Malware Analysis Report

2024-11-13 16:47

Sample ID 240712-bhr1qsvcmb
Target 5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2
SHA256 5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2
Tags
amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2

Threat Level: Known bad

The file 5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d hate discovery evasion spyware stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Checks computer location settings

Checks BIOS information in registry

Loads dropped DLL

Identifies Wine through registry keys

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Checks processor information in registry

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-12 01:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-12 01:09

Reported

2024-07-12 01:11

Platform

win11-20240709-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\IDHIDBAEGI.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\IDHIDBAEGI.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\IDHIDBAEGI.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\IDHIDBAEGI.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\0294021ada.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\0294021ada.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\0a5a77df50.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\0a5a77df50.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\0294021ada.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2004 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 932 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\0294021ada.exe
PID 932 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000011001\0a5a77df50.exe
PID 1872 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\1000011001\0a5a77df50.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3648 wrote to memory of 2832 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2832 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe

"C:\Users\Admin\AppData\Local\Temp\5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\0294021ada.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\0294021ada.exe"

C:\Users\Admin\AppData\Local\Temp\1000011001\0a5a77df50.exe

"C:\Users\Admin\AppData\Local\Temp\1000011001\0a5a77df50.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e84cf09a-5db7-4cdf-9922-c7d6df39a15c} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e791aeb-5a47-48c3-b268-952b70d301c3} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3280 -childID 1 -isForBrowser -prefsHandle 2900 -prefMapHandle 2920 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a747872-4918-4c13-bfb7-19fe8667d303} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3888 -childID 2 -isForBrowser -prefsHandle 3508 -prefMapHandle 3652 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57916812-b55d-4177-874f-88c8897108f1} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4788 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4712 -prefMapHandle 4772 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ce3e4bc-acb8-4f74-ab30-f11ddc3edd1d} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5572 -childID 3 -isForBrowser -prefsHandle 5592 -prefMapHandle 5588 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97ca0da9-0d41-417d-aaf0-8d02085b0fb2} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5804 -childID 4 -isForBrowser -prefsHandle 5724 -prefMapHandle 5728 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55234289-433e-4fe4-a869-ffe75bc07699} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6004 -childID 5 -isForBrowser -prefsHandle 5924 -prefMapHandle 5932 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c715d428-f621-4c46-a225-cb3e2395677a} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IDHIDBAEGI.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CFCBAAEBKE.exe"

C:\Users\Admin\AppData\Local\Temp\IDHIDBAEGI.exe

"C:\Users\Admin\AppData\Local\Temp\IDHIDBAEGI.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Files

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-12 01:09

Reported

2024-07-12 01:11

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\CFHCGHJDBF.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\CFHCGHJDBF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\CFHCGHJDBF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000011001\22d293bf41.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000006001\c593a3717d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\CFHCGHJDBF.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\c593a3717d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\c593a3717d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\22d293bf41.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\22d293bf41.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\c593a3717d.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1372 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1372 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1372 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2196 wrote to memory of 5544 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\c593a3717d.exe
PID 2196 wrote to memory of 5544 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\c593a3717d.exe
PID 2196 wrote to memory of 5544 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\c593a3717d.exe
PID 2196 wrote to memory of 6080 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000011001\22d293bf41.exe
PID 2196 wrote to memory of 6080 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000011001\22d293bf41.exe
PID 2196 wrote to memory of 6080 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000011001\22d293bf41.exe
PID 6080 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\1000011001\22d293bf41.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 6080 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\1000011001\22d293bf41.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2880 wrote to memory of 1888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2880 wrote to memory of 1888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2880 wrote to memory of 1888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2880 wrote to memory of 1888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2880 wrote to memory of 1888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2880 wrote to memory of 1888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2880 wrote to memory of 1888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2880 wrote to memory of 1888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2880 wrote to memory of 1888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2880 wrote to memory of 1888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2880 wrote to memory of 1888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1888 wrote to memory of 1164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe

"C:\Users\Admin\AppData\Local\Temp\5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\c593a3717d.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\c593a3717d.exe"

C:\Users\Admin\AppData\Local\Temp\1000011001\22d293bf41.exe

"C:\Users\Admin\AppData\Local\Temp\1000011001\22d293bf41.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 25757 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d026475-adc6-478a-b703-71a1c49e2970} 1888 "\\.\pipe\gecko-crash-server-pipe.1888" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 26677 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {206ca1ed-a44c-4a74-9833-20a0b8ed5d74} 1888 "\\.\pipe\gecko-crash-server-pipe.1888" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2800 -childID 1 -isForBrowser -prefsHandle 2764 -prefMapHandle 3208 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41ebb93e-c8bb-442e-b045-91ac919a09d4} 1888 "\\.\pipe\gecko-crash-server-pipe.1888" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3940 -childID 2 -isForBrowser -prefsHandle 3916 -prefMapHandle 3904 -prefsLen 31167 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9355398-9741-4e10-8023-3b714e95d631} 1888 "\\.\pipe\gecko-crash-server-pipe.1888" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4816 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4808 -prefMapHandle 4788 -prefsLen 31167 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e69bd074-90b6-47be-bc21-fb538bd8878c} 1888 "\\.\pipe\gecko-crash-server-pipe.1888" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5496 -childID 3 -isForBrowser -prefsHandle 5380 -prefMapHandle 5492 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b124394-8bab-4b1d-b463-6e99fc10fc7a} 1888 "\\.\pipe\gecko-crash-server-pipe.1888" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5480 -childID 4 -isForBrowser -prefsHandle 5640 -prefMapHandle 5644 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4094fdb0-d1af-4e6f-8128-7ff9612757d6} 1888 "\\.\pipe\gecko-crash-server-pipe.1888" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5896 -childID 5 -isForBrowser -prefsHandle 5816 -prefMapHandle 5824 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94219399-41e2-454f-bc7c-d1789a2b8d09} 1888 "\\.\pipe\gecko-crash-server-pipe.1888" tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CFHCGHJDBF.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KKEHDBAEGI.exe"

C:\Users\Admin\AppData\Local\Temp\CFHCGHJDBF.exe

"C:\Users\Admin\AppData\Local\Temp\CFHCGHJDBF.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 www.youtube.com udp
N/A 127.0.0.1:53042 tcp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
GB 142.250.178.14:443 www.youtube.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 44.242.121.21:443 shavar.prod.mozaws.net tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
GB 142.250.178.14:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 172.217.169.78:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 consent.youtube.com udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
GB 172.217.169.78:443 consent.youtube.com udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 21.121.242.44.in-addr.arpa udp
US 8.8.8.8:53 78.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 1.97.149.34.in-addr.arpa udp
N/A 127.0.0.1:53050 tcp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com udp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 aus5.mozilla.org udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 35.244.181.201:443 prod.balrog.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.187.238:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.187.238:443 play.google.com udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
GB 172.217.169.78:443 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 172.217.169.78:443 consent.youtube.com udp
US 8.8.8.8:53 94.65.42.20.in-addr.arpa udp

Files

memory/1372-0-0x0000000000A40000-0x0000000000EF4000-memory.dmp

memory/1372-1-0x0000000077334000-0x0000000077336000-memory.dmp

memory/1372-2-0x0000000000A41000-0x0000000000A6F000-memory.dmp

memory/1372-3-0x0000000000A40000-0x0000000000EF4000-memory.dmp

memory/1372-5-0x0000000000A40000-0x0000000000EF4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 7eac58c3aac017b11c5a2a99ae66c51a
SHA1 570339f867e074afb6f0238ca2152a50356647e1
SHA256 5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2
SHA512 d99289c3746bb2d429d80c6d6757b44f125980a8b461c8d5716d4e49acb2fee1c0c4a94ff66b9a1c90b21d7d23e767201ecb6282288b0b2f068e912942729769

memory/2196-18-0x0000000000650000-0x0000000000B04000-memory.dmp

memory/1372-17-0x0000000000A40000-0x0000000000EF4000-memory.dmp

memory/2196-19-0x0000000000650000-0x0000000000B04000-memory.dmp

memory/2196-20-0x0000000000650000-0x0000000000B04000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\c593a3717d.exe

