Malware Analysis Report

2024-11-13 16:47

Sample ID 240712-h55zfatdll
Target 06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42
SHA256 06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42
Tags
amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42

Threat Level: Known bad

The file 06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d hate discovery evasion spyware stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Identifies Wine through registry keys

Checks computer location settings

Reads data files stored by FTP clients

Executes dropped EXE

Checks BIOS information in registry

Reads user/profile data of web browsers

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-12 07:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-12 07:20

Reported

2024-07-12 07:22

Platform

win11-20240709-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\FIJKEHJJDA.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\FIJKEHJJDA.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\FIJKEHJJDA.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\FIJKEHJJDA.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\d81de93904.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\d81de93904.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
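
The registry reads logged under the VirtualBox, BIOS, Wine and processor-information signatures above are the usual sandbox-fingerprinting sequence, and the processor rows show why a single read proves little: the legitimate firefox.exe queries CentralProcessor\0 as well. The script below is an added example, not part of the sandbox output. It classifies those reads per process and flags only processes that combine several distinct artifact families. The events are transcribed from the tables above with process paths shortened to file names; the family patterns and the two-family threshold are this example's own choices.

```python
"""Classify the registry reads logged in this report as VM/sandbox fingerprinting.

Added example, not part of the sandbox output. EVENTS are transcribed from the
behavioral2 signature tables (process path reduced to its file name); the
artifact families and the two-family threshold are this example's own choices.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

SAMPLE = "06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42.exe"

# Registry artifacts read by VM-aware loaders, grouped into families so that
# repeated reads of one family count once.  Matched case-insensitively against
# the full \REGISTRY\... path exactly as the sandbox logs it.
FINGERPRINT_FAMILIES: Dict[str, str] = {
    # ACPI tables exported by VirtualBox carry the OEM id "VBOX__"
    "vbox_acpi": r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$",
    # BIOS strings name the hypervisor on most VMs
    "bios": r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)$",
    # HKCU\Software\Wine exists only under Wine
    "wine": r"\\Software\\Wine$",
    # CPU name/MHz: weak on its own, browsers and updaters read it too
    "cpu": r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0(\\.*)?$",
}

Event = Tuple[str, str, str]  # (process image, operation, registry path)

EVENTS: List[Event] = [  # transcribed from the tables above
    (SAMPLE, "Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    ("explorti.exe", "Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    ("FIJKEHJJDA.exe", "Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    ("explorti.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("explorti.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    ("FIJKEHJJDA.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (SAMPLE, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("explorti.exe", "Key opened", r"\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Wine"),
    (SAMPLE, "Key opened", r"\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Wine"),
    ("FIJKEHJJDA.exe", "Key opened", r"\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Wine"),
    ("firefox.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    ("firefox.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz"),
    ("d81de93904.exe", "Key opened", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"),
    ("d81de93904.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    ("firefox.exe", "Key created", r"\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings"),
]


def classify_key(path: str) -> Optional[str]:
    """Return the artifact family a registry path belongs to, or None."""
    for family, pattern in FINGERPRINT_FAMILIES.items():
        if re.search(pattern, path, re.IGNORECASE):
            return family
    return None


def fingerprint_families(events: List[Event]) -> Dict[str, Set[str]]:
    """Map each process to the set of artifact families it read."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for process, _operation, path in events:
        family = classify_key(path)
        if family is not None:
            hits[process].add(family)
    return dict(hits)


def flag_evasive(events: List[Event], min_families: int = 2) -> List[str]:
    """Processes that read at least min_families distinct artifact families.

    One family (e.g. a CPU name lookup) is ordinary discovery; combining the
    VirtualBox ACPI table, the BIOS strings and the Wine key is the classic
    "am I in a sandbox?" sequence, and that is what the threshold isolates.
    """
    return sorted(
        process
        for process, families in fingerprint_families(events).items()
        if len(families) >= min_families
    )


if __name__ == "__main__":
    for process, families in sorted(fingerprint_families(EVENTS).items()):
        print(f"{process:70s} {sorted(families)}")
    print("flagged:", flag_evasive(EVENTS))
```

Run against the transcribed events, the sample, explorti.exe and FIJKEHJJDA.exe are flagged while firefox.exe and d81de93904.exe, which only touch the processor key, are not. Lowering the threshold to one family turns the check into plain discovery reporting, which is what the sandbox's own "Checks processor information in registry" signature already is.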

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\d81de93904.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1128 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1128 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1128 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2272 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\d81de93904.exe
PID 2272 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\d81de93904.exe
PID 2272 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\d81de93904.exe
PID 2272 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe
PID 2272 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe
PID 2272 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe
PID 1432 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1432 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 676 wrote to memory of 3524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 676 wrote to memory of 3524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 676 wrote to memory of 3524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 676 wrote to memory of 3524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 676 wrote to memory of 3524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 676 wrote to memory of 3524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 676 wrote to memory of 3524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 676 wrote to memory of 3524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 676 wrote to memory of 3524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 676 wrote to memory of 3524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 676 wrote to memory of 3524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3524 wrote to memory of 936 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
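
Sandboxes record a parent writing into a child it has just created (the start-up parameters) under this signature, so the rows above read as a process lineage record rather than as proof of code injection; every writer here is plausibly the creator of its target, including Firefox's own launcher, parent and content processes. The script below is an added example, not part of the sandbox output. It de-duplicates the rows, rebuilds the tree, marks processes running from the user profile, and isolates the one edge where a dropped binary starts a trusted one: c8b724af66.exe launching firefox.exe, which the Processes list below shows opening https://www.youtube.com/account. Image paths are taken from the Processes list, the row counts are the number of identical rows in the table above, and the user-writable prefix list is this example's own assumption.

```python
"""Rebuild the process lineage behind the WriteProcessMemory rows of this report.

Added example, not sandbox output. WRITES de-duplicates the table rows as
(writer PID, target PID, writer image, target image, number of identical rows);
image paths come from the Processes list of this analysis.
"""
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"

Write = Tuple[int, int, str, str, int]  # writer pid, target pid, writer image, target image, rows

WRITES: List[Write] = [  # transcribed and de-duplicated from the table above
    (1128, 2272, SAMPLE, TEMP + r"\ad40971b6b\explorti.exe", 3),
    (2272, 5100, TEMP + r"\ad40971b6b\explorti.exe", TEMP + r"\1000006001\d81de93904.exe", 3),
    (2272, 1432, TEMP + r"\ad40971b6b\explorti.exe", TEMP + r"\1000011001\c8b724af66.exe", 3),
    (1432, 676, TEMP + r"\1000011001\c8b724af66.exe", FIREFOX, 2),
    (676, 3524, FIREFOX, FIREFOX, 11),
    (3524, 936, FIREFOX, FIREFOX, 42),
]

# Assumption of this example: anything under the profile tree is user-writable,
# so a binary executing from there is a dropped file until proven otherwise.
USER_WRITABLE_PREFIXES = (PureWindowsPath(r"C:\Users"),)


def from_user_writable(image: str) -> bool:
    """True when the image sits below one of the user-writable prefixes."""
    path = PureWindowsPath(image)
    return any(prefix in path.parents for prefix in USER_WRITABLE_PREFIXES)


def lineage(writes: List[Write]) -> Dict[int, List[int]]:
    """Parent -> children map; each child listed once regardless of row count."""
    children: Dict[int, List[int]] = defaultdict(list)
    for writer, target, *_ in writes:
        if target not in children[writer]:
            children[writer].append(target)
    return dict(children)


def images(writes: List[Write]) -> Dict[int, str]:
    """PID -> image path for every process that appears in the rows."""
    out: Dict[int, str] = {}
    for writer, target, writer_image, target_image, _rows in writes:
        out[writer] = writer_image
        out[target] = target_image
    return out


def roots(writes: List[Write]) -> List[int]:
    """PIDs that write but are never written to: the top of each chain."""
    targets = {t for _w, t, *_ in writes}
    return sorted({w for w, *_ in writes} - targets)


def render(writes: List[Write]) -> List[str]:
    """Indented tree, one line per process, with a [dropped] marker."""
    children, image = lineage(writes), images(writes)
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        tag = " [dropped]" if from_user_writable(image[pid]) else ""
        lines.append(f"{'  ' * depth}{pid} {PureWindowsPath(image[pid]).name}{tag}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots(writes):
        walk(root, 0)
    return lines


def cross_image_writes(writes: List[Write]) -> List[Tuple[int, int]]:
    """Edges where writer and target are different binaries (the loader chain
    plus the dropped c8b724af66.exe starting the browser); same-image Firefox
    parent/child edges are filtered out."""
    return [(w, t) for w, t, wi, ti, _ in writes
            if PureWindowsPath(wi) != PureWindowsPath(ti)]


def dropped_launching_trusted(writes: List[Write]) -> List[Tuple[int, int]]:
    """A binary from a user-writable directory writing into one that is not.
    This is the edge whose command line a hunter pulls first."""
    return [(w, t) for w, t, wi, ti, _ in writes
            if from_user_writable(wi) and not from_user_writable(ti)]


if __name__ == "__main__":
    print("\n".join(render(WRITES)))
    print("cross-image:", cross_image_writes(WRITES))
    print("dropped -> trusted:", dropped_launching_trusted(WRITES))
```

The 42 identical rows for 3524 -> 936 collapse to a single Firefox parent-to-content-process edge, and the only dropped-to-trusted edge is 1432 -> 676. With timestamps, which this table lacks, the same code could separate a write that happens at process creation from one that happens later, which is the distinction that turns this signature into an injection indicator.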

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42.exe

"C:\Users\Admin\AppData\Local\Temp\06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\d81de93904.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\d81de93904.exe"

C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe

"C:\Users\Admin\AppData\Local\Temp\1000011001\c8b724af66.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 25749 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4568bde-84b7-49fa-bdeb-466a5713ca9b} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 26669 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40aeef01-89d5-4229-9efb-811721dbfcd3} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3340 -childID 1 -isForBrowser -prefsHandle 3332 -prefMapHandle 3328 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cb51409-93fc-4f13-9865-fc4eeaf6d540} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3080 -childID 2 -isForBrowser -prefsHandle 3048 -prefMapHandle 3120 -prefsLen 31159 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {beea2aab-cf62-4fd9-9738-d719716e9519} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4656 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4580 -prefMapHandle 4768 -prefsLen 31159 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fb618ac-b3ac-42fa-9232-2ec1175bd543} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -childID 3 -isForBrowser -prefsHandle 5368 -prefMapHandle 5272 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8dddaae6-7a48-4726-89eb-dc89f017fd0d} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5560 -childID 4 -isForBrowser -prefsHandle 5480 -prefMapHandle 5484 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f92aeaa-470c-484f-8420-3ebfb11555bd} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5672 -childID 5 -isForBrowser -prefsHandle 5320 -prefMapHandle 5492 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd7a78c2-b61c-489c-bcfb-9714bed3f461} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FIJKEHJJDA.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HJDAKFBFBF.exe"

C:\Users\Admin\AppData\Local\Temp\FIJKEHJJDA.exe

"C:\Users\Admin\AppData\Local\Temp\FIJKEHJJDA.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Files

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-12 07:20

Reported

2024-07-12 07:22

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\JJKEBGHJKF.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\JJKEBGHJKF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\JJKEBGHJKF.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000006001\95a97ac93d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000011001\bbace69e27.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\JJKEBGHJKF.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\95a97ac93d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\95a97ac93d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\bbace69e27.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000011001\bbace69e27.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\95a97ac93d.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2476 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2476 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2476 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4848 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\95a97ac93d.exe
PID 4848 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\95a97ac93d.exe
PID 4848 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\95a97ac93d.exe
PID 4848 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000011001\bbace69e27.exe
PID 4848 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000011001\bbace69e27.exe
PID 4848 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000011001\bbace69e27.exe
PID 2796 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\1000011001\bbace69e27.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2796 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\1000011001\bbace69e27.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3912 wrote to memory of 548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3912 wrote to memory of 548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3912 wrote to memory of 548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3912 wrote to memory of 548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3912 wrote to memory of 548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3912 wrote to memory of 548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3912 wrote to memory of 548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3912 wrote to memory of 548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3912 wrote to memory of 548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3912 wrote to memory of 548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3912 wrote to memory of 548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 548 wrote to memory of 3952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42.exe

"C:\Users\Admin\AppData\Local\Temp\06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\95a97ac93d.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\95a97ac93d.exe"

C:\Users\Admin\AppData\Local\Temp\1000011001\bbace69e27.exe

"C:\Users\Admin\AppData\Local\Temp\1000011001\bbace69e27.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1892 -prefsLen 25755 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d17c4d0-fa84-4f8e-84bd-73ed705dff54} 548 "\\.\pipe\gecko-crash-server-pipe.548" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 26675 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be803201-6a57-44b4-8694-16829f2a17d3} 548 "\\.\pipe\gecko-crash-server-pipe.548" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2852 -childID 1 -isForBrowser -prefsHandle 3052 -prefMapHandle 3036 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1232 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a84caac-a2aa-446a-ad13-eb867e2ca8d8} 548 "\\.\pipe\gecko-crash-server-pipe.548" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3916 -childID 2 -isForBrowser -prefsHandle 3908 -prefMapHandle 3904 -prefsLen 31165 -prefMapSize 244658 -jsInitHandle 1232 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e481203b-8df6-48e2-90a1-eb6e01d12d0d} 548 "\\.\pipe\gecko-crash-server-pipe.548" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4544 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4524 -prefMapHandle 4516 -prefsLen 31165 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43e1d096-2451-4998-9ac1-3dcbb73a13a3} 548 "\\.\pipe\gecko-crash-server-pipe.548" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5252 -childID 3 -isForBrowser -prefsHandle 5240 -prefMapHandle 5244 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1232 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c28b86b-2c5a-422b-b6d9-35184adb38ea} 548 "\\.\pipe\gecko-crash-server-pipe.548" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5396 -childID 4 -isForBrowser -prefsHandle 5472 -prefMapHandle 5468 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1232 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a20e061-2c57-4e64-96a9-b5bdaec97448} 548 "\\.\pipe\gecko-crash-server-pipe.548" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5672 -childID 5 -isForBrowser -prefsHandle 5660 -prefMapHandle 5664 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1232 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c077eaa-b51e-45a2-8101-743fb8470b7a} 548 "\\.\pipe\gecko-crash-server-pipe.548" tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JJKEBGHJKF.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AAKJKJDGCG.exe"

C:\Users\Admin\AppData\Local\Temp\JJKEBGHJKF.exe

"C:\Users\Admin\AppData\Local\Temp\JJKEBGHJKF.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
N/A 127.0.0.1:49622 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.187.238:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
GB 142.250.187.238:443 youtube-ui.l.google.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
GB 142.250.187.238:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 consent.youtube.com udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 52.33.222.107:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
GB 216.58.201.110:443 consent.youtube.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 107.222.33.52.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
N/A 127.0.0.1:49650 tcp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 172.217.169.46:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 172.217.169.46:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 46.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com udp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
GB 216.58.201.110:443 consent.youtube.com udp

Files

memory/2476-0-0x0000000000270000-0x0000000000722000-memory.dmp

memory/2476-1-0x0000000077E74000-0x0000000077E76000-memory.dmp

memory/2476-2-0x0000000000271000-0x000000000029F000-memory.dmp

memory/2476-3-0x0000000000270000-0x0000000000722000-memory.dmp

memory/2476-5-0x0000000000270000-0x0000000000722000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 6aaac86a20e20b4688fd3c3b9c0d39a6
SHA1 eb16b670e707fb322a3574bd38a1756dc1bf94a1
SHA256 06763b6eed5b1999d49c14b4f0d6dfd32da8a0b4388491a1fd88d62f5be52a42
SHA512 637debc90b7f0c4f08a7019a5de52a6ef7487737a818a17c0997637e3afcafa28de77a7da435930a4b1e719fdc0b276e35eee66e95590bc62b515f6b3ac9f960

memory/2476-18-0x0000000000270000-0x0000000000722000-memory.dmp

memory/4848-17-0x00000000004D0000-0x0000000000982000-memory.dmp

memory/4848-19-0x00000000004D1000-0x00000000004FF000-memory.dmp

memory/4848-20-0x00000000004D0000-0x0000000000982000-memory.dmp

memory/4848-21-0x00000000004D0000-0x0000000000982000-memory.dmp

memory/4848-22-0x00000000004D0000-0x0000000000982000-memory.dmp

memory/4848-23-0x00000000004D0000-0x0000000000982000-memory.dmp

memory/4848-24-0x00000000004D0000-0x0000000000982000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\95a97ac93d.exe

MD5 08c7502b3315ce651b6b57849c1d7308
SHA1 25d8366a04fca7105e7c38eac267ab787456f8c3
SHA256 d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4
SHA512 d3b352b9bcd49b4ee412fd43c5bd6be752083f4dfc20c0cf31f48003b28a9ef7171290ffbb47b8d31714afa945db78a2b4911d5963c2e63533e3bb66947bd64d

memory/4848-35-0x00000000004D0000-0x0000000000982000-memory.dmp

memory/752-41-0x0000000000A60000-0x0000000001642000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000011001\bbace69e27.exe

MD5 a94a9befbcab8ba19e2c3bef6db077bc
SHA1 1bc51afed6a1cad1f58fb281629f687a11d50c4c
SHA256 b79e6357594a879fab838c3f445fcb09072f16e5708417d881a2768f6126c88d
SHA512 194c3e27a5a202a556e5033ea33d5f3c509a1ddad4f98258eb628a1d5535d999aeb1b9facaed1eb5c3b7f0446c8d51e7d59752c3a346ed25859b87cbbc3070c6

memory/752-60-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/4848-102-0x00000000004D0000-0x0000000000982000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yol9faaa.default-release\activity-stream.discovery_stream.json.tmp

MD5 b5786ebbcb277f36aa5540a23eee5d44
SHA1 92e0d4f9f60a9a4fbc9cf37fa9e7646b9d6d7d40
SHA256 2386b1ca97f4193b75668d6abb41cb09c844866d9fc9933110531ceef6fc2b76
SHA512 0dedbeb5ef30a891dcee655704349968dd22cf01961a404b78d776e6a084bc3479d46b7d055896201e22218f6e6685c638a748d5b01ce652f91bf49377dfd3cf

C:\ProgramData\AFHDAEGHDGDBGDGDAAFI

MD5 6ad2ddc76cc6b153bc072845f303b8d3
SHA1 16d528bdc56360336c57244269e628d56e014995
SHA256 c401c7c8b2c21600024d832bcae28a3f86bf4090443adf085e29db6f38db02c6
SHA512 19d8ab08c1f0e9db88e8b5f8998c8ba2e144660f44ecb2af0a54b0da119ead9a76e262d2e9c24b04483942567aaf58fd736bac1ddce153c51ebd0e03cd2a4f33

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp

MD5 ae94c6912872f9e33c35a3369ad9f7b0
SHA1 6944f37a8a184dfc99d2e8a9b52336605988ae4b
SHA256 052a4c64858a013172aa042b36d17423f6e6d6374b46cdf66701f886292b3c17
SHA512 f2ec2f452da10dfc4885f6582d4964a70c028ab5be6a284905992a13df0df735a1a30d20edf2cd4af0eebf8d78e7263a3d4d333650ff7f1dfc3f9209093afdf0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\f39299af-e291-41e3-b7c2-0f07d8eb1f25

MD5 c2b74aaca6f166e35d07a4f12a86ad9e
SHA1 4876d2763b40418933040edb0bf98a3f6b40dd24
SHA256 930cbde9dc2a42137a5489bb48b4b026c503337c7f2559c665437d3541c70837
SHA512 73ab4f5537dbbb428208c7d118e29728cdcb4abdb11c57de65a9f11709da9603f88ea879e52ac68156dd9c5fe7427c960826508ece7a3cbd87b3a25e3d97fdc4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\7e9f4599-e266-45d0-ba0c-43f8ee393dd8

MD5 72a11817693acc6fb4d641d2f5f7b3a5
SHA1 259da3ddcef17b4be04017ec34c7431b350e2e30
SHA256 24addeac861d42d97de3b077642b385ac819731a9381a8c6b7613c042a04714d
SHA512 4615dc777b4cedc6d01b714253c5cab8ac8d05863b5a8ae982ceb7b2a768955f513b26a1eecfb5623b2f32da8c4c5f0c7315418ab2ca48fc6c69813862854921

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\3dfd6a0f-0353-414a-ab7b-c87286d83b35

MD5 3fd5d57c22306332c4d3a939c27507f3
SHA1 28e12031c63167193c607ac9edb5bb7f55e6387a
SHA256 bbe45609961109a386a41f1e8f6da67b83a83006df689fbe69741498dfa9e996
SHA512 c9992365d7160a8a882195b8d25ba7f8606f662647e81ba565e684a9dd239accaeb08d14f025608519ef131ea8286ee31f981a0fca37e9889174d1886ec082d5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\AlternateServices.bin

MD5 b18b821020b4600914066a0af96e7c20
SHA1 e4a532ae970607c8c6ba6afe5ca6d3de1a77b277
SHA256 2cb0fc54ffe41c75a6bfea604a7dcdc631102aa3150260e4f0d7d192801fe20b
SHA512 dc01abc108096cbd80c97b13d169d9d26ef9ccda192084ab355daefbe22b6172e92d84af8449eb06fa4be24918efb9decc3f6f8fde21a4f35c94b27a1e646ed6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp

MD5 9f119be15802e653caf783ab16b783e0
SHA1 ad97f7fa6f395bbf64db958b2a04a0126a89f00e
SHA256 a913aa1b0a6b26b73b0aeb867d0de0a362608f3d395c3f06f647a42a42d9c85a
SHA512 8aeef92127302a0a1600e3016592b614b34c687a83558ade4f53aae4c4a7e3adc06c8f5b1ce038d6782d0fd1d21a05070af4e560b79369143002b9b659344e3b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\prefs.js

MD5 9bcb790e8566460cb3b6e732bd0c03d8
SHA1 d5c200fce83fe25a664f4ac0c22d687115f4504d
SHA256 840a1bd7500c2148be60cd953ccdf184e86cf2db061a67b7c7169fe620d2626c
SHA512 0d3390504bf5aee0d244f03d227ca75777a921d4bf3b929a60637c862cf3d6fd4155d293d8df38b30284e3b2068b9d1aa353bbfe25438855a4909f19d435fab5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\AlternateServices.bin

MD5 be0636391bca5f87b05c6649e2a98c8d
SHA1 647f82bf65e3980d6aa5d4d100a15bbdb695d035
SHA256 645188496162be6ee83f53bd8972aa3b65fa706fbf8145e816d994d9fba33243
SHA512 f18e1d3b025622608de19570bca864af8004ceac91757cc22b28c68f09c526a1695c4cc7ab6d85a0b7ae46006eb0de7081938f31d50c286f25bebb07fe5c0011

memory/752-473-0x0000000000A60000-0x0000000001642000-memory.dmp

memory/1284-477-0x0000000000360000-0x0000000000812000-memory.dmp

memory/1284-478-0x0000000000360000-0x0000000000812000-memory.dmp

memory/4472-484-0x00000000004D0000-0x0000000000982000-memory.dmp

memory/4472-490-0x00000000004D0000-0x0000000000982000-memory.dmp

memory/4848-491-0x00000000004D0000-0x0000000000982000-memory.dmp

memory/4848-504-0x00000000004D0000-0x0000000000982000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp

MD5 699429dbebba73c310259c0f52eafa17
SHA1 4d554491a87e15521be2985681cbe8ac99154d67
SHA256 588d4b3cbbc17b0f6419f9fc295a9184f77a3f032ac1a82b6085d11c05443fb8
SHA512 c70b689a4229dc85dc12046df7e278f48fda0517ddf0076c11897b7a56d5acb415029fb365663528f94eb1d14ca9fbb796544e7b68073c8644cee3ab6ea6ddc2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\prefs.js

MD5 20375ef1499a6630b87ecd4198f71ef8
SHA1 cc6cae749d6aac923c21b864d1363acf3648ce0d
SHA256 1e5adca796d2ff69b450f771f7e8c3374cc7dcea50eef0c50170b1fc8e661577
SHA512 7ff206bc895844c42caf7645145acca69aea4695242943356cae74d651cf04440996d49a2a679320807f8c31558dc90030f8c793eb01443e3b5059fb3a374e22

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\prefs-1.js

MD5 57c2e13a4ad86fac4f6ce14afd825318
SHA1 204e23026fc477ffc1d202e05783ac180cd8f809
SHA256 6f19437c6f98d0c8115b044aea34912e93de0cad9022914e0760063277c059bf
SHA512 2c88e435c67535e450c2e105f6939ab1cae119989e2c8c6d38ed64593583ea99e59d1d1dc5376ef6ebfde409385ecd7f0014cc82a28ba3577c045a8ebd670c21

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yol9faaa.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 ae7237c7e4c5cb8d4fe2403c34f2fe22
SHA1 8eeb5ca2603738a25902ab8126b45ff3d8a2dc3c
SHA256 560480431d492fa402fdd79ef0ecfe84fb9d8cfd43dff0c657ca4004fbb9953c
SHA512 e8b66621e220ef6223e7d673e90283cb92bd690955e46536565d916f798e124e78c6a219aea9ab4cf5f04888a244de06b67a959aa00ecc8a270447e1b279261d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 e3c46d20a013d2286c2db8600bc461af
SHA1 47e4f9ec73b0feb4f0ff9eefd5987acff272b1b6
SHA256 be1ee15974b4a00efc4f0a2efe268898a603cb634f08fbcfa8f4010f8bc1ca78
SHA512 a6b7b0010cedc22dbca361507ff0972607c882b82ad6085afee51c5acb16eb98f7188cecaecbad06642fe0044a1b08b74af254c1bf488ff166e1aca90b426bd8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 17d257157e035762d471eec683a4fa65
SHA1 498432bc525132cd5d969cd6f3d90456111e8100
SHA256 e0cca42fca4984aa0eb2cae343ba5f6b3c184b6a4fb98dde0317b3fbd8a7af26
SHA512 d899b66755f31de538e8843fa4de7be838d0d4d62d5ccae012cf2b9dd1df42d2186d22f99f3776351ba0a685b25971d6c728e9e7ec429a42fe07eb59731b91f0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp

MD5 4a88cea30562c44e69607541699163b2
SHA1 37828a0d10c5f46207def2cdf7c423a5ed108dfd
SHA256 96057400af20de8ed2fc8eac5dd99f14004e66e6ba8e501c18bbaaf0b6926d23
SHA512 d615f9a220054bb005c7b66cf0d1a4100b7388920fb66f21c91a25305c5316800c7e46a8fefda12405447f5e4ac848c8c9b6ce193a5b56239725a1f8fccc991d

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/4848-782-0x00000000004D0000-0x0000000000982000-memory.dmp

memory/4848-2395-0x00000000004D0000-0x0000000000982000-memory.dmp

memory/4848-2594-0x00000000004D0000-0x0000000000982000-memory.dmp

memory/4848-2597-0x00000000004D0000-0x0000000000982000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\AlternateServices.bin

MD5 4be3ca4d3852944af067d1360e2ee472
SHA1 d8e304cd43fdb219f2d4f801bf1b69d248926369
SHA256 752942eeadd57b7085318eb8878ac7cfecd0b2012aff13d3faf7295bb4a7f9e5
SHA512 5c33c84149d7e31a3bd9ceb1ed4b595536cdefa48b33167f02ee192569159a1ff2c17d162b723beb81850907cff5dba6d9a1c22239ec826241d1991a4a50daec

memory/3756-2604-0x00000000004D0000-0x0000000000982000-memory.dmp

memory/3756-2606-0x00000000004D0000-0x0000000000982000-memory.dmp

memory/4848-2607-0x00000000004D0000-0x0000000000982000-memory.dmp

memory/4848-2608-0x00000000004D0000-0x0000000000982000-memory.dmp

memory/4848-2609-0x00000000004D0000-0x0000000000982000-memory.dmp

memory/4848-2610-0x00000000004D0000-0x0000000000982000-memory.dmp

memory/4848-2611-0x00000000004D0000-0x0000000000982000-memory.dmp