Malware Analysis Report

2024-08-06 12:54

Sample ID 240630-vpdaps1djh
Target reload-beta.exe
SHA256 15973284c2f6be38e8ab31e01d3d0a59d87ff03c98126754a61283265cd769e3
Tags
stealerium collection persistence privilege_escalation spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

15973284c2f6be38e8ab31e01d3d0a59d87ff03c98126754a61283265cd769e3

Threat Level: Known bad

The file reload-beta.exe was found to be: Known bad.

Malicious Activity Summary

stealerium collection persistence privilege_escalation spyware stealer

Stealerium family

Stealerium

Downloads MZ/PE file

Reads user/profile data of web browsers

Executes dropped EXE

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

NTFS ADS

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Checks processor information in registry

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Event Triggered Execution
T1546
Netsh Helper DLL
T1546.007
Privilege Escalation
TA0004
Event Triggered Execution
T1546
Netsh Helper DLL
T1546.007
Defense Evasion
TA0005
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Email Collection
T1114
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-30 17:09

Signatures

Stealerium family

stealerium

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-30 17:09

Reported

2024-06-30 17:14

Platform

win10v2004-20240611-en

Max time kernel

300s

Max time network

302s

Command Line

"C:\Users\Admin\AppData\Local\Temp\reload-beta.exe"

Signatures

Stealerium

stealer stealerium

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\reload-beta.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\reload-beta.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\reload-beta.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1944 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe C:\Windows\SysWOW64\cmd.exe
PID 1944 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe C:\Windows\SysWOW64\cmd.exe
PID 1944 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe C:\Windows\SysWOW64\cmd.exe
PID 4648 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4648 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4648 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4648 wrote to memory of 848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4648 wrote to memory of 848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4648 wrote to memory of 848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4648 wrote to memory of 4496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4648 wrote to memory of 4496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4648 wrote to memory of 4496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1944 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe C:\Windows\SysWOW64\cmd.exe
PID 1944 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe C:\Windows\SysWOW64\cmd.exe
PID 1944 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 3408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1336 wrote to memory of 3408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1336 wrote to memory of 3408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1336 wrote to memory of 2340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1336 wrote to memory of 2340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1336 wrote to memory of 2340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4316 wrote to memory of 4844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4316 wrote to memory of 4844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4316 wrote to memory of 4844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4316 wrote to memory of 4844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4316 wrote to memory of 4844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4316 wrote to memory of 4844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4316 wrote to memory of 4844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4316 wrote to memory of 4844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4316 wrote to memory of 4844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4316 wrote to memory of 4844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4316 wrote to memory of 4844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4844 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\reload-beta.exe

"C:\Users\Admin\AppData\Local\Temp\reload-beta.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /7

