Malware Analysis Report

2024-11-13 16:46

Sample ID 240710-n9ewpswhmq
Target 3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17
SHA256 3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17
Tags
amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17

Threat Level: Known bad

The file 3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d hate discovery evasion spyware stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Checks BIOS information in registry

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Identifies Wine through registry keys

Checks computer location settings

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-10 12:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-10 12:05

Reported

2024-07-10 12:08

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\JECGIIIDAK.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\DGHJEHJJDA.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\DGHJEHJJDA.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\JECGIIIDAK.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\JECGIIIDAK.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\DGHJEHJJDA.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000006001\644319e2a8.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\JECGIIIDAK.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\DGHJEHJJDA.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\644319e2a8.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\644319e2a8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\644319e2a8.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4772 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4772 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4772 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4596 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\644319e2a8.exe
PID 4596 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\644319e2a8.exe
PID 4596 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\644319e2a8.exe
PID 4596 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe
PID 4596 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe
PID 4596 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe
PID 1412 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1412 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1512 wrote to memory of 888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1512 wrote to memory of 888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1512 wrote to memory of 888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1512 wrote to memory of 888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1512 wrote to memory of 888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1512 wrote to memory of 888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1512 wrote to memory of 888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1512 wrote to memory of 888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1512 wrote to memory of 888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1512 wrote to memory of 888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1512 wrote to memory of 888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 828 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17.exe

"C:\Users\Admin\AppData\Local\Temp\3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\644319e2a8.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\644319e2a8.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\619d3df99d.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 25755 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {952d16d3-bbd0-45c5-9f3a-eb03e74d2521} 888 "\\.\pipe\gecko-crash-server-pipe.888" gpu

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2380 -prefMapHandle 2376 -prefsLen 26675 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be1abe50-2840-4ce2-834c-e0993855f200} 888 "\\.\pipe\gecko-crash-server-pipe.888" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3148 -childID 1 -isForBrowser -prefsHandle 3212 -prefMapHandle 3252 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c4d1bf0-1727-439d-9366-608a06bb1898} 888 "\\.\pipe\gecko-crash-server-pipe.888" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2720 -childID 2 -isForBrowser -prefsHandle 3900 -prefMapHandle 3896 -prefsLen 31165 -prefMapSize 244658 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7ccc6d5-dfbc-4b9d-b298-a55a04b53eab} 888 "\\.\pipe\gecko-crash-server-pipe.888" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4648 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4668 -prefMapHandle 4664 -prefsLen 31165 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7eaa192a-0d2c-46d1-a88f-b156226a6992} 888 "\\.\pipe\gecko-crash-server-pipe.888" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4800 -childID 3 -isForBrowser -prefsHandle 1528 -prefMapHandle 5364 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a6a1fc6-b661-4ef6-920a-d82271dc2b4c} 888 "\\.\pipe\gecko-crash-server-pipe.888" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 4 -isForBrowser -prefsHandle 5580 -prefMapHandle 5576 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {947b4eea-66c0-4514-916a-6b912769821d} 888 "\\.\pipe\gecko-crash-server-pipe.888" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5788 -childID 5 -isForBrowser -prefsHandle 5780 -prefMapHandle 5696 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df6f37e5-089e-42e9-b915-c690f2274139} 888 "\\.\pipe\gecko-crash-server-pipe.888" tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JECGIIIDAK.exe"

C:\Users\Admin\AppData\Local\Temp\JECGIIIDAK.exe

"C:\Users\Admin\AppData\Local\Temp\JECGIIIDAK.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DGHJEHJJDA.exe"

C:\Users\Admin\AppData\Local\Temp\DGHJEHJJDA.exe

"C:\Users\Admin\AppData\Local\Temp\DGHJEHJJDA.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 12:05

Reported

2024-07-10 12:08

Platform

win11-20240709-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\FIIJJKKFHI.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\FIIJJKKFHI.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\FIIJJKKFHI.exe N/A

Identifies Wine through registry keys

evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\FIIJJKKFHI.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\d20367d2aa.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\d20367d2aa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\d20367d2aa.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5116 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 5116 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 5116 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 5068 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\d20367d2aa.exe
PID 5068 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\d20367d2aa.exe
PID 5068 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\d20367d2aa.exe
PID 5068 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe
PID 5068 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe
PID 5068 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe
PID 2032 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2032 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 660 wrote to memory of 356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 660 wrote to memory of 356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 660 wrote to memory of 356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 660 wrote to memory of 356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 660 wrote to memory of 356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 660 wrote to memory of 356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 660 wrote to memory of 356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 660 wrote to memory of 356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 660 wrote to memory of 356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 660 wrote to memory of 356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 660 wrote to memory of 356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 356 wrote to memory of 3024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17.exe

