware Analysis Report

2024-11-13 16:45

Sample ID 240710-ld2z9a1hqc
Target b76d82d0e413c4b7f21f96dbaca8180bbae0dfcdf4bdeba2aef3cb3413bed8ce
SHA256 b76d82d0e413c4b7f21f96dbaca8180bbae0dfcdf4bdeba2aef3cb3413bed8ce
Tags
amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file b76d82d0e413c4b7f21f96dbaca8180bbae0dfcdf4bdeba2aef3cb3413bed8ce was found to be: Known bad.

Malicious Activity Summary

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Checks BIOS information in registry

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Identifies Wine through registry keys

Checks computer location settings

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-10 09:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-10 09:25

Reported

2024-07-10 09:28

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b76d82d0e413c4b7f21f96dbaca8180bbae0dfcdf4bdeba2aef3cb3413bed8ce.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b76d82d0e413c4b7f21f96dbaca8180bbae0dfcdf4bdeba2aef3cb3413bed8ce.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\GDAAKFIDGI.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\KKKJKEBKFC.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b76d82d0e413c4b7f21f96dbaca8180bbae0dfcdf4bdeba2aef3cb3413bed8ce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b76d82d0e413c4b7f21f96dbaca8180bbae0dfcdf4bdeba2aef3cb3413bed8ce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\GDAAKFIDGI.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\GDAAKFIDGI.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\KKKJKEBKFC.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\KKKJKEBKFC.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000010001\64244d7bc4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000006001\24c09af7e4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b76d82d0e413c4b7f21f96dbaca8180bbae0dfcdf4bdeba2aef3cb3413bed8ce.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\b76d82d0e413c4b7f21f96dbaca8180bbae0dfcdf4bdeba2aef3cb3413bed8ce.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\GDAAKFIDGI.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\KKKJKEBKFC.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\b76d82d0e413c4b7f21f96dbaca8180bbae0dfcdf4bdeba2aef3cb3413bed8ce.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\24c09af7e4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\24c09af7e4.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b76d82d0e413c4b7f21f96dbaca8180bbae0dfcdf4bdeba2aef3cb3413bed8ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\64244d7bc4.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\64244d7bc4.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\24c09af7e4.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3192 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\b76d82d0e413c4b7f21f96dbaca8180bbae0dfcdf4bdeba2aef3cb3413bed8ce.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1800 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\24c09af7e4.exe
PID 1800 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\64244d7bc4.exe
PID 1620 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\64244d7bc4.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3816 wrote to memory of 2008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2008 wrote to memory of 4620 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b76d82d0e413c4b7f21f96dbaca8180bbae0dfcdf4bdeba2aef3cb3413bed8ce.exe

"C:\Users\Admin\AppData\Local\Temp\b76d82d0e413c4b7f21f96dbaca8180bbae0dfcdf4bdeba2aef3cb3413bed8ce.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\24c09af7e4.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\24c09af7e4.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\64244d7bc4.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\64244d7bc4.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a120783b-9e7d-49a2-b5bd-24f3bb899305} 2008 "\\.\pipe\gecko-crash-server-pipe.2008" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef043907-4022-41fd-833c-830c2182df1c} 2008 "\\.\pipe\gecko-crash-server-pipe.2008" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2860 -childID 1 -isForBrowser -prefsHandle 2956 -prefMapHandle 2872 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0be5cde3-b618-4a3d-97f5-c4fdd6089f81} 2008 "\\.\pipe\gecko-crash-server-pipe.2008" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3960 -childID 2 -isForBrowser -prefsHandle 3940 -prefMapHandle 3928 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b169d74a-2605-40da-a23f-6b89d8075605} 2008 "\\.\pipe\gecko-crash-server-pipe.2008" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4816 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4824 -prefMapHandle 4856 -prefsLen 31163 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ffad9bc-d325-4d90-8613-3a5911d24fe2} 2008 "\\.\pipe\gecko-crash-server-pipe.2008" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5376 -childID 3 -isForBrowser -prefsHandle 5372 -prefMapHandle 5384 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98bfa7ff-56f4-4ecc-94f4-1c1d4cc8fe1d} 2008 "\\.\pipe\gecko-crash-server-pipe.2008" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5492 -childID 4 -isForBrowser -prefsHandle 5536 -prefMapHandle 5540 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96932ece-7310-49a3-a3de-ef1e9d1bbd08} 2008 "\\.\pipe\gecko-crash-server-pipe.2008" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5712 -childID 5 -isForBrowser -prefsHandle 5720 -prefMapHandle 5724 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {878c90f1-33f5-46d8-a0bf-511e01df200c} 2008 "\\.\pipe\gecko-crash-server-pipe.2008" tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GDAAKFIDGI.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KKKJKEBKFC.exe"

C:\Users\Admin\AppData\Local\Temp\GDAAKFIDGI.exe

"C:\Users\Admin\AppData\Local\Temp\GDAAKFIDGI.exe"

C:\Users\Admin\AppData\Local\Temp\KKKJKEBKFC.exe

"C:\Users\Admin\AppData\Local\Temp\KKKJKEBKFC.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
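The process list above shows the launch chain this sample uses: cmd.exe invoked as a proxy with /c start "" "<payload>", payloads dropped into the user's Temp folder under ten-letter uppercase names (GDAAKFIDGI.exe, KKKJKEBKFC.exe), and the persistent copy placed in a Temp subfolder named with ten hex characters (ad40971b6b\explorti.exe). Note that the process image is C:\Windows\SysWOW64\cmd.exe while the command line says system32: the parent is a 32-bit process, so WOW64 file-system redirection resolved system32 to SysWOW64. The following Python is an added example, not part of the report or of the sandbox's detection logic; it tags command lines with those three patterns. The sample command lines are copied from the list above, with one Firefox line as a benign control, and the tag names and regexes are this example's own choices.

```python
import ntpath
import re

# Command lines constructed from the process list in this report (behavioral1);
# the Firefox line is a benign control. Not taken from the sandbox's own logic.
SAMPLE_COMMAND_LINES = [
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5712 -childID 5 -isForBrowser tab',
    r'"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GDAAKFIDGI.exe"',
    r'"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KKKJKEBKFC.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\GDAAKFIDGI.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"',
]

# cmd.exe /c start "" "<image>": the first "" is the window title, the second quoted
# token is the program actually launched.
CMD_START = re.compile(r'cmd\.exe"?\s+/c\s+start\s+""\s+"([^"]+)"', re.IGNORECASE)
FIRST_TOKEN = re.compile(r'"([^"]+)"|(\S+)')
USER_TEMP = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)
# Temp\<10 hex chars>\name.exe, the layout of ad40971b6b\explorti.exe in this report
HEX_SUBDIR = re.compile(r'\\Temp\\[0-9a-f]{10}\\[^\\]+\.exe$', re.IGNORECASE)
# ten uppercase letters, the naming of GDAAKFIDGI.exe / KKKJKEBKFC.exe in this report
RANDOM_UPPER = re.compile(r'[A-Z]{10}')


def launched_image(cmdline: str) -> str:
    """Return the executable a command line ultimately runs.

    For `cmd.exe /c start "" "X"` that is X; otherwise the first token.
    """
    m = CMD_START.search(cmdline)
    if m:
        return m.group(1)
    m = FIRST_TOKEN.match(cmdline.strip())
    return (m.group(1) or m.group(2)) if m else ""


def classify(cmdline: str) -> list[str]:
    """Tag one command line with the launch patterns observed in this report."""
    tags = []
    image = launched_image(cmdline)
    if CMD_START.search(cmdline):
        tags.append("cmd_start")          # cmd.exe used as a launcher/proxy
    if USER_TEMP.search(image):
        tags.append("temp_exe")           # executable run from the user's Temp folder
    stem, _ = ntpath.splitext(ntpath.basename(image))
    if RANDOM_UPPER.fullmatch(stem):
        tags.append("random_upper_name")  # e.g. GDAAKFIDGI
    if HEX_SUBDIR.search(image):
        tags.append("hex_subdir")         # e.g. ad40971b6b\explorti.exe
    return tags


def triage(cmdlines: list[str]) -> dict[str, list[str]]:
    """Map each flagged image path to the union of its tags; untagged lines are dropped."""
    out: dict[str, list[str]] = {}
    for line in cmdlines:
        tags = classify(line)
        if tags:
            image = launched_image(line)
            out[image] = sorted(set(out.get(image, [])) | set(tags))
    return out


if __name__ == "__main__":
    for image, tags in triage(SAMPLE_COMMAND_LINES).items():
        print(f"{image}: {', '.join(tags)}")
```

Run against the five constructed lines, triage() returns three images: both ten-letter Temp executables (cmd_start, random_upper_name, temp_exe) and the hex-subfolder copy of explorti.exe (hex_subdir, temp_exe); the Firefox content process gets no tag. On a real host the "cmd_start" plus "temp_exe" pair is the one to alert on; the naming patterns are specific to this family and should be treated as corroboration, not as a rule on their own.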

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
N/A 127.0.0.1:54973 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 172.217.169.78:443 www.youtube.com tcp
GB 172.217.169.78:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
GB 172.217.169.78:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 52.33.222.107:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 78.169.217.172.in-addr.arpa udp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 consent.youtube.com udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
GB 216.58.201.110:443 consent.youtube.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 107.222.33.52.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
N/A 127.0.0.1:54986 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com udp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
GB 216.58.201.110:443 consent.youtube.com udp
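In the network table above, the only flows whose Domain column is just the destination IP are the plaintext HTTP connections to 77.91.77.82:80, 77.91.77.81:80 and 85.28.47.30:80 (all RU): no name resolution preceded them, which is how the Amadey/Stealc command-and-control traffic shows up here. Everything else, including the one legitimate port-80 flow to ciscobinary.openh264.org, carries a resolved hostname, so a useful rule keys on the absence of a name rather than on the port. The table also contains reverse lookups of the same addresses (82.77.91.77.in-addr.arpa and so on, sent to 8.8.8.8); the report does not say whether the sample or the sandbox issued them, so the example below only records the correlation. The code is an added example, not the sandbox's own logic; the sample rows are copied from the table above (a representative subset), and the Flow class and the field names in the findings are this example's own.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Rows copied from the behavioral1 network table in this report (subset), header included.
SAMPLE_NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
N/A 127.0.0.1:54973 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 172.217.169.78:443 www.youtube.com tcp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
RU 77.91.77.81:80 77.91.77.81 tcp
"""


@dataclass(frozen=True)
class Flow:
    country: str
    host: str
    port: int
    domain: str   # "" when the report logged no name for the flow
    proto: str


def parse_rows(text: str) -> list[Flow]:
    """Parse 'Country Destination Domain Proto' rows; the Domain column may be absent."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:            # e.g. "N/A 127.0.0.1:54973 tcp"
            country, dest, proto = parts
            domain = ""
        else:
            continue
        host, _, port = dest.rpartition(":")
        if not host or not port.isdigit():   # header row or malformed line
            continue
        flows.append(Flow(country, host, int(port), domain, proto))
    return flows


def is_ip_literal(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def reverse_lookup_targets(flows: list[Flow]) -> set[str]:
    """IPs that were reverse-resolved via <reversed-octets>.in-addr.arpa DNS queries."""
    targets = set()
    for f in flows:
        if f.port == 53 and f.domain.endswith(".in-addr.arpa"):
            octets = f.domain[: -len(".in-addr.arpa")].split(".")
            if len(octets) == 4 and all(o.isdigit() for o in octets):
                targets.add(".".join(reversed(octets)))
    return targets


def direct_ip_connections(flows: list[Flow]) -> list[dict]:
    """Flows whose Domain is the bare destination IP, i.e. no DNS name preceded them.

    Grouped by (ip, port); 'reverse_lookup_seen' tells whether the same table also
    contains an in-addr.arpa query for that address.
    """
    rdns = reverse_lookup_targets(flows)
    hits: Counter = Counter()
    sample: dict[tuple, Flow] = {}
    for f in flows:
        if f.domain and is_ip_literal(f.domain) and f.domain == f.host:
            key = (f.host, f.port)
            hits[key] += 1
            sample[key] = f
    findings = []
    for (host, port), n in sorted(hits.items()):
        f = sample[(host, port)]
        findings.append({
            "ip": host, "port": port, "country": f.country, "proto": f.proto,
            "connections": n, "reverse_lookup_seen": host in rdns,
        })
    return findings


if __name__ == "__main__":
    for finding in direct_ip_connections(parse_rows(SAMPLE_NETWORK_TABLE)):
        print(finding)
```

On the constructed subset this yields exactly the three RU addresses on tcp/80, with 77.91.77.81 seen twice, and a reverse lookup present for each of them. The rule deliberately ignores the loopback row (no Domain at all) and the QUIC/udp 443 rows, which carry names; if you adapt it to proxy or NetFlow logs, the equivalent signal is an HTTP Host header that is an IP literal.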

Files

memory/3192-0-0x0000000000490000-0x000000000093B000-memory.dmp

memory/3192-1-0x0000000077624000-0x0000000077626000-memory.dmp

memory/3192-2-0x0000000000491000-0x00000000004BF000-memory.dmp

memory/3192-3-0x0000000000490000-0x000000000093B000-memory.dmp

memory/3192-4-0x0000000000490000-0x000000000093B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 b7720b5120de2b14e91e87ecf1969f5d
SHA1 188d865c8c0284ed6f89906e0bcdcd9e61a41517
SHA256 b76d82d0e413c4b7f21f96dbaca8180bbae0dfcdf4bdeba2aef3cb3413bed8ce
SHA512 fe10a7db3341da9f15b44e920b5af4a7a9406c0f3cfcb940f44ca4177550e7758bc180d1d98d2c3e7ab5467d0d0bd05811dd90d3f9b9c55f7044d455dfafb595

memory/3192-16-0x0000000000490000-0x000000000093B000-memory.dmp

memory/1800-17-0x0000000000C20000-0x00000000010CB000-memory.dmp

memory/1800-18-0x0000000000C21000-0x0000000000C4F000-memory.dmp

memory/1800-19-0x0000000000C20000-0x00000000010CB000-memory.dmp

memory/1800-20-0x0000000000C20000-0x00000000010CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\24c09af7e4.exe

MD5 7eac5517949c3ba823c0d05f296bd953
SHA1 89d79b84addb51db2bdfeb90c7780dda23fabd2d
SHA256 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01
SHA512 d7b189e5b24e7c68d57eb9c42b71233463d80b046a8d6b85e40391f477db5fb09348a1a1c0a78ce93320601a238972220dd04ed41b8fa84de69feec575c9ab89

memory/5056-36-0x00000000006D0000-0x00000000012BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000010001\64244d7bc4.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

memory/5056-55-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1800-95-0x0000000000C20000-0x00000000010CB000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5n0dnl6r.default-release\activity-stream.discovery_stream.json.tmp

MD5 ddfe5ba6b34ba9339ea42ebe9d37b38b
SHA1 effc28cc61eca5ea7c3a801ad62e6675555ed6b7
SHA256 59a5dd11c38de5a8a680d1842a8a897268100b09785d3195cfac69f806d975fa
SHA512 221d6e2278409dd2cf887f1a2d1f7ab28db37c568fea4dd5347d8c0d5a1c81dd9820c513b0c46e02af94bb3c4f24a0681f469519ee9e625a3ed7e16759d6db74

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5n0dnl6r.default-release\datareporting\glean\pending_pings\a59f6c4a-9f9e-434b-a68e-97aeefc79d0b

MD5 4c5173a9080966c6f9598e61a6013d09
SHA1 111105cb0b43b4a5f38abbf4d9399c489841a7e1
SHA256 17f43f42e81a6db525f9f917f736623609166f8da9b92e532d328e1497d83058
SHA512 f876f1648d690d4f6a03197fa426bba7e9c111bb7365311a2f12d05cac596863333774d9073ed9cb4aa680137789181d1e26212a67256eadf88608e0cdde8dbd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5n0dnl6r.default-release\datareporting\glean\pending_pings\f2d42468-f294-401e-aa49-912e3d6c488d

MD5 7929debedfdc7d76596cf9fa4dfd9edb
SHA1 43d4ef95fc0ede8d7dadc3df6094a3516d14be21
SHA256 2217775d0295ee571a1bc25d0ddc15bcf62d77a4c435e46a60efedaca9b3111e
SHA512 9be90ea3e6e4bb86645f82837cd356d8cc10610d1ed70ef76f6ae118465585764cf474fd24b0e45877f8ab394e05e9ac4edde5b01e7d7deba1134c03809e22ab

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5n0dnl6r.default-release\datareporting\glean\db\data.safe.tmp

MD5 66543f7d0854cce953f75f2654dc68c6
SHA1 4223369bad3902291551c9964ec7fc64054d35f4
SHA256 67b0bcc44633a806fefeb39775c46c8416681752c615aaa967e605bda81408a4
SHA512 1378a87c43995c1f96f13a51d810dafbff9d26225a55eb7b6736a0942c2d19cf25ff1ef2f2ec767ef2e2a8de7ea13371fd5d0ab294ae8ab7faf5b828950218bd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5n0dnl6r.default-release\datareporting\glean\pending_pings\18b5a8b5-b148-4cc3-92a0-81633b775435

MD5 2acaee8492fe9c3a3d10f5bfa269ad5f
SHA1 f649f5766a4606950cff528418fbf26b0429e090
SHA256 072b225c53af822d3005e627b38d1309bdaaa3f4c9f36f820efb8e0158d6e7ec
SHA512 712d729ad6537c0dae4c6271ee30f041e6472db1d8665779dbfe8005927ac5cd01fc2ae5538109df7e3a9edc8b47e32973caf48f843ed17b76e5ba4176e8464e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5n0dnl6r.default-release\datareporting\glean\db\data.safe.tmp

MD5 0dfbaf54f6fd3479134cd503b0847528
SHA1 43c101fca228fa1f00e2ea486de269fcf1ef2cff
SHA256 bd1d11443285f2f9f48b7be33dd8923f8941fcb53055dde9cc64732c3540d370
SHA512 a29d8932559f3d917b30434e9967ecd49cb2267efba308fe4dafcdae0b16782c78f7ad0a6a725bd57ed7e384320cc5c212674569e1ddf65136b036138cc06499

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5n0dnl6r.default-release\datareporting\glean\db\data.safe.tmp

MD5 64770c74541f75934babf96741705954
SHA1 ccd45f3d4c7060a2636f6a5418b06eb5c00f3e3f
SHA256 a4f0b2a7daa78dedeeb3b0739234945dcb6a1dc943114a844cb7d0ce08ee3047
SHA512 5dfb51dbf3d275120624831f362565bb78c609eab66a0ddb2e0dd128a7b17a0f0179a3d37cbc260d78db4bfeced5537c5ee03de5664e596890e9cea59d74b3b5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5n0dnl6r.default-release\AlternateServices.bin

MD5 a37a2bf7fab9a32a606ef1c2a5a3c60d
SHA1 291672f11255d2f8454f10dcf62621b74d021ca9
SHA256 ff8fe659d5e85fd42ba2edca489f8c23f1cce49aced041f99632d549391ce115
SHA512 883218f50ff1552155d33d6b8ef3ef7eed3afd4c65bec7a3b6fe46414e75fa4bdb5c9d689c7c491bc96710b05ff12e014996ec8828e6cc2166fd42b2c475ea47

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5n0dnl6r.default-release\prefs.js

MD5 6a040ee48de6a061831883b8b47db59f
SHA1 e81670e308bf0355531048b51114faa98f3a2686
SHA256 7799eef53555374fe3743f3f5ee6125b399fa6c99b19bb0ea00f3ee0d8fe9c62
SHA512 900d115a8fe0637a2ede7336a519bdd34a28217fa58a2f6c2ae77c8290f46f25a3b63565b552323a85bb1fbf2d58262cfd49c3de2fe560ef1d6e76c95bfba24c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5n0dnl6r.default-release\AlternateServices.bin

MD5 2566748497624b718cd2719e406a64ae
SHA1 361d18fd9711d9df832c080875224a16ae0ed2c7
SHA256 c43e59573a193157f7f294fb33d9a17284cebb22300e535f4b828413246a6a70
SHA512 58c505763aec43a585cdea29428b082eefc620ef422d34cab53d9c1657bb585ad128226c655f9152237fcd7fb990d43f0146eac68c516ff221f52c26972c89ce

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5n0dnl6r.default-release\cookies.sqlite-wal

MD5 2ac8b19c4dcc47cba76191d34cbbc73d
SHA1 18d59f7accf1e15164bb1112a3d79b489bbb7afd
SHA256 0698eaa72684db563e20b3837b04194ad4380355c3072b6e7421acdd0f166c78
SHA512 4a3d4534a22a05e410e49bfab92f2efb73d7420e7b4ace17d44a76b50ade363f603c3775239258f6873a49390bb1999898488da40d89e48f5f552914bea487ca

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5n0dnl6r.default-release\places.sqlite-wal

MD5 92d91e45eba9d9f51bb8b42a4acf4e62
SHA1 f21a35dcb9425eb1cced91890ec23f41698ae9e7
SHA256 f86c4fae627207c6d60797c475bbd01d5136af373964c5790d10896f8cf1ad3b
SHA512 32ebd5bcb4270c41c6a2da6f799e4a3551188c5a76caf62db367e7980d372fde65b8112a21d5cba7a0bcc14ae08a2b482919a3b29152f8e6cb6755d213ffb35f

C:\ProgramData\JEHDHIEGIIIDHIDHDHJJ

MD5 209be566711f4a0eb3139275fda6cdfe
SHA1 55667f5fdf4336ada4c4efbe8c4d686d8ca1b60b
SHA256 0dc47162ee193873825a06f2694f00dc6de4f57398020e58b6925ab5c8cd72c5
SHA512 a9e340f3e93ac0e5279790743f78308528e310ebc56ec89960797089a8726435720ca0528c87ad51123c452b2738b9e23f9c7da002db6d07d5c44e396cec5188

memory/5056-463-0x00000000006D0000-0x00000000012BF000-memory.dmp

memory/1244-479-0x0000000000EB0000-0x000000000135B000-memory.dmp

memory/5056-478-0x00000000006D0000-0x00000000012BF000-memory.dmp

memory/1800-477-0x0000000000C20000-0x00000000010CB000-memory.dmp

memory/2672-483-0x0000000000AF0000-0x0000000000F9B000-memory.dmp

memory/1244-484-0x0000000000EB0000-0x000000000135B000-memory.dmp

memory/2672-487-0x0000000000AF0000-0x0000000000F9B000-memory.dmp

memory/1800-494-0x0000000000C20000-0x00000000010CB000-memory.dmp

memory/1800-495-0x0000000000C20000-0x00000000010CB000-memory.dmp

memory/1800-500-0x0000000000C20000-0x00000000010CB000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5n0dnl6r.default-release\datareporting\glean\db\data.safe.tmp

MD5 6e3a3e0e58c0def1ceb344d073eb7a56
SHA1 f02dcac4b4847324aa7273e47b86a5c8f3cf44da
SHA256 b46a5cf23f81948257d49d9e11122bd326cb82a23e4110761390b03bd77604f6
SHA512 e1a364956a4287b45059d6de83ab0b569530e309c688f478286af40b83bedd41f7d69b1176cbb5a89b701420a43922c6e23f559ce2b0825b9043e31ea9ece90f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5n0dnl6r.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 e217dcc8905a8f9827bf8e06a55f719e
SHA1 ad85b0679e7822a46f538b4cd101e967d05ad0e7
SHA256 96a266d57b58fe6bdf9fa18ed75d5f0769693e9c80df34d8100e9baea1fa8a3d
SHA512 1a8300f890feb36c9599b2ac533d7c1bbe098ae9e8eaaf4c2d777c78cc8083e7b75fbed431d5a83293d561a1e9c293ea6fb2a3f6474332535f7fb5c4e75236b7

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5n0dnl6r.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5n0dnl6r.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5n0dnl6r.default-release\prefs-1.js

MD5 621c8effc7d133281f9d9ee819af02f0
SHA1 84578191d90d467262c91d8f7cb4c23edc66ad82
SHA256 ae71f95b89787d591ef510c0c2b66d7f81ef9c4aa2029fd77af4ffd45df14b50
SHA512 094452d27fde2498cc886118fcf6aa5bc12ed04333a9c38e036e8a1698c65af2a1e65479a6171238bb498ee3c928ebcc4b0612fc76678df01daa4fd12f155ef2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5n0dnl6r.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 d3925de54ea5f3a82966be7b79f981e4
SHA1 923a207a5e023a6a19a5b0a345324c2f17b054e0
SHA256 34740dfeed8eaa88e03981b7f65711caa504f41562c91cd83da0155e16d313a1
SHA512 ef741d171f6e440913d8de0e619ae225cca91d05f931b4bd6b5643e421f0506adc00cc78bc8c95a12b1fd34fcb3e6741be15ada63200d84570cd249ca1ace521

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5n0dnl6r.default-release\datareporting\glean\db\data.safe.tmp

MD5 7709f12c3e6baf53c78dcffe0ac5f618
SHA1 c94e55be6b85a1dd68bf3619f6ced0a474a7e87a
SHA256 bc081dbf0f246d40783a21045993166c7ab62b517d88e8ed48ae1ca4fa932f37
SHA512 7ebf25fa55a736535b8e405f9ee6185e0c231cbfd468bb3bedc5336578a7d004e78d01319a263b386d811e022d4bf5a52c8da7b8cd6247e57e41da86a6dccd04

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5n0dnl6r.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5n0dnl6r.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5n0dnl6r.default-release\prefs.js

MD5 0aeec874229ab902cfa8efe9c4b1d5a1
SHA1 24ca8e20af603cb7879521937c3e7083e3c35431
SHA256 7e1aa1c2e48902feeb99b315dda7dbfd6c9623d3afda664869ae9ce769feafc7
SHA512 42f94f290250df20889bb2b2eefd06f38048120707ee95da194ab126f297a0cab902214a353ab4cc1c9b797e76c5eaec4159c43cc9b38dcb41f6c18cb77d085c

memory/1800-896-0x0000000000C20000-0x00000000010CB000-memory.dmp

memory/1800-1314-0x0000000000C20000-0x00000000010CB000-memory.dmp

memory/2332-1734-0x0000000000C20000-0x00000000010CB000-memory.dmp

memory/2332-1856-0x0000000000C20000-0x00000000010CB000-memory.dmp

memory/1800-2021-0x0000000000C20000-0x00000000010CB000-memory.dmp

memory/1800-2659-0x0000000000C20000-0x00000000010CB000-memory.dmp

memory/1800-2665-0x0000000000C20000-0x00000000010CB000-memory.dmp

memory/1800-2666-0x0000000000C20000-0x00000000010CB000-memory.dmp

memory/1800-2667-0x0000000000C20000-0x00000000010CB000-memory.dmp

memory/1800-2668-0x0000000000C20000-0x00000000010CB000-memory.dmp

memory/6084-2670-0x0000000000C20000-0x00000000010CB000-memory.dmp

memory/6084-2671-0x0000000000C20000-0x00000000010CB000-memory.dmp

memory/1800-2672-0x0000000000C20000-0x00000000010CB000-memory.dmp

memory/1800-2673-0x0000000000C20000-0x00000000010CB000-memory.dmp

memory/1800-2679-0x0000000000C20000-0x00000000010CB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 09:25

Reported

2024-07-10 09:28

Platform

win11-20240709-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b76d82d0e413c4b7f21f96dbaca8180bbae0dfcdf4bdeba2aef3cb3413bed8ce.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b76d82d0e413c4b7f21f96dbaca8180bbae0dfcdf4bdeba2aef3cb3413bed8ce.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ECBGIEHDBA.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b76d82d0e413c4b7f21f96dbaca8180bbae0dfcdf4bdeba2aef3cb3413bed8ce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b76d82d0e413c4b7f21f96dbaca8180bbae0dfcdf4bdeba2aef3cb3413bed8ce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ECBGIEHDBA.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ECBGIEHDBA.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\b76d82d0e413c4b7f21f96dbaca8180bbae0dfcdf4bdeba2aef3cb3413bed8ce.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ECBGIEHDBA.exe N/A
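The three tables above are the sample's environment fingerprinting: VirtualBox stamps its ACPI tables with the OEM ID VBOX__, so the mere existence of HARDWARE\ACPI\DSDT\VBOX__ identifies the hypervisor; SystemBiosVersion and VideoBiosVersion carry hypervisor vendor strings; and HKCU\Software\Wine exists only under Wine. The BIOS keys are also read by plenty of legitimate software, so a detection should weight them below the VBOX__ and Wine keys and require more than one category before calling a process anti-VM. The Python below is an added example, not the sandbox's signature logic: it scores registry-access events per process. The events are constructed from the rows above plus one Firefox row from the "Checks processor information" table as a benign control; the rule names, weights and thresholds are this example's own, and the FADT/RSDT alternatives in the ACPI rule are an assumption extending the report, which shows DSDT only.

```python
import re

# (operation, key, process) constructed from the signature tables in this report;
# the Firefox row is a benign control from the "Checks processor information" table.
SAMPLE_REGISTRY_EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
     r"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
     r"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
     r"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"),
    ("Key opened", r"\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine",
     r"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
     r"C:\Users\Admin\AppData\Local\Temp\ECBGIEHDBA.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
     r"C:\Users\Admin\AppData\Local\Temp\ECBGIEHDBA.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString",
     r"C:\Program Files\Mozilla Firefox\firefox.exe"),
]

# (category, kind, weight, key pattern). Weights and thresholds are this example's choice.
# The report shows the DSDT key; FADT/RSDT are the other ACPI tables VirtualBox marks (assumption).
RULES = [
    ("acpi_vbox",    "evasion",   3, re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I)),
    ("bios_version", "evasion",   2, re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("wine",         "evasion",   2, re.compile(r"\\Software\\Wine$", re.I)),
    ("cpu_info",     "discovery", 1, re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0(\\|$)", re.I)),
]


def match_rules(key: str) -> list[tuple[str, str, int]]:
    """All (category, kind, weight) rules whose pattern matches the registry key."""
    return [(cat, kind, w) for cat, kind, w, pat in RULES if pat.search(key)]


def assess(events) -> dict[str, dict]:
    """Score each process once per matched category and give a verdict.

    'anti-vm' needs two or more distinct evasion categories; a single one is only
    'suspicious' because the BIOS keys are read by benign software too.
    """
    per_proc: dict[str, dict[str, tuple[str, int]]] = {}
    for _operation, key, proc in events:
        hits = per_proc.setdefault(proc, {})
        for cat, kind, w in match_rules(key):
            hits[cat] = (kind, w)          # counted once per category, however often it is read
    report = {}
    for proc, hits in per_proc.items():
        evasion = [c for c, (kind, _) in hits.items() if kind == "evasion"]
        score = sum(w for _, w in hits.values())
        if len(evasion) >= 2:
            verdict = "anti-vm"
        elif evasion:
            verdict = "suspicious"
        else:
            verdict = "benign"
        report[proc] = {"score": score, "categories": sorted(hits), "verdict": verdict}
    return report


if __name__ == "__main__":
    for proc, result in assess(SAMPLE_REGISTRY_EVENTS).items():
        print(f"{result['verdict']:<10} score={result['score']} {proc}: {', '.join(result['categories'])}")
```

With the constructed events, explorti.exe scores 7 across all three evasion categories and ECBGIEHDBA.exe 5 across two, both "anti-vm"; Firefox only touches CentralProcessor\0 and stays "benign". To feed this from Sysmon, map Event ID 12/13 TargetObject to the key and Image to the process; the patterns are written against the native \REGISTRY\MACHINE / \REGISTRY\USER form the report uses, so HKLM/HKCU prefixes need the same suffix match.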

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\b76d82d0e413c4b7f21f96dbaca8180bbae0dfcdf4bdeba2aef3cb3413bed8ce.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\69bab5dd14.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\69bab5dd14.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b76d82d0e413c4b7f21f96dbaca8180bbae0dfcdf4bdeba2aef3cb3413bed8ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\69bab5dd14.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1356 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\b76d82d0e413c4b7f21f96dbaca8180bbae0dfcdf4bdeba2aef3cb3413bed8ce.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4552 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\69bab5dd14.exe
PID 4552 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe
PID 1460 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1076 wrote to memory of 4628 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4628 wrote to memory of 4052 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b76d82d0e413c4b7f21f96dbaca8180bbae0dfcdf4bdeba2aef3cb3413bed8ce.exe

"C:\Users\Admin\AppData\Local\Temp\b76d82d0e413c4b7f21f96dbaca8180bbae0dfcdf4bdeba2aef3cb3413bed8ce.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\69bab5dd14.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\69bab5dd14.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1920 -parentBuildID 20240401114208 -prefsHandle 1856 -prefMapHandle 1848 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {55757398-c740-40f9-b900-cf52beb3208f} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e78c81da-49ef-4aaa-b903-5cab4dd00432} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3248 -childID 1 -isForBrowser -prefsHandle 3260 -prefMapHandle 3272 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e013341-e3cb-4dec-befb-7751cf82cb5e} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3940 -childID 2 -isForBrowser -prefsHandle 3932 -prefMapHandle 3928 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78b1d5c2-4623-4e53-9bca-8548f62318a1} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4676 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4624 -prefMapHandle 4620 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9386096-f07e-4f3d-b5c7-6a98def23492} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 3 -isForBrowser -prefsHandle 5548 -prefMapHandle 5544 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a7a0525-1949-4466-a1f4-3766ada3745b} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5564 -childID 4 -isForBrowser -prefsHandle 5704 -prefMapHandle 5708 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01741602-5351-4d22-a8d5-717607de394b} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5880 -childID 5 -isForBrowser -prefsHandle 5888 -prefMapHandle 5892 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32e3e296-b8bb-4be7-996c-9bde2b1d1c1b} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ECBGIEHDBA.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IJECBGIJDG.exe"

C:\Users\Admin\AppData\Local\Temp\ECBGIEHDBA.exe

"C:\Users\Admin\AppData\Local\Temp\ECBGIEHDBA.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto

Files

memory/1356-0-0x0000000000A50000-0x0000000000EFB000-memory.dmp

memory/1356-1-0x0000000077A56000-0x0000000077A58000-memory.dmp

memory/1356-2-0x0000000000A51000-0x0000000000A7F000-memory.dmp

memory/1356-3-0x0000000000A50000-0x0000000000EFB000-memory.dmp

memory/1356-5-0x0000000000A50000-0x0000000000EFB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 b7720b5120de2b14e91e87ecf1969f5d
SHA1 188d865c8c0284ed6f89906e0bcdcd9e61a41517
SHA256 b76d82d0e413c4b7f21f96dbaca8180bbae0dfcdf4bdeba2aef3cb3413bed8ce
SHA512 fe10a7db3341da9f15b44e920b5af4a7a9406c0f3cfcb940f44ca4177550e7758bc180d1d98d2c3e7ab5467d0d0bd05811dd90d3f9b9c55f7044d455dfafb595

memory/4552-16-0x0000000000550000-0x00000000009FB000-memory.dmp

memory/1356-18-0x0000000000A50000-0x0000000000EFB000-memory.dmp

memory/4552-19-0x0000000000551000-0x000000000057F000-memory.dmp

memory/4552-20-0x0000000000550000-0x00000000009FB000-memory.dmp

memory/4552-21-0x0000000000550000-0x00000000009FB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\69bab5dd14.exe

MD5 7eac5517949c3ba823c0d05f296bd953
SHA1 89d79b84addb51db2bdfeb90c7780dda23fabd2d
SHA256 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01
SHA512 d7b189e5b24e7c68d57eb9c42b71233463d80b046a8d6b85e40391f477db5fb09348a1a1c0a78ce93320601a238972220dd04ed41b8fa84de69feec575c9ab89

memory/4632-37-0x0000000000090000-0x0000000000C7F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

memory/4632-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/4552-98-0x0000000000550000-0x00000000009FB000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\prefs.js

MD5 532afa64567ffc858870d6bcd4f84641
SHA1 2c81cbfc5a5fbf0030b455792fe9de7bb20aae40
SHA256 c5220af59568a6c035c077641c80e71e9edeb921b0617deca8de4a49777d3636
SHA512 05c40964a78453e71138c12c9c62811946236d00fab9a63b1c2a43a5ae66d31282ba0d2fa4f4c495b5d815e2da7dc6d7bfce337fcd08ba264cbaa8fc10fe26e0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\pending_pings\94761e8b-591e-4f04-87b2-999a38e86c00

MD5 159f7224925078ff25b8b874492149c3
SHA1 c7dce8833b3ecfeeb72a0c611bfba6c72ecbf38a
SHA256 e3c97e562c86f74be9e761f0b9529a7d2f50303c866182c7d6a9ce8d5826429a
SHA512 9c2e06b3bcf5a0ab51e2e8143bfe4b2a64a4f73dc989b68db2016e0374be01c99be8892ae75897fa37f8594962730afd4b023c5d93abf315501880664bcc0d43

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\pending_pings\8a80c340-9701-4f8f-a5cf-42854e814536

MD5 00837e7f2c88849aaff7de5a4f094e9e
SHA1 bd4521c82f2dd5e0ebbfd89c3cb2d744f19cdffb
SHA256 adbb5e0ef5857d2bc16ae23e33c60465050267587b966b398062f7a41cf8e136
SHA512 854dcab9955b40c97a8786e3f6d9642f07cb4dbccff669004882fab087ab32fe1c680ab5ca2e5d81ce3e2be3563589ffb67499e16f7f12e88f808c8627851315

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\pending_pings\35dae4a3-a8c5-4107-b0ac-c3f5bbd6d446

MD5 b595f74b5fbfbe95d857ff386148ef01
SHA1 8643294073dfaf87d2e4e25616d3cad5e2323eca
SHA256 22a342cc1d4734c99eb355c1c43dba2b236aa8c942522b63d8f6831d71cfc10b
SHA512 33ebfc401339bb007835cd33ef3e3bd9aaff05aa794dfbef56244b284f7148758adf70f59fdb1fadcd7df9cefd39c9c573a05e4b2f8e5a444b13a24b0d1c5c15

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\db\data.safe.tmp

MD5 c36aaf5d9fb87e2653b000178f27af19
SHA1 a9a787ecc6b3754548e4b39560c8e2ae0047c421
SHA256 dcb0bdc18b91afae6cbfc105397d49eeeeecd2084bcfbfa81991854d45f912e9
SHA512 7a4c5af0996f0477de52aa9ff17fc08b9f051f9e993993dbded6d03d8c6ddecacf77d7627169be283948ae4060926c71499ad7e3f12058b228c09fdc8ae17387

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\db\data.safe.tmp

MD5 fa17de58afe4b928f02f6b3dff49246e
SHA1 09390deb29650017d19fa5aec4f6895373ada125
SHA256 ac51327313e12865abf2eddadf9b4136a794bd25fe1cfb2c394b909b1c08ccbe
SHA512 d6f7e1848907010543cb1754a03876851d07bcff0857c6bd22409b0bd1c4c3223dd3be7b20a573235ebfb5b63f64d4e8197dea5467b28fa9247203781597f239

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\activity-stream.discovery_stream.json.tmp

MD5 bad9024e971975c84862133cb1ab3711
SHA1 7c92488e814a7af23d0296fa7afcac2df73f8acb
SHA256 3abb4eea473bbcc82c89211cbdce569cdcda1eec5f7dbb10ed577dbade27260c
SHA512 4cc633d8fc0cc85f4f1ab71e54389b71e89b708f75d8155426e8af093da560f6317f07ca85d7757f9d66743415d65bc69e681d68f66d34a32a8ee1df4f0ba4ff

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\db\data.safe.tmp

MD5 65bd2607d06c20403a82a5ff1c7da172
SHA1 5ee53368f5ced2f009a2ed6edcf75e7b37f0d776
SHA256 a215b3a89dc9b17390ed90f295367f0712889f84f8b82e7f5e9d587757e60f07
SHA512 11c92df724dd80e1f005d799468f48936038d7213a03e97215a0ee4df6a71d9423caf377f26e86c1d2b9da875d447243eca98b8cb64ad02109110e32423da93c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\AlternateServices.bin

MD5 02db1d4db4e7117733f5731fb2bead71
SHA1 01aeeadf553815a61d064ce0f772b67d6daa791e
SHA256 9b3f8e386db5d809461f60ba2b150e17e66eed829935ffd4ce5a9db4c6b9deb8
SHA512 7f85c7eb854759345146e78351fbd6ef719857a837d87e18a60ce8a9985e056c078ec60bb8fae8288b372f9074be9bfe713f95b410f4c64614c8cee5438b57a9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\prefs.js

MD5 bc554303197ae840313b6142f1e7fb70
SHA1 d587cb8959e3115cc6ff24ca20781067fe169262
SHA256 6d71a43dc617cf89f5ff7bc04cb28a6a90b9351bb6f43830fe14ae80ebeb25c2
SHA512 1a9705f5af368bdd1bbb2bf699b254a4dc08e92f0e3780e5c75080e6e140578a4d6eccaaaf986b9b177a7a7c0c48ebe140aa9380e8e02a719f259d17817d3d68

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\prefs.js

MD5 f2b4b945460473d9e02fbb41e26c72df
SHA1 c85cb7b9fe42e3df3109353f47bf70b997b7ac84
SHA256 a94cb7345de1c482ba93978ff90811b5859e0db0aa8c866c319bc330d07119ed
SHA512 ff7c4beb043704a14466a4c4690d62a9890f118686b9b03f9be9755d888d6db28104d9fef65bf7bcbaafc19532cf00f95aa3e5826df0ad29a6d36cad52234318

memory/4632-481-0x0000000000090000-0x0000000000C7F000-memory.dmp

memory/4396-485-0x0000000000FC0000-0x000000000146B000-memory.dmp

memory/4396-490-0x0000000000FC0000-0x000000000146B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\AlternateServices.bin

MD5 66e1bc783df3c9ed1ba3880e453f6c3a
SHA1 932775792e9c2ee8cf15e4433ffcd634c02663c5
SHA256 95317b81bf45976ad7a27e4cca7c98aa2e906ccff4d15ed75eb2d628220df4a1
SHA512 35d914193f85e7d9653357fd09f9a860f390a52e735b0f459937b3761e5d8f3ba56f3be1beea314e1cc66b849f2230fe0d4dac8f6cdcb782a1064c6d72555d50

memory/4552-497-0x0000000000550000-0x00000000009FB000-memory.dmp

memory/4552-500-0x0000000000550000-0x00000000009FB000-memory.dmp

memory/4552-507-0x0000000000550000-0x00000000009FB000-memory.dmp

memory/4552-512-0x0000000000550000-0x00000000009FB000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\db\data.safe.tmp

MD5 abfc6860ccbc6f4589b0aa9fc7cc5a71
SHA1 bfbc12cadf3ed7eff04f27f6f0b53e536fb49bef
SHA256 db0a73bb5c1fea1039726ed882d636e69025181fd3f32c493f71043e41a6e79e
SHA512 caca7ee015a56983fa22aaf923fd04ae19d7f3ecf7b4de33e8be4b13db630e29350701afcf68d2b68169e9640fe6ae66dbcc706a458503c62d36ca4552fa59ef

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 e618187b7684303445527ae6261d643e
SHA1 88e2f64e521502385db7fa3a03a14e3aca6a4c60
SHA256 99a0d33acec4e1b00c9917f7458ea51b85dffdac53fa29f87911c62da6fbf6f0
SHA512 a611ee33fab90dcbd7ea72dbcc528f99046377c91e6fea72f2bb7f2233f1dcee0610a3ea6843490df6ad9f986f3c7ed5d86551b0744863e7b623ac1b2f237ec5

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\prefs-1.js

MD5 3b4fcdbe52ec5a92af547cf72750c186
SHA1 9cb517275cdc3824014648882273c65b3137db90
SHA256 0faf74cedf9780991fa961ffdefbe882ee7a11eeab11dd3fe366d46ec8517930
SHA512 643012849a6f08002d37cb4854261b36b0eae42e18aaddf63d626ffb5088a58337b5f9e25e232f4d3d55212589feeadf17d47aaa50b4f4ea3dd2b092ba49f8f9

memory/4552-667-0x0000000000550000-0x00000000009FB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 d8f2ef10bca0416d3af765d99c1ba771
SHA1 975360dfa374f19052f0b6497fd09e8dd6a31f73
SHA256 ce153c6213e0a08997044af27711caf7cb7dd437593a1f8fdbd069948cba16c6
SHA512 da1c805dc3349c977a53b3fd24e7c2fb1c0080c823974cd3ff0c695a505f245ede02efe211a6e72e338a071310d4774ed4c493208bc620283a114f2c998e8ff0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\prefs-1.js

MD5 bfa4b01c008094ef41dda700bd851e50
SHA1 ef3ab6a1b29de746523a1ae8381eb676a033ea11
SHA256 0cf6ca62a275acd18d6107a62ae243cceb96ff4ca58499df67579196803efe23
SHA512 f9ac3d3302819f1d6fdd87c89d366fa2610306b0af9b3f0b0799d8eeffec04397ae8ac6793f63866b79ee320fed89198fe8d046bb48971f973a865be4f0c7299

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 0baaf90dbb12e268600825d4ded15ccd
SHA1 0022d746673d2e824ca1c9e0a0e5d27e637419b8
SHA256 d1880373d51e01e7366904c2809b7700a183738e75abc24e0c65d829cdf87efc
SHA512 5b4a9448c72b9a0fd1a87d4a02e9c287b29fdbb23d8f19eebda64f7cb87b74108c28c3bba352c24383dd8a75a26653370ec64ef619d35141e4d430483838590b

memory/4360-937-0x0000000000550000-0x00000000009FB000-memory.dmp

memory/4360-1050-0x0000000000550000-0x00000000009FB000-memory.dmp

memory/4552-1440-0x0000000000550000-0x00000000009FB000-memory.dmp

memory/4552-2509-0x0000000000550000-0x00000000009FB000-memory.dmp

memory/4552-2661-0x0000000000550000-0x00000000009FB000-memory.dmp

memory/4552-2670-0x0000000000550000-0x00000000009FB000-memory.dmp

memory/4552-2671-0x0000000000550000-0x00000000009FB000-memory.dmp

memory/4552-2672-0x0000000000550000-0x00000000009FB000-memory.dmp

memory/4920-2674-0x0000000000550000-0x00000000009FB000-memory.dmp

memory/4920-2676-0x0000000000550000-0x00000000009FB000-memory.dmp

memory/4552-2677-0x0000000000550000-0x00000000009FB000-memory.dmp

memory/4552-2678-0x0000000000550000-0x00000000009FB000-memory.dmp

memory/4552-2679-0x0000000000550000-0x00000000009FB000-memory.dmp

memory/4552-2689-0x0000000000550000-0x00000000009FB000-memory.dmp
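Two things in the listing above are easier to see once the entries are parsed than by eye: the same Firefox profile files (prefs-1.js and the storage\permanent\chrome\idb sqlite) are captured twice with different hashes, meaning they changed during the run, and every memory dump covers the identical 0x0000000000550000-0x00000000009FB000 region in PIDs 4360, 4552 and 4920, which is what you would expect if the same payload is mapped in each of them. The parser below is an added example, not tooling from the report or the sandbox; its input is a handful of entries copied from the listing plus one constructed entry with a truncated hash to show how a malformed line is reported rather than silently accepted.

```python
"""Parse a sandbox "Files" listing (path, then MD5/SHA1/SHA256/SHA512 lines,
plus memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp names) into records.
Added example; not part of the original report."""
import re
from dataclasses import dataclass, field

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

MEMDUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_RE = re.compile(r"^(?P<algo>MD5|SHA1|SHA256|SHA512)\s+(?P<hex>[0-9a-fA-F]+)$")


@dataclass
class FileArtifact:
    path: str
    hashes: dict = field(default_factory=dict)


@dataclass
class MemoryDump:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str):
    """Return (files, dumps, errors). A line that is neither a hash nor a
    memory-dump name starts a new file artifact; hash lines attach to the
    most recent artifact and are rejected if their length is wrong."""
    files, dumps, errors = [], [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMDUMP_RE.match(line)
        if m:
            dumps.append(MemoryDump(int(m["pid"]), int(m["seq"]),
                                    int(m["start"], 16), int(m["end"], 16)))
            current = None  # a dump name ends the current file entry
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m["algo"], m["hex"].lower()
            if current is None:
                errors.append(f"hash line without a preceding path: {line}")
            elif len(digest) != HASH_LENGTHS[algo]:
                errors.append(f"{current.path}: {algo} has {len(digest)} hex "
                              f"chars, expected {HASH_LENGTHS[algo]}")
            else:
                current.hashes[algo] = digest
            continue
        current = FileArtifact(line)
        files.append(current)
    return files, dumps, errors


def rewritten_paths(files):
    """Paths captured more than once with differing SHA256, i.e. modified
    while the sample ran (typical of a stealer touching browser profiles)."""
    seen = {}
    for f in files:
        seen.setdefault(f.path, set()).add(f.hashes.get("SHA256"))
    return sorted(p for p, digests in seen.items() if len(digests) > 1)


def summarize_regions(dumps):
    """Map each (start, end) dumped region to the set of PIDs it was seen in."""
    regions = {}
    for d in dumps:
        regions.setdefault((d.start, d.end), set()).add(d.pid)
    return regions


# Constructed sample: entries copied from the report, plus one made-up file
# ("truncated.bin") whose SHA1 is deliberately too short.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\prefs-1.js

MD5 3b4fcdbe52ec5a92af547cf72750c186
SHA256 0faf74cedf9780991fa961ffdefbe882ee7a11eeab11dd3fe366d46ec8517930

memory/4552-667-0x0000000000550000-0x00000000009FB000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\prefs-1.js

MD5 bfa4b01c008094ef41dda700bd851e50
SHA1 ef3ab6a1b29de746523a1ae8381eb676a033ea11
SHA256 0cf6ca62a275acd18d6107a62ae243cceb96ff4ca58499df67579196803efe23

C:\constructed\truncated.bin

SHA1 deadbeef

memory/4360-937-0x0000000000550000-0x00000000009FB000-memory.dmp
memory/4920-2674-0x0000000000550000-0x00000000009FB000-memory.dmp
"""

if __name__ == "__main__":
    files, dumps, errors = parse_listing(SAMPLE)
    print(f"{len(files)} file artifacts, {len(dumps)} memory dumps")
    for path in rewritten_paths(files):
        print("modified during run:", path)
    for (start, end), pids in summarize_regions(dumps).items():
        print(f"region 0x{start:X}-0x{end:X} ({end - start:#x} bytes) in PIDs {sorted(pids)}")
    for err in errors:
        print("error:", err)
```

Feeding the full listing from this section to `parse_listing` flags both prefs-1.js and the idb sqlite as rewritten and reports a single 0x4AB000-byte region shared by all three PIDs; the one error in the constructed sample comes only from the made-up truncated line.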