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.0.1026958256\303944908" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0f97f67-934a-4455-91c9-8b56e858f290} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 1836 179e1223658 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.1.1199778461\2126157188" -parentBuildID 20230214051806 -prefsHandle 2376 -prefMapHandle 2364 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a4409d4-40cb-48e6-8706-a22684a42e77} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 2404 179d4484b58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.2.850963934\403500167" -childID 1 -isForBrowser -prefsHandle 2944 -prefMapHandle 2940 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1e0d702-5487-415a-b727-3f038f422e68} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 2956 179e3cf1e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.3.813715034\1650593338" -childID 2 -isForBrowser -prefsHandle 3968 -prefMapHandle 3964 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08be40df-aff3-431f-a8b3-f9c959e8c32d} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 3972 179e6223e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.4.2055166254\1053396644" -childID 3 -isForBrowser -prefsHandle 5136 -prefMapHandle 5152 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff585097-c40c-4a11-84c6-13990cd85800} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 5176 179e6b63658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.5.2000207040\1623240521" -childID 4 -isForBrowser -prefsHandle 5312 -prefMapHandle 5316 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c9d4ee9-8e70-4879-998b-444c6399ea67} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 5396 179e80e4658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.6.1085299681\437068927" -childID 5 -isForBrowser -prefsHandle 5532 -prefMapHandle 5536 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d99471d5-2a28-447e-af6f-4a678e758d2a} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 5300 179e80e3a58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.7.1263824193\503545032" -childID 6 -isForBrowser -prefsHandle 5932 -prefMapHandle 5944 -prefsLen 28177 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50064259-3552-4fd8-8c14-c509304405c8} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 5960 179e98c4858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.8.1176202135\2125622264" -parentBuildID 20230214051806 -prefsHandle 6564 -prefMapHandle 6548 -prefsLen 28177 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a62b36b-5afb-4177-a082-62ed41f840fd} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 6556 179e6b61b58 rdd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.9.833131591\989944936" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 5372 -prefMapHandle 6428 -prefsLen 28177 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa6e27a2-8beb-4cb7-b76c-dd33e7a7d63a} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 6588 179e7e35e58 utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.10.315828301\1391875585" -parentBuildID 20230214051806 -sandboxingKind 0 -prefsHandle 6412 -prefMapHandle 5372 -prefsLen 28177 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2be3c4f2-ca0b-4c83-a25c-f578f2addef1} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 6660 179e6823e58 utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.11.1930667713\798191177" -childID 7 -isForBrowser -prefsHandle 5692 -prefMapHandle 5184 -prefsLen 28186 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64e0156f-eaf8-446a-966c-0ad774680279} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 5240 179e9db3858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.12.1047490986\379206976" -childID 8 -isForBrowser -prefsHandle 7068 -prefMapHandle 7064 -prefsLen 28186 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02fd1f76-0000-47fb-a05d-00b13954fcb7} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 4632 179ea76ad58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.13.456666421\555675124" -childID 9 -isForBrowser -prefsHandle 7108 -prefMapHandle 7112 -prefsLen 28186 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {288d46ab-d8d0-48ba-9e9d-600b6925ec7b} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 6808 179ea769558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.14.332669742\1510635642" -childID 10 -isForBrowser -prefsHandle 7256 -prefMapHandle 7260 -prefsLen 28186 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee18df29-95d5-490f-a8ff-6bbe2507d69c} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 7244 179ea769858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.15.486302553\1959511191" -childID 11 -isForBrowser -prefsHandle 6908 -prefMapHandle 6920 -prefsLen 28186 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c90f66fe-7a90-48da-b1f1-68bab9beba46} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 5800 179d4476958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.16.1535035963\1104068743" -childID 12 -isForBrowser -prefsHandle 7528 -prefMapHandle 7536 -prefsLen 28186 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7d64b29-9c22-4930-8bf2-c7c4dc2575c9} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 7520 179e7e7f258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.17.1083531790\1486298110" -childID 13 -isForBrowser -prefsHandle 7076 -prefMapHandle 7092 -prefsLen 28186 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d05cfc6f-f72c-480d-bef6-eacebd0d0ce1} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 6076 179e80ae358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.18.417060125\1913762991" -childID 14 -isForBrowser -prefsHandle 7620 -prefMapHandle 7596 -prefsLen 28186 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6e53bd9-b2f4-4306-9d08-71642fd2fbbe} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 7628 179e8ce9358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.19.2027984287\1916076896" -childID 15 -isForBrowser -prefsHandle 7772 -prefMapHandle 7780 -prefsLen 28186 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8906cb8c-864b-41bc-afb0-5bd389d6919b} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 7764 179e8ce9658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.20.1589391379\1887550078" -childID 16 -isForBrowser -prefsHandle 6896 -prefMapHandle 6160 -prefsLen 28186 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2205849-1d7b-47b6-b31c-5ae22fc57695} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 5640 179e8ef9258 tab