"C:\Users\Admin\AppData\Local\Temp\3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\d20367d2aa.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\d20367d2aa.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1920 -parentBuildID 20240401114208 -prefsHandle 1856 -prefMapHandle 1848 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e65fe856-43a1-4dbe-9f13-4c08fcdcac2b} 356 "\\.\pipe\gecko-crash-server-pipe.356" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2264 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2df2cc13-f3b8-4183-b825-000aa57260c8} 356 "\\.\pipe\gecko-crash-server-pipe.356" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3000 -childID 1 -isForBrowser -prefsHandle 1320 -prefMapHandle 2828 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5568ecb2-2ed2-403c-b5aa-5ad8c4bb8f83} 356 "\\.\pipe\gecko-crash-server-pipe.356" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3944 -childID 2 -isForBrowser -prefsHandle 3936 -prefMapHandle 3932 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f11d7ef0-c24c-4728-a423-520c1a5999ec} 356 "\\.\pipe\gecko-crash-server-pipe.356" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4768 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4788 -prefMapHandle 4784 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf81e2c3-20c7-4fda-bab8-66742c513ebd} 356 "\\.\pipe\gecko-crash-server-pipe.356" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 3 -isForBrowser -prefsHandle 5540 -prefMapHandle 5448 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d80846c-7b80-4734-b9f9-b0cb4a394962} 356 "\\.\pipe\gecko-crash-server-pipe.356" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5748 -childID 4 -isForBrowser -prefsHandle 5596 -prefMapHandle 5012 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70879cce-8e77-4d76-bf1c-5baa2d8e324f} 356 "\\.\pipe\gecko-crash-server-pipe.356" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5940 -childID 5 -isForBrowser -prefsHandle 5860 -prefMapHandle 5864 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bc4f225-355c-48a9-809d-c207abcabd6a} 356 "\\.\pipe\gecko-crash-server-pipe.356" tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FIIJJKKFHI.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EBFBFBFIIJ.exe"

C:\Users\Admin\AppData\Local\Temp\FIIJJKKFHI.exe

"C:\Users\Admin\AppData\Local\Temp\FIIJJKKFHI.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
N/A 127.0.0.1:49844 tcp
US 34.117.188.166:443 spocs.getpocket.com udp
US 34.117.188.166:443 spocs.getpocket.com udp
GB 172.217.169.78:443 youtube-ui.l.google.com tcp
GB 172.217.169.78:443 youtube-ui.l.google.com tcp
US 34.117.188.166:443 spocs.getpocket.com tcp
US 34.117.188.166:443 spocs.getpocket.com tcp
US 44.242.121.21:443 shavar.prod.mozaws.net tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
GB 172.217.169.78:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
GB 216.58.201.110:443 consent.youtube.com udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
N/A 127.0.0.1:49855 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
GB 88.221.134.209:80 a19.dscg10.akamai.net tcp
GB 142.250.200.14:443 youtube-ui.l.google.com tcp
GB 142.250.200.14:443 youtube-ui.l.google.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com tcp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
GB 142.250.200.46:443 youtube-ui.l.google.com tcp
GB 142.250.200.46:443 youtube-ui.l.google.com udp
GB 216.58.201.110:443 consent.youtube.com udp

Files

memory/5116-0-0x00000000008D0000-0x0000000000D76000-memory.dmp

memory/5116-1-0x00000000777D6000-0x00000000777D8000-memory.dmp

memory/5116-2-0x00000000008D1000-0x00000000008FF000-memory.dmp

memory/5116-3-0x00000000008D0000-0x0000000000D76000-memory.dmp

memory/5116-5-0x00000000008D0000-0x0000000000D76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 28f7e2ed3725fc403099eac97c08b136
SHA1 5e45a160f6d74cb14bf52809d51495a2f4925445
SHA256 3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17
SHA512 b1216a69c0a995ad953ad8c43f2d728c02518de54dfadd8be9b6f8045de8a37b85abfbe771815c16f97906ac9f0edede39877d2f1b53128a5761044339dfc7c9

memory/5116-17-0x00000000008D0000-0x0000000000D76000-memory.dmp

memory/5068-18-0x00000000006D0000-0x0000000000B76000-memory.dmp

memory/5068-19-0x00000000006D0000-0x0000000000B76000-memory.dmp

memory/5068-20-0x00000000006D0000-0x0000000000B76000-memory.dmp

memory/5068-21-0x00000000006D0000-0x0000000000B76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\d20367d2aa.exe

