Malware Analysis Report

2024-11-13 16:46

Sample ID 240712-crn6wavbpq
Target 5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181
SHA256 5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181
Tags amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181

Threat Level: Known bad

The file 5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181 was found to be: Known bad.

Malicious Activity Summary

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Identifies Wine through registry keys

Checks BIOS information in registry

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Reads data files stored by FTP clients

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-12 02:18

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-12 02:18

Reported

2024-07-12 02:21

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\JJECAAEHCF.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ECFCBFBGDB.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\JJECAAEHCF.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ECFCBFBGDB.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ECFCBFBGDB.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\JJECAAEHCF.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000006001\16b475fe86.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\JJECAAEHCF.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ECFCBFBGDB.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000006001\16b475fe86.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000006001\16b475fe86.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\16b475fe86.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3056 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 3056 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 3056 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 3544 wrote to memory of 956 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\16b475fe86.exe
PID 3544 wrote to memory of 956 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\16b475fe86.exe
PID 3544 wrote to memory of 956 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\16b475fe86.exe
PID 3544 wrote to memory of 4960 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe
PID 3544 wrote to memory of 4960 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe
PID 3544 wrote to memory of 4960 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe
PID 4960 wrote to memory of 3564 | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4960 wrote to memory of 3564 | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3564 wrote to memory of 4632 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3564 wrote to memory of 4632 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3564 wrote to memory of 4632 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3564 wrote to memory of 4632 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3564 wrote to memory of 4632 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3564 wrote to memory of 4632 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3564 wrote to memory of 4632 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3564 wrote to memory of 4632 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3564 wrote to memory of 4632 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3564 wrote to memory of 4632 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3564 wrote to memory of 4632 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4632 wrote to memory of 3680 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe

"C:\Users\Admin\AppData\Local\Temp\5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\16b475fe86.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\16b475fe86.exe"

C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe

"C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 25757 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b192c709-be1c-4313-abef-f0e20fe6ca8f} 4632 "\\.\pipe\gecko-crash-server-pipe.4632" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 26677 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2bf5fd5-6f94-4c01-941d-f49026662952} 4632 "\\.\pipe\gecko-crash-server-pipe.4632" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3392 -childID 1 -isForBrowser -prefsHandle 3560 -prefMapHandle 3292 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {afafe5d6-a8e2-43d4-b536-b236c4f3d1c1} 4632 "\\.\pipe\gecko-crash-server-pipe.4632" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4036 -childID 2 -isForBrowser -prefsHandle 4032 -prefMapHandle 4028 -prefsLen 31167 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a1fdb5f-cc7e-400c-a17f-f0cc7f9eacf8} 4632 "\\.\pipe\gecko-crash-server-pipe.4632" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4680 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4656 -prefMapHandle 4668 -prefsLen 31167 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6a86f42-e721-43a5-a332-6204ce31eb1b} 4632 "\\.\pipe\gecko-crash-server-pipe.4632" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4044 -childID 3 -isForBrowser -prefsHandle 5332 -prefMapHandle 5328 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74452018-5927-41f4-9e81-301a79ab19f3} 4632 "\\.\pipe\gecko-crash-server-pipe.4632" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5516 -childID 4 -isForBrowser -prefsHandle 5596 -prefMapHandle 5592 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d306c4a-5024-408c-981f-fb82fb885e3d} 4632 "\\.\pipe\gecko-crash-server-pipe.4632" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5712 -childID 5 -isForBrowser -prefsHandle 5804 -prefMapHandle 5800 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60498aaf-a6f0-482e-9b18-382b667d0a3f} 4632 "\\.\pipe\gecko-crash-server-pipe.4632" tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JJECAAEHCF.exe"

C:\Users\Admin\AppData\Local\Temp\JJECAAEHCF.exe

"C:\Users\Admin\AppData\Local\Temp\JJECAAEHCF.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ECFCBFBGDB.exe"

C:\Users\Admin\AppData\Local\Temp\ECFCBFBGDB.exe

"C:\Users\Admin\AppData\Local\Temp\ECFCBFBGDB.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
N/A 127.0.0.1:63504 tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
GB 142.250.187.206:443 www.youtube.com tcp
GB 142.250.187.206:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 44.238.192.228:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
GB 142.250.187.206:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
GB 172.217.169.78:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 consent.youtube.com udp
GB 172.217.169.78:443 consent.youtube.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 228.192.238.44.in-addr.arpa udp
US 8.8.8.8:53 3.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 78.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
N/A 127.0.0.1:63514 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.187.238:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.187.238:443 play.google.com udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
GB 172.217.169.78:443 consent.youtube.com udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/3056-0-0x0000000000D20000-0x00000000011DB000-memory.dmp

memory/3056-1-0x00000000770D4000-0x00000000770D6000-memory.dmp

memory/3056-2-0x0000000000D21000-0x0000000000D4F000-memory.dmp

memory/3056-3-0x0000000000D20000-0x00000000011DB000-memory.dmp

memory/3056-5-0x0000000000D20000-0x00000000011DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 ad7686b6a3804dda1cb2b039efdcd54f
SHA1 d810885254abaf8d3ac93269209141833c45ce58
SHA256 5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181
SHA512 d795e4c224d9e9066822a009602dd38542f86021b994accf3cdc715e869d58bd9321b8c07d776848a2d5bea8607c347d15030861dc63fcb2392e87e3feb901f4

memory/3544-17-0x0000000000AF0000-0x0000000000FAB000-memory.dmp

memory/3056-16-0x0000000000D20000-0x00000000011DB000-memory.dmp

memory/3544-18-0x0000000000AF0000-0x0000000000FAB000-memory.dmp

memory/3544-19-0x0000000000AF0000-0x0000000000FAB000-memory.dmp

memory/3544-20-0x0000000000AF0000-0x0000000000FAB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\16b475fe86.exe

MD5 b5f67083e086299287f0dfb2a7bef96e
SHA1 dccf58d99cd7153859d1ad5a1c3f7e348e2ebbb7
SHA256 1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80
SHA512 55c4f5d435a1a27e6c8e14c88e454da4dc2398076f4596a6f983184831db0119c58be9c82b8ddf5ef37265b65b5cea56e5963c871b2be0f8e88064224681d654

memory/956-36-0x0000000000CB0000-0x0000000001891000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe

MD5 37f0d7fac582e7e1592b3306f79143f0
SHA1 fe09db964b98769ebf71d780de5655958a4b9dbb
SHA256 dd8ed064fdd43873a7ece063734ef85a27549c4f2a90e05aeccf859c8c53ffbd
SHA512 3a020bea5a33387ad5e15bf22bc9a81406885ed0c1d40eb9d257d110b34fffa86598af61ceaaf5756a685e7bf9aecc976d951823c46eb48106781ca6e6fc1126

memory/956-55-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1120-89-0x0000000000AF0000-0x0000000000FAB000-memory.dmp

memory/1120-102-0x0000000000AF0000-0x0000000000FAB000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ehv06adt.default-release\activity-stream.discovery_stream.json.tmp

MD5 43b447d90927e38b00f5ecac60f5bd8a
SHA1 eca289a7c4b339c0cfd08b9cb6bf130522d611d4
SHA256 345eb0fbd2ea12f1e27ab8b4b9813d579b6f994c6c7e82b66e8beca85be78b1b
SHA512 8538520f723be21150a3179c5c8964186d8b3222033b9be855b3d2c89ca8431a3f00477d50071a3b478c09def6dc2abd6cae93243c2e166ab1822f69efa96fb6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\datareporting\glean\pending_pings\2d8f2432-bbb3-4191-91c2-86cd08183a3e

MD5 614d4058fc207933439d60ed068b5a4f
SHA1 461e835319bef3ccb91a49ba34eabefca1b43ea6
SHA256 c84b3c64497bf34079d4071d5130d3d51c4f7d5f38df6374b5929e6dee0a4254
SHA512 ba6394a8d66bcd0cb20b95de5a1b517afcd6cd7e58d236c8df37d8a683aa051842908c6816bb6d5a64628e5b4339505a85ee79277a817202fc52146607a8c961

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\datareporting\glean\pending_pings\656ca0b0-0bd3-4a4d-8b65-b0236c09c1d1

MD5 cf97017dd90bafc1027d322eb7b209bc
SHA1 7969cede1f199d467155072a1ebee8572df30a88
SHA256 371a9f3e6f499e8cc0e4b8c8b6754726080391b7c6a324b0c83820089198fa30
SHA512 4c266ec6ac248e672452443804bf0fb68fc13483a4b46bf844dfb4b37382409bbda4c765a18c00b69e8aaf2c3ccaec264cebeca043d751bc43bc01ceb2497d87

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\datareporting\glean\db\data.safe.tmp

MD5 67887669eb3bd941f0846dddb85cc003
SHA1 492e0791c2acc94683134a74aafc09c66f190694
SHA256 c8a914dd2f272dc7d2fc2067ef63f7ebf89c0f519d64ce213117430d46b9c7a3
SHA512 000b09820f676d4e90a89de103c449954a51bcb652ffca275a014b8a96ea1bb7ea761b4d4fab1b863877e18a4831baea3b1bf79dc5f627a9d07e9a87b57468a6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\datareporting\glean\db\data.safe.tmp

MD5 7a70248477e1a6715ebae29db42558c4
SHA1 10a991979e225ae72786a979422f7fbddd400b68
SHA256 6fa75cc76ee6878722dfc13f84a04c7dcd324546dcd85c35365dad57ce6fcca3
SHA512 09662c2975638cb78a54d18373247b540223fa73e458fbd5998e1920edcc8d8adeb5195e1dc3be852a79a54c375640f58432324a269c19870fcb724b1fea6fd6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\AlternateServices.bin

MD5 636833065fe2497c72064055a218cdf5
SHA1 f483bcac41fb67162c1a8b3cabbdcf1a15168f47
SHA256 0a23e5f134dfce247bfaafc125ea3ef92de9ebb3ab688dec718d47be7f749745
SHA512 e3bf4094856c5471798ca15db3ea6c07572a1fe792c3d1954e2fd2ed765bbbd3f9c1031b165f36826fdf591864fd8956f1577b57d8ddb2ebe97367c74c375242

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\AlternateServices.bin

MD5 4a6eac83f105180d0392df1730321066
SHA1 92f2ba6f7115efce48ece69e035e11ab66c206b2
SHA256 2b33dce41d91e0b2ab0011ffb0bdd6b9c6d5121c7183665d3cb4e27d10828561
SHA512 add7e0009e4f64ecf25770eb2595e1cb7000368329e845bc1e28b928edc4be2f69aa89f4afcefa17b5c83a73251a17179cb46e6630cce24cd35c47cf4155b035

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\prefs.js

MD5 32eff4d71deca0b14cea47da90c32b4c
SHA1 a585c38c6b2632ec9151d13c26190ebba0c37ca2
SHA256 daa0a7f91cf8accab8f7dda4fbe862dcfe0040d20f655f7b38f147f23db16e50
SHA512 30a7e884cd2f547c8302e3ed98e48e7e9a1b31397fa6828e5f45220c363e7f445f993d4243f7529766f5099ad1f6750f2b64c2f321d3c38cc10e9794458a9f40

memory/3544-419-0x0000000000AF0000-0x0000000000FAB000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\cookies.sqlite-wal

MD5 6917a7698218d0c8a94c9cd6150872cb
SHA1 43015f615203a220f1413dae611292825df8a83e
SHA256 2a129e7cc6ad8419ebd887be216fca453965303d31742989baa97ca316420aa9
SHA512 7ab6d66d8fdf91dafc23970ddba15b755bd9bec2ad26a8ab6cf11ea27fd147b79741364cca72ca21167ac967670fde29b887c17730952944f76ce973628d09b8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\places.sqlite-wal

MD5 e5fa70d53ca1dc02d078f03b22b2e789
SHA1 8c0a9459b9670b4450107685ee738138486d89b3
SHA256 2a9d8c02d908d4ca473ecc8b3e3bdf8c41d492f0da02738e918c6652ae0d715b
SHA512 017b05d4b63286be7e9fcb1456dff17dee683eab2e092c158485e405a765ed117e7dda985073277bd888f560c18898eee132ba9a15bc57fc7c4bd81d91469789

C:\ProgramData\CAAEBKEGHJKEBFHJDBFC

MD5 9a1720bae506624f697df48ead857498
SHA1 5b4315dc3e01c03fcae7c1d36e4d5f3d79bf3329
SHA256 9b81e8956df5f0e884659f6ba053a18b0ab0088e82d83acac8e43af0768cbed9
SHA512 e1d3ea79c58b39de211dbdb37a1a9eb4d2a2ba1314b1046dcffb048d23c336ee2a5a6b6ccd49a4a25dc1ecdfdd9706da9151ea8de0f0549aeec63d03479645ae

memory/956-447-0x0000000000CB0000-0x0000000001891000-memory.dmp

memory/3544-462-0x0000000000AF0000-0x0000000000FAB000-memory.dmp

memory/3544-469-0x0000000000AF0000-0x0000000000FAB000-memory.dmp

memory/1492-470-0x00000000004D0000-0x000000000098B000-memory.dmp

memory/956-477-0x0000000000CB0000-0x0000000001891000-memory.dmp

memory/1492-476-0x00000000004D0000-0x000000000098B000-memory.dmp

memory/1396-481-0x0000000000950000-0x0000000000E0B000-memory.dmp

memory/1396-482-0x0000000000950000-0x0000000000E0B000-memory.dmp

memory/3544-491-0x0000000000AF0000-0x0000000000FAB000-memory.dmp

memory/3544-492-0x0000000000AF0000-0x0000000000FAB000-memory.dmp

memory/3544-497-0x0000000000AF0000-0x0000000000FAB000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\datareporting\glean\db\data.safe.tmp

MD5 bcbf3ae8eb93e7a419b1c3a83dee31ae
SHA1 bc8b105bdf794f8f00cb2b5c4e6fa4949f3800fe
SHA256 6a916977e4f29b7539872cdb6bd1299d2891df7975f6a375e00d670958fb04a4
SHA512 b486e7092e6e3610a38f86c4375a5e914964a1f567a1e2e3d77547ef92c29f8166500ff2faf1089d05d348e0adbc52c1fa3131350bb92762184ddd5a9e2f149e

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\prefs-1.js

MD5 436cbf785bfce9cfc2928405ed416c69
SHA1 03697db9f483b619311124b7aa1e3fc62e2bb3c9
SHA256 8784f46d6fbadf6ee45b4a5a5e858c097a232b21c866aee861c9a71b00ba4f95
SHA512 1484bd63fffabfa0ee98c27f5933ddb071060b90dae22d20f831be214ca2ea51aeb8c89dbc466df58938ef78acc814695f9739ad611eff1118d2eaed37b8c39d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ehv06adt.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 7dedec898d10283833f4d5e5a6a3ea98
SHA1 e7f09962a509ca6b591c93c109ed9ed1d9bbd202
SHA256 c62d8ad7a2fa9de0a9d740a7057f54e1994da641d887429d14649809eb33d6f3
SHA512 a961870cdbde27a62c8e3fe5935b3b232ce1fbfaa0b41e8a4c272eb75987d3fe3deeea1a6885b8c9afa1ebe2097ad1328212dbdb5a9c5c3499a4a1c871bd303f

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\prefs-1.js

MD5 69c479678464f6e4029a369f0ea641a4
SHA1 5dc46710273b9b7b1f9a3d02e0065cccf3aa47ff
SHA256 81ebb59fdb0fea0e318e7ad302710dcfbef5344288fa356e7688ef44ed443650
SHA512 c7aa87fee7e24dbfabff83ce5eaf3f5cc45a8c168aa5a5697e7a360f3c320542353a2eed4be24666a57d05f4519a56e4bbc60a9a4a1aa780a608ef5d2c5b6812

memory/3544-801-0x0000000000AF0000-0x0000000000FAB000-memory.dmp

memory/3544-1995-0x0000000000AF0000-0x0000000000FAB000-memory.dmp

memory/3544-2614-0x0000000000AF0000-0x0000000000FAB000-memory.dmp

memory/2260-2616-0x0000000000AF0000-0x0000000000FAB000-memory.dmp

memory/2260-2617-0x0000000000AF0000-0x0000000000FAB000-memory.dmp

memory/3544-2623-0x0000000000AF0000-0x0000000000FAB000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\AlternateServices.bin

MD5 b3066a9e4e8dae6ad4b6d549f4cba42b
SHA1 19b99f5ded378a89560c2e8ca26ccf68fe504cc0
SHA256 6218f13e470926c05c64fdaded093c1f969e0edc0c59b2acc14576e6c7fb5ae0
SHA512 77b1bfedf97cc21289958cd35d42c391157c81ef203cb1900fae820fcc2c76450bdf09f8df2a8bbbfb6d068c8dcf31113395690a8c1cadb0fd85bf10cb8aa380

memory/3544-2627-0x0000000000AF0000-0x0000000000FAB000-memory.dmp

memory/3544-2628-0x0000000000AF0000-0x0000000000FAB000-memory.dmp

memory/3544-2629-0x0000000000AF0000-0x0000000000FAB000-memory.dmp

memory/3544-2630-0x0000000000AF0000-0x0000000000FAB000-memory.dmp

memory/3544-2631-0x0000000000AF0000-0x0000000000FAB000-memory.dmp

memory/3092-2633-0x0000000000AF0000-0x0000000000FAB000-memory.dmp

memory/3092-2634-0x0000000000AF0000-0x0000000000FAB000-memory.dmp

memory/3544-2635-0x0000000000AF0000-0x0000000000FAB000-memory.dmp

memory/3544-2641-0x0000000000AF0000-0x0000000000FAB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-12 02:18

Reported

2024-07-12 02:21

Platform

win11-20240709-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\FBGIDHCAAK.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\FBGIDHCAAK.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\FBGIDHCAAK.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\FBGIDHCAAK.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\16b475fe86.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\16b475fe86.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe N/A (64 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\16b475fe86.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3916 wrote to memory of 708 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 708 wrote to memory of 220 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\16b475fe86.exe
PID 708 wrote to memory of 5068 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe
PID 5068 wrote to memory of 804 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 804 wrote to memory of 3596 (11 events) N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3596 wrote to memory of 788 (42 events) N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
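The WriteProcessMemory rows above are the only place in the report that ties PIDs to images, so they are the raw material for the launch chain: submitted sample (3916) to its self-copy explorti.exe (708), which starts both downloaded payloads (220 and 5068), after which e07a165db9.exe opens Firefox (804), and Firefox spawns its own content processes (3596, 788). Sandboxes log rows of this kind for ordinary process creation as well as for injection, so the table is best read as parent-to-child edges. The script below is an added example, not part of the report or of any sandbox tooling; it rebuilds that tree from the rows (copied here as constructed input, repeated as often as the table lists them) and separates the edges an analyst should look at from Firefox's normal browser-to-browser edges. The allowlist of browser names and the temp-directory heuristic are assumptions of the example.

```python
import re
from collections import Counter

# Image paths exactly as they appear in the WriteProcessMemory table.
SAMPLE   = r"C:\Users\Admin\AppData\Local\Temp\5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe"
EXPLORTI = r"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
DROP_A   = r"C:\Users\Admin\AppData\Local\Temp\1000006001\16b475fe86.exe"
DROP_B   = r"C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe"
FIREFOX  = r"C:\Program Files\Mozilla Firefox\firefox.exe"

# Constructed input: the table's rows as (description, writer, target),
# repeated as many times as the table lists them (3, 3, 3, 2, 11, 42).
WPM_ROWS = (
    [("PID 3916 wrote to memory of 708", SAMPLE, EXPLORTI)] * 3
    + [("PID 708 wrote to memory of 220", EXPLORTI, DROP_A)] * 3
    + [("PID 708 wrote to memory of 5068", EXPLORTI, DROP_B)] * 3
    + [("PID 5068 wrote to memory of 804", DROP_B, FIREFOX)] * 2
    + [("PID 804 wrote to memory of 3596", FIREFOX, FIREFOX)] * 11
    + [("PID 3596 wrote to memory of 788", FIREFOX, FIREFOX)] * 42
)

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)$")
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}  # assumed allowlist


def leaf(path):
    """Last component of a Windows path (os.path.basename is wrong on POSIX hosts)."""
    return path.rsplit("\\", 1)[-1]


def parse_rows(rows):
    """Return ({(writer_pid, target_pid): events}, {pid: image}) from the table rows."""
    edges, images = Counter(), {}
    for desc, writer, target in rows:
        m = ROW_RE.match(desc)
        if not m:
            raise ValueError(f"unexpected description: {desc!r}")
        ppid, cpid = int(m.group(1)), int(m.group(2))
        edges[(ppid, cpid)] += 1
        images.setdefault(ppid, writer)
        images.setdefault(cpid, target)
    return edges, images


def roots(edges):
    """PIDs that write to others but are never written to: the origin of the chain."""
    writers = {p for p, _ in edges}
    targets = {c for _, c in edges}
    return sorted(writers - targets)


def render_tree(edges, images, pid, depth=0, events=None):
    """Indented parent-to-child listing; each child shows how many write events led to it."""
    tag = "" if events is None else f"  [{events} write events from parent]"
    out = [f"{'    ' * depth}{pid}  {leaf(images[pid])}{tag}"]
    for (p, c), n in sorted(edges.items()):
        if p == pid:
            out.extend(render_tree(edges, images, c, depth + 1, n))
    return out


def suspicious_edges(edges, images):
    """Edges worth an analyst's time: the writer lives in a user temp directory,
    or a non-browser process writes into a browser. Browser -> browser edges
    (Firefox spawning its own content processes) are expected and skipped."""
    flagged = []
    for p, c in edges:
        writer, target = images[p], images[c]
        in_temp = "\\appdata\\local\\temp\\" in writer.lower()
        into_browser = (leaf(target).lower() in BROWSERS
                        and leaf(writer).lower() not in BROWSERS)
        if in_temp or into_browser:
            flagged.append((p, c))
    return sorted(flagged)


if __name__ == "__main__":
    edges, images = parse_rows(WPM_ROWS)
    for root in roots(edges):
        print("\n".join(render_tree(edges, images, root)))
    print("review:", suspicious_edges(edges, images))
```

Run as-is it prints a seven-node tree rooted at PID 3916 and flags four edges: the three launches out of %TEMP% and the e07a165db9.exe to firefox.exe edge. The two Firefox-internal edges, which account for 53 of the 64 events, drop out, which is the point: raw event counts in this table are dominated by benign browser noise.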

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe

"C:\Users\Admin\AppData\Local\Temp\5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\16b475fe86.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\16b475fe86.exe"

C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe

"C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1876 -prefsLen 25749 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c4bd56c-0b44-4a5b-98d1-76dca708d586} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2392 -prefsLen 26669 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b69606f-09e0-4f1e-adfc-543f84e61b4c} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3124 -childID 1 -isForBrowser -prefsHandle 3116 -prefMapHandle 3112 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37b29c4e-ff66-4819-9b07-19703aede96d} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3524 -childID 2 -isForBrowser -prefsHandle 3420 -prefMapHandle 3564 -prefsLen 31159 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7af3360-47da-4a98-baa8-7405e1fc9e91} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4300 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4712 -prefMapHandle 4700 -prefsLen 31159 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9bacff3-4b0c-45b6-aca0-14bd33584160} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5484 -childID 3 -isForBrowser -prefsHandle 5476 -prefMapHandle 4692 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c03dd480-4d96-4a23-89ec-e0338273f6c1} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5704 -childID 4 -isForBrowser -prefsHandle 5624 -prefMapHandle 5628 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43c80f97-fb02-4fc7-96eb-efb4d8598d3e} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5732 -childID 5 -isForBrowser -prefsHandle 5820 -prefMapHandle 5824 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a44e13a-af27-4d7f-ab14-3dc4c7eef11f} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FBGIDHCAAK.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EGDGDHJJDG.exe"

C:\Users\Admin\AppData\Local\Temp\FBGIDHCAAK.exe

"C:\Users\Admin\AppData\Local\Temp\FBGIDHCAAK.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
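Three naming patterns in the process list above are worth turning into command-line hunts: the self-copy sits in %TEMP%\<10 hex characters>\explorti.exe, the downloaded payloads sit in %TEMP%\<10 digits>\<10 hex characters>.exe, and the second-stage files are started through cmd.exe /c start "" "%TEMP%\<10 upper-case letters>.exe" (FBGIDHCAAK.exe, EGDGDHJJDG.exe). The matcher below is an added example, not part of the report; the rule names and the regular expressions are this example's own heuristics derived from the paths seen here, and the command lines it runs over are copied from the list above as constructed input. Firefox's content-process command lines are included so the rules can be seen to ignore them.

```python
import re

# Constructed input: command lines copied from the Processes list above.
CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\1000006001\16b475fe86.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe"',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account',
    r'C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c4bd56c-0b44-4a5b-98d1-76dca708d586} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" gpu',
    r'"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FBGIDHCAAK.exe"',
    r'"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EGDGDHJJDG.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\FBGIDHCAAK.exe"',
]

# Heuristic rules (names and patterns are this example's own), evaluated in order.
RULES = [
    # cmd.exe /c start "" "<...>\Temp\<10 upper-case letters>.exe": the launch form
    # used for FBGIDHCAAK.exe and EGDGDHJJDG.exe in this report.
    ("cmd_start_temp_upper10",
     re.compile(r'(?i:cmd\.exe)"?\s+(?i:/c\s+start)\s+""\s+"[^"]*\\Temp\\[A-Z]{10}\.exe"')),
    # Any executable directly in %TEMP% whose name is exactly 10 upper-case letters.
    ("temp_upper10_exe", re.compile(r'\\Temp\\[A-Z]{10}\.exe\b')),
    # %TEMP%\<10 hex chars>\<name>.exe: the directory holding the self-copy
    # (ad40971b6b\explorti.exe, same SHA256 as the submitted sample).
    ("temp_hex10_dir_exe", re.compile(r'\\Temp\\[0-9a-f]{10}\\[a-z]+\.exe\b', re.I)),
    # %TEMP%\<10 digits>\<10 hex chars>.exe: where the downloaded payloads landed.
    ("temp_digit10_dir_exe", re.compile(r'\\Temp\\\d{10}\\[0-9a-f]{10}\.exe\b', re.I)),
]


def classify(cmdline):
    """Names of every rule the command line matches, in RULES order ([] if clean)."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(cmdlines):
    """Map each flagged command line to its matching rule names; clean lines are dropped."""
    hits = {}
    for line in cmdlines:
        names = classify(line)
        if names:
            hits[line] = names
    return hits


if __name__ == "__main__":
    for line, names in scan(CMDLINES).items():
        print(", ".join(names).ljust(45), line)
```

The upper-case-name rules are deliberately case-sensitive: the letter case is the signal, and real process telemetry preserves it. Applied to the ten lines above, seven are flagged and the three benign ones (the original submission path, which has a 64-hex name, and both Firefox lines) are not. Note that the cmd.exe rows are also a WoW64 tell: the process list shows SysWOW64\cmd.exe even though the command line names system32, so the 32-bit parent was redirected.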

Network

Country Destination Domain Proto
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
GB 142.250.200.46:443 youtube-ui.l.google.com tcp
GB 142.250.200.46:443 youtube-ui.l.google.com tcp
US 44.242.121.21:443 shavar.prod.mozaws.net tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.107.243.93:443 push.services.mozilla.com tcp
GB 142.250.200.46:443 youtube-ui.l.google.com udp
GB 172.217.169.78:443 consent.youtube.com tcp
US 34.107.243.93:443 push.services.mozilla.com tcp
GB 172.217.169.78:443 consent.youtube.com udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
N/A 127.0.0.1:49832 tcp
N/A 127.0.0.1:49842 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
GB 88.221.134.155:80 a19.dscg10.akamai.net tcp
GB 142.250.200.14:443 redirector.gvt1.com tcp
GB 142.250.200.14:443 redirector.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com tcp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
GB 142.250.187.238:443 play.google.com tcp
GB 142.250.187.238:443 play.google.com udp
GB 172.217.169.78:443 consent.youtube.com udp
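Most of the Network table is Firefox talking to Mozilla and Google after it was pointed at youtube.com; the rows that matter are the three plain-HTTP connections to literal IP addresses with no name resolution (77.91.77.82, 77.91.77.81, 85.28.47.30) and the reverse lookups for two of them (82.77.91.77.in-addr.arpa, 81.77.91.77.in-addr.arpa), which are an easy pivot in DNS logs whichever component issued them. The script below is an added example, not part of the report: it parses rows in the table's own "Country Destination Domain Proto" layout (a subset copied here as constructed input) and splits them into loopback, PTR lookups, direct-to-IP traffic, vendor noise and anything left for review. The vendor-suffix allowlist is an assumption of the example and should be tuned to the environment.

```python
import ipaddress

# Constructed input: rows copied from the Network table above
# ("Country Destination Domain Proto"; the domain column is empty for loopback rows).
NETWORK_ROWS = """\
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
GB 142.250.200.46:443 youtube-ui.l.google.com tcp
US 44.242.121.21:443 shavar.prod.mozaws.net tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
N/A 127.0.0.1:49832 tcp
N/A 127.0.0.1:49842 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
GB 88.221.134.155:80 a19.dscg10.akamai.net tcp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
"""

# Assumed allowlist: domains the browser itself talks to after launch (telemetry,
# remote settings, update/CDN traffic) plus the site the sample opened.
BENIGN_SUFFIXES = (".mozilla.com", ".mozilla.net", ".mozilla.org", ".mozaws.net",
                   ".mozgcp.net", ".google.com", ".youtube.com", ".gvt1.com",
                   ".getpocket.com", ".akamai.net")


def parse_rows(text):
    """Turn the table's whitespace-separated rows into dicts; loopback rows have 3 columns."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'82.77.91.77.in-addr.arpa' -> '77.91.77.82'; None for anything that is not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    return ".".join(reversed(name[:-len(suffix)].split(".")))


def classify(row):
    if ipaddress.ip_address(row["ip"]).is_loopback:
        return "loopback"
    if ptr_to_ip(row["domain"]):
        return "ptr_lookup"
    if row["domain"] == row["ip"]:          # literal IP in the "domain" column: no DNS was used
        return "direct_ip"
    if row["domain"].endswith(BENIGN_SUFFIXES):
        return "vendor_noise"
    return "review"


def c2_candidates(rows):
    """Direct-to-IP plain-HTTP destinations, the subset that was also reverse-resolved,
    and any domain the allowlist did not explain."""
    direct = {r["ip"] for r in rows if classify(r) == "direct_ip" and r["port"] == 80}
    ptr = {ptr_to_ip(r["domain"]) for r in rows if classify(r) == "ptr_lookup"}
    review = {r["domain"] for r in rows if classify(r) == "review"}
    return {"direct_http": sorted(direct),
            "also_reverse_resolved": sorted(direct & ptr),
            "review": sorted(review)}


if __name__ == "__main__":
    print(c2_candidates(parse_rows(NETWORK_ROWS)))
```

On the constructed subset this yields three direct-HTTP destinations, two of which were also reverse-resolved, and nothing left for review. When the full table is fed in, the result is the same: every named host falls under a Mozilla, Google or Akamai suffix, so the candidate C2 set is exactly the three Russian-geolocated IP literals.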

Files

memory/3916-0-0x00000000005D0000-0x0000000000A8B000-memory.dmp

memory/3916-1-0x0000000077B96000-0x0000000077B98000-memory.dmp

memory/3916-2-0x00000000005D1000-0x00000000005FF000-memory.dmp

memory/3916-3-0x00000000005D0000-0x0000000000A8B000-memory.dmp

memory/3916-5-0x00000000005D0000-0x0000000000A8B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 ad7686b6a3804dda1cb2b039efdcd54f
SHA1 d810885254abaf8d3ac93269209141833c45ce58
SHA256 5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181
SHA512 d795e4c224d9e9066822a009602dd38542f86021b994accf3cdc715e869d58bd9321b8c07d776848a2d5bea8607c347d15030861dc63fcb2392e87e3feb901f4

memory/3916-17-0x00000000005D0000-0x0000000000A8B000-memory.dmp

memory/708-18-0x0000000000250000-0x000000000070B000-memory.dmp

memory/708-19-0x0000000000250000-0x000000000070B000-memory.dmp

memory/708-20-0x0000000000250000-0x000000000070B000-memory.dmp

memory/708-21-0x0000000000250000-0x000000000070B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\16b475fe86.exe

MD5 b5f67083e086299287f0dfb2a7bef96e
SHA1 dccf58d99cd7153859d1ad5a1c3f7e348e2ebbb7
SHA256 1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80
SHA512 55c4f5d435a1a27e6c8e14c88e454da4dc2398076f4596a6f983184831db0119c58be9c82b8ddf5ef37265b65b5cea56e5963c871b2be0f8e88064224681d654

memory/220-37-0x0000000000060000-0x0000000000C41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe

MD5 37f0d7fac582e7e1592b3306f79143f0
SHA1 fe09db964b98769ebf71d780de5655958a4b9dbb
SHA256 dd8ed064fdd43873a7ece063734ef85a27549c4f2a90e05aeccf859c8c53ffbd
SHA512 3a020bea5a33387ad5e15bf22bc9a81406885ed0c1d40eb9d257d110b34fffa86598af61ceaaf5756a685e7bf9aecc976d951823c46eb48106781ca6e6fc1126

memory/220-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/708-92-0x0000000000250000-0x000000000070B000-memory.dmp

memory/4680-94-0x0000000000250000-0x000000000070B000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q0xshw2k.default-release\activity-stream.discovery_stream.json.tmp

MD5 8936a12e53b0fc61478bd2f088cae1a6
SHA1 728cbc476c10160b69c21208a128f610f3d7438d
SHA256 69fdbb6162b12383065140db07d54ef0f74f755f8ac4520dfbe313463fdc1cba
SHA512 436ff369c7b89c3f990de8c375bc8ea316319fe24b347ced391820f69f3fb659d72787773c6e25cf2d17ea5dd63ecf91613531779ae912c3515495cd722d73d8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\datareporting\glean\db\data.safe.tmp

MD5 95cce94e89063e0f07bdb4742e969a08
SHA1 7d65a5ae009fa0ac96265ccce06e9a2375f582c8
SHA256 3ab6b8e58b91d55509991a499fe0a31b2c20e383d2ecf97ba498ad37021e09f3
SHA512 a5a62346183a60544519da12789968dffe48a95859edf6d819f5ae0ddce49749a6efd488981aa446f544b346778324e1d361be90d2b9b640a00bc52b229f9463

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\datareporting\glean\pending_pings\bffe289d-e7cc-49ea-9d19-91a844b3ef29

MD5 4e4b74f7afa30ae97acc726c827c20d7
SHA1 2dc140c50c9c18e8eb9322c1d100544afccb9af3
SHA256 9792934e25fdd5e21b819bbafbb37c273ac552f4f0d8508e68c6e0a773a03409
SHA512 6c14c2d2ce8cc13d8a33e5b34dbc21dced8a3fbeb82ec7ebed4772d2d5dc87714604ccdec0169eed4fd2238d11dfa7df3e363d18366728709612ca3e7e3568a6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\datareporting\glean\db\data.safe.tmp

MD5 c6f098747dadb0d193c245af99c40c49
SHA1 e93f96522d8b8ea352fd8aa5c7546383aaa512f1
SHA256 d2f5abb02abef295a61883bb817617cda0cbb008d06cc431825636cf2173484e
SHA512 5cb5ac5eb0fa36434e31966f6df3999463b90b77d00fecac547fb945c4d980b92439fa4cc8d661301ec0a7c784a0e6812c4089ff4f62ce879267a8b379d53f99

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\datareporting\glean\pending_pings\9bd14a83-50a3-4a56-8541-c57be1b7cfe8

MD5 a827063adbf6516ceefb7e1d5bec9062
SHA1 dac06e886c3238166d4f25f15dad816a995b45b0
SHA256 ecc6eb531ecd012f834722d916f8c039df53ce30cc6a3de3860a301ad609a4c7
SHA512 07e54d051b999d722b1cbd1a90b550a416b5f152499d532876e966af362e34451407aa052cad96efe597a410099bdc45613337f97622f2086c81fbb353499404

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\datareporting\glean\db\data.safe.tmp

MD5 b8d96f8e6d3bcecff6662b2defbcd35c
SHA1 9d8a98235cec4c0f93e9fb3b9f6227003af151c9
SHA256 05325e4ce3f33aaef418bcdfc53a8a10ccd168664cac23f93fddf012d2bbc9d0
SHA512 6599b82ce6dd8e6b03ef32c8c26b540c9e0303d3dc1908d34b842b295784e9f79938aca1a5a19c1438bc178c7e4233b84c7fd0f78c3403d53c24ab0a691fc8d8

memory/4680-358-0x0000000000250000-0x000000000070B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\AlternateServices.bin

MD5 9dba40ce51919633121e021cc24f587c
SHA1 56f69df54ffbf4ca9ac1460e953907f72d9f8a78
SHA256 727b594fbc152b344d48ac79a7453dab50c7860f8fc2e77c7913c8111d9f9e9a
SHA512 536ab4aa6e2da13e28b5d5ac982a67cb9574a9f1bb5d5bd38480311b9f3dff50d01926616e5d78d33cd187da2bfb63974b08b7dbae4e7bc0830f0fd91b4e79b1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\prefs.js

MD5 decca1b9eddcbaac476701df5a0f0ef2
SHA1 08170f9a9c595d8fd3c6a8d497246392efe7dc2b
SHA256 a66746de02a96e14b912e1ff3a5447b04223becd7ba5a1fdfc8887c90a7298b1
SHA512 2dda955907071489d3c5ef1369fb3dbe4125d5bd94531e1c9243cb4c2b495258d04d60fd28a40144f8ad777ed94ee4e100e5ec1c33b8ee9b7411071fc7dc1bf5

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\cookies.sqlite-wal

MD5 9b71c7cfa7eb3bb533684a269e273cd0
SHA1 cedff485c33bc46b34596d91ab3370cee0ebc825
SHA256 36082a035840ac2a99e91a908fa4e4804534f7dc2d27352752434c2ae0ef4402
SHA512 7119708b33ce2084ff843041223779a634d78d07bbb06cfa1379f38b92a2000400cc9401b21dab7c65d8838aeb33e4a013e07fc7fce48aa2123e7fed81467e58

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\places.sqlite-wal

MD5 618111df2df5db0a1669f19776980b95
SHA1 a362a7e476c240259a3ed4d2e37974e9013e1038
SHA256 650c5a48a3eae9be8b359d4023af2387734ab4d6b5722fcde0c03c48002988c1
SHA512 05ef55a607dc564bc8d692fb4483d87968592f047592ecc2e8dd6ccf0e4ba2d796fb88c0b01eee39006b5be40470ad442161dfb0eb24c65e0ec5604169445939

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\prefs.js

MD5 b426f5419304adfd43c8c2669b45bbc6
SHA1 87990a02fc874ed7d37e0ac2a9a9e0c3fba1b169
SHA256 8bea75212b40ebecef369ec87215592df9019eb04f067fd2f8a8d28417ff4a3a
SHA512 e2d576113dfa84ff11ef87bdeb233d113d6a18e5943e0aac8b81715ad736cb4cf422970694296f820d600fd7341e55d4830f82736dcbc0a81c15c5c8885162ec

memory/220-458-0x0000000000060000-0x0000000000C41000-memory.dmp

memory/708-459-0x0000000000250000-0x000000000070B000-memory.dmp

memory/220-469-0x0000000000060000-0x0000000000C41000-memory.dmp

memory/708-473-0x0000000000250000-0x000000000070B000-memory.dmp

memory/4352-474-0x0000000000FF0000-0x00000000014AB000-memory.dmp

memory/4352-475-0x0000000000FF0000-0x00000000014AB000-memory.dmp

memory/708-476-0x0000000000250000-0x000000000070B000-memory.dmp

memory/708-477-0x0000000000250000-0x000000000070B000-memory.dmp

memory/708-490-0x0000000000250000-0x000000000070B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\datareporting\glean\db\data.safe.tmp

MD5 d45997703294a78f2fadfa07b3831168
SHA1 f119247301294eb19ea9f085d8ca79f7c56bc87c
SHA256 479ef1fc0a4ff87df4939b1da73040547726cf871df3ee6cd44969b179094f3f
SHA512 5dfcbba91bc35f543a676ce284cbaae905da0524010ad5ba13220b5d251f36061bf4fea4cdfef1a10f4f90916f73bd54103220e4e68e13f6f44a14dae2447570

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\prefs-1.js

MD5 d65d24d04edc68a4eeaf76075b8193de
SHA1 484a472bdf29894fc6bc594ef39b0b240196e415
SHA256 fa3bd44328834a3990c983a441894d129ad32cb8a8b1facd1b5e982701187398
SHA512 5dcc7df43515d99533a2f332e0abcd3b4d43387287a5936f18500b3cee04b3bd5274b8b15f7585a8978077cbb4f9b44f770b7ae102107fe01360e59d7e392c4f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q0xshw2k.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 d1915c15310565fb19294e8f97970e8c
SHA1 3258251885cce28696bed394ef01ca0b7ce600f9
SHA256 dd2fac28ff13981d9d0a72a28e08a784307b0fd1e3d3677037d503e8241b48e8
SHA512 fbdc1eb16ae004be7b9dd3dfe5f7b012b8bca3b8afccae67f75b361c8bb90ff2d282e23c29c8a69f5570cd932d4e3791b7ef85051f3257c5f6693e046dcc5f85

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 79d6dbc2b57c0effff31bbe4a754f404
SHA1 8185a055f621d041f6ecc0e16e2f9edde69da732
SHA256 da860f82a576f2629e30fda201409a78950d6ab81a53b81c6b6b02628e34b10e
SHA512 976c6da644347530a492b2bac3558a6ef806cadb87f28dcb3e3be7329cfc3b6947c457ebb75054094648789ff42319af6e63965070594c66dbb59aff140d66bf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\datareporting\glean\db\data.safe.tmp

MD5 437b60523a3a5fd0e96310735cf194c1
SHA1 a65f26f8e78a814d825d3e35b8afdaf0b7d18893
SHA256 c1141afd41bd69f759474f043cfce89432c24c5e8e9734cdada2fb8cdfc27095
SHA512 cf8b2d022de8b84931a3fc77abe6a73cb4fb5835fee652cad1bf972addaecc54853b918bf551476891c3fa234f73d776dc8da68522a4c94f1124c5fc0ca3614f

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 d3fb6332271639096eb3c93d28e17582
SHA1 fb64ad5f97e7a7cfccbe1a33f19a028e19b4bf5c
SHA256 5591b421bfe5bec6d04f7dc6164cfbf4c18510406eb6aa3fe07d9e0bc9f144fe
SHA512 8db119886b9d5988e959eddd1ca2d8d42b1ad9a0ace55db312415246c3c39f44f0ff29918167e88bae03beebbca42251c453eaf2581f5a07dc4ad1ac47e1b52e

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q0xshw2k.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

MD5 39fdae9b4fb18fee3b6346bc969fc8ff
SHA1 5d745feb9a0d4d6e291094a3ae8a89cbff726453
SHA256 13524e128e2e2923b538e04310d4b4d7401793e49ab9306711fdc917f1af9392
SHA512 4937f4507df7945e306e3f77fa1813ea9926b46ddb491acd1ce7e41e9680dfd9eb1d4662e7612af22959dfd0d75682c080cfd2a5ed55a5ee6385056ac3be4cc9

memory/708-780-0x0000000000250000-0x000000000070B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\prefs-1.js

MD5 5962e795d09ea2178c8355749fc1eaf5
SHA1 a6339f3243f265ebc67bc1be33d8923107ee2359
SHA256 57cc47416f0735c8c6a4595e52db286aedf05d1c7703c1cd977507824b7ec132
SHA512 c4a3e4b4764224eb13a2d2929ad2f1a0d480df755bbc529f4f28d23a802217e20613b737e609409a7605f2a63085e9c4872912a83f15a22fb375134496687c61

memory/708-1880-0x0000000000250000-0x000000000070B000-memory.dmp

memory/708-2633-0x0000000000250000-0x000000000070B000-memory.dmp

memory/708-2637-0x0000000000250000-0x000000000070B000-memory.dmp

memory/3632-2641-0x0000000000250000-0x000000000070B000-memory.dmp

memory/3632-2643-0x0000000000250000-0x000000000070B000-memory.dmp

memory/708-2645-0x0000000000250000-0x000000000070B000-memory.dmp

memory/708-2646-0x0000000000250000-0x000000000070B000-memory.dmp

memory/708-2647-0x0000000000250000-0x000000000070B000-memory.dmp

memory/708-2648-0x0000000000250000-0x000000000070B000-memory.dmp

memory/708-2649-0x0000000000250000-0x000000000070B000-memory.dmp

memory/708-2650-0x0000000000250000-0x000000000070B000-memory.dmp

memory/2488-2652-0x0000000000250000-0x000000000070B000-memory.dmp

memory/2488-2653-0x0000000000250000-0x000000000070B000-memory.dmp

memory/708-2659-0x0000000000250000-0x000000000070B000-memory.dmp
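The listing above is plain text: a path (or a `memory/<pid>-<n>-<range>-memory.dmp` entry), then MD5, SHA1, SHA256 and SHA512 lines, with memory dumps carrying no digests and one path (the Firefox `idb` `.sqlite` file) appearing twice with different hashes. As an added example, not code from the original report or from the sandbox that produced it, the Python below parses that layout into digest records and builds a lookup so a file's digest can be checked against the report. The entries embedded in `SAMPLE_LISTING` are copied from the listing; the bytes hashed at the end are constructed and are not the real dropped files; the function names are my own.

```python
"""Turn a sandbox dropped-file listing into a digest lookup table.

Added example. Parses the 'path / MD5 / SHA1 / SHA256 / SHA512' layout
used in the report above and checks arbitrary bytes against it.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Hex length of each digest; anything else is a truncated or mangled line.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
DIGEST_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


@dataclass
class Artifact:
    path: str
    digests: dict = field(default_factory=dict)  # algo -> lowercase hex


def parse_listing(text: str) -> list:
    """Split the report text into Artifact records.

    Any non-empty line that is not 'ALGO hex' starts a new artifact;
    digest lines attach to the most recent one. A digest with the wrong
    hex length raises, so a cut-off line cannot silently become an IOC.
    """
    artifacts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIGEST_RE.match(line)
        if not m:
            artifacts.append(Artifact(path=line))
            continue
        algo, hexval = m.group(1), m.group(2).lower()
        if not artifacts:
            raise ValueError(f"digest line before any path: {line}")
        if len(hexval) != DIGEST_LEN[algo]:
            raise ValueError(f"bad {algo} length on {artifacts[-1].path}")
        artifacts[-1].digests[algo] = hexval
    return artifacts


def build_index(artifacts) -> dict:
    """Map each digest to the report paths carrying it. The same path may
    appear under several digests (a file rewritten during detonation)."""
    index = {}
    for a in artifacts:
        for hexval in a.digests.values():
            index.setdefault(hexval, []).append(a.path)
    return index


def match_bytes(data: bytes, index: dict) -> list:
    """Hash data with all four algorithms; return matching report paths."""
    hits = set()
    for algo in ("md5", "sha1", "sha256", "sha512"):
        hits.update(index.get(hashlib.new(algo, data).hexdigest(), []))
    return sorted(hits)


# Entries copied from the report listing (raw string: the paths contain
# backslash sequences such as \U that Python would otherwise interpret).
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 79d6dbc2b57c0effff31bbe4a754f404
SHA1 8185a055f621d041f6ecc0e16e2f9edde69da732
SHA256 da860f82a576f2629e30fda201409a78950d6ab81a53b81c6b6b02628e34b10e
SHA512 976c6da644347530a492b2bac3558a6ef806cadb87f28dcb3e3be7329cfc3b6947c457ebb75054094648789ff42319af6e63965070594c66dbb59aff140d66bf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 d3fb6332271639096eb3c93d28e17582
SHA1 fb64ad5f97e7a7cfccbe1a33f19a028e19b4bf5c
SHA256 5591b421bfe5bec6d04f7dc6164cfbf4c18510406eb6aa3fe07d9e0bc9f144fe
SHA512 8db119886b9d5988e959eddd1ca2d8d42b1ad9a0ace55db312415246c3c39f44f0ff29918167e88bae03beebbca42251c453eaf2581f5a07dc4ad1ac47e1b52e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\prefs-1.js

MD5 5962e795d09ea2178c8355749fc1eaf5
SHA1 a6339f3243f265ebc67bc1be33d8923107ee2359
SHA256 57cc47416f0735c8c6a4595e52db286aedf05d1c7703c1cd977507824b7ec132
SHA512 c4a3e4b4764224eb13a2d2929ad2f1a0d480df755bbc529f4f28d23a802217e20613b737e609409a7605f2a63085e9c4872912a83f15a22fb375134496687c61

memory/708-1880-0x0000000000250000-0x000000000070B000-memory.dmp
"""

if __name__ == "__main__":
    arts = parse_listing(SAMPLE_LISTING)
    idx = build_index(arts)
    print(f"{len(arts)} artifacts, {len(idx)} distinct digests")
    # Constructed bytes, not a real dropped file: expect no hit.
    print(match_bytes(b"constructed sample, not the dropped file", idx))
```

To check a triage host against the report, feed `open(path, "rb").read()` to `match_bytes`; a hit on any one digest is enough to tie the file to this detonation, and the length check in `parse_listing` keeps a truncated copy of the report from producing false positives.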