Malware Analysis Report

2024-11-13 16:46

Sample ID: 240710-qhp9gascka
Target: b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0
SHA256: b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0
Tags: amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0
Threat Level: Known bad

The file b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0 was found to be: Known bad.

Malicious Activity Summary

Tags: amadey stealc 4dd39d hate discovery evasion spyware stealer trojan

Stealc
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Identifies Wine through registry keys
Reads data files stored by FTP clients
Checks BIOS information in registry
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
AutoIT Executable
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-10 13:15

Signatures

Unsigned PE
(no indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-10 13:15
Reported: 2024-07-10 13:18
Platform: win10v2004-20240704-en
Max time kernel: 150s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe"

Signatures

Amadey
trojan amadey

Stealc
stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)
evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\DBKFHJEBAA.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\DBKFHJEBAA.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\DBKFHJEBAA.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000010001\1c90ac9583.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000006001\e4ef0671cf.exe | N/A

Identifies Wine through registry keys
evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\DBKFHJEBAA.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A

Reads data files stored by FTP clients
spyware stealer

Reads user/profile data of web browsers
spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting
spyware

Checks installed software on the system
discovery

AutoIT Executable
(no indicator, process or target recorded)

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Most of these rows are attributed to firefox.exe, which 1c90ac9583.exe launched (see Processes); only the two e4ef0671cf.exe rows are the dropped binary's own queries.

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000006001\e4ef0671cf.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000006001\e4ef0671cf.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A (5 identical rows)

Suspicious use of FindShellTrayWindow

The original table holds 64 rows with Description, Indicator and Target all N/A; collapsed here to a count per process:

Process | Rows
C:\Users\Admin\AppData\Local\Temp\1000010001\1c90ac9583.exe | 59
C:\Program Files\Mozilla Firefox\firefox.exe | 4
C:\Users\Admin\AppData\Local\Temp\b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe | 1

Suspicious use of SendNotifyMessage

The original table holds 64 rows with Description, Indicator and Target all N/A; collapsed here to a count per process:

Process | Rows
C:\Users\Admin\AppData\Local\Temp\1000010001\1c90ac9583.exe | 61
C:\Program Files\Mozilla Firefox\firefox.exe | 3

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\e4ef0671cf.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of WriteProcessMemory

The sandbox records one row per write, so the same parent/child pair repeats; the 64 original rows (Indicator N/A throughout) are collapsed here to one line per pair with the number of writes:

Description | Writes | Process | Target
PID 1680 wrote to memory of 792 | 3 | C:\Users\Admin\AppData\Local\Temp\b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 792 wrote to memory of 5048 | 3 | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\e4ef0671cf.exe
PID 792 wrote to memory of 4592 | 3 | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000010001\1c90ac9583.exe
PID 4592 wrote to memory of 4900 | 2 | C:\Users\Admin\AppData\Local\Temp\1000010001\1c90ac9583.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4900 wrote to memory of 2428 | 11 | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2428 wrote to memory of 4416 | 42 | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe

Read as a chain: the submitted sample (PID 1680) starts explorti.exe (792), which starts both e4ef0671cf.exe (5048) and 1c90ac9583.exe (4592); 1c90ac9583.exe then launches firefox.exe (4900). The firefox.exe-to-firefox.exe writes (4900 -> 2428 -> 4416) are consistent with the browser's own multi-process startup, as the -contentproc command lines under Processes (which name 2428 as their parent) show, and should not be read as injection by the malware.
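The rows above are the only place this report exposes parent/child PIDs, so the process chain has to be rebuilt from them. The following Python script is an added example, not part of the sandbox report or its tooling: it parses rows of the shape shown (a few rows copied from the table, with one edge left tripled to show the repeat counting), collapses repeated writes into a count per parent/child pair, prints the tree, and flags images under the user's Temp directory as dropped payloads. The `TEMP` path test and the "same image as parent" note are this example's own heuristics, not signatures from the report.

```python
"""Rebuild the process chain from 'Suspicious use of WriteProcessMemory' rows
of a sandbox report.  Each row has the shape

    PID <parent> wrote to memory of <child> N/A <parent image> <child image>

and the sandbox emits one row per write, so the same parent/child pair repeats;
the parser collapses repeats into a per-edge count."""
import ntpath
import re
from collections import Counter, defaultdict

# Rows copied from the behavioral1 table above.  One row per edge is kept here,
# except 1680 -> 792, which is left tripled to show the counting.
REPORT_ROWS = r"""
Description Indicator Process Target
PID 1680 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1680 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1680 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 792 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\e4ef0671cf.exe
PID 792 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\1c90ac9583.exe
PID 4592 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\1c90ac9583.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4900 wrote to memory of 2428 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2428 wrote to memory of 4416 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
"""

# Image paths contain spaces ("Program Files"), so anchor on the fixed phrase and
# on the ".exe" suffixes instead of splitting on whitespace.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$")
TEMP = "\\AppData\\Local\\Temp\\"   # heuristic: payloads staged under the user's Temp


def parse_rows(text):
    """Return (Counter keyed by (parent_pid, child_pid), dict pid -> image path)."""
    edges = Counter()
    image = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:                       # header, blank or malformed line
            continue
        ppid, cpid, pimg, cimg = m.groups()
        ppid, cpid = int(ppid), int(cpid)
        edges[(ppid, cpid)] += 1
        image.setdefault(ppid, pimg)
        image.setdefault(cpid, cimg)
    return edges, image


def build_tree(edges):
    """Return (root pids, dict parent -> sorted child pids)."""
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    for parent in children:
        children[parent].sort()
    child_pids = {c for _, c in edges}
    roots = sorted({p for p, _ in edges} - child_pids)
    return roots, children


def temp_resident(image):
    """Pids whose image lives under the user's Temp directory (dropped payloads)."""
    return sorted(pid for pid, img in image.items() if TEMP in img)


def render(edges, image):
    """Indented tree, one line per pid, annotated with the write count from its parent."""
    roots, children = build_tree(edges)
    lines = []

    def walk(pid, depth, parent):
        label = f"{'  ' * depth}{pid} {ntpath.basename(image[pid])}"
        if parent is not None:
            n = edges[(parent, pid)]
            label += f"  [{n} write{'s' if n != 1 else ''} from {parent}]"
        if image[pid] == image.get(parent):
            label += "  (same image as parent: check for ordinary child-process spawning)"
        lines.append(label)
        for child in children.get(pid, []):
            walk(child, depth + 1, pid)

    for root in roots:
        walk(root, 0, None)
    return lines


if __name__ == "__main__":
    edges, image = parse_rows(REPORT_ROWS)
    print("\n".join(render(edges, image)))
    print("temp-resident pids:", temp_resident(image))
```

Run against the full table instead of the subset, the per-edge counts come out as 3, 3, 3, 2, 11 and 42; the tree shape is unchanged. The "same image as parent" note is deliberately neutral: for the firefox.exe chain it points at the browser's own child launches, but the same pattern can also be a self-injecting loader, so it is a prompt to look at the child's command line, not a verdict.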

Uses Task Scheduler COM API
persistence

The C:\Windows\Tasks\explorti.job file recorded under "Drops file in Windows directory" is consistent with a task registered through this API for the copied explorti.exe.

Processes

Image path, followed by the command line as recorded:

C:\Users\Admin\AppData\Local\Temp\b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe
  "C:\Users\Admin\AppData\Local\Temp\b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\e4ef0671cf.exe
  "C:\Users\Admin\AppData\Local\Temp\1000006001\e4ef0671cf.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\1c90ac9583.exe
  "C:\Users\Admin\AppData\Local\Temp\1000010001\1c90ac9583.exe"

C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2428.0.1065774509\397306340" -parentBuildID 20230214051806 -prefsHandle 1772 -prefMapHandle 1764 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {345b7f31-576f-457e-9ea2-462af0b94164} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" 1852 1cc4fcf0f58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2428.1.1393770941\1127894053" -parentBuildID 20230214051806 -prefsHandle 2432 -prefMapHandle 2428 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6cb48f2d-b67f-4ee6-9262-5722338fc237} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" 2444 1cc43f88d58 socket

C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2428.2.326589128\434990292" -childID 1 -isForBrowser -prefsHandle 3024 -prefMapHandle 3020 -prefsLen 23030 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74cb5110-fa71-4e66-b4f7-290a2aa8dca8} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" 2916 1cc53c37958 tab

C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2428.3.1116088492\1697480205" -childID 2 -isForBrowser -prefsHandle 3956 -prefMapHandle 3952 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1f9d263-85d8-4a6d-9847-1c4715bfc7fa} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" 3968 1cc55a68b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2428.4.1361397128\452976039" -childID 3 -isForBrowser -prefsHandle 5012 -prefMapHandle 4988 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71af683f-567a-44ba-8577-221b32044081} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" 5024 1cc569b7f58 tab

C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2428.5.1008295083\848487509" -childID 4 -isForBrowser -prefsHandle 5272 -prefMapHandle 5268 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f83e6dc4-0ca1-4c9e-b5b3-7aaeec281022} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" 5284 1cc569b6758 tab

C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2428.6.1407463237\320431038" -childID 5 -isForBrowser -prefsHandle 5392 -prefMapHandle 5396 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8775deaf-a317-4782-a71d-280fbe238dd5} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" 5408 1cc569b6458 tab

C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DBKFHJEBAA.exe"

C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JDAKJDAAFB.exe"

C:\Users\Admin\AppData\Local\Temp\DBKFHJEBAA.exe
  "C:\Users\Admin\AppData\Local\Temp\DBKFHJEBAA.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  (four further instances; no command line recorded)

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 13:15

Reported

2024-07-10 13:18

Platform

win11-20240709-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\FBFHDBKJEG.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\FBFHDBKJEG.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\FBFHDBKJEG.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\FBFHDBKJEG.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\f66a12a266.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\f66a12a266.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\735496ab4d.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\735496ab4d.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\f66a12a266.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4036 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2424 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\f66a12a266.exe
PID 2424 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\735496ab4d.exe
PID 1504 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\735496ab4d.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4236 wrote to memory of 3236 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3236 wrote to memory of 3228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe

"C:\Users\Admin\AppData\Local\Temp\b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\f66a12a266.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\f66a12a266.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\735496ab4d.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\735496ab4d.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1900 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc6489f4-0948-4c36-9d26-650ede3b82c5} 3236 "\\.\pipe\gecko-crash-server-pipe.3236" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4669a321-45da-426b-aa64-f49185e6b573} 3236 "\\.\pipe\gecko-crash-server-pipe.3236" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2884 -childID 1 -isForBrowser -prefsHandle 2780 -prefMapHandle 1400 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {372fd3df-41f1-40ed-9929-e23a08f7bb8e} 3236 "\\.\pipe\gecko-crash-server-pipe.3236" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2716 -childID 2 -isForBrowser -prefsHandle 3908 -prefMapHandle 3904 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3eb57011-3fdc-49af-b990-94e599b9b9c2} 3236 "\\.\pipe\gecko-crash-server-pipe.3236" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4776 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4852 -prefMapHandle 4796 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7a3ba7b-4d1c-4914-b682-b359fda54e5e} 3236 "\\.\pipe\gecko-crash-server-pipe.3236" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -childID 3 -isForBrowser -prefsHandle 5604 -prefMapHandle 5516 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45e1a86f-8fe3-4a87-ac48-71a5c6fbc188} 3236 "\\.\pipe\gecko-crash-server-pipe.3236" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5760 -childID 4 -isForBrowser -prefsHandle 5680 -prefMapHandle 5684 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f393b090-4220-4045-9568-907cde26de1c} 3236 "\\.\pipe\gecko-crash-server-pipe.3236" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5888 -childID 5 -isForBrowser -prefsHandle 5964 -prefMapHandle 5960 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b47d85d-2b6a-4f31-bef5-d3f49fe8bc71} 3236 "\\.\pipe\gecko-crash-server-pipe.3236" tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FBFHDBKJEG.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CGHCFBAAAF.exe"

C:\Users\Admin\AppData\Local\Temp\FBFHDBKJEG.exe

"C:\Users\Admin\AppData\Local\Temp\FBFHDBKJEG.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\1000006001\f66a12a266.exe

C:\Users\Admin\AppData\Local\Temp\1000010001\735496ab4d.exe

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\activity-stream.discovery_stream.json.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\pending_pings\605aa892-3d5b-43ff-92dd-89d790f6b1a9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\pending_pings\3e12b008-a099-4c54-afc4-26613c172bb2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\pending_pings\06ff740d-edce-4a74-949d-38547fce409e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\AlternateServices.bin

C:\ProgramData\nss3.dll

C:\ProgramData\mozglue.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\cookies.sqlite-wal

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\prefs.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\places.sqlite-wal

C:\ProgramData\IJDBGDGCGDAKFIDGIDBF

C:\Users\Admin\AppData\Local\Temp\tmpaddon

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\prefs-1.js

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