MD5 20fe4b16d13a547a5d7f4dbf543b595a
SHA1 3c59aca1c693efb9923f04c312fdcd47388d24eb
SHA256 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04
SHA512 c502ce3049137646c47898640197641696f2421a66aa67fe20df47b51c99e72db64f2c2a4945dafe16c6cb57871d42397b12759b4d779dbdf85225234296b77e

memory/1612-37-0x0000000000390000-0x0000000000F7A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

memory/1612-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\activity-stream.discovery_stream.json.tmp

MD5 0d1567e37371e8c42a3736155a4b3c95
SHA1 a277edbc77dd5c3e456dd4c6c62e58e03eddbe1b
SHA256 3f9c8fe92482ca15372254c37abca7ce023adfaf0fc111c23f1a6f06a7d81d72
SHA512 9d8e78ad41b886404723cc2b6c81b17bf714f37d1a9b3f53c590a44d319f5fa3aae8cbafdfa0d5de0e80bc3c6799319dae52e114a1b6e23b6c226f352ece0f84

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\pending_pings\6bc64177-c706-441f-b14e-7800957a2bda

MD5 c97f2fd96e8a99298a89109139337412
SHA1 83bce20059ec6d0d0209f91d2b47de7e387a61c6
SHA256 d667da5944436ee582c779f5507d439f1fbe22b86042e901682cc1e8be4e4258
SHA512 1cc87c5e85bdb4690ddca16c16051ed470aef4281ea1cec6a2bc71015af3fac993abf0cc77257ac38914b2a318e7cce6e3e5f8046a524dc4d1443f389c8fdce1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\pending_pings\5fb7ec55-bda7-4445-8c4e-bbc1c72b2df5

MD5 ffd73352ac6f1bfe58715c3df3c2c093
SHA1 5502cd3e314e5ae1a1e86d67b24fd7b4e6bd2bb2
SHA256 297fe6b8edae0fb78734b71a6b8905ae1f3b82b5cc32822cac81d37e202ef2d5
SHA512 fc8f957b3a859432bf8df5e93f0e7e216dd16c947d9fa1bbc4b32a4960ac60e1312059da69efd961786da0e91b0d7d0473a494d29b0eeb63dde1e0f4792128f6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\pending_pings\5dbaf4a3-571a-46b6-a42c-c3c05193d192

MD5 8ace1e3e1691212d1a707a9eec78d592
SHA1 1947d0a0a7ec8d03a7d8233100239cca2af75dcb
SHA256 1e2e70141838c96412831b57792983d794e45cf40f7a58f3b6f060288a570600
SHA512 98f5418a782b06cbdcc25a5676990662f13955ce1f003281c153059ce2ee1a270f0f54633c04951ca972df20e4d4c544d81b2c3f80822b9afd7835ee376f100c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp

MD5 fc6bf2061728c55f9b9cef712a5fe600
SHA1 947eb79e5d5464a98165ebf24ccdee20f3e8e0be
SHA256 a553c2f95bb6b8aa2e24b976698209f5824949c4fb3e85f6362409c9dc5e7678
SHA512 2ab009b86168cabf3f7a1e9e3e9aa99508675cc595879287667d96bb2a11a2adfbca9075133e4f5ccbdf193eee835a7ac7041b7d871e46d1ca2141caa3855157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp

MD5 1da4fa65e29e3ff88337fec0c0559796
SHA1 447898aa8aa7942ac6b9f2146b34dc86c34222cc
SHA256 93135e916ea35b419b6b77fa44ce1a3a9dc0b9f9ada28946069fef4787176496
SHA512 491dffed292695ec7d103ad61253cfd59e43e9d63d91d52fda9001e5e28b803cb5b3c4e623bda3eee670ef66792052980218c56094785423bb7029496395ae7d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\AlternateServices.bin

