Malware Analysis Report

2024-11-13 16:46

Sample ID: 240710-rtqj2svgre
Target: 506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d
SHA256: 506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d
Tags: amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d

Threat Level: Known bad

The file 506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d hate discovery evasion spyware stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Checks computer location settings

Reads data files stored by FTP clients

Identifies Wine through registry keys

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-10 14:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-10 14:29
Reported: 2024-07-10 14:31
Platform: win10v2004-20240709-en
Max time kernel: 149s
Max time network: 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\IIDHJKFBGI.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\IIDHJKFBGI.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\IIDHJKFBGI.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000010001\f23e5f8a6a.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000006001\097f49198e.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\IIDHJKFBGI.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
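The three evasion signatures above (VirtualBox ACPI table, BIOS version strings, Wine key) fire on individual registry reads; for triage it is more useful to correlate them per process, since the sample, explorti.exe and IIDHJKFBGI.exe each touch several of them while the firefox.exe CPU queries further down are ordinary browser start-up. The script below is an added example written for this report, not the sandbox's own signature code. It parses event rows in the format shown above, tags each read against a small probe table (an assumption; the sandbox's real rule set is not reproduced here) and flags processes that hit more than one probe category. The event lines are constructed from the rows in this report, including two benign look-alikes (Firefox's CentralProcessor query and cmd.exe's Geo\Nation check) that must not match.

```python
"""Classify sandbox registry events as VM/sandbox-detection probes.

Added example for this report; it is not the sandbox's own signature engine.
The event lines are constructed from rows in the tables above. PROBE_PATTERNS
is an assumption about which keys are typically probed, not the sandbox's rule set.
"""
import re
from collections import defaultdict

# One regex per evasion category. HKU keys carry a per-user SID, so the
# patterns anchor on the tail of the key path only.
PROBE_PATTERNS = {
    "virtualbox_acpi": re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
    "bios_strings": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
    "wine": re.compile(r"\\Software\\Wine$", re.I),
}

# "<action> <key> <process image> <target>"; both the key and the image path
# may contain spaces ("Control Panel", "Program Files"), so the key is matched
# lazily up to the first drive-letter path and the image up to its ".exe".
EVENT_RE = re.compile(
    r"^(?P<action>Key opened|Key value queried)\s+"
    r"(?P<key>\\REGISTRY\\.+?)\s+"
    r"(?P<process>[A-Za-z]:\\.+?\.exe)\s+"
    r"(?P<target>\S+)$"
)

def parse_event(line):
    """Return the event fields, or None for rows that are not registry events."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(lines):
    """Map each process image to {category: hit count} over the matching events."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for category, pattern in PROBE_PATTERNS.items():
            if pattern.search(ev["key"]):
                hits[ev["process"]][category] += 1
    return {proc: dict(cats) for proc, cats in hits.items()}

def flag_evasive(hits, min_categories=2):
    """Images that probe at least `min_categories` distinct categories, sorted."""
    return sorted(p for p, cats in hits.items() if len(cats) >= min_categories)

# Paths exactly as the sandbox logged them in this report.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe"
EXPLORTI_EXE = r"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
IIDHJKFBGI_EXE = r"C:\Users\Admin\AppData\Local\Temp\IIDHJKFBGI.exe"
FIREFOX_EXE = r"C:\Program Files\Mozilla Firefox\firefox.exe"
CMD_EXE = r"C:\Windows\SysWOW64\cmd.exe"
HKU = r"\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000"
HKLM_HW = r"\REGISTRY\MACHINE\HARDWARE"

# Constructed event rows, taken from the report's tables.
SAMPLE_EVENTS = [
    rf"Key opened {HKLM_HW}\ACPI\DSDT\VBOX__ {SAMPLE_EXE} N/A",
    rf"Key opened {HKLM_HW}\ACPI\DSDT\VBOX__ {EXPLORTI_EXE} N/A",
    rf"Key opened {HKLM_HW}\ACPI\DSDT\VBOX__ {IIDHJKFBGI_EXE} N/A",
    rf"Key value queried {HKLM_HW}\DESCRIPTION\System\SystemBiosVersion {SAMPLE_EXE} N/A",
    rf"Key value queried {HKLM_HW}\DESCRIPTION\System\VideoBiosVersion {EXPLORTI_EXE} N/A",
    rf"Key opened {HKU}\Software\Wine {SAMPLE_EXE} N/A",
    rf"Key opened {HKU}\Software\Wine {EXPLORTI_EXE} N/A",
    # Benign look-alikes: Firefox reading CPU info, cmd.exe reading the locale.
    rf"Key value queried {HKLM_HW}\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString {FIREFOX_EXE} N/A",
    rf"Key value queried {HKU}\Control Panel\International\Geo\Nation {CMD_EXE} N/A",
    "N/A N/A N/A N/A",  # placeholder row the sandbox emits when a signature has no indicator
]

if __name__ == "__main__":
    hits = classify(SAMPLE_EVENTS)
    for proc in flag_evasive(hits):
        print(proc, hits[proc])
```

With the constructed rows the sample and explorti.exe hit all three categories, IIDHJKFBGI.exe only the VirtualBox ACPI key, and neither firefox.exe nor cmd.exe is reported. The two-category threshold is a triage heuristic, not a sandbox rule: a single BIOS-version read is also done by legitimate installers, whereas a process that additionally opens the VBOX__ ACPI node and the Wine key has no benign reason to.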

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000006001\097f49198e.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000006001\097f49198e.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 5

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000010001\f23e5f8a6a.exe | N/A | 7
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 21
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000010001\f23e5f8a6a.exe | N/A | 35

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000010001\f23e5f8a6a.exe | N/A | 7
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 20
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000010001\f23e5f8a6a.exe | N/A | 37

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\097f49198e.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 4364 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | 3
PID 2940 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\097f49198e.exe | 3
PID 2940 wrote to memory of 4568 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000010001\f23e5f8a6a.exe | 3
PID 4568 wrote to memory of 548 | N/A | C:\Users\Admin\AppData\Local\Temp\1000010001\f23e5f8a6a.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 2
PID 548 wrote to memory of 3232 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 11
PID 3232 wrote to memory of 3336 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 42
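The sandbox logs one row per WriteProcessMemory call, so the same parent/child pair repeats. Collapsed, the rows give the execution chain: the sample (PID 4364) starts explorti.exe (2940), which starts the two downloaded payloads 097f49198e.exe (2364) and f23e5f8a6a.exe (4568); f23e5f8a6a.exe then launches firefox.exe (548) on https://www.youtube.com/account, and the firefox.exe-to-firefox.exe writes (548 to 3232, 3232 to 3336) correspond to the -contentproc children listed under Processes, whose command lines name 3232 as their parent. A parent writes into a freshly created child as part of process creation, so this signature documents the process tree rather than, by itself, code injection. The script below is an added example, not part of the sandbox report: it rebuilds that tree from rows in the table's format, with the rows constructed to carry the same edges and repeat counts as the table above.

```python
"""Rebuild the process chain from sandbox "WriteProcessMemory" rows.

Added example; it is not part of the sandbox report. ROWS is constructed to
match the table in the report (same parent/child edges, same repeat counts)
with the image paths the sandbox logged.
"""
import re
from collections import Counter, defaultdict

# "PID <src> wrote to memory of <dst> N/A <src image> <dst image>"; image
# paths may contain spaces, so each is matched lazily up to its ".exe".
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+N/A\s+"
    r"(?P<src_path>[A-Za-z]:\\.+?\.exe)\s+(?P<dst_path>[A-Za-z]:\\.+?\.exe)$"
)

def parse_rows(lines):
    """Yield (src_pid, dst_pid, src_image, dst_image); rows that do not parse are skipped."""
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            yield int(m["src"]), int(m["dst"]), m["src_path"], m["dst_path"]

def build_tree(lines):
    """Collapse repeated rows into one edge each, keeping a write count per edge."""
    children = defaultdict(list)   # parent pid -> [child pid, ...] in first-seen order
    images = {}                    # pid -> image path
    writes = Counter()             # (parent, child) -> number of rows seen
    for src, dst, src_img, dst_img in parse_rows(lines):
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
        if writes[(src, dst)] == 0:
            children[src].append(dst)
        writes[(src, dst)] += 1
    return dict(children), images, writes

def roots(children):
    """PIDs that write into others but were never written into: the chain's origin."""
    written = {c for cs in children.values() for c in cs}
    return sorted(p for p in children if p not in written)

def ancestry(children, pid):
    """Root-to-pid chain, e.g. how a firefox.exe child traces back to the sample."""
    parent = {c: p for p, cs in children.items() for c in cs}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]

def render(children, images, writes, pid, depth=0):
    """Indented edge list; the count is how often the parent wrote into that child."""
    out = []
    for child in children.get(pid, []):
        out.append(f"{'    ' * depth}{pid} -> {child} {images[child]} [{writes[(pid, child)]} writes]")
        out.extend(render(children, images, writes, child, depth + 1))
    return out

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe"
EXPLORTI_EXE = r"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
PAYLOAD1_EXE = r"C:\Users\Admin\AppData\Local\Temp\1000006001\097f49198e.exe"
PAYLOAD2_EXE = r"C:\Users\Admin\AppData\Local\Temp\1000010001\f23e5f8a6a.exe"
FIREFOX_EXE = r"C:\Program Files\Mozilla Firefox\firefox.exe"

# Constructed rows: the same edges and repeat counts as the report's table.
ROWS = (
    [f"PID 4364 wrote to memory of 2940 N/A {SAMPLE_EXE} {EXPLORTI_EXE}"] * 3
    + [f"PID 2940 wrote to memory of 2364 N/A {EXPLORTI_EXE} {PAYLOAD1_EXE}"] * 3
    + [f"PID 2940 wrote to memory of 4568 N/A {EXPLORTI_EXE} {PAYLOAD2_EXE}"] * 3
    + [f"PID 4568 wrote to memory of 548 N/A {PAYLOAD2_EXE} {FIREFOX_EXE}"] * 2
    + [f"PID 548 wrote to memory of 3232 N/A {FIREFOX_EXE} {FIREFOX_EXE}"] * 11
    + [f"PID 3232 wrote to memory of 3336 N/A {FIREFOX_EXE} {FIREFOX_EXE}"] * 42
)

if __name__ == "__main__":
    children, images, writes = build_tree(ROWS)
    for root in roots(children):
        print(f"{root} {images[root]}")
        print("\n".join(render(children, images, writes, root)))
```

Run stand-alone, the script prints one root (4364, the sample) and six edges. The same parser works on the FindShellTrayWindow-style rows only after the Description column is filled in, which is why it keys on the "PID ... wrote to memory of ..." text rather than on column position.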

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe

"C:\Users\Admin\AppData\Local\Temp\506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\097f49198e.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\097f49198e.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\f23e5f8a6a.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\f23e5f8a6a.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2036 -parentBuildID 20240401114208 -prefsHandle 1952 -prefMapHandle 1944 -prefsLen 25755 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {adccaf22-0dca-4f5d-aefe-d99ff385d5ea} 3232 "\\.\pipe\gecko-crash-server-pipe.3232" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 26675 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32761125-702a-4cae-92a3-8bff37e60a8b} 3232 "\\.\pipe\gecko-crash-server-pipe.3232" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3328 -childID 1 -isForBrowser -prefsHandle 3332 -prefMapHandle 3492 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f06f103-d8b8-4a79-ab61-f2408ef46a32} 3232 "\\.\pipe\gecko-crash-server-pipe.3232" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2792 -childID 2 -isForBrowser -prefsHandle 3828 -prefMapHandle 3824 -prefsLen 31165 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {662e66a4-2cd7-4fb4-8a99-959cb473bf0f} 3232 "\\.\pipe\gecko-crash-server-pipe.3232" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4772 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4764 -prefMapHandle 4760 -prefsLen 31165 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77e1bbc7-5723-4ceb-81fb-19d57c8ac434} 3232 "\\.\pipe\gecko-crash-server-pipe.3232" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 3 -isForBrowser -prefsHandle 5528 -prefMapHandle 5084 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a03358ec-acad-43bb-b8d5-93cb586ceeca} 3232 "\\.\pipe\gecko-crash-server-pipe.3232" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5748 -childID 4 -isForBrowser -prefsHandle 5668 -prefMapHandle 5672 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64899ead-91b4-4fba-ba93-9074db9f7471} 3232 "\\.\pipe\gecko-crash-server-pipe.3232" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5648 -childID 5 -isForBrowser -prefsHandle 5880 -prefMapHandle 5884 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a239d5ff-6df5-4533-9579-d77056cf4219} 3232 "\\.\pipe\gecko-crash-server-pipe.3232" tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IIDHJKFBGI.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GIDHDGCBFB.exe"

C:\Users\Admin\AppData\Local\Temp\IIDHJKFBGI.exe

"C:\Users\Admin\AppData\Local\Temp\IIDHJKFBGI.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 14:29

Reported

2024-07-10 14:31

Platform

win11-20240709-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\IIEGHJJDGH.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\IIEGHJJDGH.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\IIEGHJJDGH.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\IIEGHJJDGH.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\60d465350d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\60d465350d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d1ead8e937.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d1ead8e937.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d1ead8e937.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\60d465350d.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2364 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2364 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 3572 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\60d465350d.exe
PID 3572 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\60d465350d.exe
PID 3572 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\60d465350d.exe
PID 3572 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\d1ead8e937.exe
PID 3572 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\d1ead8e937.exe
PID 3572 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\d1ead8e937.exe
PID 2160 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d1ead8e937.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2160 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\d1ead8e937.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4012 wrote to memory of 3620 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4012 wrote to memory of 3620 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4012 wrote to memory of 3620 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4012 wrote to memory of 3620 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4012 wrote to memory of 3620 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4012 wrote to memory of 3620 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4012 wrote to memory of 3620 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4012 wrote to memory of 3620 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4012 wrote to memory of 3620 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4012 wrote to memory of 3620 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4012 wrote to memory of 3620 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3620 wrote to memory of 3136 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe

"C:\Users\Admin\AppData\Local\Temp\506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\60d465350d.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\60d465350d.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\d1ead8e937.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\d1ead8e937.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 25749 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ef7fc1e-7e4e-4fea-8815-e8312a8df249} 3620 "\\.\pipe\gecko-crash-server-pipe.3620" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2380 -prefsLen 26669 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b0bda6f-dadd-475c-88c4-47d039544422} 3620 "\\.\pipe\gecko-crash-server-pipe.3620" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3060 -childID 1 -isForBrowser -prefsHandle 2820 -prefMapHandle 3108 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 944 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {415b5d98-a944-428f-8d70-767ee4b45386} 3620 "\\.\pipe\gecko-crash-server-pipe.3620" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4016 -childID 2 -isForBrowser -prefsHandle 4008 -prefMapHandle 4004 -prefsLen 31159 -prefMapSize 244658 -jsInitHandle 944 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd9310e7-a3bd-4dc2-9827-cad6a261b7fd} 3620 "\\.\pipe\gecko-crash-server-pipe.3620" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4704 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4772 -prefMapHandle 4764 -prefsLen 31159 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24aabe67-b07d-42c2-abb4-638d3284b16b} 3620 "\\.\pipe\gecko-crash-server-pipe.3620" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 3 -isForBrowser -prefsHandle 5544 -prefMapHandle 5464 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 944 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5054d759-985f-4515-8c8f-b26fe0f04d61} 3620 "\\.\pipe\gecko-crash-server-pipe.3620" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5688 -childID 4 -isForBrowser -prefsHandle 5684 -prefMapHandle 5692 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 944 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a87c6e74-d6e9-48da-9d02-58a87c6793db} 3620 "\\.\pipe\gecko-crash-server-pipe.3620" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5872 -childID 5 -isForBrowser -prefsHandle 5880 -prefMapHandle 5884 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 944 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9c0e036-4350-408c-94ed-3215db346bab} 3620 "\\.\pipe\gecko-crash-server-pipe.3620" tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IIEGHJJDGH.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DHDAFBFCFH.exe"

C:\Users\Admin\AppData\Local\Temp\IIEGHJJDGH.exe

"C:\Users\Admin\AppData\Local\Temp\IIEGHJJDGH.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
N/A 127.0.0.1:49858 N/A tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
GB 142.250.187.238:443 www.youtube.com tcp
GB 142.250.187.238:443 www.youtube.com tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 44.238.192.228:443 shavar.prod.mozaws.net tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
GB 142.250.187.238:443 youtube-ui.l.google.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
GB 216.58.201.110:443 youtube-ui.l.google.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
GB 216.58.201.110:443 youtube-ui.l.google.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
N/A 127.0.0.1:49868 N/A tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
GB 142.250.200.14:443 youtube-ui.l.google.com tcp
GB 142.250.200.14:443 youtube-ui.l.google.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com tcp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
GB 142.250.200.46:443 youtube-ui.l.google.com tcp
GB 142.250.200.46:443 youtube-ui.l.google.com udp
GB 216.58.201.110:443 youtube-ui.l.google.com udp

Files

memory/2364-0-0x0000000000C60000-0x0000000001135000-memory.dmp

memory/2364-1-0x00000000773E6000-0x00000000773E8000-memory.dmp

memory/2364-2-0x0000000000C61000-0x0000000000C8F000-memory.dmp

memory/2364-3-0x0000000000C60000-0x0000000001135000-memory.dmp

memory/2364-5-0x0000000000C60000-0x0000000001135000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 552d0051de12f8651ce6d95f6870300f
SHA1 56c854d8a0d157c4759f64d9d5f04062479ebf67
SHA256 506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d
SHA512 237a1e1984465e15fd6613744cd6032628283430089ef2347568f772a9d193a7ffa309e037f6d840808f9d71bf38a5567e7ca43dd78bb7315a6da5fa6a4f4e39

memory/3572-16-0x0000000000470000-0x0000000000945000-memory.dmp

memory/2364-18-0x0000000000C60000-0x0000000001135000-memory.dmp

memory/3572-19-0x0000000000471000-0x000000000049F000-memory.dmp

memory/3572-20-0x0000000000470000-0x0000000000945000-memory.dmp

memory/3572-21-0x0000000000470000-0x0000000000945000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\60d465350d.exe

MD5 20fe4b16d13a547a5d7f4dbf543b595a
SHA1 3c59aca1c693efb9923f04c312fdcd47388d24eb
SHA256 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04
SHA512 c502ce3049137646c47898640197641696f2421a66aa67fe20df47b51c99e72db64f2c2a4945dafe16c6cb57871d42397b12759b4d779dbdf85225234296b77e

memory/1488-37-0x0000000000CD0000-0x00000000018BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000010001\d1ead8e937.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

memory/1488-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\activity-stream.discovery_stream.json.tmp

MD5 e2f10c15c8c932c06f2d8d4bdd995135
SHA1 e1bf0f607ede730ee9421ad7b87c12352e1d0cd1
SHA256 2fe0b7a85c08200abc3d7b0ee8b502d5c46868ddf517a5d0aee09554dc22850d
SHA512 894e420c6ba12cf105ed93fa99402952ca567f98d9519049c0bc7faf483dde04ff5d2022a080ff9513b2e200a10474b086dbc5567cb54b2d17b5c057fa6b9fef

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\datareporting\glean\pending_pings\be3bc69e-03fd-4979-bc93-8c2029d8b0fb

MD5 41e87dbe57800d81a2545deee1723db2
SHA1 23e06ec7980d9b49774890a85d01599887ee6ae2
SHA256 349f72245ba4fb13f9255d88f574ff9a93a9aa09763197e8bbbdf6d46ae3d859
SHA512 7368ac92b65f0a74a5a3c93064a33dce25842ba936c1411275c8853b53b7fac9564c56f13e42b2fdc97408cdca66b7ae519aaefac3420846f2c8d65ea9ebc561

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\datareporting\glean\db\data.safe.tmp

MD5 fd5c3e9d093dee668d52bfe09cd2a6d9
SHA1 2c02a0009777e1b201ec86ed70084413438ea49b
SHA256 5a2d5e6ddd87909e59cccf880bbda80fc1bcd3c7386b9835cf00a6044a26ba67
SHA512 d1dd3cf7e4200324a9c30d6b7a48ca6cb46690fd0270156a1a2c71f8e0a44bd621d2f1cedbf3585ce6c1674f96d7c763c15ac0c220e33d63ca6578c1aba9760d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\datareporting\glean\pending_pings\a3bdc23f-7c2f-4665-abf9-15f0aea3de69

MD5 452a11de7439ccd922ae4608ad47d3f6
SHA1 eb50958752610e9f5653dbb4e3f98fb633578175
SHA256 d4d9bd5e0f86ee15407701e140d2cfe1eb755dd27c34dcf6b28163fb4fe2dd86
SHA512 b1c45bbb65cd41534bbabfd3a3577d5ce6ed12a7e475fa544feaa3fb740fa369b7d20ad25075f371d42c7fc020c1240513e21ddc193a87b8e8f6e213f5e49a08

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\datareporting\glean\pending_pings\2ab1bd92-e785-486b-ae2f-ca91dabe6b22

MD5 42dbd11efb38b413dc30b3a6cdcbb343
SHA1 830d59d92752ab59bbaaffda486a30df071ac855
SHA256 08745e087a564899c7b062cc574b4a891a7fc47de74e8872dfb84979ad47ab0a
SHA512 d362905a0a58ccaceb71ce6cf10cc5202f52b2a34bc75fcd03ab5c36450a81c050cfc131101aeb4c397a913b2fbecfb75bca35d6111889b9e4d8b9105eb29a08

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\datareporting\glean\db\data.safe.tmp

MD5 065ef09150f23067a690d191ea047135
SHA1 d24764ea4ffd165fdd5d2940c805cee59d970445
SHA256 e4415576b3f2300144218b6a875555bdf13509562f31516fc57985bc9e75c8a2
SHA512 6cb19c3c63b8b092c2622e1579f282a0ce4b43244302a9d92d1a0bdfd1150537b1f9044d9bf9a6612822f8a34ed36c3e78b6220bc60cba5b1dd9f587cb86b584

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\AlternateServices.bin

MD5 ad7a603be0daf37c72ed8e15a729bc11
SHA1 23dbfb0db585f95527230601b08ef29accb81629
SHA256 fce1f4288ffe7be77cccf1075b635477bc6a47de494bc18f3200516fa8ca6b65
SHA512 d80c3ee8b9d2ef23b6c2cd6e454beacf0af8ec236ff5393c63f6cc332aabfb2e0cba749bafb612c04d831cdd706642f921146d80b49c734bf7fcf2d1fc23e729

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\prefs.js

MD5 3a12aafbb5a50c658e8310031f8fb426
SHA1 58698038e958e5cb47565dc6399c5064dee3ed15
SHA256 e16e63fe0f0337da64d8e9e247cb369d17d965483a13a586c68271b5dc506537
SHA512 6d7a0f3a202e6447db1d0fa9e0a55c7a472a208e937033152228159d232e94df137a1592a66ef97ed759265c48eaef97cea4b9adcc0b395d0696f4c8e652ea2f

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\cookies.sqlite-wal

MD5 85eded72c77768ec5c182dbe0d3ecddf
SHA1 440999f006c39fb7842ee825c310152ab2163fbb
SHA256 00ef297435c279e906ff7bae2df79a0cb6bb72481b1bc037b2ab785a75b1d3e5
SHA512 bbee26748299a38d57ad287777ba067dde558ab5674cb97d32f6cf34779e97ad94dbbf5b33366ce4a2933647f26e258369a036f52ac89b5cfeacec4002d5449b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\places.sqlite-wal

MD5 fff9031fb31ce3d973827df38cc48a3b
SHA1 0f17d80476a02039df95a672172f8435ca0edb6c
SHA256 789ba469687f70391f1bb335baa0d618c1279ce7d820157ff0281c954eca8e1f
SHA512 fba6892ca72a6cb5b1aa02e576d4045c5d99ba2f5e8b8994ce79f039be4e837be53a0bb152fecc2be2c0d8f5021d2ae49b7df935ef89971ca9a3ee1541d3a100

memory/3572-457-0x0000000000470000-0x0000000000945000-memory.dmp

C:\ProgramData\JDGCGHCGHCBFHJJKKJEH

MD5 db8eae38bca0b9a616d0cd824a6c39c0
SHA1 2a13884a2765f9f9d5a32b05b5b4d4475944ee2c
SHA256 f42a797f3275b733f1df3e1b527a30e0de33f9406201c26629c706df3baf4014
SHA512 f185712527f18737b865054b840f2617306896393e57dc8583a5d1d5893587f43704fdd68017dd2a98446d311984ee65cc8922f2934f93d5c1b376422136ce3b

memory/1488-466-0x0000000000CD0000-0x00000000018BA000-memory.dmp

memory/1488-471-0x0000000000CD0000-0x00000000018BA000-memory.dmp

memory/3572-475-0x0000000000470000-0x0000000000945000-memory.dmp

memory/4160-476-0x0000000000D90000-0x0000000001265000-memory.dmp

memory/4160-482-0x0000000000D90000-0x0000000001265000-memory.dmp

memory/3572-485-0x0000000000470000-0x0000000000945000-memory.dmp

memory/3572-486-0x0000000000470000-0x0000000000945000-memory.dmp

memory/5032-498-0x0000000000470000-0x0000000000945000-memory.dmp

memory/5032-500-0x0000000000470000-0x0000000000945000-memory.dmp

memory/3572-501-0x0000000000470000-0x0000000000945000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\datareporting\glean\db\data.safe.tmp

MD5 9d296cabad8975eb40a0a729a54521f6
SHA1 db0455d584a46724d734abc6cd6e7564cff84abb
SHA256 e855d4dcf8fbfd90c33e85a913413110849bdee275f9ea4c84b2f469313dc243
SHA512 bcc72561428ce36a21dc2b6fce1ccd500f5ea0f5a3dd02c01041d7b4f4b86fcdff2159e902155c182bc65f4d0e34fa2a660fa47e4f28f726829f1278ac7a5ada

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 568d7228cc2750a49abdf5eec61638ed
SHA1 b44d3b19ff9859876e9f327f6dd59104d68db9be
SHA256 284618beab4c1508c95fee8e2857652ef62155d3ce937a9167b335fcd334846d
SHA512 fe657c4a0ec09372f906519aab2c07668bff70cf25a474e06ede4dbda727366a82a64dc22656eb38ce7a1e9563b05a66d805209569858d055a6e7ce2e4c7c14d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\prefs-1.js

MD5 6534448dec9801a72d214c744cafc8f1
SHA1 d4835fa52c91284876aab68f1bbb1f4fb58f46c8
SHA256 68d4ec60b3b95e14eb729a7563432570c8b0089c244aaf5214ad1277f0d3f325
SHA512 b22a4b48a4a5cdd076e85dbb246e832f635d5e4cda77ca2b27497b3add1d266fa2c99d99462ea18efd43501d92ec33aa1640ce9cd57d05150ab1b334ba227358

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\prefs-1.js

MD5 756bf0652911788ffea389ef109a107e
SHA1 57ed79282c84d04c983b713f6ecbdf59ce9141ab
SHA256 6f1543e7445d6e24031a15deb7bd8c5906aff749986c160d789a9325343795e0
SHA512 7464ed0ce2edde2371465bb4e1ac5be9678cff910e2edbf0555874cc4a8e59c90a9ca64e32fdaf178cf7d77a53480daa37bb80fa65898f01665697b867a36e42

memory/3572-1126-0x0000000000470000-0x0000000000945000-memory.dmp

memory/3572-2546-0x0000000000470000-0x0000000000945000-memory.dmp

memory/3572-2553-0x0000000000470000-0x0000000000945000-memory.dmp

memory/3572-2559-0x0000000000470000-0x0000000000945000-memory.dmp

memory/3572-2561-0x0000000000470000-0x0000000000945000-memory.dmp

memory/3572-2563-0x0000000000470000-0x0000000000945000-memory.dmp

memory/2236-2564-0x0000000000470000-0x0000000000945000-memory.dmp

memory/2236-2565-0x0000000000470000-0x0000000000945000-memory.dmp

memory/3572-2566-0x0000000000470000-0x0000000000945000-memory.dmp

memory/3572-2567-0x0000000000470000-0x0000000000945000-memory.dmp

memory/3572-2568-0x0000000000470000-0x0000000000945000-memory.dmp

memory/3572-2569-0x0000000000470000-0x0000000000945000-memory.dmp

memory/3572-2575-0x0000000000470000-0x0000000000945000-memory.dmp