Malware Analysis Report

2024-11-13 16:46

Sample ID 240711-3tq2cszcrn
Target 711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701
SHA256 711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701
Tags
amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview


Threat Level: Known bad

The file 711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701 was found to be: Known bad.

Malicious Activity Summary

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Executes dropped EXE

Checks computer location settings

Identifies Wine through registry keys

Loads dropped DLL

Checks BIOS information in registry

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Checks processor information in registry

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-11 23:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-11 23:48

Reported

2024-07-11 23:51

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\GIJDGCAEBF.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\KKFBFCAFCB.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\GIJDGCAEBF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\KKFBFCAFCB.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\KKFBFCAFCB.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\GIJDGCAEBF.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000006001\b66da21b96.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000011001\40a9710281.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\GIJDGCAEBF.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\KKFBFCAFCB.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\b66da21b96.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\b66da21b96.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
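The registry tables above (the VirtualBox ACPI key, the Wine key, the BIOS version values, Geo\Nation and CentralProcessor) are easier to read per process than per signature: which executable ran which check. The Python below is an added example and not part of the sandbox report; it parses an excerpt of the rows exactly as printed above (embedded inline, copied verbatim but not complete), tags each registry path with the check it represents, and lists the processes that performed the full VirtualBox/Wine/BIOS trio. The category labels, the row regex and the choice of which three checks count as "anti-analysis" are this example's own assumptions.

```python
import re
from collections import Counter, defaultdict

# Excerpt of the "Key opened" / "Key value queried" rows from the report
# tables above (copied verbatim; not every row is repeated here).
REPORT_ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\GIJDGCAEBF.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\KKFBFCAFCB.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\GIJDGCAEBF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\KKFBFCAFCB.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000006001\b66da21b96.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000011001\40a9710281.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\GIJDGCAEBF.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\KKFBFCAFCB.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\b66da21b96.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
"""

# Row layout is "<Description> <registry path> <process path> <target>".
# Both paths may contain spaces, so anchor on the "\REGISTRY\" and "C:\" prefixes.
ROW = re.compile(
    r"^(Key opened|Key value queried|Key created)\s+"
    r"(\\REGISTRY\\.+?)\s+(C:\\.+?)\s+(N/A|C:\\.*)$"
)

# Registry locations and the check each one represents (labels chosen for
# this example; the substring match is case-insensitive).
CHECKS = [
    ("anti-vm:virtualbox-acpi", r"\ACPI\DSDT\VBOX__"),
    ("anti-wine", r"\Software\Wine"),
    ("bios-fingerprint", "BiosVersion"),             # SystemBiosVersion / VideoBiosVersion
    ("geo-check", r"\Control Panel\International\Geo\Nation"),
    ("cpu-fingerprint", r"\CentralProcessor\0"),
]

# The trio that the packed stages in this run all perform.
ANTI_ANALYSIS = {"anti-vm:virtualbox-acpi", "anti-wine", "bios-fingerprint"}


def classify_key(key):
    """Map a registry path to one of the check labels, or None if unrelated."""
    lowered = key.lower()
    for label, needle in CHECKS:
        if needle.lower() in lowered:
            return label
    return None


def profile(rows):
    """Return {process basename: Counter(check label -> number of rows)}."""
    prof = defaultdict(Counter)
    for line in rows.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue                       # header line or a row of another shape
        _desc, key, proc, _target = m.groups()
        label = classify_key(key)
        if label:
            prof[proc.rsplit("\\", 1)[-1]][label] += 1
    return prof


def shared_stub_processes(prof):
    """Processes that ran all three anti-analysis checks (VBox, Wine, BIOS)."""
    return sorted(p for p, checks in prof.items() if ANTI_ANALYSIS <= set(checks))


if __name__ == "__main__":
    prof = profile(REPORT_ROWS)
    for proc in sorted(prof):
        print(f"{proc}: {dict(prof[proc])}")
    print("full anti-analysis trio:", shared_stub_processes(prof))
```

Run against the excerpt, the original sample, the dropped explorti.exe and both cmd-started payloads (GIJDGCAEBF.exe, KKFBFCAFCB.exe) all perform the same three checks, while b66da21b96.exe and 40a9710281.exe only read the country code and CPU name and firefox.exe only reads CPU values. Feeding the complete tables through the same function is the quickest way to see whether a new process in a later detonation belongs to the same packed family of stages.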

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Note: firefox.exe in this and the following tables is the browser installed under C:\Program Files, started by the dropped 40a9710281.exe with https://www.youtube.com/account as its only argument (see Processes). Rows attributed to firefox.exe record what the browser did after that launch; no signature in this report names it as an injection target, and the only write into it from the sample's chain is the parent-to-child write at start (PID 808 to 832 in the WriteProcessMemory table). Treat the firefox.exe rows as the cost of the launch and the rows for the Temp executables as the sample's own behaviour.

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

(identical consecutive rows collapsed; the Indicator column carries the row count)
Description Indicator Process Target
N/A 1 row C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe N/A
N/A 7 rows C:\Users\Admin\AppData\Local\Temp\1000011001\40a9710281.exe N/A
N/A 21 rows C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A 35 rows C:\Users\Admin\AppData\Local\Temp\1000011001\40a9710281.exe N/A

Suspicious use of SendNotifyMessage

(identical consecutive rows collapsed; the Indicator column carries the row count)
Description Indicator Process Target
N/A 7 rows C:\Users\Admin\AppData\Local\Temp\1000011001\40a9710281.exe N/A
N/A 20 rows C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A 37 rows C:\Users\Admin\AppData\Local\Temp\1000011001\40a9710281.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\b66da21b96.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

(identical consecutive rows collapsed; the Indicator column carries the row count)
Description Indicator Process Target
PID 4424 wrote to memory of 436 3 rows C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 436 wrote to memory of 4664 3 rows C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\b66da21b96.exe
PID 436 wrote to memory of 808 3 rows C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000011001\40a9710281.exe
PID 808 wrote to memory of 832 2 rows C:\Users\Admin\AppData\Local\Temp\1000011001\40a9710281.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 832 wrote to memory of 2064 11 rows C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2064 wrote to memory of 3680 42 rows C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
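The WriteProcessMemory rows are the clearest record of the launch chain, since each one pairs a parent with the child it started: the sample (4424) to the dropped explorti.exe (436), explorti.exe to b66da21b96.exe (4664) and 40a9710281.exe (808), 40a9710281.exe to the firefox.exe launcher (832), the launcher to the Firefox main process (2064, the parent PID that every -contentproc command line under Processes carries), and the main process to a content process (3680). The Python below is an added example and not part of the report: it parses an excerpt of those rows (embedded inline and copied from the table, with fewer repeats than the original), rebuilds the tree, and labels each node as a dropped file under Temp or a program installed on the system, so the Firefox-internal writes can be set aside. The provenance labels and the row regex are this example's own.

```python
import re
from collections import Counter

# Excerpt of the "Suspicious use of WriteProcessMemory" rows above, copied
# verbatim (the full table repeats the Firefox-internal edges 11 and 42 times).
WPM_ROWS = r"""
PID 4424 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4424 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4424 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 436 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\b66da21b96.exe
PID 436 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000011001\40a9710281.exe
PID 808 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\1000011001\40a9710281.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 808 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\1000011001\40a9710281.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 832 wrote to memory of 2064 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2064 wrote to memory of 3680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
"""

# "PID <p> wrote to memory of <c> N/A <parent image> <child image>"; both
# image paths may contain spaces, so split on the "C:\" prefixes.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+N/A\s+(C:\\.+?)\s+(C:\\.+)$")


def parse_edges(rows):
    """Return (Counter{(parent_pid, child_pid): row count}, {pid: image path})."""
    edges, paths = Counter(), {}
    for line in rows.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        ppid, cpid = int(m.group(1)), int(m.group(2))
        edges[(ppid, cpid)] += 1
        paths.setdefault(ppid, m.group(3))
        paths.setdefault(cpid, m.group(4))
    return edges, paths


def origin(path):
    """Coarse provenance label (this example's own): dropped / installed / other."""
    low = path.lower()
    if "\\appdata\\local\\temp\\" in low:
        return "dropped"
    if low.startswith("c:\\program files") or low.startswith("c:\\windows\\"):
        return "installed"
    return "other"


def children_of(edges):
    kids = {}
    for parent, child in edges:
        kids.setdefault(parent, set()).add(child)
    return {p: sorted(c) for p, c in kids.items()}


def roots(edges):
    """PIDs that appear only as parents: the start of each chain."""
    return sorted({p for p, _ in edges} - {c for _, c in edges})


def lineage(edges, pid):
    """Ancestor chain from the chain's root down to pid."""
    parent = {c: p for p, c in edges}
    chain = [pid]
    while chain[0] in parent:
        chain.insert(0, parent[chain[0]])
    return chain


def sample_edges(edges, paths):
    """Edges whose parent is a dropped file: the writes the sample's own stages made."""
    return [e for e in edges if origin(paths[e[0]]) == "dropped"]


def render(edges, paths):
    """Indented process tree with provenance labels, one line per process."""
    kids, lines = children_of(edges), []

    def walk(pid, depth):
        name = paths[pid].rsplit("\\", 1)[-1]
        lines.append(f"{'  ' * depth}{pid} {name} [{origin(paths[pid])}]")
        for child in kids.get(pid, []):
            walk(child, depth + 1)

    for root in roots(edges):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    edges, paths = parse_edges(WPM_ROWS)
    print("\n".join(render(edges, paths)))
    print("sample-originated edges:", sorted(sample_edges(edges, paths)))
```

The split the example makes is the one worth carrying into detection content: the four edges whose parent lives under AppData\Local\Temp are the sample's own launches (and the one that starts firefox.exe with a URL is the odd one out), while the two firefox.exe to firefox.exe edges are the browser's launcher and main process starting the sandboxed gpu, socket, utility and tab children listed under Processes.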

Uses Task Scheduler COM API

persistence

Note: the C:\Windows\Tasks\explorti.job created by the sample (Drops file in Windows directory, above) is the on-disk form of a task registered through the legacy Task Scheduler 1.0 interface, which is what this signature records. The task name matches the dropped explorti.exe, and the repeated explorti.exe entries under Processes are consistent with that task firing during the run. On a live host, list C:\Windows\Tasks\*.job and run schtasks /query /v to find it.

Processes

C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe

"C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\b66da21b96.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\b66da21b96.exe"

C:\Users\Admin\AppData\Local\Temp\1000011001\40a9710281.exe

"C:\Users\Admin\AppData\Local\Temp\1000011001\40a9710281.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1920 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {651190fa-0923-4f0e-9387-3459c8832414} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c71e442-b279-4eda-8dbe-77fde235871a} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3252 -childID 1 -isForBrowser -prefsHandle 3264 -prefMapHandle 2808 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a89bf59b-3478-419d-986c-bb171dc62c35} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4000 -childID 2 -isForBrowser -prefsHandle 3208 -prefMapHandle 3224 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {121360e1-c0f3-48c0-898d-c56868f94c6c} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4616 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4628 -prefMapHandle 4624 -prefsLen 31163 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e77805bf-0a57-4b89-acb9-e60f2e4c8d33} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5560 -childID 3 -isForBrowser -prefsHandle 5544 -prefMapHandle 5536 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e777aaa-d887-4d5d-8d39-b1d1247f7c09} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5688 -childID 4 -isForBrowser -prefsHandle 5428 -prefMapHandle 5420 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e83da92a-829b-44f3-b442-ae2b195d00dd} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5880 -childID 5 -isForBrowser -prefsHandle 5800 -prefMapHandle 5804 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d675d0b-be28-4514-870c-cace9ed1df4d} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GIJDGCAEBF.exe"

C:\Users\Admin\AppData\Local\Temp\GIJDGCAEBF.exe

"C:\Users\Admin\AppData\Local\Temp\GIJDGCAEBF.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KKFBFCAFCB.exe"

C:\Users\Admin\AppData\Local\Temp\KKFBFCAFCB.exe

"C:\Users\Admin\AppData\Local\Temp\KKFBFCAFCB.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
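The process list above shows the chain a detection engineer wants to catch: the sample writes a copy of itself to a random-hex directory under Temp (ad40971b6b\explorti.exe), later payloads land in Temp\1000006001\ and Temp\1000011001\ style directories, and some of them are launched through cmd.exe /c start "" "<Temp>\<TEN CAPITAL LETTERS>.exe". Note that the image path is C:\Windows\SysWOW64\cmd.exe while the command line names system32\cmd.exe: WoW64 file-system redirection does that for a 32-bit parent, so the launching process is itself 32-bit. The script below is an added example, not part of the sandbox report; it runs the parent/child rule over constructed process-creation events whose paths and command lines are taken from this report. The PIDs and the parent links are assumptions, because the report lists processes but not the tree, and the three staging-path patterns are generalised from the paths seen here.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields a Sysmon EID 1 or EDR event carries)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Three staging-path shapes taken from this report's process list. Generalising them to
# "any 10-hex dir / any 10-digit dir / any 10-capital-letter name" is an assumption.
STAGING_RE = re.compile(
    r"\\AppData\\Local\\Temp\\(?:"
    r"[0-9a-f]{10}\\[a-z]+\.exe"        # Temp\ad40971b6b\explorti.exe
    r"|\d{10}\\[0-9a-f]{10}\.exe"       # Temp\1000006001\b66da21b96.exe
    r"|[A-Z]{10}\.exe"                  # Temp\GIJDGCAEBF.exe
    r")$"
)

# cmd.exe /c start "" "<path>": the empty "" is the window title, so the quoted
# path that follows it is what actually gets launched.
CMD_START_RE = re.compile(r'cmd\.exe"?\s+/c\s+start\s+""\s+"([^"]+)"', re.IGNORECASE)


def launched_via_cmd_start(cmdline: str):
    m = CMD_START_RE.search(cmdline)
    return m.group(1) if m else None


def is_staging_path(path: str) -> bool:
    return STAGING_RE.search(path) is not None


def find_loader_chains(events):
    """Return (parent image, launched path) for each cmd.exe /c start launch whose
    parent and target both live in one of the staging locations above."""
    by_pid = {e.pid: e for e in events}
    chains = []
    for e in events:
        target = launched_via_cmd_start(e.cmdline)
        if target is None:
            continue
        parent = by_pid.get(e.ppid)
        if parent is not None and is_staging_path(parent.image) and is_staging_path(target):
            chains.append((parent.image, target))
    return chains


# Constructed events: paths and command lines are the report's, PIDs and parent links
# are assumed (the report gives no process tree).
SAMPLE_EVENTS = [
    ProcEvent(4424, 1000,
              r"C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe"'),
    ProcEvent(436, 4424, r"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe",
              r"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"),
    ProcEvent(4664, 436, r"C:\Users\Admin\AppData\Local\Temp\1000006001\b66da21b96.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\1000006001\b66da21b96.exe"'),
    ProcEvent(5012, 4664, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GIJDGCAEBF.exe"'),
    ProcEvent(5100, 5012, r"C:\Users\Admin\AppData\Local\Temp\GIJDGCAEBF.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\GIJDGCAEBF.exe"'),
    ProcEvent(3848, 4664, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KKFBFCAFCB.exe"'),
    # Benign control (constructed): Explorer using cmd /c start to open an installed program.
    ProcEvent(2064, 1000, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(2100, 2064, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c start "" "C:\Program Files\Mozilla Firefox\firefox.exe"'),
]

if __name__ == "__main__":
    for parent, target in find_loader_chains(SAMPLE_EVENTS):
        print(f"loader chain: {parent} -> cmd.exe /c start -> {target}")
```

Requiring both the parent and the launched file to sit in a staging location is what keeps the benign control quiet: cmd /c start "" is used by plenty of legitimate launchers, so the command line alone is not a useful alert.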

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
N/A 127.0.0.1:61972 tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
GB 142.250.187.206:443 www.youtube.com tcp
GB 142.250.187.206:443 www.youtube.com tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
GB 142.250.187.206:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 consent.youtube.com udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 44.242.121.21:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
GB 172.217.169.78:443 consent.youtube.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 consent.youtube.com udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
GB 172.217.169.78:443 consent.youtube.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 78.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 21.121.242.44.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 3.178.250.142.in-addr.arpa udp
N/A 127.0.0.1:61979 tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.187.238:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.187.238:443 play.google.com udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 consent.youtube.com udp
GB 172.217.169.78:443 consent.youtube.com udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
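Almost everything in the Network table is Firefox start-up and telemetry traffic (mozilla.com, mozgcp.net, mozaws.net, gvt1.com, youtube.com) plus reverse-DNS (in-addr.arpa) lookups. The rows that matter are the three connections to 77.91.77.82, 77.91.77.81 and 85.28.47.30 on port 80 where the Domain column is the bare IP, meaning the client connected by literal address with no name lookup at all; that is the traffic the "Downloads MZ/PE file" signature and the stealer tags should be read against. The following is an added example, not part of the report: it parses rows in the table's own column layout, separates bare-IP cleartext connections from named hosts, loopback and reverse lookups, and reports how often each candidate was contacted. It assumes the in-addr.arpa queries were issued by the sandbox environment for the addresses it saw rather than by the malware; the table itself does not say who issued them.

```python
import ipaddress
from collections import Counter

# Constructed excerpt of the Network table above, same column order
# (Country Destination Domain Proto). Loopback rows on the page carry no Domain column.
NETWORK_TABLE = """\
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
N/A 127.0.0.1:61972 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
GB 142.250.187.206:443 www.youtube.com tcp
RU 77.91.77.81:80 77.91.77.81 tcp
"""


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:            # loopback rows: no Domain column
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'82.77.91.77.in-addr.arpa' -> '77.91.77.82'; None if not a reverse-DNS name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def classify(row):
    if ipaddress.ip_address(row["ip"]).is_loopback:
        return "loopback"
    if ptr_to_ip(row["domain"]):
        return "ptr-lookup"
    if row["domain"] == row["ip"]:       # no hostname at all: connected by literal IP
        return "direct-ip"
    return "named-host"


def c2_candidates(rows, cleartext_ports=(80, 8080)):
    """Bare-IP connections on cleartext ports, with the hit count and whether a
    reverse lookup for the same address also appears in the capture."""
    hits = Counter(r["ip"] for r in rows
                   if classify(r) == "direct-ip" and r["port"] in cleartext_ports)
    looked_up = {ptr_to_ip(r["domain"]) for r in rows if classify(r) == "ptr-lookup"}
    return {ip: {"connections": n, "reverse_lookup_seen": ip in looked_up}
            for ip, n in sorted(hits.items())}


if __name__ == "__main__":
    for ip, info in c2_candidates(parse_rows(NETWORK_TABLE)).items():
        print(f"{ip}: {info['connections']} connection(s), "
              f"PTR seen={info['reverse_lookup_seen']}")
```

The repeat connection to 77.91.77.81 (it appears again near the end of the full table) is worth noting on its own: a second contact late in the run, after the Firefox noise, is the kind of beacon timing that distinguishes a check-in from a one-shot download.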

Files

memory/4424-0-0x0000000000680000-0x0000000000B3E000-memory.dmp

memory/4424-1-0x00000000779F4000-0x00000000779F6000-memory.dmp

memory/4424-2-0x0000000000681000-0x00000000006AF000-memory.dmp

memory/4424-3-0x0000000000680000-0x0000000000B3E000-memory.dmp

memory/4424-5-0x0000000000680000-0x0000000000B3E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 b5e7797b2a49edf96b67c1040b301e45
SHA1 bab8594d3af5eae8b2918c9d3a6c1811957c489c
SHA256 711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701
SHA512 46c8d1555ba6ace3f911df9a3c00d9802e3a021c3d3465c006b6f6d36e3e605f8ab74f3cb31ca77f7455a63859e9664e198246e1c2cb4994b695cb1a0ff4f0ba

memory/436-17-0x0000000000510000-0x00000000009CE000-memory.dmp

memory/4424-16-0x0000000000680000-0x0000000000B3E000-memory.dmp

memory/436-18-0x0000000000510000-0x00000000009CE000-memory.dmp

memory/436-19-0x0000000000510000-0x00000000009CE000-memory.dmp

memory/436-20-0x0000000000510000-0x00000000009CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\b66da21b96.exe

MD5 7ccebfe91b4c5b3c8feec467941c3557
SHA1 a3ddf2da7133f6b2478eaaaccf98c3fe12e6db69
SHA256 41fe619fbe5a96e2be0cc43ca6e2ab6712b2914b5dfa08cb2ee4f5a43248bbe0
SHA512 5b09099bfea89b8d14ce2f610b0471d536d56a53bc580b3315a7c81a99511809495e75a93185728b906a4bccbbef9f3cbe0bc899bde44cfbbdaa455b80673635

memory/4664-36-0x0000000000DD0000-0x00000000019B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000011001\40a9710281.exe

MD5 c405ccb4db5e6b3603e8d263acf6efec
SHA1 a7af8499340084c5fc9084fac7403fc7d1d14e98
SHA256 79bf5e36c3bd475045d5e2c4472530299e3352d273ded288f79930bdceca179f
SHA512 cbd990037ce94951b50567cdb605f2e886239aeac56a313be1b3cdd7654648a8ca59ca1c1a1d5adc7ef35a58801518afd68775dcc04314db7e8c27eb3ac8b396

memory/4664-55-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\activity-stream.discovery_stream.json.tmp

MD5 ed1818043dda8ba02e7b3128137793dd
SHA1 ca0423826e1b806a891eba9be037863a8112cbf1
SHA256 c6c5d56f7090afb9982294b23641147be98461c350c35fd4dc1b5348445d8295
SHA512 edc6c6b540fdd4ab84803a583e09cf8f8435e61fbc742d7af6faac87afcb0b55f7d2432407ca178e41a31965048c6f2b840da32c60bd5c58d19ac7653b837c06

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\datareporting\glean\pending_pings\4088a9a9-39fa-4e2b-8390-244d65018c25

MD5 f1c5ae019acebeb3302d0220383ca546
SHA1 9d406c5993f2684c92e9a87aef1181f3ea2842aa
SHA256 7b51247552e27f7a52f00a9276ddc951d02966b7275216e851a11d68723c9a8d
SHA512 e0d2db43dfaf7f711d9390275c4df6354de9d22fa22b0aacfeaab6e7871a83804cd4af79e2a9f0aeb300f1c2f952560282187da4540d384adff4b6a84776e25c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\datareporting\glean\pending_pings\a17ffd4d-a02e-4689-8ac3-cab358c8281f

MD5 3135731354e4d14eddf97363bdc43c20
SHA1 9ed5717e370bf0b55bec9821c733276caf6555a3
SHA256 56e3039c59b61fa3287e8f372518ffd20b9ca96d7951832412665cd321ee3185
SHA512 3e83fc0c55bfeb1cd2f5c9dd9a86b3355b05e54d2edef9a619bdaa518c7ae0543368a5c18fd707f51995ca4b1b900950e4af155ad9bd58edbb70debd4892eda9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\datareporting\glean\pending_pings\ec14f1a7-27aa-484d-9a25-41db783fdd37

MD5 4ff893e0280e52af5db0951fc177de95
SHA1 e4b3d0d455c551ed1bb21d171fc0fac02ddf604a
SHA256 fb9b547784a55b5cb41b17d41e9ae78e705cbfa070b8cd45ba0ed12a2c319f9a
SHA512 95fcfb54ec2c60e19a9bb203c6e44b9b11ecaf696d85cd7a216a730fe18cbf66b46028c5a6c6e805981cf87ab35ef560e052c9d04533c889daaca45d51682a5e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\datareporting\glean\db\data.safe.tmp

MD5 c40d9dd23e66f12a123228b0982f910f
SHA1 f8115f076f381053051a039089719a4a97a3f0ed
SHA256 5612dc1fa4cac95aef60901e1137bc7b939c6c0ce021f673580064912ee7bb8d
SHA512 3abcfe89798db7ca8ab35465bb020aab590b8b90dc4c7f5c93ad997aeea1394cf489d7466bfa27beda7a2740094aa104b25b1c94d6521e86b1267d31612cb43c

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\cookies.sqlite-wal

MD5 a8a03f59c3ff20982ca3d04d060945b4
SHA1 dcc22655fca69c3717252684e803137a5bc57958
SHA256 0c40a25506e4478e446e0da3216a5cc3a91841183b5cffbb1bf371bdfbfe82a1
SHA512 625c46cbb350b95b6010662f778e72feb39f43b45fe4719cf5378f04b8cd188e4be48514cb6f8a9300344e14bbc70a3ec1b2ec226d31c89e7bd098adb2fb9940

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\AlternateServices.bin

MD5 a403a36335fed5cdb4386d265ad43722
SHA1 bffb2a40d7562aec00da46b45c980ebd0501f4b6
SHA256 c1b7a0b968458940a0058e44e693bbf7ea9ec7ffe5df3f49dec9cd3007880b9f
SHA512 f3171fd9fd3f32dd22afab47fe912b8299b8dc726c649b729ed4b38b69416d488dfb5d57af364cf36fbfef91fcc403f2e85a2326ac646f9f5a92d1c95b2a2621

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\AlternateServices.bin

MD5 fe3e60e82d70ccfb657ef2a221e1487b
SHA1 9c66b16e8fb2b477d7ba0edd5eeeddefd1a1f886
SHA256 63887b8e1afae6db2ef63db96caa377126a2a7ef3be99ce5d26e1a4682f1006c
SHA512 637d91bdfea20595194aadca756c67630e1050b1d92b6312130337e4de5967c1065e6fc7fffb7f155a0be354ff69242a3a948ad48a9c0203c2b1189253013045

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\places.sqlite-wal

MD5 22f1ee15ebee390695aa3daea3efb421
SHA1 5e7c6d663bcce8a989e2c7215d780e61727d7732
SHA256 14f8e26b14d3220a4ca1805c7db0e4236425ea2ceac08789bdc1001975d63e1a
SHA512 f8e39e7061bc81d7fef1d42280f42b2b1084c50aa24851ee244d5a2ad6fac9d5db5a1dff0baf05ca401121e881173b90c8fe7bdfb468a5f2b387fa2a65559900

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\prefs.js

MD5 af2f128de4caeb92342ddb2d9ee05f61
SHA1 ea590a7e733f7a073d87c17e32ae0594c19f03c4
SHA256 aae9dd3c3fc7552c2d8248387d5b3cda95ff22871606febab68549a49a7afc6e
SHA512 94ac6fd589a7e5861a7d80684737eb4b98a0e8b9a265a69cf5db2beda5c350e0c76e6d9f28cfc5b35c4f5d03885a6015d8ebaa199be489b7be433ef9d909c6f9

C:\ProgramData\BKEBFHIJECFIDGDGCGHC

MD5 74510e15b366af53b490af878824f0dc
SHA1 9eec6602911af765e28f9fca7a7409d84a055e0d
SHA256 3414c126bb7254d8a5be6c4cddbad6bb23ff843264aef5a69349bb0fbe77a697
SHA512 8b196bf4ff6bf27bf80cab8f87a45dd57dc1f7ec830c20e62bff7aaf7ea1df0b31514b9ab00b04817087b5d91dc24b25a02b5232fe86e796f49ad0ada6bf2d1e

memory/436-458-0x0000000000510000-0x00000000009CE000-memory.dmp

memory/4664-459-0x0000000000DD0000-0x00000000019B6000-memory.dmp

memory/436-469-0x0000000000510000-0x00000000009CE000-memory.dmp

memory/5012-470-0x00000000007A0000-0x0000000000C5E000-memory.dmp

memory/4664-479-0x0000000000DD0000-0x00000000019B6000-memory.dmp

memory/5012-481-0x00000000007A0000-0x0000000000C5E000-memory.dmp

memory/436-485-0x0000000000510000-0x00000000009CE000-memory.dmp

memory/4404-486-0x00000000000B0000-0x000000000056E000-memory.dmp

memory/3848-488-0x0000000000510000-0x00000000009CE000-memory.dmp

memory/4404-489-0x00000000000B0000-0x000000000056E000-memory.dmp

memory/3848-490-0x0000000000510000-0x00000000009CE000-memory.dmp

memory/436-493-0x0000000000510000-0x00000000009CE000-memory.dmp

memory/436-500-0x0000000000510000-0x00000000009CE000-memory.dmp

memory/436-501-0x0000000000510000-0x00000000009CE000-memory.dmp

memory/436-506-0x0000000000510000-0x00000000009CE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\datareporting\glean\db\data.safe.tmp

MD5 0bb8ccb5d1a927c927382ae95ebfd56e
SHA1 996c1b82af46ec480651d41a0c015643f38a85b9
SHA256 12e3c844ed8bd0104f0280b5bfbe860e635141e8a74ac5d0fe003d3ff22ea256
SHA512 d4b8e23b57e91d0cba98ab071582e51700445c498c72210b4b1c96b09e8ea16e51f39a4f807d253d7c797987fe5b925d03cf334ad575e127edbc92ed2f0adf84

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 518c8facd6ddf8b92171f9d563950744
SHA1 4bccc92d6be7f89f291c03562f227adab9b11de3
SHA256 c96cd99f2ffbde20506ff2dec3237a0673f240dffbb564ad9e8f5819287967c5
SHA512 3e3c4a0cea34777ae69ddd953e5f4af50d70301ede8fd2905ae8083caf3220af488e5d51080158c2e72d7a43d770dc71f704dfd95aea87fe3aa4c4acac61fdb7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\prefs-1.js

MD5 8f522ab8d24542f683356d38ec3e4731
SHA1 6f541dd7c5cd3b81866d919b4fe56548a9297ad3
SHA256 e7e6ede4bcdec346d99d88733efc3a7a98577f8f2bc61267700950fc83505a01
SHA512 30492232d1ed516c0381b3bbd5afc4d4f1416a901b60d6d691673782ab610b25deae2da51299dc2f9e38d016496cab230473071e4b4355f2a6b8340ab623b530

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 6adf54f651a2543adf38ebedb1e8315c
SHA1 00b35f799396b7a9387d13e37b84bd72de974da7
SHA256 af7c043bca25db8aac2ea1d67b9c2aa2a62943f1d96d59e6bb6cb467a0cda0ef
SHA512 f36553c7d087b6ef98a9502dbceb7ac94c5edc676f8af7a2737b9e4b5b219d570d0fdf457d3da64e63de06a0cd4dc9f2916ae5a23e573c9ec71155f226188a95

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\prefs-1.js

MD5 ed405399fefcdec31a676e22b243dcfc
SHA1 5049c6b185fe8b4b32dcef5b2ad88a4878860db4
SHA256 c51d6b50d41d0d6238bcfc5aaeb22f59caa82461c2a81cf2fc3ad785f622ccc5
SHA512 efba9abe20640decb374e42824f98cb6e2399020d5fb134b9e9675283d37129d4710a531930e771085d58c03fc5a6437166d65a012d90ce9716a0a2f110ee02d

memory/436-1105-0x0000000000510000-0x00000000009CE000-memory.dmp

memory/436-2185-0x0000000000510000-0x00000000009CE000-memory.dmp

memory/436-2572-0x0000000000510000-0x00000000009CE000-memory.dmp

memory/436-2579-0x0000000000510000-0x00000000009CE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\AlternateServices.bin

MD5 9188bec7c37664c50c79ed50f9de8fe4
SHA1 8230cc3c971fbd241d16e8d6fe96985291c8e3fc
SHA256 58584260e9b37d32e8295fe6ad8b16b8d5c0e6199d63362344748a7ff62801f2
SHA512 8b5fbfea99755ceee6abe87ee1c042e187b616f158051677f31a3da6848a63bc53a6ab68e7fa8c53b4f6b08e54d50e6452487e1cbd3127de646ea0a581af3f52

memory/732-2583-0x0000000000510000-0x00000000009CE000-memory.dmp

memory/732-2584-0x0000000000510000-0x00000000009CE000-memory.dmp

memory/436-2585-0x0000000000510000-0x00000000009CE000-memory.dmp

memory/436-2586-0x0000000000510000-0x00000000009CE000-memory.dmp

memory/436-2587-0x0000000000510000-0x00000000009CE000-memory.dmp

memory/436-2588-0x0000000000510000-0x00000000009CE000-memory.dmp

memory/436-2589-0x0000000000510000-0x00000000009CE000-memory.dmp

memory/436-2590-0x0000000000510000-0x00000000009CE000-memory.dmp

memory/1828-2597-0x0000000000510000-0x00000000009CE000-memory.dmp

memory/1828-2598-0x0000000000510000-0x00000000009CE000-memory.dmp

memory/436-2599-0x0000000000510000-0x00000000009CE000-memory.dmp
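Two things in the Files listing deserve a second look. C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe has exactly the SHA256 of the submitted sample, so it is a self-copy placed for persistence (behavioral2 records the matching C:\Windows\Tasks\explorti.job), and nss3.dll and mozglue.dll appearing under C:\ProgramData are Firefox's own NSS libraries written outside any Firefox directory; infostealers commonly drop these to decrypt stored browser logins, which fits the "Reads user/profile data of web browsers" signature, though the report itself only lists the files. Most of the remaining entries are Firefox profile churn (AlternateServices.bin and prefs-1.js each appear twice with different hashes because the browser rewrote them). The script below is an added example, not part of the report: it parses the path / hash-line layout used above, deduplicates by SHA256, flags copies of the sample, and separates profile churn from the files an analyst should actually open. The excerpt of the listing it carries is constructed from the report's own entries with the SHA1 and SHA512 lines left out.

```python
import re

SAMPLE_SHA256 = "711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701"

# Constructed excerpt of the Files listing above (paths and hashes are the report's;
# SHA1/SHA512 lines omitted here, the parser accepts them when present).
FILES_SECTION = r"""
memory/4424-0-0x0000000000680000-0x0000000000B3E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 b5e7797b2a49edf96b67c1040b301e45
SHA256 711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701

memory/436-17-0x0000000000510000-0x00000000009CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\b66da21b96.exe

MD5 7ccebfe91b4c5b3c8feec467941c3557
SHA256 41fe619fbe5a96e2be0cc43ca6e2ab6712b2914b5dfa08cb2ee4f5a43248bbe0

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\AlternateServices.bin

MD5 a403a36335fed5cdb4386d265ad43722
SHA256 c1b7a0b968458940a0058e44e693bbf7ea9ec7ffe5df3f49dec9cd3007880b9f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\AlternateServices.bin

MD5 fe3e60e82d70ccfb657ef2a221e1487b
SHA256 63887b8e1afae6db2ef63db96caa377126a2a7ef3be99ce5d26e1a4682f1006c

C:\ProgramData\BKEBFHIJECFIDGDGCGHC

MD5 74510e15b366af53b490af878824f0dc
SHA256 3414c126bb7254d8a5be6c4cddbad6bb23ff843264aef5a69349bb0fbe77a697
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_files(text):
    """Turn the path / hash-line layout into records; memory dump entries carry no hashes."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).lower()
        elif line.startswith("memory/"):
            current = None
        else:
            current = {"path": line}
            records.append(current)
    return [r for r in records if "sha256" in r]


def triage(records, sample_sha256):
    """Bucket unique files: copies of the submitted sample, Firefox profile churn the
    browser writes by itself, and everything else an analyst should look at."""
    first_seen = {}
    for r in records:
        first_seen.setdefault(r["sha256"], r)
    out = {"self_copy": [], "browser_profile_churn": [], "review": []}
    for r in first_seen.values():
        if r["sha256"] == sample_sha256.lower():
            out["self_copy"].append(r["path"])
        elif "\\mozilla\\firefox\\profiles\\" in r["path"].lower():
            out["browser_profile_churn"].append(r["path"])
        else:
            out["review"].append(r["path"])
    return out


def ioc_lines(records):
    """One 'sha256  path' line per unique hash, ready for a blocklist or a hunt query."""
    seen, lines = set(), []
    for r in records:
        if r["sha256"] not in seen:
            seen.add(r["sha256"])
            lines.append(f'{r["sha256"]}  {r["path"]}')
    return lines


if __name__ == "__main__":
    recs = parse_files(FILES_SECTION)
    for bucket, paths in triage(recs, SAMPLE_SHA256).items():
        print(bucket, *paths, sep="\n  ")
```

Keying the dedup on SHA256 rather than on path is deliberate: a path that appears twice with two hashes (AlternateServices.bin here) is two distinct artefacts, while the same hash at two paths (the sample and its explorti.exe copy) is one.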

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-11 23:48

Reported

2024-07-11 23:51

Platform

win11-20240709-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\JEBKEHJJDA.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\JEBKEHJJDA.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\JEBKEHJJDA.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\JEBKEHJJDA.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe N/A
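The three evasion tables above (ACPI DSDT VBOX__, SystemBiosVersion / VideoBiosVersion, Software\Wine) are each weak on their own, since installers and hardware-inventory tools read the BIOS strings too, but a single process doing two or more of them is a strong sandbox-detection signal. Note also that firefox.exe shows up in the "Checks processor information in registry" table further down; that CentralProcessor\0 query is normal browser behaviour and should not be scored the same way. The script below is an added example, not part of the report: it parses rows in the exact layout of these signature tables, maps each key to a category, and flags a process only when it has hit at least two distinct strong categories. The rows it carries are a constructed excerpt of the report's own tables; the category names and the two-category threshold are choices made here, not something the report defines.

```python
import re
from collections import defaultdict

# Rows look like: "<Description> <Key path> <Process path> <Target>"; the key and the
# process path may both contain spaces, so anchor on "\REGISTRY\" and "C:\".
ROW_RE = re.compile(
    r"^(Key opened|Key value queried|Key created)\s+(\\REGISTRY\\.+?)\s+(C:\\.+?)\s+(\S+)$"
)

# Category per key fragment (matched case-insensitively against the full key path).
# The first three come from the report's evasion signatures; the last is the
# CentralProcessor query Firefox itself makes, so it is kept low-weight.
RULES = [
    ("anti-vm:virtualbox-acpi",  r"\hardware\acpi\dsdt\vbox__"),
    ("anti-vm:bios-fingerprint", r"\hardware\description\system\systembiosversion"),
    ("anti-vm:bios-fingerprint", r"\hardware\description\system\videobiosversion"),
    ("anti-emulation:wine",      r"\software\wine"),
    ("low:cpu-info",             r"\hardware\description\system\centralprocessor\0"),
]


def parse_registry_rows(text):
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append({"op": m.group(1), "key": m.group(2), "process": m.group(3)})
    return events


def categorise(key):
    k = key.lower()
    return {cat for cat, fragment in RULES if fragment in k}


def score_processes(events, min_strong=2):
    """Flag a process when it hits at least min_strong distinct non-low categories.
    Two independent checks keep a lone BIOS read (common in installers) from firing."""
    cats_by_proc = defaultdict(set)
    for e in events:
        cats_by_proc[e["process"]] |= categorise(e["key"])
    verdicts = {}
    for proc, cats in cats_by_proc.items():
        strong = {c for c in cats if not c.startswith("low:")}
        verdicts[proc] = {"categories": sorted(cats), "flag": len(strong) >= min_strong}
    return verdicts


# Constructed excerpt of the signature tables above; each row is one the report shows.
REGISTRY_ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\JEBKEHJJDA.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\JEBKEHJJDA.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
"""

if __name__ == "__main__":
    for proc, v in score_processes(parse_registry_rows(REGISTRY_ROWS)).items():
        print(("FLAG " if v["flag"] else "     ") + proc, v["categories"])
```

The same rules port directly to live telemetry: Sysmon event ID 12/13 (RegistryEvent) supplies the key path and image, so categorise() and score_processes() can be run over those records unchanged; only the parser differs.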

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\fc4cdd3117.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\fc4cdd3117.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe N/A (64 identical entries)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fc4cdd3117.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4968 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (3 identical entries)
PID 1976 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\fc4cdd3117.exe (3 identical entries)
PID 1976 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe (3 identical entries)
PID 3488 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe C:\Program Files\Mozilla Firefox\firefox.exe (2 identical entries)
PID 4216 wrote to memory of 3312 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (11 identical entries)
PID 3312 wrote to memory of 2320 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (42 identical entries)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe

"C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\fc4cdd3117.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\fc4cdd3117.exe"

C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe

"C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a353cd9-634b-4217-ba96-a0d95fbfc956} 3312 "\\.\pipe\gecko-crash-server-pipe.3312" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2272 -prefMapHandle 2192 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {952d8aff-93a7-4fda-9bd0-3a1b5b0c9676} 3312 "\\.\pipe\gecko-crash-server-pipe.3312" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3300 -childID 1 -isForBrowser -prefsHandle 3168 -prefMapHandle 3148 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1368 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70760208-cecc-45d3-a97b-231872bb2891} 3312 "\\.\pipe\gecko-crash-server-pipe.3312" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3972 -childID 2 -isForBrowser -prefsHandle 3964 -prefMapHandle 3960 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1368 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c40aea27-7f0c-499d-ad24-6db3ea9b51a3} 3312 "\\.\pipe\gecko-crash-server-pipe.3312" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4856 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4848 -prefMapHandle 4844 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd99c800-e0a3-4169-a54c-9fb765424a82} 3312 "\\.\pipe\gecko-crash-server-pipe.3312" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5516 -childID 3 -isForBrowser -prefsHandle 5508 -prefMapHandle 5452 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1368 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7768b288-b3bb-4dfc-9b27-e8a071d4646f} 3312 "\\.\pipe\gecko-crash-server-pipe.3312" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5644 -childID 4 -isForBrowser -prefsHandle 5652 -prefMapHandle 5656 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1368 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {798f52c4-3601-4b58-88c6-6415635bfd1b} 3312 "\\.\pipe\gecko-crash-server-pipe.3312" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5820 -childID 5 -isForBrowser -prefsHandle 5828 -prefMapHandle 5832 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1368 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e33eda6-39dc-4277-b0f6-ca967edf4e4e} 3312 "\\.\pipe\gecko-crash-server-pipe.3312" tab

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JEBKEHJJDA.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EGCFHDAKEC.exe"

C:\Users\Admin\AppData\Local\Temp\JEBKEHJJDA.exe

"C:\Users\Admin\AppData\Local\Temp\JEBKEHJJDA.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
N/A 127.0.0.1:49900 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
GB 172.217.16.238:443 youtube-ui.l.google.com tcp
GB 172.217.16.238:443 youtube-ui.l.google.com tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 44.238.192.228:443 shavar.prod.mozaws.net tcp
GB 172.217.16.238:443 youtube-ui.l.google.com udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 34.107.243.93:443 push.services.mozilla.com tcp
GB 172.217.169.78:443 consent.youtube.com tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
GB 172.217.169.78:443 consent.youtube.com udp
US 34.107.243.93:443 push.services.mozilla.com tcp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
RU 77.91.77.81:80 77.91.77.81 tcp
N/A 127.0.0.1:49908 tcp
US 35.244.181.201:443 prod.balrog.prod.cloudops.mozgcp.net tcp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
GB 88.221.134.155:80 a19.dscg10.akamai.net tcp
GB 142.250.200.14:443 redirector.gvt1.com tcp
GB 142.250.200.14:443 redirector.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com tcp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
GB 142.250.187.238:443 play.google.com tcp
GB 142.250.187.238:443 play.google.com udp
GB 172.217.169.78:443 consent.youtube.com udp
GB 172.217.169.78:443 consent.youtube.com tcp

Files

memory/4968-0-0x0000000000290000-0x000000000074E000-memory.dmp

memory/4968-1-0x0000000077686000-0x0000000077688000-memory.dmp

memory/4968-2-0x0000000000291000-0x00000000002BF000-memory.dmp

memory/4968-3-0x0000000000290000-0x000000000074E000-memory.dmp

memory/4968-5-0x0000000000290000-0x000000000074E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 b5e7797b2a49edf96b67c1040b301e45
SHA1 bab8594d3af5eae8b2918c9d3a6c1811957c489c
SHA256 711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701
SHA512 46c8d1555ba6ace3f911df9a3c00d9802e3a021c3d3465c006b6f6d36e3e605f8ab74f3cb31ca77f7455a63859e9664e198246e1c2cb4994b695cb1a0ff4f0ba

memory/1976-16-0x0000000000C80000-0x000000000113E000-memory.dmp

memory/4968-18-0x0000000000290000-0x000000000074E000-memory.dmp

memory/1976-19-0x0000000000C81000-0x0000000000CAF000-memory.dmp

memory/1976-20-0x0000000000C80000-0x000000000113E000-memory.dmp

memory/1976-21-0x0000000000C80000-0x000000000113E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\fc4cdd3117.exe

MD5 7ccebfe91b4c5b3c8feec467941c3557
SHA1 a3ddf2da7133f6b2478eaaaccf98c3fe12e6db69
SHA256 41fe619fbe5a96e2be0cc43ca6e2ab6712b2914b5dfa08cb2ee4f5a43248bbe0
SHA512 5b09099bfea89b8d14ce2f610b0471d536d56a53bc580b3315a7c81a99511809495e75a93185728b906a4bccbbef9f3cbe0bc899bde44cfbbdaa455b80673635

memory/5044-37-0x0000000000D10000-0x00000000018F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe

MD5 c405ccb4db5e6b3603e8d263acf6efec
SHA1 a7af8499340084c5fc9084fac7403fc7d1d14e98
SHA256 79bf5e36c3bd475045d5e2c4472530299e3352d273ded288f79930bdceca179f
SHA512 cbd990037ce94951b50567cdb605f2e886239aeac56a313be1b3cdd7654648a8ca59ca1c1a1d5adc7ef35a58801518afd68775dcc04314db7e8c27eb3ac8b396

memory/1976-46-0x0000000000C80000-0x000000000113E000-memory.dmp

memory/5044-47-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\activity-stream.discovery_stream.json.tmp

MD5 73c90ae0ef84bfdac4e0f1a159ba1f27
SHA1 03826d4ff34ba38f2784919336666f009c129be5
SHA256 5db58e00be2cdc018d6ffca83c9adfab6818038cca5fde209f525f6c3a46b9a9
SHA512 ba01402914cfdb6f7ce430d0fb214993acf0fc562e58af003dc1854e8137e3b59c0bd5e3f55df831ff08aed9e5c1b4807f531663e6d84565caaf5ee0598591a4

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\datareporting\glean\db\data.safe.tmp

MD5 c3b129a727ba4560d67520bfe58210d6
SHA1 4d59497443c4f396b60bab0e9b455c9703fc3d63
SHA256 1ba41f7ea66af9d65984954ee25ae396d235468772a6beb4b821297150d6bfc4
SHA512 4056ffd8066474d7822d116348f2961972f23579aa05afd4a4dd42cb00e24e59f183a5007f4fd565fcae6d41c76563d876377eefc88e799f6e2a859fefe8460d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\datareporting\glean\pending_pings\8858a3d9-6ca3-4ca4-b551-4e37d09aebd8

MD5 a22918f6c80f8f3a3bf2bf6e37a32cd1
SHA1 b4e39ab940c394ee2401a75d20a9c28c40261085
SHA256 988770177b04d7a6fef59abcb041c62422443c6a146db27f728fdcc8877f1c67
SHA512 1a5499a1a6c55ac57abca93edbb3aa230307f609ad55d5bc9b7019f5dc69b55775956930ee8040b0f1ee5228754639a0285178c07363a213b6247586aaad0f70

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\datareporting\glean\pending_pings\cc386882-be6b-493c-b755-6e8689f82cce

MD5 4e037aae502c1f6ee77f891250e0260f
SHA1 d9737166e770cbbd18cef8ee69d0c4ee181b4e91
SHA256 c381e08c29b8d383e919a890b2d057b905d24104fbac9a3a555195aab5d32492
SHA512 c250a6db2d8be3af930877b64ec6fdd5e1fa5c60e557a50f02f9ca575003782da3e28eae8f7996bf721ff0d179f34e6f359665d26923f160a053ded3988b450b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\datareporting\glean\pending_pings\ba82df7e-fbed-4998-be4c-eb8fec6db0f6

MD5 585154e80e9833213e4c0c7476399665
SHA1 2836b7f23c9c843a07854ae4e73cb7c38a691ad7
SHA256 0511e4c9453f94137b2c03360ea833f086e01625145905aec2cfd5020d8cb13a
SHA512 ff701626df8e351dac92245b126993da9d02cd459a32558071a372e351d500a01d7e46948bd2ea2e45914c38b99c696320f950448629dbc31ac69e3ee839ee92

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\datareporting\glean\db\data.safe.tmp

MD5 8521af6841d516bbf99949b05669ed87
SHA1 7c213e31b750388c235cdc2f686679fb6b66a012
SHA256 c96c163795574ef93055eb51a8d88c45e905a781d1f37ac3ff5628e0481c28ee
SHA512 eb7a9026967b3260967b00d4f85954b8d7a308cac25f61afe1e683979b14657199b141bf9335aec27f9d3297e87ba1c455933c46c2e417f2099ec86df7cc173f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\AlternateServices.bin

MD5 237996db2fbcf519d5e9a292ca89caf3
SHA1 983f571ace9d32fbc3c2b06c67ab30bdb73bd526
SHA256 ce1bc111157bb7dcdf3ee2269dda48d4d50bb971ef7090429e642fbf493a8b57
SHA512 20c565e1bec6ba7f148bca446a8adff14b79fb87288b89b5f7e57f5110fbb9933c540f2d6f546e2bbb59f4211705f4bbb82dc68ad0e114406011d6fb79a3d370

C:\ProgramData\GIJKKKFCFHCFIECBGDHI

MD5 c72f1bb58f96184a77408eb1796eac92
SHA1 6715dd4c4895accf6b05e444f03c6cac0dab8d8a
SHA256 357820164215efa8289a0a2afae85b7b827a01c84d0155092e770cfed85e764e
SHA512 2c2430d05ccde0433a18def1698e33edd7854e753df2389004c37b86950f96929e748acf57bebfb521c8a6d4ae4b7589f413d1adf0373f1e35b9419f27447068

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\AlternateServices.bin

MD5 7b4d474ee4060103318f92fd0f3e7674
SHA1 91a238679e456f19537e42097522f3b844607995
SHA256 d34141485f986da1e9ed2397f83cff5a20acb6e99a52375cf867b47e9a78f0b9
SHA512 d9404cf0d2d803eeb6b0f0ecb4b70fa2e47ef375721625a6b56846dc76910f8fed3987969c1408371577df49d6e15cf495e653948381a896da2131ffc801944a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\prefs.js

MD5 92052c971b1fe634e0a3daef5db1200c
SHA1 810a1219d6a3d20aa6d03e784b415ba743829749
SHA256 23718391113af8224efcf80a2a4f67948bfb50c2fba48fb21d08fa28b0ff6187
SHA512 f0e31c5bdf0690504269047ebdd13c8ab340dda8096d142f369a53a1e39cd58ab1253f26615509312617ee8eb746307f2584d35a84c3222aef4e289dd0e90c95

memory/1976-462-0x0000000000C80000-0x000000000113E000-memory.dmp

memory/3196-463-0x0000000000C80000-0x000000000113E000-memory.dmp

memory/3196-468-0x0000000000C80000-0x000000000113E000-memory.dmp

memory/5044-469-0x0000000000D10000-0x00000000018F6000-memory.dmp

memory/3828-473-0x00000000008E0000-0x0000000000D9E000-memory.dmp

memory/3828-474-0x00000000008E0000-0x0000000000D9E000-memory.dmp

memory/1976-479-0x0000000000C80000-0x000000000113E000-memory.dmp

memory/1976-478-0x0000000000C80000-0x000000000113E000-memory.dmp

memory/1976-493-0x0000000000C80000-0x000000000113E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\datareporting\glean\db\data.safe.tmp

MD5 f308bf73e8d31117102aaccec224f856
SHA1 97d1a1e08afacce668f5bae08d50e0be62c3989d
SHA256 1724d96280a6d7a00b354b23be1cb77c7cace96d3553d693b0fe19b7d3287dc5
SHA512 04a89ac745c46fe05b185f49077efdbb8a4906cdef38873ee023d3c619b325bf7924162cd7b4f4d118b47ed5e771835ac34a8b548789bb7f830457e15f702ae8

memory/1976-506-0x0000000000C80000-0x000000000113E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 e8a4e2c4ccac5042455cd0208195f6a2
SHA1 754a7810df9c57c5a617bf302bca88728316f8b7
SHA256 f92220a0647feb03f409ff820343143432c132693ea3ee2dd6bdd4738e3c60c2
SHA512 3f3ddbe864c290c0a9beca7f1e07ea9d54c7d9a6a4f87124f818e1406c478d44f762a84eaed385fe556ffc019ffc878ee3fa3e2a27d25466163755bca6b25119

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\prefs-1.js

MD5 8828cc16bf2e8158050d77f5ec401936
SHA1 3c872b3acaf5b8329ce458abfe8f5f36efb0c0bd
SHA256 ebed32b6e7df285feae4dc7b02977e276d5416abc54b97a45850f847b9f90f2c
SHA512 5ee06a3f2fce765145989fa2e33d5b61784b11b22b28ac1063e580fb335a637c60d112139d0ae06f711fe571b562718bd8851f7d414ab45b40e73b634eb1c5ee

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 858f5b34a27aa6414106b465a6430376
SHA1 b40eaf0f719f43e3ef858a44fe42ee66a51f930b
SHA256 37b35f97c4903f504d0834910bc224671ab3452693b0cf018eb8a47e212cb161
SHA512 5197500fe6c5ef147f796618fccf4a203d6bf9bfdbae4c0554d01299b1b05ba756ad2aa85fe7043a840872e65908fa482702cf4d0f00db8ce108a35460b9419d

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\prefs-1.js

MD5 c7dc16045b7619ea0aae9bd4056757bd
SHA1 a79fe5820eaf94a3bb88106103060503feb77c87
SHA256 11afa0d60e04c0cb805a6852990e4abff4505fa7e13eeeb20690b03b485bd1cc
SHA512 0220654ee813a32107e7d0948ba83695a5d8974e1a6f6b223b77c710643917966b246124a855a519060242b68ddecd0bc7394bfca8484c6307506507618f0918

memory/1976-1835-0x0000000000C80000-0x000000000113E000-memory.dmp

memory/1976-2686-0x0000000000C80000-0x000000000113E000-memory.dmp

memory/1976-2691-0x0000000000C80000-0x000000000113E000-memory.dmp

memory/3748-2698-0x0000000000C80000-0x000000000113E000-memory.dmp

memory/3748-2700-0x0000000000C80000-0x000000000113E000-memory.dmp

memory/1976-2702-0x0000000000C80000-0x000000000113E000-memory.dmp

memory/1976-2703-0x0000000000C80000-0x000000000113E000-memory.dmp

memory/1976-2704-0x0000000000C80000-0x000000000113E000-memory.dmp

memory/1976-2705-0x0000000000C80000-0x000000000113E000-memory.dmp

memory/1976-2706-0x0000000000C80000-0x000000000113E000-memory.dmp

memory/1976-2707-0x0000000000C80000-0x000000000113E000-memory.dmp

memory/4012-2714-0x0000000000C80000-0x000000000113E000-memory.dmp

memory/4012-2716-0x0000000000C80000-0x000000000113E000-memory.dmp

memory/1976-2717-0x0000000000C80000-0x000000000113E000-memory.dmp