C:\Users\Admin\Downloads\reload-beta.exe

"C:\Users\Admin\Downloads\reload-beta.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 232.137.159.162.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 241.185.16.104.in-addr.arpa udp
US 8.8.8.8:53 evcs-ocsp.ws.symantec.com udp
US 152.199.19.74:80 evcs-ocsp.ws.symantec.com tcp
US 8.8.8.8:53 74.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.gofile.io udp
FR 51.178.66.33:443 api.gofile.io tcp
US 8.8.8.8:53 store10.gofile.io udp
FR 31.14.70.252:443 store10.gofile.io tcp
US 8.8.8.8:53 33.66.178.51.in-addr.arpa udp
US 8.8.8.8:53 252.70.14.31.in-addr.arpa udp
US 104.16.185.241:80 icanhazip.com tcp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
N/A 127.0.0.1:60233 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 34.117.188.166:443 spocs.getpocket.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 44.242.121.21:443 shavar.prod.mozaws.net tcp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 221.5.120.34.in-addr.arpa udp
US 8.8.8.8:53 21.121.242.44.in-addr.arpa udp
N/A 127.0.0.1:60240 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
GB 142.250.187.196:443 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.169.46:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 46.169.217.172.in-addr.arpa udp
GB 172.217.169.46:443 play.google.com udp
US 8.8.8.8:53 consent.google.com udp
GB 142.250.187.238:443 consent.google.com tcp
US 8.8.8.8:53 consent.google.com udp
US 8.8.8.8:53 consent.google.com udp
GB 142.250.187.238:443 consent.google.com udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 encrypted-tbn0.gstatic.com udp
GB 142.250.178.14:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.178.14:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.178.14:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.178.14:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.178.14:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.178.14:443 encrypted-tbn0.gstatic.com tcp
US 8.8.8.8:53 encrypted-tbn0.gstatic.com udp
US 8.8.8.8:53 encrypted-tbn0.gstatic.com udp
GB 142.250.178.14:443 encrypted-tbn0.gstatic.com udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 id.google.com udp
GB 172.217.169.67:443 id.google.com tcp
US 8.8.8.8:53 id.google.com udp
US 8.8.8.8:53 id.google.com udp
GB 172.217.169.67:443 id.google.com udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 ssl.gstatic.com udp
GB 172.217.169.3:443 ssl.gstatic.com tcp
US 8.8.8.8:53 ssl.gstatic.com udp
US 8.8.8.8:53 ssl.gstatic.com udp
GB 172.217.169.3:443 ssl.gstatic.com udp
US 8.8.8.8:53 3.169.217.172.in-addr.arpa udp
GB 172.217.169.46:443 play.google.com udp
US 8.8.8.8:53 anonsharing.com udp
US 172.67.223.198:80 anonsharing.com tcp
US 172.67.223.198:80 anonsharing.com tcp
US 8.8.8.8:53 anonsharing.com udp
US 8.8.8.8:53 anonsharing.com udp
US 172.67.223.198:443 anonsharing.com tcp
US 172.67.223.198:443 anonsharing.com udp
US 8.8.8.8:53 198.223.67.172.in-addr.arpa udp
US 8.8.8.8:53 fundingchoicesmessages.google.com udp
GB 142.250.187.238:443 fundingchoicesmessages.google.com tcp
US 8.8.8.8:53 static.cloudflareinsights.com udp
US 104.16.80.73:443 static.cloudflareinsights.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 static.cloudflareinsights.com udp
US 8.8.8.8:53 static.cloudflareinsights.com udp
US 8.8.8.8:53 www3.l.google.com udp
GB 142.250.187.238:443 www3.l.google.com udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 104.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 73.80.16.104.in-addr.arpa udp
US 8.8.8.8:53 66.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 172.217.16.226:443 googleads.g.doubleclick.net tcp
GB 172.217.16.226:443 googleads.g.doubleclick.net udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.co.uk udp
GB 142.250.200.3:443 www.google.co.uk tcp
US 8.8.8.8:53 www.google.co.uk udp
US 8.8.8.8:53 www.google.co.uk udp
GB 142.250.187.196:443 www.google.com udp
GB 142.250.200.3:443 www.google.co.uk udp
US 8.8.8.8:53 226.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 tpc.googlesyndication.com udp
GB 172.217.16.225:443 tpc.googlesyndication.com tcp
US 8.8.8.8:53 tpc.googlesyndication.com udp
US 8.8.8.8:53 tpc.googlesyndication.com udp
GB 172.217.16.225:443 tpc.googlesyndication.com udp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 adsdk.microsoft.com udp
US 8.8.8.8:53 cdn.adnxs.com udp
US 13.107.246.64:443 adsdk.microsoft.com tcp
US 8.8.8.8:53 s-part-0036.t-0009.t-msedge.net udp
US 8.8.8.8:53 e6115.g.akamaiedge.net udp
US 8.8.8.8:53 s-part-0036.t-0009.t-msedge.net udp
US 8.8.8.8:53 e6115.g.akamaiedge.net udp
NL 23.62.61.194:443 www.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 64.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 e86303.dscx.akamaiedge.net udp
US 8.8.8.8:53 ams3-ib.adnxs.com udp
US 8.8.8.8:53 e86303.dscx.akamaiedge.net udp
NL 185.89.211.84:443 ams3-ib.adnxs.com tcp
US 8.8.8.8:53 ams3-ib.adnxs.com udp
NL 23.62.61.194:443 e86303.dscx.akamaiedge.net udp
US 8.8.8.8:53 ams3-ib.adnxs.com udp
SE 23.34.232.182:443 e6115.g.akamaiedge.net tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 84.211.89.185.in-addr.arpa udp
US 8.8.8.8:53 182.232.34.23.in-addr.arpa udp
US 8.8.8.8:53 s3.ca-central-1.wasabisys.com udp
CA 38.143.146.103:443 s3.ca-central-1.wasabisys.com tcp
US 8.8.8.8:53 ca-central-1.wasabisys.com udp
US 8.8.8.8:53 ca-central-1.wasabisys.com udp
US 8.8.8.8:53 103.146.143.38.in-addr.arpa udp