MD5 7ccebfe91b4c5b3c8feec467941c3557
SHA1 a3ddf2da7133f6b2478eaaaccf98c3fe12e6db69
SHA256 41fe619fbe5a96e2be0cc43ca6e2ab6712b2914b5dfa08cb2ee4f5a43248bbe0
SHA512 5b09099bfea89b8d14ce2f610b0471d536d56a53bc580b3315a7c81a99511809495e75a93185728b906a4bccbbef9f3cbe0bc899bde44cfbbdaa455b80673635

memory/5544-36-0x0000000000500000-0x00000000010E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000011001\22d293bf41.exe

MD5 89d94c18987eb5d638be8f74bc307ac5
SHA1 5f7d6e6d18cb0dc610dcfa684d424b38ae4f7ff9
SHA256 384ce4a6f2794b0cb3c5fe36dc9b19b755315c9918ad19c925401099c41be9e6
SHA512 8f3880137b1a7e511dbbc3164c0a28cd1933776a009120df4eba0476f07dbd2b7764dae406620da6b2ab324ac0aa8011f914db6aad213fbacc4d73f0d28c2a63

memory/5544-55-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2196-97-0x0000000000650000-0x0000000000B04000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yol9faaa.default-release\activity-stream.discovery_stream.json.tmp

MD5 82a1d19edd293611329e5581b088b195
SHA1 3c630ea73ff5f234a1323ad175037bd280c14a0d
SHA256 f9850b3b3609b91b5deacca2e886f1320df2b2bd0771aea7aacde7ecfa58687a
SHA512 d3f06d7ada2139f7437971f674671c7623c2d984209fb83fd361cc0e51c40f9724d3148bafe1eb1070d27ce5bc9323e27c1a0bfec7b89b77f80d5cf6867ad462

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\91182571-e101-4d5a-bfb8-368d84354657

MD5 31f167ba35971065a56ae080af22bdf0
SHA1 b7885bc6f2f42fd8eefb18de5b2cd21942bc0104
SHA256 a02c2c424f40fb35d03864f9fd952ffecb9f8395823aab56264a597b8a14e276
SHA512 72434da407e63398db592ca9ea114a03bebdfa806235b10c7080f6d0ad86028d0550e4a7f6b059130bbf29f7bd57a99044731d8d0d89e88ae81a0aac6eca3a69

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\98457052-238e-42a9-af5c-09af3d253f90

MD5 2aaa362ff9678c3a0ff31c90e6a05ed5
SHA1 d386e7fc980796f702bf1a50b3e86b73dd6c3ed4
SHA256 8965044dd97048faf8dd36612e5ba344d770873997380998f2a86ea98f8fd620
SHA512 2492d95b376745caf41faf868494f702d61b2374c7d213fecc68699c6048791e8124648da0fcf81922907b0125cfabd85fa533252db04a2aaa5ae4a37e3f16ce

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp

MD5 d823896a5c0cd3bd7ee6ec5ae138ca7b
SHA1 623a407a381512281af73abc311c03a40dc0f4ba
SHA256 e795079770723d331b1387650d8f2b5c9d86a834a589891e7435c5fc4ece7cbd
SHA512 91775e7c54400ba535f95cfb0b34c2f5840c3f5e984b8bdeec731ec2af599fc04d1fa9c71f6b0652a0bff0f0f4a07bfea7a9b992988c86c3505f64c5fd9f4dd9

