Malware Analysis Report

2024-11-13 16:46

Sample ID: 240712-gyq19stfma
Target: c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d
SHA256: c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d
Tags: amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d

Threat Level: Known bad

The file c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d hate discovery evasion spyware stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Checks computer location settings

Identifies Wine through registry keys

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-12 06:13

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-12 06:13

Reported: 2024-07-12 06:15

Platform: win10v2004-20240704-en

Max time kernel: 150s

Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\DBAEGCGCGI.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\GDGHIDBKJE.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\GDGHIDBKJE.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\DBAEGCGCGI.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\DBAEGCGCGI.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\GDGHIDBKJE.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000006001\f563b0a40a.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\DBAEGCGCGI.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\GDGHIDBKJE.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000006001\f563b0a40a.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000006001\f563b0a40a.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\f563b0a40a.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4368 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4368 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4368 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2260 wrote to memory of 2068 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\f563b0a40a.exe
PID 2260 wrote to memory of 2068 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\f563b0a40a.exe
PID 2260 wrote to memory of 2068 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\f563b0a40a.exe
PID 2260 wrote to memory of 4748 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe
PID 2260 wrote to memory of 4748 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe
PID 2260 wrote to memory of 4748 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe
PID 4748 wrote to memory of 4028 | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4748 wrote to memory of 4028 | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4028 wrote to memory of 1276 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4028 wrote to memory of 1276 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4028 wrote to memory of 1276 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4028 wrote to memory of 1276 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4028 wrote to memory of 1276 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4028 wrote to memory of 1276 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4028 wrote to memory of 1276 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4028 wrote to memory of 1276 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4028 wrote to memory of 1276 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4028 wrote to memory of 1276 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4028 wrote to memory of 1276 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1276 wrote to memory of 2264 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d.exe

"C:\Users\Admin\AppData\Local\Temp\c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\f563b0a40a.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\f563b0a40a.exe"

C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe

"C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1276.0.2027018123\1311811661" -parentBuildID 20230214051806 -prefsHandle 1804 -prefMapHandle 1796 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {603ff18c-0c7f-4321-aa99-5426158b30f8} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" 1884 27f46b0b058 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1276.1.1623055604\1196192331" -parentBuildID 20230214051806 -prefsHandle 2448 -prefMapHandle 2444 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87644c18-f343-4b6f-8ee8-dc907312550b} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" 2476 27f39d8a858 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1276.2.1105402852\2078876976" -childID 1 -isForBrowser -prefsHandle 2984 -prefMapHandle 2980 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62c91248-9409-44af-b15e-9e83ecf46692} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" 2996 27f49a12b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1276.3.618337584\891296474" -childID 2 -isForBrowser -prefsHandle 4088 -prefMapHandle 4084 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {042ee8dc-220e-44bb-9ce6-86307a0adc45} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" 4104 27f4b786058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1276.4.2058561475\964422659" -childID 3 -isForBrowser -prefsHandle 5240 -prefMapHandle 5228 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {efb6b810-4f87-41b6-867c-55f8ecb54267} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" 5256 27f4d79b358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1276.5.1569075193\1109182248" -childID 4 -isForBrowser -prefsHandle 5452 -prefMapHandle 5460 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d37c9b82-a268-4a88-864a-ebd0731ba881} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" 5440 27f4a15f758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1276.6.1339180564\1327656501" -childID 5 -isForBrowser -prefsHandle 5620 -prefMapHandle 5616 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fe8b52e-2b80-4961-83d1-5ca42cdc7155} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" 5628 27f4d79b058 tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DBAEGCGCGI.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GDGHIDBKJE.exe"

C:\Users\Admin\AppData\Local\Temp\DBAEGCGCGI.exe

"C:\Users\Admin\AppData\Local\Temp\DBAEGCGCGI.exe"

C:\Users\Admin\AppData\Local\Temp\GDGHIDBKJE.exe

"C:\Users\Admin\AppData\Local\Temp\GDGHIDBKJE.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
GB 142.250.180.14:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
GB 142.250.180.14:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 44.238.192.228:443 shavar.prod.mozaws.net tcp
US 8.8.8.8:53 14.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 221.5.120.34.in-addr.arpa udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
N/A 127.0.0.1:64580 tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 228.192.238.44.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
N/A 127.0.0.1:64586 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
GB 172.217.169.46:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 172.217.169.46:443 redirector.gvt1.com udp
US 8.8.8.8:53 r2---sn-aigzrnse.gvt1.com udp
GB 74.125.168.199:443 r2---sn-aigzrnse.gvt1.com tcp
US 8.8.8.8:53 r2.sn-aigzrnse.gvt1.com udp
US 8.8.8.8:53 r2.sn-aigzrnse.gvt1.com udp
GB 74.125.168.199:443 r2.sn-aigzrnse.gvt1.com udp
US 8.8.8.8:53 199.168.125.74.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 53.121.117.34.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com udp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 udp
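
Most rows in this table are the detonation image's own background traffic: Firefox telemetry, remote-settings and codec downloads, the Google and YouTube fetches the browser makes on its own, and the reverse-DNS (in-addr.arpa) lookups the sandbox issues for every peer it sees. The rows that matter are the three peers contacted by bare IP over plain HTTP (77.91.77.82:80, 77.91.77.81:80 and 85.28.47.30:80): no hostname was resolved before those connections, and 77.91.77.81 is hit twice. The Python below is an editor's example added to this page, not sandbox output; it parses rows in this table's layout and separates those peers from the noise. The sample rows are copied from the table above, and the benign-suffix allow-list is the editor's assumption, built from the domains visible on this page rather than any sandbox configuration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: rows copied from the Network table above, in the report's
# "Country Destination Domain Proto" layout (the last row has no Domain column,
# exactly as it appears in the report).
SAMPLE_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
GB 142.250.180.14:443 www.youtube.com tcp
N/A 127.0.0.1:64580 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 udp
"""

# Hostnames the Windows + Firefox detonation image contacts on its own.
# Assumption: this allow-list is the editor's, built from the domains visible in
# this report; it is not a sandbox setting and must be reviewed per image.
BENIGN_SUFFIXES = (
    ".mozilla.com", ".mozilla.net", ".mozilla.org", ".mozaws.net", ".mozgcp.net",
    ".google.com", ".youtube.com", ".gvt1.com", ".bing.com", ".bing.net",
    ".getpocket.com", ".openh264.org", ".akamai.net", ".in-addr.arpa",
)

ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>[0-9.]+):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)

def parse_rows(text):
    """Parse report rows into dicts; a row without a Domain column gets domain=None."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows

def is_benign(row):
    """True for resolver traffic, loopback, and hosts on the image's own allow-list."""
    if row["port"] == 53 and row["ip"] == "8.8.8.8":
        return True
    if ipaddress.ip_address(row["ip"]).is_loopback:
        return True
    return row["domain"] is not None and row["domain"].endswith(BENIGN_SUFFIXES)

def c2_candidates(rows):
    """Count connections per (ip, port) after the allow-list is applied."""
    hits = Counter()
    for row in rows:
        if not is_benign(row):
            hits[(row["ip"], row["port"])] += 1
    return hits

def direct_ip_peers(rows):
    """Peers reached by bare IP (Domain column missing or equal to the IP): no DNS
    resolution preceded the connection, which is how the C2 rows in this report look."""
    return sorted({
        row["ip"] for row in rows
        if not is_benign(row) and row["domain"] in (None, row["ip"])
    })

if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for (ip, port), n in sorted(c2_candidates(rows).items()):
        print(f"{ip}:{port}  connections={n}")
    print("bare-IP peers:", ", ".join(direct_ip_peers(rows)))
```

The allow-list is keyed on hostname suffixes rather than IP ranges on purpose: the Google and Mozilla addresses in this table come from large anycast and CDN pools and would not survive as a static IP list, while a bare-IP peer with no hostname at all is exactly the shape a blocklist entry should take.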

Files

memory/4368-0-0x0000000000C00000-0x00000000010C2000-memory.dmp

memory/4368-1-0x0000000077E44000-0x0000000077E46000-memory.dmp

memory/4368-2-0x0000000000C01000-0x0000000000C2F000-memory.dmp

memory/4368-3-0x0000000000C00000-0x00000000010C2000-memory.dmp

memory/4368-5-0x0000000000C00000-0x00000000010C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 a7a231ef5b7166696111b8b2151f0b2c
SHA1 4ae6e23e6a4c23dc421775a7a55f2329aa975d5b
SHA256 c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d
SHA512 27756ffd4b67dc8034ef3d168fae3ba042da75ad7a5a530764bfd9418c8ed79f9b1edf056633e3d0d89c974a57e704a11ea923bed13e81e0beefdc43f1b7fb15

memory/2260-18-0x0000000000ED0000-0x0000000001392000-memory.dmp

memory/4368-17-0x0000000000C00000-0x00000000010C2000-memory.dmp

memory/2260-19-0x0000000000ED1000-0x0000000000EFF000-memory.dmp

memory/2260-20-0x0000000000ED0000-0x0000000001392000-memory.dmp

memory/2260-21-0x0000000000ED0000-0x0000000001392000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\f563b0a40a.exe

MD5 08c7502b3315ce651b6b57849c1d7308
SHA1 25d8366a04fca7105e7c38eac267ab787456f8c3
SHA256 d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4
SHA512 d3b352b9bcd49b4ee412fd43c5bd6be752083f4dfc20c0cf31f48003b28a9ef7171290ffbb47b8d31714afa945db78a2b4911d5963c2e63533e3bb66947bd64d

memory/2068-37-0x0000000000440000-0x0000000001022000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe

MD5 c9d56cd0a203897f2a7e757c6f56367d
SHA1 f3ce65c3ddbc08ed507de1486992ed5d4dd67b6e
SHA256 7f797431b98fc646e12d1c85be00527bd78a991830dc5160188ab77854959f4d
SHA512 ad06efb0e7c6fd32c4e19929dd63bf4e53562f03ab9a96b8f45a115361cacb984aa2bb0600dffd1d9f68d2a60fb781449097fe1cfe78c10b3d9a2c2f3cb2c63e

memory/2068-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\prefs.js

MD5 e6b6c3920382834670a7fe73e70f49ff
SHA1 ec92f55b3f068deaf7133f3d651c7493e80bcea2
SHA256 657ed39b0d57b31c68cac674b4c52df8a2144ab2250b4dc7ad36e9c16262bdf4
SHA512 de07380af80190c151d575481c7ef44639953e4a025e5c23c969f8f6ceb91580c7836728550d3e484f7ebfdfc6c0eff000c8f3d92a9c5afc04a3dfb28e3ff9ff

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\prefs-1.js

MD5 0e01dc508b788ecf73eb794e4da9ca7b
SHA1 eb2940a45c17c33a230a157a6546c7f87c26e89f
SHA256 5741b9839533842cd68a00dd5f4f1b321e6ff2788de98785aaa93bd3aa0cfd5e
SHA512 7f86a7f12cf13389e8ea3b5e12c07966760609a175df07147bcc017cff08c124e9beaa547924d90bbdfddc204544d4d4693171df13707610043756a07b298903

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\cookies.sqlite-wal

MD5 6d64294bae051d38e6095687109fca34
SHA1 ff22062bdeb138802d6f8cc00da33e177fdd641b
SHA256 eeae09d97c077a5a68df02809c3e45a6071ca22fc9cdc94f8356252f72a30c34
SHA512 2f08812634623c2434e5ab402a4a27097d659b1aa3cfe9c770f408576097cd8ba40df354ddfcfe28fcc2a1f8503927a8259f282c9f0f38d88ec8b5c90fb67c01

memory/2260-211-0x0000000000ED0000-0x0000000001392000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\places.sqlite-wal

MD5 1c98dd7d7c5fd9c8ed8d4f11ac7fa05b
SHA1 31577f49fb90c9c49468234f7dba03b60286e6dd
SHA256 2f02ab2c2a834293647c0402889c7f3fc496461a6f96125d1c513a95c357367d
SHA512 970be49caa98637f9060fb24980e2ecfd9ce1f0a28f7f52b654c204b504b3cfe60cddeb6642f454c65d1aaa30acc4acdff383df3bff25a41a982d8ba39ac52b2

memory/2068-223-0x0000000000440000-0x0000000001022000-memory.dmp

memory/2068-228-0x0000000000440000-0x0000000001022000-memory.dmp

memory/5780-233-0x0000000000310000-0x00000000007D2000-memory.dmp

memory/2260-231-0x0000000000ED0000-0x0000000001392000-memory.dmp

memory/5840-237-0x0000000000900000-0x0000000000DC2000-memory.dmp

memory/5780-238-0x0000000000310000-0x00000000007D2000-memory.dmp

memory/5840-240-0x0000000000900000-0x0000000000DC2000-memory.dmp

memory/2260-247-0x0000000000ED0000-0x0000000001392000-memory.dmp

memory/2260-248-0x0000000000ED0000-0x0000000001392000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\sessionstore-backups\recovery.jsonlz4

MD5 d1fbbd3a7fe1339f0368ef78fdb7f7cd
SHA1 0a4e31491f346bb10263101b3b39234957d810b6
SHA256 7122f4e15036236b010db7b7e2b86f0a4c95ef8e209d02edaf56f7523353fce3
SHA512 0057a785ddc39dc8da316ee5f82a5da07832752fa2fbddda63a95c04e5ed1626b94154c1ca4ccfd7a5fe889c8326ee228ed4a47d72ddbe553b6af7b00da04903

memory/2260-258-0x0000000000ED0000-0x0000000001392000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q38sqp1f.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 6d979f1fbcf291c0f4d8e2c4f2f07aa9
SHA1 bdf78e449e1f57752e76f090a51c9de5f0203d50
SHA256 e804d6f0399b2e57e4c3d5f9c6251f8054760635acd4cf8c32e4dc6d3464cf6c
SHA512 3897111e36a959627f14d81ea29501ebb3aa4cd02b99a5f34a14d07d0a8427b27d083a599d55ae4d4b19e353ea0840a2a2bd070446bb2c680cfa3651d6ca372b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\prefs-1.js

MD5 8c5baf4759bcfe5b64e1c2cbafd094b9
SHA1 013b929d3fef8d44b5b62d39f8101ba73cf32050
SHA256 101adf7031f2d2b2cd982afdc468582e253962e7b79ff8a6021e1c0d8573775c
SHA512 1ff251f34170b2527430da480c7f8e0b1330ccba15c5afc8fe67a6e86b396f45f486ed6f95a23effd176b4cea01ce7d6e1297a839c6e706b5db5680896ce918d

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\prefs-1.js

MD5 cb0fe8dc12d188e078a022292be1dc79
SHA1 fd1ff68f12514d2b8407d44af7e86256f5d28b8c
SHA256 180dc245270356fcc4157c7a659fa702087703d12918061d6ef864b05f494150
SHA512 11fbdbbb9562d92824e853e9c4a72c2e1d52c04a2f67a5284969f529abb40e469b4715eed60be80a5e38924e995699d66ab0475673386e0c9e1f74c619feed06

memory/2260-462-0x0000000000ED0000-0x0000000001392000-memory.dmp

memory/5984-1518-0x0000000000ED0000-0x0000000001392000-memory.dmp

memory/5984-1671-0x0000000000ED0000-0x0000000001392000-memory.dmp

memory/2260-1802-0x0000000000ED0000-0x0000000001392000-memory.dmp

memory/2260-2253-0x0000000000ED0000-0x0000000001392000-memory.dmp

memory/2260-2272-0x0000000000ED0000-0x0000000001392000-memory.dmp

memory/2260-2273-0x0000000000ED0000-0x0000000001392000-memory.dmp

memory/2260-2274-0x0000000000ED0000-0x0000000001392000-memory.dmp

memory/2260-2275-0x0000000000ED0000-0x0000000001392000-memory.dmp

memory/1680-2277-0x0000000000ED0000-0x0000000001392000-memory.dmp

memory/1680-2278-0x0000000000ED0000-0x0000000001392000-memory.dmp

memory/2260-2279-0x0000000000ED0000-0x0000000001392000-memory.dmp

memory/2260-2280-0x0000000000ED0000-0x0000000001392000-memory.dmp

memory/2260-2286-0x0000000000ED0000-0x0000000001392000-memory.dmp

memory/2260-2287-0x0000000000ED0000-0x0000000001392000-memory.dmp
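
Two details in this file list deserve a second look. The SHA256 recorded for C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe is the same as the submitted sample's, so the loader copied itself under a new name into a random-looking Temp subfolder, and the second-stage executables (f563b0a40a.exe, ca4be02280.exe) landed in numbered Temp subfolders (1000006001, 1000011001). nss3.dll and mozglue.dll, both legitimate Mozilla libraries, were written to C:\ProgramData, which is where a stealer stages them to decrypt Firefox's saved logins; the remaining Firefox profile files are the browser's own writes. The Python below is an editor's example added to this page rather than sandbox output: it parses entries in the Files section's layout, spots the self-copy by hash, and sorts the rest into hunt-ready roles. The sample text is a constructed excerpt of the entries above (SHA512 lines omitted), and the role names are the editor's.

```python
import re
from pathlib import PureWindowsPath

# SHA256 of the submitted sample, taken from the report header.
SUBMITTED_SHA256 = "c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d"

# Constructed excerpt of the Files section above. Paths and digests are copied
# from the report; SHA512 lines are left out to keep the sample short (the
# parser accepts them).
SAMPLE_FILES = r"""
memory/4368-0-0x0000000000C00000-0x00000000010C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 a7a231ef5b7166696111b8b2151f0b2c
SHA1 4ae6e23e6a4c23dc421775a7a55f2329aa975d5b
SHA256 c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d

C:\Users\Admin\AppData\Local\Temp\1000006001\f563b0a40a.exe

MD5 08c7502b3315ce651b6b57849c1d7308
SHA1 25d8366a04fca7105e7c38eac267ab787456f8c3
SHA256 d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4

C:\Users\Admin\AppData\Local\Temp\1000011001\ca4be02280.exe

MD5 c9d56cd0a203897f2a7e757c6f56367d
SHA1 f3ce65c3ddbc08ed507de1486992ed5d4dd67b6e
SHA256 7f797431b98fc646e12d1c85be00527bd78a991830dc5160188ab77854959f4d

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\prefs.js

MD5 e6b6c3920382834670a7fe73e70f49ff
SHA1 ec92f55b3f068deaf7133f3d651c7493e80bcea2
SHA256 657ed39b0d57b31c68cac674b4c52df8a2144ab2250b4dc7ad36e9c16262bdf4
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
WINPATH_RE = re.compile(r"^[A-Za-z]:\\")

def parse_files(text):
    """Group each Windows path with the digest lines that follow it; skip memory dumps."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            continue
        if WINPATH_RE.match(line):
            current = {"path": line, "hashes": {}}
            entries.append(current)
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1)] = m.group(2).lower()
    return entries

def classify(entry):
    """Map a dropped-file entry to the role it plays in this infection chain.
    Role names and rules are the editor's, derived from the paths on this page."""
    p = PureWindowsPath(entry["path"])
    parts = [s.lower() for s in p.parts]
    name = p.name.lower()
    if entry["hashes"].get("SHA256") == SUBMITTED_SHA256:
        return "self_copy"              # loader re-wrote itself under a new name
    if "temp" in parts and re.fullmatch(r"\d{10}", p.parent.name) and name.endswith(".exe"):
        return "downloaded_payload"     # second-stage EXE in a numbered Temp subfolder
    if len(parts) > 1 and parts[1] == "programdata" and name.endswith(".dll"):
        return "staged_library"         # DLL staged outside any install directory
    if "firefox" in parts and "profiles" in parts:
        return "browser_profile"        # browser's own profile writes
    return "other"

def ioc_table(entries):
    """Return {role: [(path, sha256), ...]} for every role except browser_profile."""
    out = {}
    for e in entries:
        role = classify(e)
        if role == "browser_profile":
            continue
        out.setdefault(role, []).append((e["path"], e["hashes"].get("SHA256")))
    return out

if __name__ == "__main__":
    for role, items in ioc_table(parse_files(SAMPLE_FILES)).items():
        for path, sha256 in items:
            print(f"{role:20} {sha256}  {path}")
```

When hunting on the hashes, remember that the self-copy shares the submitted sample's digest, so a hit on it is the same detection as the original file; the numbered-folder payloads and the ProgramData DLLs are the additional indicators this report contributes. The ten-digit folder rule matches the two folders seen here and should be treated as a hint, not a definition.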

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-12 06:13

Reported

2024-07-12 06:15

Platform

win11-20240709-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\HDBKFHIJKJ.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\HDBKFHIJKJ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\HDBKFHIJKJ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\HDBKFHIJKJ.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
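
The three tables above are the report's evasion evidence: every malicious process in the chain (the submitted sample, its self-copy explorti.exe, and the dropped HDBKFHIJKJ.exe) opens the VirtualBox ACPI table key HARDWARE\ACPI\DSDT\VBOX__, reads the SystemBiosVersion and VideoBiosVersion strings, and opens HKCU\Software\Wine. None of these reads is suspicious on its own, and the "Checks processor information in registry" table further down shows firefox.exe reading CentralProcessor\0 just as the payload does, so a detection that keys on a single registry path will false-positive. The Python below is an editor's example added to this page, not a sandbox signature: it parses rows in these tables' layout and flags a process only when it probes two or more independent VM or emulator markers. The sample rows are copied from the tables on this page, and the category grouping and the LOW_SIGNAL set are the editor's assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: rows copied from the three "evasion" tables above plus two
# rows from the later "Checks processor information in registry" table, in the
# report's "Description Indicator Process Target" layout.
SAMPLE_ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\HDBKFHIJKJ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\HDBKFHIJKJ.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\HDBKFHIJKJ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\a08feea111.exe N/A
"""

# The Process column may contain spaces ("C:\Program Files\..."), so the key is
# taken non-greedily up to the next drive-letter path ending in ".exe".
ROW_RE = re.compile(
    r"^(?P<op>Key opened|Key value queried)\s+"
    r"(?P<key>\\REGISTRY\\.+?)\s+"
    r"(?P<proc>[A-Za-z]:\\.+?\.exe)\s+"
    r"(?P<target>\S+)$"
)

# Registry locations this report shows being probed, grouped by what they reveal.
# Assumption: the grouping and the LOW_SIGNAL set are the editor's, derived from
# the indicators on this page; they are not the sandbox's signature definitions.
FINGERPRINT_KEYS = {
    "vm_acpi_table": [r"\hardware\acpi\dsdt\vbox__"],           # VirtualBox ACPI OEM table
    "bios_strings": [r"\hardware\description\system\systembiosversion",
                     r"\hardware\description\system\videobiosversion"],
    "wine_marker": [r"\software\wine"],                          # present only under Wine
    "cpu_info": [r"\hardware\description\system\centralprocessor\0"],
}
LOW_SIGNAL = {"cpu_info"}   # firefox.exe reads this too, so it never counts alone

def parse_signature_rows(text):
    """Parse rows in the Description/Indicator/Process/Target layout into dicts."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def categorize(key):
    """Return the fingerprint category for a registry path, or None if it is not one."""
    k = key.lower()
    for cat, needles in FINGERPRINT_KEYS.items():
        if any(n in k for n in needles):
            return cat
    return None

def evasion_profile(rows):
    """Map each process (basename, lower-case) to the set of categories it touched."""
    profile = {}
    for row in rows:
        cat = categorize(row["key"])
        if cat:
            name = PureWindowsPath(row["proc"]).name.lower()
            profile.setdefault(name, set()).add(cat)
    return profile

def flag_evaders(rows, min_categories=2):
    """Processes that probed at least min_categories independent VM/emulator markers.
    Requiring more than one category keeps a lone CentralProcessor read from firing."""
    return sorted(
        name for name, cats in evasion_profile(rows).items()
        if len(cats - LOW_SIGNAL) >= min_categories
    )

if __name__ == "__main__":
    rows = parse_signature_rows(SAMPLE_ROWS)
    for name, cats in sorted(evasion_profile(rows).items()):
        print(f"{name:70} {sorted(cats)}")
    print("flagged:", flag_evaders(rows))
```

On a real sandbox the same logic would run over registry-access telemetry rather than report text, and the practical counter is on the image side: a detonation VM whose ACPI tables, BIOS strings and user hive do not carry these markers gives the loader nothing to find, and these rows document exactly which markers this family looks for.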

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\a08feea111.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\a08feea111.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe N/A (40 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\a08feea111.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2764 wrote to memory of 5740 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 5740 wrote to memory of 3884 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\a08feea111.exe
PID 5740 wrote to memory of 5220 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe
PID 5220 wrote to memory of 1816 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1816 wrote to memory of 1728 (11 events) N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1728 wrote to memory of 2424 (42 events) N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
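
The table above is easier to reason about as a graph than as rows. The Python below is an added example, not part of the sandbox output: it parses rows in the report's format (both the one-row-per-event form and a collapsed "(N events)" form), folds duplicates into an event count, and walks the write graph from the root PID to its leaves. The severity rule is the editor's own heuristic and is an assumption: a write from a Temp-dropped executable into an installed program (5220 into firefox.exe) is scored high, a dropper writing into another dropped stage medium, and firefox.exe writing into a firefox.exe child low, because the browser does that itself when it spawns its launcher and content processes (compare the -contentproc command lines in the Processes section).

```python
"""Rebuild the WriteProcessMemory chain from the sandbox table (added example)."""
import re
from collections import Counter, defaultdict
from ntpath import basename  # Windows path handling regardless of host OS

# Accepts the raw one-row-per-event form and a collapsed "(N events)" form.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)"
    r"(?: \((?P<n>\d+) events\))? (?P<ind>\S+) "
    r"(?P<src_img>[A-Za-z]:\\.*?) (?P<dst_img>[A-Za-z]:\\.*)$"
)

TMP = r"C:\Users\Admin\AppData\Local\Temp"
FF = r"C:\Program Files\Mozilla Firefox\firefox.exe"
SAMPLE = TMP + r"\c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d.exe"
EXPLORTI = TMP + r"\ad40971b6b\explorti.exe"
A08 = TMP + r"\1000006001\a08feea111.exe"
E459 = TMP + r"\1000011001\459af31eb5.exe"

# Constructed input: the report's rows, one line per event (3/3/3/2/11/42 hits).
ROWS = (
    [f"PID 2764 wrote to memory of 5740 N/A {SAMPLE} {EXPLORTI}"] * 3
    + [f"PID 5740 wrote to memory of 3884 N/A {EXPLORTI} {A08}"] * 3
    + [f"PID 5740 wrote to memory of 5220 N/A {EXPLORTI} {E459}"] * 3
    + [f"PID 5220 wrote to memory of 1816 N/A {E459} {FF}"] * 2
    + [f"PID 1816 wrote to memory of 1728 N/A {FF} {FF}"] * 11
    + [f"PID 1728 wrote to memory of 2424 N/A {FF} {FF}"] * 42
)


def parse(rows):
    """Collapse rows into (src_pid, dst_pid) -> event count, plus pid -> image."""
    counts, images = Counter(), {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unparsed row: {row!r}")
        src, dst = int(m["src"]), int(m["dst"])
        counts[(src, dst)] += int(m["n"] or 1)
        images[src], images[dst] = m["src_img"], m["dst_img"]
    return counts, images


def classify(src_img, dst_img):
    """Editor's heuristic severity for one write edge."""
    same_image = basename(src_img).lower() == basename(dst_img).lower()
    src_in_temp = src_img.lower().startswith(TMP.lower())
    dst_installed = dst_img.lower().startswith(r"c:\program files")
    if same_image and not src_in_temp:
        return "low"      # a browser writing into its own child at launch
    if src_in_temp and dst_installed:
        return "high"     # dropped binary writing into an installed program
    return "medium"       # dropper writing into another dropped stage


def roots(counts):
    """PIDs that write but are never written to: where the chain starts."""
    return sorted({s for s, _ in counts} - {d for _, d in counts})


def chains(counts, root):
    """All root-to-leaf PID paths through the write graph."""
    children = defaultdict(list)
    for s, d in counts:
        children[s].append(d)
    paths = []

    def walk(pid, path):
        if not children.get(pid):
            paths.append(path)
            return
        for child in sorted(children[pid]):
            walk(child, path + [child])

    walk(root, [root])
    return paths


def report(rows):
    """One summary line per edge: severity, pids, event count, images."""
    counts, images = parse(rows)
    return [
        f"{classify(images[s], images[d]):6} {s} -> {d} x{n} "
        f"{basename(images[s])} -> {basename(images[d])}"
        for (s, d), n in sorted(counts.items())
    ]


if __name__ == "__main__":
    counts, images = parse(ROWS)
    print("\n".join(report(ROWS)))
    for root in roots(counts):
        for chain in chains(counts, root):
            print(" -> ".join(f"{p}:{basename(images[p])}" for p in chain))
```

Run on the table it prints two chains, 2764 -> 5740 -> 3884 and 2764 -> 5740 -> 5220 -> 1816 -> 1728 -> 2424. PID 2764 is the only process that writes without ever being written to, which identifies it as the submitted sample; the 42 firefox.exe -> firefox.exe events are the bulk of the table but the lowest-value rows in it.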

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d.exe

"C:\Users\Admin\AppData\Local\Temp\c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\a08feea111.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\a08feea111.exe"

C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe

"C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1872 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cab01d5d-c0ff-4e66-9dde-e9da16592a21} 1728 "\\.\pipe\gecko-crash-server-pipe.1728" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2316 -prefMapHandle 2320 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1503ed6e-6efe-4bc8-889b-138ec203e127} 1728 "\\.\pipe\gecko-crash-server-pipe.1728" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2568 -childID 1 -isForBrowser -prefsHandle 2840 -prefMapHandle 2960 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3edaddc-4855-4944-9de4-b7c90127907f} 1728 "\\.\pipe\gecko-crash-server-pipe.1728" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3892 -childID 2 -isForBrowser -prefsHandle 3884 -prefMapHandle 2300 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c956f294-c407-4b63-80da-0536c307c47c} 1728 "\\.\pipe\gecko-crash-server-pipe.1728" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4848 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4780 -prefMapHandle 4140 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0de77787-03b2-498a-926c-3caed5e1b8dd} 1728 "\\.\pipe\gecko-crash-server-pipe.1728" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 3 -isForBrowser -prefsHandle 5560 -prefMapHandle 5588 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c48da92e-39e1-44d7-b073-8affc6c8c2b7} 1728 "\\.\pipe\gecko-crash-server-pipe.1728" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5716 -childID 4 -isForBrowser -prefsHandle 5724 -prefMapHandle 5728 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32c18d61-331b-44d0-96dd-64a4cf0f1be5} 1728 "\\.\pipe\gecko-crash-server-pipe.1728" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5996 -childID 5 -isForBrowser -prefsHandle 5916 -prefMapHandle 5920 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da4a53ea-9dfb-4052-912c-ace6a49afbe1} 1728 "\\.\pipe\gecko-crash-server-pipe.1728" tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HDBKFHIJKJ.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DHJDAFIEHI.exe"

C:\Users\Admin\AppData\Local\Temp\HDBKFHIJKJ.exe

"C:\Users\Admin\AppData\Local\Temp\HDBKFHIJKJ.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
N/A 127.0.0.1:49934 tcp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 34.117.188.166:443 spocs.getpocket.com tcp
US 52.33.222.107:443 shavar.services.mozilla.com tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 34.117.188.166:443 spocs.getpocket.com udp
US 34.117.188.166:443 spocs.getpocket.com tcp
GB 142.250.187.238:443 youtube-ui.l.google.com tcp
GB 142.250.187.238:443 youtube-ui.l.google.com tcp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
GB 142.250.187.238:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
GB 216.58.201.110:443 consent.youtube.com udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
N/A 127.0.0.1:49945 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
GB 172.217.169.46:443 redirector.gvt1.com tcp
GB 172.217.169.46:443 redirector.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com tcp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
GB 142.250.200.46:443 play.google.com tcp
GB 142.250.200.46:443 play.google.com udp
GB 216.58.201.110:443 consent.youtube.com udp
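
Most rows in the Network table are Firefox's own telemetry, update and content checks (the mozilla, google, getpocket and openh264 hosts, all resolved through 8.8.8.8), and they dilute the three contacts that matter. The Python below is an added example, not part of the report: it parses rows in the table's format (the loopback rows have no Domain column) and separates connections whose Domain column merely repeats the IP, meaning no name was ever resolved and the address is hard-coded, from connections to resolved hostnames. Treating direct-to-IP cleartext HTTP as candidate C2 is the editor's heuristic, and because the report does not attribute connections to processes the malware-versus-browser split here is inferred from that shape, not observed.

```python
"""Separate hard-coded servers from resolved browser traffic in the Network table
(added example)."""
import ipaddress
from collections import Counter

# Constructed input: a representative subset of the report's Network rows.
NETWORK = """\
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
N/A 127.0.0.1:49934 tcp
US 34.117.188.166:443 spocs.getpocket.com tcp
GB 142.250.187.238:443 youtube-ui.l.google.com tcp
RU 77.91.77.81:80 77.91.77.81 tcp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
"""


def parse_network(text):
    """Rows are 'Country Destination Domain Proto'; loopback rows lack Domain."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            raise ValueError(f"unparsed row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_ip_literal(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def triage(rows):
    """Bucket each row: loopback, DNS lookup, direct-to-IP, or resolved hostname."""
    buckets = {"loopback": [], "dns": [], "direct_ip": [], "named": []}
    for r in rows:
        if ipaddress.ip_address(r["ip"]).is_loopback:
            buckets["loopback"].append(r)
        elif r["port"] == 53:
            buckets["dns"].append(r)
        elif is_ip_literal(r["domain"]):
            # Domain column repeats the IP: the process never resolved a name,
            # so the address is hard-coded in the binary or its config.
            buckets["direct_ip"].append(r)
        else:
            buckets["named"].append(r)
    return buckets


def candidate_c2(rows):
    """ip:port -> connection count for direct-to-IP cleartext HTTP."""
    hits = Counter()
    for r in triage(rows)["direct_ip"]:
        if r["port"] == 80:
            hits[f"{r['ip']}:{r['port']}"] += 1
    return hits


def resolved_hosts(rows):
    """Hostnames seen in DNS or in a named connection, with their countries."""
    hosts = {}
    for r in rows:
        if r["domain"] and not is_ip_literal(r["domain"]):
            hosts.setdefault(r["domain"], set()).add(r["country"])
    return hosts


if __name__ == "__main__":
    rows = parse_network(NETWORK)
    for kind, bucket in triage(rows).items():
        print(f"{kind:10} {len(bucket)}")
    for dest, n in candidate_c2(rows).most_common():
        print("candidate C2:", dest, f"x{n}")
```

On the full table this leaves 77.91.77.81:80, 77.91.77.82:80 and 85.28.47.30:80, all RU, as the hard-coded destinations; ciscobinary.openh264.org is also port 80 but was reached by name, so it stays in the resolved-host bucket with the rest of the browser traffic.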

Files

memory/2764-0-0x0000000000E10000-0x00000000012D2000-memory.dmp

memory/2764-1-0x0000000077036000-0x0000000077038000-memory.dmp

memory/2764-2-0x0000000000E11000-0x0000000000E3F000-memory.dmp

memory/2764-3-0x0000000000E10000-0x00000000012D2000-memory.dmp

memory/2764-4-0x0000000000E10000-0x00000000012D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 a7a231ef5b7166696111b8b2151f0b2c
SHA1 4ae6e23e6a4c23dc421775a7a55f2329aa975d5b
SHA256 c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d
SHA512 27756ffd4b67dc8034ef3d168fae3ba042da75ad7a5a530764bfd9418c8ed79f9b1edf056633e3d0d89c974a57e704a11ea923bed13e81e0beefdc43f1b7fb15

memory/2764-17-0x0000000000E10000-0x00000000012D2000-memory.dmp

memory/5740-18-0x0000000000C30000-0x00000000010F2000-memory.dmp

memory/5740-19-0x0000000000C30000-0x00000000010F2000-memory.dmp

memory/5740-20-0x0000000000C30000-0x00000000010F2000-memory.dmp

memory/5740-21-0x0000000000C30000-0x00000000010F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\a08feea111.exe

MD5 08c7502b3315ce651b6b57849c1d7308
SHA1 25d8366a04fca7105e7c38eac267ab787456f8c3
SHA256 d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4
SHA512 d3b352b9bcd49b4ee412fd43c5bd6be752083f4dfc20c0cf31f48003b28a9ef7171290ffbb47b8d31714afa945db78a2b4911d5963c2e63533e3bb66947bd64d

memory/3884-37-0x0000000000100000-0x0000000000CE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe

MD5 c9d56cd0a203897f2a7e757c6f56367d
SHA1 f3ce65c3ddbc08ed507de1486992ed5d4dd67b6e
SHA256 7f797431b98fc646e12d1c85be00527bd78a991830dc5160188ab77854959f4d
SHA512 ad06efb0e7c6fd32c4e19929dd63bf4e53562f03ab9a96b8f45a115361cacb984aa2bb0600dffd1d9f68d2a60fb781449097fe1cfe78c10b3d9a2c2f3cb2c63e

memory/3884-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\activity-stream.discovery_stream.json.tmp

MD5 de24714c4090cee1a0efcd6556078097
SHA1 4e695dfc6e30bfaa6b34c5cd5203a26a983a758f
SHA256 a49be59e68bc23357b3936720c9a38564c90c5bb6908d333fdc5ee1f6019021b
SHA512 3f8bd1e3e84757c32f4431a73c3aa420f0a64c3281e28d545981876f946655c5fc3f7f3220b6cca0ac7d2359e8b8fe518f1c23a9f4ee8ec698636d1214c538f4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\pending_pings\dabc4dee-a4af-409c-b734-8203da6e5d2b

MD5 3c4ac67c7cf45fb5b6e4e0ccccfa8f1a
SHA1 229aae8b081d98d93ca41a6141b27a7bc163aef6
SHA256 07fd2ea85960fe1a860a62dc7a242adaf3d93bdd4487bfc2a13b4577b942cf8b
SHA512 1d2f3949ce50f0491f23042ed00212662f076e572556ff68fdaff1f3f36e56f0d5b8b7d2884dcfff5992e92255d032c648a9139079ddc544080d335c87373b94

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\pending_pings\22681845-625a-4c57-935e-5213cfcec6b2

MD5 09db98dccf506b471016a137ff913b72
SHA1 f3d2fc83f5b0b2d816bea7cc2972971198da0f86
SHA256 be8d69c4a5529e442f277f5232b4e933be3782ce562f903141452384719202c2
SHA512 15c64967e756c839a258f1571e15d0b67c2a288ec0ca84295f6543410e6b2786ac7766e888ba7386a617687308daa43e0acc2c793384efab2d9380aa104256ce

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\pending_pings\7911c036-8684-4708-b850-3c016f693485

MD5 7cb3ffceaab61d3cef5af29dab66b92b
SHA1 6cdfcf7bc1b534cf8a80d2d1f328cee1b6ce5226
SHA256 402bc23303a034772ead11a35e785c893b73d0b1de5ae00a05954f7411bbee62
SHA512 51b0c39cea3d67a129d7a0999f4509527c5c43fbf7e1418ff4f7d398077ad999337c7cec65bb56f2bc1aa680e931880fccaabad7fcb990fb07807909c839ccb9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\db\data.safe.tmp

MD5 81118c4bb4254e1032c02b21bdfee1e7
SHA1 e7f58d9a9cf5d50214ce5e8aeb59602ac963c85a
SHA256 8b8f967970c19831c1ee3c47618642e998d12b8989e97ff6217519c33fb82018
SHA512 b115bee974bae14a14f40cb49b44179755716470fcdff516aa91ed3591d252c176a99bb1c49fd86bc4fb4e8870cb3a17f4e9a63c69245d052b1c984796aa37e0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\db\data.safe.tmp

MD5 3273174e90b52747117f77371b5a8731
SHA1 11b1ac4c9c76b79b26b7b2aafebf58be41ef8739
SHA256 5291d1b9c0540c13a89c457e6f6148fb6ac0662c7492e7268b677ca112921a87
SHA512 ab49918b25d2069fe0252b6112f7ba380a32ccd7c235c69717b73396855d8c536dddfd56c60263fc1e999a19117ed688c9dc121317484cc5b4a50051c1bf2317

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\AlternateServices.bin

MD5 c0a105b0dd0432eb2800b2ee20f416a8
SHA1 e6a5e073f098d0497fb854f81b78041131f71cd4
SHA256 c634c3d9c2bbf3f9d9fd953b815bb83135d8f779080a34da070d48711832eb59
SHA512 ffa93d4c1aa1d588db671334c941a3ef2b6465ab6ccb3d32a4b2453dc1da37a33dbd377b0266daa98d24ca0cbeee1aeaef5581a7784dae000bf2ccf5d6f57eae

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\AlternateServices.bin

MD5 35b26d4401ce021eea5c2928246c68b8
SHA1 6d32720baea1062a3a36ad67f7516957812e0f51
SHA256 2b4f83461a562e8335c496fca46200c3dbdd3b7ddf2517dd40da15c921ccd83f
SHA512 bac56b68dc6dedfadf8f53b4ad98a3da9e4212617e44e13b137f56f499affb3303a09d1087b8107f687f79024fa3cd4b9f73c6793e846e85d61b27bf327a8cf3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\cookies.sqlite-wal

MD5 c3aac37a50304d7b2b35375739f8cba3
SHA1 1e5e16ab75b4484a1778e71e3bb0479ad371f12b
SHA256 ce47f3c85f2ff62f66794a9e7378a7f3cff4bc510e9d3e7130529a34db4b81a1
SHA512 62f7579da1b7b2efa5658b9f5651a1fbc892501b697c716be11d77b2f416e97220826ecf0045f0c614731c522ae03340a76bd04b1c57a56b8a8b65a329ea4bd5

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\prefs.js

MD5 18cacc8cc0d6ff15169421cc905ae1de
SHA1 7c06f0b9f005da1db19bda11f8df13b3db5f705e
SHA256 72b78808a04c005fb83a9526fb0c8b148bf2ef7f4ab51f69d3daa7c11a0523d5
SHA512 e9edc23d5fc330595c11a7a5e87b3868639e1aa029c139ed67e8fcc6d7208bff28c9fc769c11f3443a4fd5c2384424469e2f39722eb13e1db95a52952da59c08

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\places.sqlite-wal

MD5 a85f14a36e8e73db49744f1116a02338
SHA1 40de167a9813ceea2e98f8224a5fc0a1034fae6d
SHA256 c806528b9a8434e234344b6ec79cad80fa88ec3d1a5cb9c8d1f545dde09bf3ec
SHA512 d49570bd6a753c90894c446cc0f332334dea4ce74ca2ec183d2832fe622f9abc799481e10c50d3d5b9bd364f204426b9ace0ebb5f1fe004595c42ba40d47b3d9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\prefs.js

MD5 400c72729fff699e1137d1f418841ded
SHA1 5c5d6eb4bd96b56e448e4afc9ddb1dfdabb443f3
SHA256 87ec97a1fc222c22be09105df131ece4bbe7cc5efaf11928c553d2382dae76b2
SHA512 d6ad394c4c782538e8bd8bec66044e38738b330b888d3e5cc0079ac0c488fd6aba65fcd9606584dbe1636a10c34a56dbbbbd5283148b058515e4f9a9e8564ce4

memory/5740-467-0x0000000000C30000-0x00000000010F2000-memory.dmp

memory/5740-468-0x0000000000C30000-0x00000000010F2000-memory.dmp

memory/3884-472-0x0000000000100000-0x0000000000CE2000-memory.dmp

memory/3884-475-0x0000000000100000-0x0000000000CE2000-memory.dmp

memory/5740-479-0x0000000000C30000-0x00000000010F2000-memory.dmp

memory/4616-480-0x0000000000650000-0x0000000000B12000-memory.dmp

memory/4616-481-0x0000000000650000-0x0000000000B12000-memory.dmp

memory/5740-487-0x0000000000C30000-0x00000000010F2000-memory.dmp

memory/5740-488-0x0000000000C30000-0x00000000010F2000-memory.dmp

memory/5740-501-0x0000000000C30000-0x00000000010F2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\db\data.safe.tmp

MD5 f7c5fc22fc8607e17ea8f6db61a338a5
SHA1 988f92deea94fc0182010cda2fbe1703328faef0
SHA256 96176fd83fc9a8507b82f7c2db16a8c5f862725a1306e867553a9b4e47e338c9
SHA512 04799ced738678d55dbcf9a70b2c593de60e98684989e63966179b216b090692bbeea3a2d712a69a87feff94e358d7094657668a1f3e8005549203712a5d6a1a

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\prefs-1.js

MD5 03e88a6b72d75462c3bd06c0f3c6c4a3
SHA1 fd2f02499b00287ebd11c30abd207aa420b270ae
SHA256 846f39bc8d2e909fe372a4b416efb8979dabbabb79f45070674fe51464417c7c
SHA512 1b101b26ad1e71213d831e847e06a60178e12898b79d229039116ea9c55e199e6adbba5efb80e39d87f4fd220399c9c9b370dd6c72ed236eb4af586993c314f7

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 7fb147961b5007759a260ee4ee00ea82
SHA1 3bd7bbd4352e5ebbd2e7283aa775ea41d973ef27
SHA256 9dbf09e57aa7b37358d64edd2df81824d495053a67b684bd753b690bf2be82ce
SHA512 8813ddfe9c9799f1ec1b63ed5e9fd32a2bc574e1548dd0206d45df6b4f9f3ab7dec7e0bb19769e0bfa73d89aa520783a94ae32bc0931a78ccafd1892d64a6ca8

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\prefs-1.js

MD5 dc9a4da9c258d99cab0bb3e1ba738420
SHA1 3e9d35135ac90fda1312a329d9b4105ca20d6390
SHA256 de2e183caee49cd8f9dd6fd39bb4d22f1502a4bb200239c057e22016880d1850
SHA512 41dd2472c2fbe29e7e0825bff6b4ed0892692815ed09cd391e318fc69e4e66684757f1e7e171071a9f9458cb2d1ce7220381408c0698b6adc2a93b061335b8fa

memory/5740-807-0x0000000000C30000-0x00000000010F2000-memory.dmp

memory/4036-1638-0x0000000000C30000-0x00000000010F2000-memory.dmp

memory/4036-1800-0x0000000000C30000-0x00000000010F2000-memory.dmp

memory/5740-1921-0x0000000000C30000-0x00000000010F2000-memory.dmp

memory/5740-2641-0x0000000000C30000-0x00000000010F2000-memory.dmp

memory/5740-2647-0x0000000000C30000-0x00000000010F2000-memory.dmp

memory/5740-2649-0x0000000000C30000-0x00000000010F2000-memory.dmp

memory/5740-2650-0x0000000000C30000-0x00000000010F2000-memory.dmp

memory/5740-2651-0x0000000000C30000-0x00000000010F2000-memory.dmp

memory/2836-2653-0x0000000000C30000-0x00000000010F2000-memory.dmp

memory/2836-2654-0x0000000000C30000-0x00000000010F2000-memory.dmp

memory/5740-2655-0x0000000000C30000-0x00000000010F2000-memory.dmp

memory/5740-2656-0x0000000000C30000-0x00000000010F2000-memory.dmp

memory/5740-2657-0x0000000000C30000-0x00000000010F2000-memory.dmp

memory/5740-2663-0x0000000000C30000-0x00000000010F2000-memory.dmp
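
Two things in the Files list deserve a second look: explorti.exe carries the same SHA256 as the submitted sample, so it is a self-copy into a random-named Temp subdirectory, and nss3.dll and mozglue.dll, the names of Mozilla's own NSS and glue libraries, appear in C:\ProgramData rather than under the browser's install directory, which is how stealers stage the libraries they need to decrypt Firefox credential stores. The rest is the browser rewriting its own profile. The Python below is an added example, not part of the report: it parses path-plus-hash records and memory/<pid>-<seq>-<lo>-<hi> dump names in the report's format, groups unique content by kind, flags the self-copy, and compares dumped regions across PIDs. Which directories count as browser profile and which extensions count as dropped binary are the editor's assumptions.

```python
"""Triage the Files section of the sandbox report (added example)."""
import re
from collections import defaultdict

SAMPLE_SHA256 = "c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d"

# Constructed input: a subset of the report's Files entries. Only SHA256 (and one
# MD5) lines are kept for brevity; the parser accepts the other hash lines too.
FILES = r"""
memory/2764-0-0x0000000000E10000-0x00000000012D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
MD5 a7a231ef5b7166696111b8b2151f0b2c
SHA256 c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d

memory/5740-18-0x0000000000C30000-0x00000000010F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000006001\a08feea111.exe
SHA256 d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4

memory/3884-37-0x0000000000100000-0x0000000000CE2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000011001\459af31eb5.exe
SHA256 7f797431b98fc646e12d1c85be00527bd78a991830dc5160188ab77854959f4d

C:\ProgramData\mozglue.dll
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\cookies.sqlite-wal
SHA256 ce47f3c85f2ff62f66794a9e7378a7f3cff4bc510e9d3e7130529a34db4b81a1

C:\ProgramData\nss3.dll
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\prefs.js
SHA256 72b78808a04c005fb83a9526fb0c8b148bf2ef7f4ab51f69d3daa7c11a0523d5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\prefs.js
SHA256 87ec97a1fc222c22be09105df131ece4bbe7cc5efaf11928c553d2382dae76b2

memory/4036-1638-0x0000000000C30000-0x00000000010F2000-memory.dmp
memory/2836-2653-0x0000000000C30000-0x00000000010F2000-memory.dmp
"""

MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-\d+-(?P<lo>0x[0-9A-Fa-f]+)-(?P<hi>0x[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
PROFILE_DIR = "\\mozilla\\firefox\\profiles\\"   # editor's assumption


def parse_files(text):
    """Return (file records with path + hashes, memory-dump records)."""
    files, dumps, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m, h = MEM_RE.match(line), HASH_RE.match(line)
        if m:
            dumps.append({"pid": int(m["pid"]), "lo": int(m["lo"], 16), "hi": int(m["hi"], 16)})
            current = None
        elif h and current is not None:
            current[h.group(1).lower()] = h.group(2)
        else:
            current = {"path": line}
            files.append(current)
    return files, dumps


def classify_path(path):
    p = path.lower()
    if PROFILE_DIR in p:
        return "browser-profile"   # Firefox rewriting its own profile while open
    if p.endswith((".exe", ".dll")):
        return "dropped-binary"
    return "other"


def triage_files(files, sample_sha256):
    """Group unique-content files by kind; a hash equal to the sample is a self-copy."""
    out, seen = defaultdict(list), set()
    for f in files:
        sha = f.get("sha256")
        if sha and sha in seen:
            continue                 # same bytes written again under the same path
        seen.add(sha)
        kind = "self-copy" if sha == sample_sha256 else classify_path(f["path"])
        out[kind].append(f["path"])
    return dict(out)


def shared_regions(dumps):
    """(base, size) -> sorted PIDs; one region recurring across processes means
    the same image was unpacked at the same base in each of them."""
    regions = defaultdict(set)
    for d in dumps:
        regions[(d["lo"], d["hi"] - d["lo"])].add(d["pid"])
    return {k: sorted(v) for k, v in regions.items()}


if __name__ == "__main__":
    files, dumps = parse_files(FILES)
    print(triage_files(files, SAMPLE_SHA256), shared_regions(dumps), sep="\n")
```

The 0x4C2000-byte region at base 0xC30000 recurs for PIDs 5740, 4036 and 2836, and a region of the same size sits at 0xE10000 in 2764: the same image unpacked in the sample and in three later processes, consistent with the identical SHA256 above and the repeated explorti.exe entries in the Processes list. The two prefs.js records survive deduplication because their hashes differ; only a second write of identical bytes is folded.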