Files

memory/1944-0-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

memory/1944-1-0x0000000000900000-0x0000000000A92000-memory.dmp

memory/1944-2-0x0000000005420000-0x0000000005486000-memory.dmp

memory/1944-3-0x0000000074AD0000-0x0000000075280000-memory.dmp

memory/1944-6-0x00000000059B0000-0x0000000005A42000-memory.dmp

memory/1944-7-0x0000000005A40000-0x0000000005A66000-memory.dmp

memory/1944-8-0x0000000005A70000-0x0000000005A78000-memory.dmp

memory/1944-9-0x0000000006990000-0x000000000699A000-memory.dmp

memory/1944-10-0x00000000069A0000-0x00000000069A8000-memory.dmp

memory/1944-11-0x00000000069C0000-0x00000000069DE000-memory.dmp

C:\Users\Admin\AppData\Local\453fe21cdcee167aaa85567f7cabe586\Admin@PVWYNMDT_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/1944-68-0x0000000007110000-0x00000000071A2000-memory.dmp

memory/1944-73-0x00000000078E0000-0x0000000007E84000-memory.dmp

C:\Users\Admin\AppData\Local\453fe21cdcee167aaa85567f7cabe586\Admin@PVWYNMDT_en-US\System\Apps.txt

MD5 1b5f8c6589ab448d606b40cd3d35e1e1
SHA1 841b7ed6540bbb9debb12559600aa9a5d82b2cc0
SHA256 adeb76b7be4ebbb54fecd6ee425130a04d821fe525a8819d346aaf91c002109a
SHA512 6598145c0f1e120ebd87c1e7b2f7ebc5ad92c8d1816cbdc7bb6f3f6c4c10a70feac1579540994062650c4e0980169a5dd20dc9033d909af6f528d4d905e89854