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp

MD5 241947430580f8bb36d999567df53ea8
SHA1 abb997d4087b2fd57b8b977f186547d2c347ff66
SHA256 841a65d81de50cb7cd988f14523b51a181189b6b1ca8b66a055e0080fab9a441
SHA512 9e78c0ae2e5293758b73f33f7a60012c6f934790c3b8d2dc654e5497e14404e12f30cf7914c82b9871b8f48e19b778d89c3bca7b4a590c7dae3d91cd7b74b020

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\AlternateServices.bin

MD5 89f841796296790059f120bc55d2f6b5
SHA1 612f3a3b7cb293c4db5d8ce382311ce794db19de
SHA256 aa155d96cedb734820d5648c853be81d59569dbe43cf05190d53635fd20c184e
SHA512 c46b102bf29a727fb712902d30c91e4f8987c0c145934d539ac01e1cdd674d42f0ddf3af80fbf3ad45086598eb91c924b53684df7632250d6890667a0080d960

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\places.sqlite-wal

MD5 baedcb749d698eac265180ad98538c0d
SHA1 2304a08c551368101caab2b00ecc5f1496fecb03
SHA256 db18a073b9fb04c03a4d81b0834d9edcea92eb52db49ebf690be491a4c808e38
SHA512 f182976cee662d64df6afdafcff3f50a66c1c72b36ab0765fbc8aa776b27cc6e33a90d5c0b6849031b6e91c0b1b89b472f9c575f90c8d39d8f252306c0176d5b

C:\ProgramData\IECFHDBAAECAAKFHDHII

MD5 5c62863c7732ef38226bf0c6acb6ddea
SHA1 2d3328495bfd3a0180c85c3bde9ae53a98196cae
SHA256 998d8f94dcf5a5b873b19c88ff1ee73703c328fcbc4e189b51a85b917cb54d76
SHA512 a9acaaf0a1e3b9797c02546f13807c0bb7b6738f4338d01ae45316078df935973e33a99a8e515266edda00009976bff1b7c0bfc456a03a1850f41437c5f2c584

memory/5544-444-0x0000000000500000-0x00000000010E6000-memory.dmp

memory/5328-448-0x0000000000F70000-0x0000000001424000-memory.dmp

memory/5328-452-0x0000000000F70000-0x0000000001424000-memory.dmp

memory/2196-459-0x0000000000650000-0x0000000000B04000-memory.dmp

memory/2196-460-0x0000000000650000-0x0000000000B04000-memory.dmp

memory/2196-461-0x0000000000650000-0x0000000000B04000-memory.dmp

memory/2196-470-0x0000000000650000-0x0000000000B04000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp

MD5 45350de60c7934485bd9380688c15f47
SHA1 7136391ef21ae40d8dc120fda1aa1a527a05fded
SHA256 d57a5a0a678ff8cb1a769ef01e9d49fa61c8b15ff654d2d59a3f8a6936e9a1e0
SHA512 e558144b232dde9d9a9815482fb50a822233d00acb6b5787459cb786761dde591da20f3794295894b2cdd968c94171fc7082e02a288fcec921adcd07c25418d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\prefs-1.js

MD5 7169eb9684dd78cc1c0f0c1f2b9ff3ba
SHA1 6d45213cd24e78a9df077b0e40373960ef75d49b
SHA256 bd88e7d2ab2c9ff819b8f12dbb359efdd9879fdd481ca2ef0c519fd2a0c61fad
SHA512 03756363e608f506142c3505f44b227354133199b4ef333d685ad3211b4511b6a4937a92ddd02be3ecfe3509174260b42bf65297ec4fb6d69c9b67a6c1dd63db

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yol9faaa.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 f22d24cab745da6ad639e679f69025f3
SHA1 a3c279b32e2b31004fa5a1bad8a8d8ba59b9ee2c
SHA256 8307f80ba2395a3c67c21b0c5aeac9d530ee61a06cf20d8124d494c7de6905e0
SHA512 0fac9cb8d81e2d1dbd2542b489cf98d62dd996b5d04fffd27461fc83f97b3c2d2060c918f9240e704c3126914dd9ebce24b25c080ec9b776be30372cd294b0cd

memory/2196-552-0x0000000000650000-0x0000000000B04000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\prefs-1.js

