Malware Analysis Report

2024-11-13 16:45

Sample ID 240712-gwlc1a1flq
Target d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4
SHA256 d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4
Tags
amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4

Threat Level: Known bad

The file d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d hate discovery evasion spyware stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Loads dropped DLL

Checks BIOS information in registry

Identifies Wine through registry keys

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Checks computer location settings

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-12 06:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-12 06:09

Reported

2024-07-12 06:11

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A 3
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\EGDBAFHJJD.exe N/A 1

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target Count
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A 3
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A 3
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\EGDBAFHJJD.exe N/A 1
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\EGDBAFHJJD.exe N/A 1

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EGDBAFHJJD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target Count
Key opened \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A 3
Key opened \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\EGDBAFHJJD.exe N/A 1

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\EGDBAFHJJD.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A 2
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A 2
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe N/A 1
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A 1
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A 1
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A 1
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A 1
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe N/A 1

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A 5

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A 43
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A 21

Suspicious use of SendNotifyMessage

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A 44
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A 20

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1516 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe C:\Windows\SysWOW64\cmd.exe 3
PID 1516 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe C:\Windows\SysWOW64\cmd.exe 3
PID 976 wrote to memory of 2264 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EGDBAFHJJD.exe 3
PID 2264 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\EGDBAFHJJD.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe 3
PID 4396 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\b900859885.exe 3
PID 4396 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe 3
PID 2992 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe C:\Program Files\Mozilla Firefox\firefox.exe 2
PID 2740 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 11
PID 1852 wrote to memory of 1624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 33

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe

"C:\Users\Admin\AppData\Local\Temp\d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EGDBAFHJJD.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GIEHIDHJDB.exe"

C:\Users\Admin\AppData\Local\Temp\EGDBAFHJJD.exe

"C:\Users\Admin\AppData\Local\Temp\EGDBAFHJJD.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\b900859885.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\b900859885.exe"

C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe

"C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2004 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 25755 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a60cd2e5-63f4-43fb-8174-e93242540a1a} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 26675 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b04f0160-2f35-47ba-ad0e-c657ce211931} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2900 -childID 1 -isForBrowser -prefsHandle 2796 -prefMapHandle 3176 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc167505-6587-4656-b990-1080a2971162} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3972 -childID 2 -isForBrowser -prefsHandle 3964 -prefMapHandle 3960 -prefsLen 31165 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de49b3a3-e65e-4601-8ce6-91af482fb4e6} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4672 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4644 -prefMapHandle 4684 -prefsLen 31165 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ed6ba39-868e-4b41-93c3-07b7af8825bf} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5244 -childID 3 -isForBrowser -prefsHandle 5368 -prefMapHandle 5372 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d69594ba-4714-400b-8c2a-604009b6aca1} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 4 -isForBrowser -prefsHandle 5600 -prefMapHandle 5596 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54e1a3a5-6ced-4202-bc76-b218c1fc4403} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5792 -childID 5 -isForBrowser -prefsHandle 5700 -prefMapHandle 5704 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2db10508-9afe-4fa1-9d9a-9c22818d5e73} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" tab

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
GB 172.217.169.78:443 www.youtube.com tcp
GB 172.217.169.78:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 78.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
GB 172.217.169.78:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 44.242.121.21:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
GB 216.58.201.110:443 consent.youtube.com tcp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
GB 216.58.201.110:443 consent.youtube.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
N/A 127.0.0.1:51762 tcp
N/A 127.0.0.1:51769 tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 21.121.242.44.in-addr.arpa udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 172.217.169.46:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 172.217.169.46:443 redirector.gvt1.com udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 46.169.217.172.in-addr.arpa udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com udp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
GB 216.58.201.110:443 consent.youtube.com udp
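
Most of the table above is the detonation VM's own Firefox install talking to Mozilla, Google and the OpenH264 CDN; the rows that matter are the three Russian-hosted addresses contacted by bare IP over plaintext HTTP (85.28.47.30, 77.91.77.81, 77.91.77.82) with no hostname resolved first. The script below is an added example, not part of the sandbox report: it parses a hand-copied subset of the rows (constructed input), separates those bare-IP HTTP connections from the browser background traffic, and pairs them with the reverse-DNS (PTR) lookups the sandbox issued for the same addresses. The allow-list of benign suffixes is an assumption made for this report, and a PTR query on its own is not a signal, since the sandbox resolves benign peers backwards too.

```python
"""Sort the Network rows above into C2 candidates and browser background noise.

Added example, not part of the sandbox report. NETWORK_ROWS is a hand-copied
subset of the table above (constructed input); the parser handles the 4-column
rows and the 3-column loopback rows the report prints.
"""
import ipaddress
import re

NETWORK_ROWS = """\
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
GB 172.217.169.78:443 www.youtube.com tcp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
N/A 127.0.0.1:51762 tcp
"""

# Hosts the VM's unmodified Firefox contacts on its own (telemetry, remote
# settings, the OpenH264 plugin fetch, the pages it opened). This allow-list
# is an assumption for this report, not something the sandbox provides.
BENIGN_SUFFIXES = ("mozilla.com", "mozilla.net", "mozilla.org", "mozaws.net",
                   "mozgcp.net", "google.com", "youtube.com", "gvt1.com",
                   "bing.com", "getpocket.com", "akamai.net", "openh264.org")

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")


def parse_rows(text):
    """Yield (ip, port, domain, proto); the domain is '' on loopback rows."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _country, dest, domain, proto = parts
        elif len(parts) == 3:
            _country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, _, port = dest.rpartition(":")
        yield ip, int(port), domain, proto


def ptr_to_ip(name):
    """'30.47.28.85.in-addr.arpa' -> '85.28.47.30'; None for ordinary names."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def is_bare_ip(domain):
    try:
        ipaddress.ip_address(domain)
        return True
    except ValueError:
        return False


def triage(text):
    """Return (c2_candidates, ptr_resolved, benign, unknown).

    c2_candidates: 'ip:port' strings contacted by bare IP over plaintext HTTP.
    ptr_resolved: IPs the sandbox looked up backwards; it does this for benign
    peers as well, so a PTR query alone proves nothing.
    unknown: named hosts outside the allow-list that need a manual look.
    """
    c2, ptrs, benign, unknown = set(), set(), set(), set()
    for ip, port, domain, proto in parse_rows(text):
        if not domain:
            continue
        reversed_ip = ptr_to_ip(domain)
        if reversed_ip:
            ptrs.add(reversed_ip)
        elif is_bare_ip(domain) and port == 80 and proto == "tcp":
            c2.add(f"{ip}:{port}")
        elif domain.endswith(BENIGN_SUFFIXES):
            benign.add(domain)
        else:
            unknown.add(domain)
    return c2, ptrs, benign, unknown


def c2_ips_with_ptr(text):
    """Bare-IP HTTP peers that the sandbox also reverse-resolved, sorted."""
    c2, ptrs, _, _ = triage(text)
    return sorted({entry.rsplit(":", 1)[0] for entry in c2} & ptrs)


if __name__ == "__main__":
    c2, ptrs, benign, unknown = triage(NETWORK_ROWS)
    print("C2 candidates:", sorted(c2))
    print("also PTR-resolved:", c2_ips_with_ptr(NETWORK_ROWS))
    print("browser background hosts:", len(benign), "unreviewed hosts:", sorted(unknown))
```

The named-host HTTP fetch from ciscobinary.openh264.org stays in the benign bucket on purpose: the rule keys on a bare IP with no preceding name resolution, not on port 80 alone. Anything that lands in `unknown` is where the allow-list assumption should be revisited before the output is fed into blocking.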

Files

memory/1516-0-0x0000000000C20000-0x0000000001802000-memory.dmp

memory/1516-1-0x000000007F6F0000-0x000000007FAC1000-memory.dmp

memory/1516-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/1516-76-0x0000000000C20000-0x0000000001802000-memory.dmp

memory/1516-77-0x000000007F6F0000-0x000000007FAC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EGDBAFHJJD.exe

MD5 a7a231ef5b7166696111b8b2151f0b2c
SHA1 4ae6e23e6a4c23dc421775a7a55f2329aa975d5b
SHA256 c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d
SHA512 27756ffd4b67dc8034ef3d168fae3ba042da75ad7a5a530764bfd9418c8ed79f9b1edf056633e3d0d89c974a57e704a11ea923bed13e81e0beefdc43f1b7fb15

memory/2264-81-0x00000000005D0000-0x0000000000A92000-memory.dmp

memory/2264-82-0x00000000774C4000-0x00000000774C6000-memory.dmp

memory/2264-93-0x00000000005D0000-0x0000000000A92000-memory.dmp

memory/4396-95-0x0000000000890000-0x0000000000D52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\b900859885.exe

MD5 08c7502b3315ce651b6b57849c1d7308
SHA1 25d8366a04fca7105e7c38eac267ab787456f8c3
SHA256 d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4
SHA512 d3b352b9bcd49b4ee412fd43c5bd6be752083f4dfc20c0cf31f48003b28a9ef7171290ffbb47b8d31714afa945db78a2b4911d5963c2e63533e3bb66947bd64d

memory/1728-111-0x0000000000790000-0x0000000001372000-memory.dmp

memory/1728-113-0x0000000000790000-0x0000000001372000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe

MD5 c9d56cd0a203897f2a7e757c6f56367d
SHA1 f3ce65c3ddbc08ed507de1486992ed5d4dd67b6e
SHA256 7f797431b98fc646e12d1c85be00527bd78a991830dc5160188ab77854959f4d
SHA512 ad06efb0e7c6fd32c4e19929dd63bf4e53562f03ab9a96b8f45a115361cacb984aa2bb0600dffd1d9f68d2a60fb781449097fe1cfe78c10b3d9a2c2f3cb2c63e

memory/4396-132-0x0000000000890000-0x0000000000D52000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\prefs.js

MD5 43f44d4e5d7197d093ccfc56713464c1
SHA1 15dc6eb40ac53644d491018e0f7f42d04a7f9fc4
SHA256 8e4c316cabe75ef73115b4f22ca6bd59fdaf5604643643efd85a3ccb8fedddd1
SHA512 03cdc90c347a31ff4423a7b570efad4ddb5aef18872157bc0a03e5c78c898d4140814f77b1764a039f17689cf8e5f34a10a15d4eef9980d52e29b39ba7dd5b8c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zirruo9e.default-release\activity-stream.discovery_stream.json.tmp

MD5 8b94e4274372c68b6cc95bef2fe606f1
SHA1 def18ca9b6a23c331fc26299673dbdc112faba3f
SHA256 d929e7660500da559acb41b799741eff9a666899206f3460b7587ee7f0fbbe6d
SHA512 89aae345dc35b9b4996c10683b0cbc8c6ee999629be10810d719911f87f825f0d4b44f96e0ea1beb03d93c6c4d840c71d164694129a09d0118fd7dfe699ebd5b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\pending_pings\d56b0b07-2bbf-49f8-a9e3-6429cf3593fe

MD5 044228c23afb3b6f560c03e4e6fada36
SHA1 9e4b9b86eee605fe2f2867e6948537c13db2b9d3
SHA256 4870e400002cc7227174b2e7cb3a979dfeb2512e7937f7c006cb0157bc5adefb
SHA512 8bbcd2fb27cffd7b31740c9d14de8a0460f8e9370b684f492b7954168ae1d4dd5377c361804fc465687a012eee0e47d6e5960398cd42638626d6175f0baa427e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\pending_pings\4adfc75c-4da9-446c-9f9a-cdf9b4e5cea8

MD5 8540ef4b765c977aca154e66d760d2ed
SHA1 be4cc426518a61eccc49f3b4bc2a38b7378dcba1
SHA256 76fd29a832ecb7be3b9c7a546205cac3f2522b25794007b193cedb3eeef7310f
SHA512 39bb1b0d669772e43934f34fcd63ffe2ab43f9dc7ea8823d4edf355c1205415c5f17b2e46ec6af39b8f399cb71b77c264d6c143363c0241395271a059bc9945a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\pending_pings\2a93af1d-b134-4ae0-83e3-3039160c0107

MD5 aab0dd196b1739e8043abd6ece4072e9
SHA1 2d7b98000fccbe6cc269583d567e3e17e3e8cad6
SHA256 e13930b6d7b7445132dcaae5cfc70cb9d0473a2b219f925aa39f73edae90a0d3
SHA512 892c34ba2b596e7ec9a3cddfcb7179e2399663e1433010741f95166a64999e80dd4b054bbc1009b8b3fe446613efb8acebd1b6fda4d590fb5e80951377cea012

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\db\data.safe.tmp

MD5 09476edcc957f3075a249b020ce4bdcc
SHA1 e8c67c7c71089da8a3d79b406ca84251d5bb9eff
SHA256 75b5f3f7062473a2abe306ec12b06e32d9ea9ff70167bb0f8d1200cacaa00dbd
SHA512 f97875281510e243eb0a918c1d510be4c989c62444bab95c7122701c6cccd475be7ed7bb09009b238cb9408cb88ad783bc9598d294e4ac4eb24a70e8a8e3f9cd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\AlternateServices.bin

MD5 ca20f928bd38f4d22f33b035bb292d4d
SHA1 d99bed3055057177784584ea61313ef069f98497
SHA256 f3cef16f1ec3b5bce7f3f0048898dcfbe65e6eb90711c91a0b5f190ab44358db
SHA512 82e111433bcaf5916bf801c3c936acb6fd0252d0bf6a3139d7b482238aca158bca80ba6156a2a45c315fe1599c2275a855d1d360b6f1870be0c7159dc57d81b0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\db\data.safe.tmp

MD5 a4f2a5ec5c1135e0a7c184930f5ff68a
SHA1 20e15c9d66a6b1a50d25cb5999c8b6e48ffda20e
SHA256 fc70d9af1ae5f1a5ff93ebfa81879d278914c7c150068db4b3c17380494e02e7
SHA512 b714ad22d756a6f15d8148b56fe0fcfc15befc8e5159693b87fab3faf807a53e7a4ef193826dcd3be7a0d4266d7a3899ccbe1272c7afdb481ac73c47857b9272

memory/4396-468-0x0000000000890000-0x0000000000D52000-memory.dmp

memory/4464-479-0x0000000000890000-0x0000000000D52000-memory.dmp

memory/4396-478-0x0000000000890000-0x0000000000D52000-memory.dmp

memory/4464-480-0x0000000000890000-0x0000000000D52000-memory.dmp

memory/4396-485-0x0000000000890000-0x0000000000D52000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\db\data.safe.tmp

MD5 d9418dc76083f658667a859718766bd1
SHA1 0af40ab41621ed28a878123dfef3cdf1cf17d295
SHA256 4ed980668b16aa81adc4216d2f65edb0b250d25771ccf639c47b4b7bc3ad2977
SHA512 8fa5d185a9f74a6d09cc431eec85f1fe2e6ccac9ce9d975a6a26924c49e5f44356af382392e4d0d9d5574f5403084cacefa05225efcd997d764b350a47ba8de0

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\prefs-1.js

MD5 a3fb8dc2bbcd20226447f11f434d6e55
SHA1 5484a7ee5661b4ed5f316a1c3f69395078434096
SHA256 1ac39e7968433a7a2c9dd0b0ef937d3e5c250f7a3f80e922a91a2d8357e0c562
SHA512 3f54e6d625da1d7846af31f05cd01141c28cc85073a870a43ee08a5058bfcadc0ef7bf7d43706ffdd1841d6c312d91a45cc122bcdadcc658979760580f0d24ed

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zirruo9e.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 40dd09d1a6b8ef064441794d340f211f
SHA1 6e43368c1467117e2d1aae3c5f385957b66dff69
SHA256 cf39e052a5e5bc14ab9faff1337c89996cb6aab7dcb840aadaeba3ea6366d78d
SHA512 d24318681c7ec0144fa306b8dd8cefb70e26dc9d18f6a756deb194004105d15b3f8bfe7eaa38a3b929b03c3e5a11746a1bf9bfeaa07fc283c14916d2377ac01e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 db5e2366b7caabee207286d5d3790a1b
SHA1 8829687e15d8a2327bf1bb3f6ce73369f305d98e
SHA256 9245c50e2df5757a5e2cca79889f7c0e6327cde770a905cb1de103264ac9d7e5
SHA512 505bceaa6bc111a274d4c337ba2506cea7c5259088ea47a1a8a7f71f87591a030856051b8677afe945b93adcd173ff09b28848baa2634770d58d7b88ec7ca908

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/4396-724-0x0000000000890000-0x0000000000D52000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\prefs-1.js

MD5 1dcca2ecdbed77490dbc5eb4db62481f
SHA1 f1032fff5ce2aa415a0b715434a4c6a2e233107c
SHA256 9d38cfd7dfb5fb6657a26d98f67d91bd528fb186fdc940da8ee88b43418ae82f
SHA512 c12c2a821304d7c06a1052572861e66f25ebd0bc6e7d79f9c808ace58e7784b833fa44657d035252eeb2dc6a1bc9a90af634a6bce3f146a1c912a96c55ebdddf

memory/4396-2308-0x0000000000890000-0x0000000000D52000-memory.dmp

memory/4396-2604-0x0000000000890000-0x0000000000D52000-memory.dmp

memory/4396-2607-0x0000000000890000-0x0000000000D52000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\AlternateServices.bin

MD5 8d57fa5aa1cfe9b932aa931c3cc291f0
SHA1 ecfd102f53b77c47b79ec53a791c7c003b0219e3
SHA256 2a05cc0df37e0335448413af6508c7ba727f6907d5fb0b255624a89bcef3eb64
SHA512 5574df51302cbda8d065d2c5f3867ddc71b1f262a65ba7d6d7f4851778c6880249bbe26109158499f9811cd34112d183095452b2af3f69892c56ece351f24f24

memory/4396-2614-0x0000000000890000-0x0000000000D52000-memory.dmp

memory/5048-2616-0x0000000000890000-0x0000000000D52000-memory.dmp

memory/5048-2617-0x0000000000890000-0x0000000000D52000-memory.dmp

memory/4396-2618-0x0000000000890000-0x0000000000D52000-memory.dmp

memory/4396-2619-0x0000000000890000-0x0000000000D52000-memory.dmp

memory/4396-2620-0x0000000000890000-0x0000000000D52000-memory.dmp

memory/4396-2621-0x0000000000890000-0x0000000000D52000-memory.dmp

memory/4396-2622-0x0000000000890000-0x0000000000D52000-memory.dmp
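
The Files section mixes dropped payloads with Firefox profile churn (prefs.js, glean pings, cache entries, the browser's own plugin downloads). The script below is an added example, not part of the sandbox report: it parses a hand-copied subset of the entries above (constructed input, SHA1/SHA512 lines left out) into hash records and flags the ones an analyst would act on, namely PE files written under the user's Temp directory or C:\ProgramData, and any drop whose SHA256 equals the submitted sample. Two things it makes visible: b900859885.exe under the numbered 1000006001 directory is byte-identical to the submitted sample, and nss3.dll and mozglue.dll in C:\ProgramData are the Mozilla NSS libraries that stealers of this family fetch in order to decrypt Firefox's saved logins (compare the "Downloads MZ/PE file" and "Reads user/profile data of web browsers" signatures). Whether those two copies are unmodified Mozilla builds is not something the report establishes, so treat them as indicators of the technique rather than as malicious files in themselves. gmpopenh264.dll in the Firefox profile is also a DLL outside Program Files, which is why the classifier handles the profile directory separately instead of flagging every DLL it sees.

```python
"""Turn the Files section above into an IOC list.

Added example, not part of the sandbox report. FILES is a hand-copied subset
of the entries above with the SHA1/SHA512 lines left out (constructed input).
"""
import re

# SHA256 of the submitted sample, from the report header.
SAMPLE_SHA256 = "d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4"

FILES = """\
memory/1516-0-0x0000000000C20000-0x0000000001802000-memory.dmp

C:\\ProgramData\\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

C:\\ProgramData\\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

C:\\Users\\Admin\\AppData\\Local\\Temp\\EGDBAFHJJD.exe

MD5 a7a231ef5b7166696111b8b2151f0b2c
SHA256 c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d

C:\\Users\\Admin\\AppData\\Local\\Temp\\1000006001\\b900859885.exe

MD5 08c7502b3315ce651b6b57849c1d7308
SHA256 d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4

C:\\Users\\Admin\\AppData\\Local\\Temp\\1000011001\\73672817a3.exe

MD5 c9d56cd0a203897f2a7e757c6f56367d
SHA256 7f797431b98fc646e12d1c85be00527bd78a991830dc5160188ab77854959f4d

C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\zirruo9e.default-release\\prefs.js

MD5 43f44d4e5d7197d093ccfc56713464c1
SHA256 8e4c316cabe75ef73115b4f22ca6bd59fdaf5604643643efd85a3ccb8fedddd1

C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\zirruo9e.default-release\\gmp-gmpopenh264\\2.3.2\\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
PE_EXT = (".exe", ".dll")
DROP_DIRS = ("\\appdata\\local\\temp\\", "\\programdata\\")
PROFILE_DIR = "\\mozilla\\firefox\\profiles\\"


def parse_files(text):
    """Return [{'path': ..., 'md5': ..., 'sha256': ...}, ...] in report order.

    The report prints a path followed by its hash lines; memory dump entries
    have no hashes and come through with only a 'path' key.
    """
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
        else:
            current = {"path": line}
            records.append(current)
    return records


def classify(record):
    """'memory_dump', 'browser_profile', 'dropped_pe' or 'other'.

    The Firefox profile directory gets its own class because the browser
    writes its own plugin DLLs there (gmpopenh264.dll above), which would
    otherwise trip the 'PE outside Program Files' rule.
    """
    p = record["path"].lower()
    if p.startswith("memory/"):
        return "memory_dump"
    if PROFILE_DIR in p:
        return "browser_profile"
    if p.endswith(PE_EXT) and any(d in p for d in DROP_DIRS):
        return "dropped_pe"
    return "other"


def iocs(text, sample_sha256=SAMPLE_SHA256):
    """Return (dropped_pe_records, paths_identical_to_sample, sha256_list)."""
    records = parse_files(text)
    dropped = [r for r in records if classify(r) == "dropped_pe"]
    same_as_sample = [r["path"] for r in records if r.get("sha256") == sample_sha256]
    hashes = sorted({r["sha256"] for r in dropped})
    return dropped, same_as_sample, hashes


if __name__ == "__main__":
    dropped, same, hashes = iocs(FILES)
    for r in dropped:
        print(classify(r), r["sha256"], r["path"])
    print("identical to submitted sample:", same)
```

Note that the report lists the same profile path more than once with different hashes (data.safe.tmp, prefs-1.js, AlternateServices.bin); that is the browser rewriting its own state during the run, and `parse_files` keeps each listing as a separate record rather than collapsing them, so the hash of every version survives.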

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-12 06:09

Reported

2024-07-12 06:11

Platform

win11-20240709-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\FHIDAKFIJJ.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\FHIDAKFIJJ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\FHIDAKFIJJ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\FHIDAKFIJJ.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\FHIDAKFIJJ.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3472 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe C:\Windows\SysWOW64\cmd.exe
PID 3472 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\FHIDAKFIJJ.exe
PID 2664 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\FHIDAKFIJJ.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2968 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\26dc005c05.exe
PID 2968 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe
PID 2844 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4832 wrote to memory of 5024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5024 wrote to memory of 3236 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe

"C:\Users\Admin\AppData\Local\Temp\d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FHIDAKFIJJ.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CGDGHCBGDH.exe"

C:\Users\Admin\AppData\Local\Temp\FHIDAKFIJJ.exe

"C:\Users\Admin\AppData\Local\Temp\FHIDAKFIJJ.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\26dc005c05.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\26dc005c05.exe"

C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe

"C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0970aa4-7420-48b8-a72b-d2793f4bbebe} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2312 -prefMapHandle 2328 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbcf5138-d79e-4e28-b1ca-0ce3db864863} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3228 -childID 1 -isForBrowser -prefsHandle 3220 -prefMapHandle 3216 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {abe896c3-f84a-495f-b630-3fbe658e3cc4} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3344 -childID 2 -isForBrowser -prefsHandle 3628 -prefMapHandle 3616 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2285e0c-835b-41e6-ae32-3b381e5054b2} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4432 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4568 -prefMapHandle 4400 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87991970-55ff-42a9-a67a-cb44ee318548} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5504 -childID 3 -isForBrowser -prefsHandle 5496 -prefMapHandle 5492 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfa1d778-5831-4856-ace5-c490ad554d2f} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 4 -isForBrowser -prefsHandle 5664 -prefMapHandle 5672 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65444d8c-dfde-4d98-b08b-190daadebd72} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5840 -childID 5 -isForBrowser -prefsHandle 5656 -prefMapHandle 5844 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1dfec077-3987-4b50-84da-ff60f4cfea9c} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" tab

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network


Files