C:\Users\Admin\AppData\Local\453fe21cdcee167aaa85567f7cabe586\Admin@PVWYNMDT_en-US\System\Process.txt

MD5 b328d4be1e8121536f29ce6f2ecb5a4b
SHA1 c47422833c131234e1d5502bb149993433790b26
SHA256 9c0c9eb6f5654fa74be8769d6c2c77c7983b63679b45dfa075fc286674a7b12d
SHA512 415b59c8a67c871bdc8201bcd1516b62f542bad578a4b4c1a447c42709b11ae034d068cd3e5c0ce382828837337b8199bf301d811b99c5bc4472b44401f0b893

memory/1944-203-0x0000000006AC0000-0x0000000006B3A000-memory.dmp

C:\Users\Admin\AppData\Local\453fe21cdcee167aaa85567f7cabe586\Admin@PVWYNMDT_en-US\System\ProductKey.txt

MD5 71eb5479298c7afc6d126fa04d2a9bde
SHA1 a9b3d5505cf9f84bb6c2be2acece53cb40075113
SHA256 f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
SHA512 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

C:\Users\Admin\AppData\Local\453fe21cdcee167aaa85567f7cabe586\Admin@PVWYNMDT_en-US\System\Debug.txt

MD5 ed3c96be56feae986383bc7c237790ea
SHA1 01ccdb60b1821de5c9ebe9e409a149c5047f4353
SHA256 c6441a5623e0997899d9c288d70ab76bc9b299f2629053c69bdd22536458f76e
SHA512 152a92d8df3e897c1552b882a9d80fad1c087f1cd28204bf211bb67716fe190928883356a3f4e5dcf1e33f4d7f9d0807e2cfaf382b79748887766b110a7dc9fa

C:\Users\Admin\AppData\Local\453fe21cdcee167aaa85567f7cabe586\Admin@PVWYNMDT_en-US\Directories\Videos.txt

MD5 1fddbf1169b6c75898b86e7e24bc7c1f
SHA1 d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256 a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA512 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

C:\Users\Admin\AppData\Local\453fe21cdcee167aaa85567f7cabe586\Admin@PVWYNMDT_en-US\Directories\Startup.txt

MD5 68c93da4981d591704cea7b71cebfb97
SHA1 fd0f8d97463cd33892cc828b4ad04e03fc014fa6
SHA256 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
SHA512 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

C:\Users\Admin\AppData\Local\453fe21cdcee167aaa85567f7cabe586\Admin@PVWYNMDT_en-US\Directories\OneDrive.txt

MD5 966247eb3ee749e21597d73c4176bd52
SHA1 1e9e63c2872cef8f015d4b888eb9f81b00a35c79
SHA256 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
SHA512 bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

memory/1944-276-0x0000000006BF0000-0x0000000006CA2000-memory.dmp

memory/1944-278-0x0000000006CF0000-0x0000000006D12000-memory.dmp

memory/1944-279-0x0000000008090000-0x00000000083E4000-memory.dmp

C:\Users\Admin\AppData\Local\453fe21cdcee167aaa85567f7cabe586\msgid.dat

MD5 c24ca5f96b25e9bca11f468198b6cb57
SHA1 528624de8e5dc6a3850cf02874e772e111a35f93
SHA256 de26bbceef0088291acd1574cb97d9616df97c06aae930f367a16a92a3d160ac
SHA512 1cb9670e4b707383128ce770f09a6d64b22bdac7a549a8d376b187058cb27c39635a465272bc0ca6ec956f986cde3a005a9808afb52e50cb96faf837bd3e2ef1