MD5 417a59c128c20e5d89cb90b11190fbca
SHA1 9c73b3ffaed36c509004ec6eb116825edb360a06
SHA256 cefcce5a94c72afd748689006057e7a459c4581ff855cefb07aef7b4efcb7e6b
SHA512 8b3facb32ee1637825faf0ade346e1c80f7f270ead32ee9dc69a40048395c7debf614a043acb697fec1545d4dd8505e54079fb20a2d7616e6ff0e281d3047c07

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 19471bd5bc4049a79f70549ec8d19071
SHA1 4a0eba9590356d45eda2a617011fbf33aea5ae9e
SHA256 bea55c5f941e5c4a97c78c3f013327cc25dc0f888e2e84241374141181539e7a
SHA512 037adaf639cb9a72cd8d82392eb19e3d7393472aecb26cf4792512b388cab5b02eb7d6fc007079f85c79f5bc961c54af6bcccbbbdc5553ddf62f90c51e262d10

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 5f8bec4f493f151d2823f629e745e12a
SHA1 bc52607679b0bf23575762f232df13a4bd46446b
SHA256 ec8452746902e1d4110f82cf76c2088535bbe12fffc55a14f3553fac928c0d9b
SHA512 1a1638be6bbfa7d91732b16869b99aa4aaf542218d1d194107c557e677032172a17ba9ffa7962eba130bb3d95e6ca3777201101bdded897fd7839ed9a958935f

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yol9faaa.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

MD5 ea210637fd33afc4241d4c25045f2738
SHA1 af6b1c175406b3485987db4a3e7d16f8ed0b9e40
SHA256 8012ba0f6f2ebef165f5c9f73573afc55803ce69f5736182112b4af88e7ff121
SHA512 12694452447c66932d099dbb230fa0622061ee962163f236e133a1f62d611b64a09e05728a198463481171c848499814198e0cef884fa9cf8b65fc71871b963d

memory/2196-1161-0x0000000000650000-0x0000000000B04000-memory.dmp

memory/4168-1627-0x0000000000650000-0x0000000000B04000-memory.dmp

memory/4168-1833-0x0000000000650000-0x0000000000B04000-memory.dmp

memory/2196-2622-0x0000000000650000-0x0000000000B04000-memory.dmp

memory/2196-2629-0x0000000000650000-0x0000000000B04000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\AlternateServices.bin

MD5 2ebe017180e754f6b2c8bb515eca5f1d
SHA1 f1e626a415a59242a9aec13a7ebc12c52e9c6616
SHA256 632e41378062aae041ca05542f0728142e844ac67cb313e2f78caf5439b0de36
SHA512 a2bbb77f40cf86f6e26a3bd113b810385a5f5b2f4e934dfe3a8ae7ddee3cd3a75cd3f9708e8398c9160ae18d1daeb65728aa342f4007fd01e18e7f3dc9d96681

memory/2196-2635-0x0000000000650000-0x0000000000B04000-memory.dmp

memory/2196-2636-0x0000000000650000-0x0000000000B04000-memory.dmp

memory/2196-2637-0x0000000000650000-0x0000000000B04000-memory.dmp

memory/2196-2638-0x0000000000650000-0x0000000000B04000-memory.dmp

memory/5824-2640-0x0000000000650000-0x0000000000B04000-memory.dmp

memory/5824-2641-0x0000000000650000-0x0000000000B04000-memory.dmp

memory/2196-2642-0x0000000000650000-0x0000000000B04000-memory.dmp

memory/2196-2643-0x0000000000650000-0x0000000000B04000-memory.dmp

memory/2196-2653-0x0000000000650000-0x0000000000B04000-memory.dmp