MD5 34c27d68edecdd81da16c5b1c1a468d5
SHA1 55baa6de1190cfbf6ea4dd16d1a2455b2d34d915
SHA256 8f81604ce4f24f4de4860144875ef68e97dc26a2c9cda22baf70a67e84deb795
SHA512 e66c949499360bb7d5f90f71eeb8765e43a746752ee6f8f4edd806c7a7576da2feadfb5bb11a1f2647d66613d955bc29ee5f1d9ebff699cfa62f6794b3b4d3f7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\prefs.js

MD5 4c8a36cae464b1c78a9ffd50c7aa26b0
SHA1 f3fd78ce865b765b4c0f2a35a8a857dcbe3e2a7f
SHA256 37fa81799fce1173d28740ad794b8eb81657d7312d26651b1be4f7983c23f60e
SHA512 8f3b23be80fcba5414a8d2ef3710a3ec262660863e11d5d921e8563ff4fd6edc8e2f6b49550740d7c4487a7b93e94679ab4cb1eb76162d9a65d8e9dca85756fe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\AlternateServices.bin

MD5 514e799fc611385578325c0d7372c2d5
SHA1 e3289a8fe155d641e421d9e9f6fe6c9664a07eb0
SHA256 c2023b4321b86f8a6c88a81d68a5579030e9f2fb45c200adb60ac635344ddab4
SHA512 ad2bb5533da5bca42684694c4f80d0df9b221f1c529f3d5fac5180061e22ddc0f40d98100d684d8de3a341466738d4ca6858546b18ce764b7eed635eea0b9093

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp

MD5 b5f5b803a79b413673345f52df1ececf
SHA1 fde9310f1fe6849e8ca56515fad752c200c1a04c
SHA256 5e32cd124917b0703e6e4d41fa9da7787d163394798d95db87a740331c020270
SHA512 37d545e3929e487f5bb05233d3ef290da0aad2122ea6e0bf6f37e4d7b0ddb8dff757af186e002aec4b1e5f3b70833ad4ab9115dcaf49faac06aad03e724400d9

memory/5068-440-0x00000000006D0000-0x0000000000B76000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cookies.sqlite-wal

MD5 df4d8f6950771432e90641ab30c14a75
SHA1 94b0442911cd5e97beb99bc9394e8aa42a9560dc
SHA256 357c5e802c6f3a4e8829fd3e568529905a2f7f2a83a316a71199315d18ebd906
SHA512 0d59f78790dc2ba18e98246ee64d1655c7633bb4538762ffff15edd3d26a0e4d778f278e7fafa3442e32e3f7d3686a6201dade06fbfa2996c50d582b49a56d00

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\places.sqlite-wal

MD5 7d4ddae8a78b11965733815d9f3b1362
SHA1 a774393615c07ea6e95033e823573898cbc76075
SHA256 106ed87e750d8f7e93fcfeaba3843121b238cfb65c5d5afd9560a7e46064c794
SHA512 b4b389bab808d8979cf29c73f37d130b75550a35b73836fc2282092f9233236644296bbe4c4ef42189e033f587f0c89abdbfa23fbd3c4761626fd2188b12a4f1

memory/1612-467-0x0000000000390000-0x0000000000F7A000-memory.dmp

C:\ProgramData\BGDAAKJJDAAKFHJKJKFC

MD5 11d2b57744586d6365230101ef4b52a2
SHA1 92e886800c6d642d791fdb5f37cfd6e675aac528
SHA256 e312b61d4706d15a27d0a803e5df28a3ca9d6ccd0c0363395b5dead56ec627ca
SHA512 002a4ff12861f0be8761170f9f14cd6bf53e1063be5fb237a640b0b195463f631a4b9b7cd16f7922dd66255219bd4adac4307b7d3ab66a64f342d4a49a5570d8

memory/5068-486-0x00000000006D0000-0x0000000000B76000-memory.dmp

memory/3600-487-0x0000000000AE0000-0x0000000000F86000-memory.dmp

memory/1612-482-0x0000000000390000-0x0000000000F7A000-memory.dmp

memory/3600-491-0x0000000000AE0000-0x0000000000F86000-memory.dmp

memory/5068-498-0x00000000006D0000-0x0000000000B76000-memory.dmp

memory/5068-499-0x00000000006D0000-0x0000000000B76000-memory.dmp

memory/5068-504-0x00000000006D0000-0x0000000000B76000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp

MD5 2b95bca39b7a311a71d5c594d85b7bcd
SHA1 1a36e656c80bdf9594e4922d49b2010e759489b5
SHA256 c0f9236a1c110bd1b8732b0aa278954d6c0b92ab684d209b61a259f7d9b43472
SHA512 450ddf05b475a335882147830111d701f8ac3f1d2f533aea3f4b04b861bc2b3e768e2f084fbf283b491d4c67baee22e64124bb6a01930728fe1e3d8ee244c7e2

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 4f54b738b67db809ad31228cd77ce8b2
SHA1 623733080b18fab59c20d668bc6445a66c4bd649
SHA256 7dee406f42de3dccf5a106deb7c269aa963f8f0a119e13edc80845a8842bc830
SHA512 32743e8296468c1d90964b09ea9310f8477683160ef873408d412987a2d5d06e321fd87dd5873ce25efbde7a8b1cfda755b26ca732c98a97e9729043bb807082

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\prefs-1.js

MD5 6e5193da1742716f8daddbb9e272688a
SHA1 b35a59cf2329111b15138ac207f937ec9c62f02d
SHA256 93f6f93b9df77bfde4163a6f8a8e3c1d223b9719ea9979d9030bf6fda89182a7
SHA512 3ffe8f4ae1e9930caa455291c2edbfbd620d86b0b70114e1eba69c7d61acd027c380297d91dab5279609e3ae8944bdbca805ad2615669c09962ed92bd7aa1a5e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 4e1ab1c808322a4d705686d1ceabefb4
SHA1 3cc4ad25d86350c6bb973b9db66688392ef5b022
SHA256 116d5aac43b4f7c02585708a1ba13147fb81ace230a003e58c069b8e4390b105
SHA512 87e0809af939cdf1223dbd0398eabff8d19dce89d66063a56b25c0f247ed6ae7511a66e6847ee62893ae012474a850e76ccce6813adb3dd0667936b4408d6c7e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp

MD5 174e5497f81c469c231b3d5187312b9f
SHA1 b86970b48f2875efebccb107c6af2b8c2ae70224
SHA256 482612ed8e0d37d388750ed90ce082cdb155f038c729a56c8f6f37b685caeac9
SHA512 4fdd0812f30de1c2f38823599f6d9073be297b6c5df20c28a5e86014fd1b9b91ba4748cc896689b6bcb2c5f8d023050722593b9e1fad5124c372ae5b1455b9fb

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\prefs-1.js

MD5 89a944291d444e92722623fd7e0a1e85
SHA1 c1cd11c43464d2dd1e34787378ef533fddeb1158
SHA256 89656fd07e375493789959600ab63b9da2750243de8032e2169d5a2cc308f42e
SHA512 7e247c4d635bafd6709a9545456f787729f76e3a73fce67f533f2d12e9d2f319b5fa18439a4fb2cffad77bbb0fe4d5a474e9a96458c5207a9a150427c01011ba

memory/5068-1046-0x00000000006D0000-0x0000000000B76000-memory.dmp

memory/5068-1734-0x00000000006D0000-0x0000000000B76000-memory.dmp

memory/3256-2323-0x00000000006D0000-0x0000000000B76000-memory.dmp

memory/3256-2494-0x00000000006D0000-0x0000000000B76000-memory.dmp

memory/5068-2627-0x00000000006D0000-0x0000000000B76000-memory.dmp

memory/5068-2688-0x00000000006D0000-0x0000000000B76000-memory.dmp

memory/5068-2692-0x00000000006D0000-0x0000000000B76000-memory.dmp

memory/5068-2693-0x00000000006D0000-0x0000000000B76000-memory.dmp

memory/5068-2694-0x00000000006D0000-0x0000000000B76000-memory.dmp

memory/5068-2695-0x00000000006D0000-0x0000000000B76000-memory.dmp

memory/3548-2697-0x00000000006D0000-0x0000000000B76000-memory.dmp

memory/3548-2698-0x00000000006D0000-0x0000000000B76000-memory.dmp

memory/5068-2699-0x00000000006D0000-0x0000000000B76000-memory.dmp

memory/5068-2700-0x00000000006D0000-0x0000000000B76000-memory.dmp

memory/5068-2706-0x00000000006D0000-0x0000000000B76000-memory.dmp