memory/1944-291-0x0000000007430000-0x000000000743A000-memory.dmp

memory/1944-292-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

memory/1944-293-0x0000000074AD0000-0x0000000075280000-memory.dmp

memory/536-294-0x000002465C190000-0x000002465C191000-memory.dmp

memory/536-295-0x000002465C190000-0x000002465C191000-memory.dmp

memory/536-296-0x000002465C190000-0x000002465C191000-memory.dmp

memory/536-306-0x000002465C190000-0x000002465C191000-memory.dmp

memory/536-305-0x000002465C190000-0x000002465C191000-memory.dmp

memory/536-304-0x000002465C190000-0x000002465C191000-memory.dmp

memory/536-303-0x000002465C190000-0x000002465C191000-memory.dmp

memory/536-302-0x000002465C190000-0x000002465C191000-memory.dmp

memory/536-301-0x000002465C190000-0x000002465C191000-memory.dmp

memory/536-300-0x000002465C190000-0x000002465C191000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s2p9ahae.default-release\activity-stream.discovery_stream.json.tmp

MD5 2db3cd208ffde955df273ebfb3b227ea
SHA1 27158379fa12164e4f42a01971ddfc8f28c974c6
SHA256 fc8b52b2c61280f6824ec8b74e7642fe870614608bda68da1d39db949c46db89
SHA512 3b27b7f5dcdefb3e7112a670391bfc13f02f769531755862d2bae7bb83db708a8a7194ede2fd23987a7bc3adb53a0644b850d87efa926c8f6a37912a0b6b149b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s2p9ahae.default-release\prefs-1.js

MD5 7cc047e2171168d4061233738db21e98
SHA1 17597a20b806b33aa38cd34f4a232b84efd3dba7
SHA256 2e0edc18872269797a52b41316075dc11c3d649b477017d3e44469b1aed7ca8d
SHA512 6c7391aef1158f6fb16b671774f408c6c32e7c306303ce16211253d7c2f4b4b7167ad3f8184d2cad3292ccf88f85976a60a652240fab9f2c0bf10d96ce119301

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s2p9ahae.default-release\sessionstore-backups\recovery.jsonlz4

MD5 078c739780c6feff55ffce58510c3cad
SHA1 70d03e35cb1686b4dffb9c92718d949162f5737d
SHA256 8f7bad16b30b0ff8e695ba54dedd8f224e334c7c07d48a1c225155f139285fb7
SHA512 69a7cf5183b3123b6cd60f2682301c3165c7f15f2baba62de6dd37493168a900e6d970ef44defae61a90169ed5d7d21c368857c876fc1450dc8bc1c17d5db56e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s2p9ahae.default-release\prefs-1.js

MD5 123da4ce77dfd9b01cf087c623262d02
SHA1 d9a3aa99691270a4902a3ee84c6b6978126d7725
SHA256 aa8c16f4c3acc7229a68b5950775650f1da50bc423858a844744516fd02b9269
SHA512 94bcfccc82fc068e33393b0bae5b67249da2fe87068148f8732cc882310b619e0f379ee9a761eb188b5a5d1dc39528591178759a7b782179da303e5fba51a110

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s2p9ahae.default-release\sessionstore-backups\recovery.jsonlz4

MD5 5723f8cfacfbe251503fd482a5135806
SHA1 b1675f4e352766634dae0eccd8e3f61d8a475326
SHA256 daf90505c69d42e88c5ff851678b25f932160812224a2aaeefc78351572b265e
SHA512 c75e5150618e7a1be88b0ae9dbdbdefe77c31f3675de0c4e1fdd7ad631bb854bbcda1c3e69aafef42438758ec08da0d44068a3373b545084cf5047d3b6437ed7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s2p9ahae.default-release\sessionstore-backups\recovery.jsonlz4

MD5 59f6cd7a8f3f9197eeca502e1b94cc81
SHA1 743b5287b837dd98592bc58c9182c1f4d154f74b
SHA256 01132d66cdb8476d9a9041787005bf25eaad835812cb8685b2d16d3a6e7bc1c4
SHA512 f4ff94e7222297bc3a726272f185fa1397f3189718b69cdb2945c3a51a41117c05ce60971d2b692af4316f11d414dbecf2b7990b6cdabb4851b0e75ccbb2f08a

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s2p9ahae.default-release\cache2\doomed\7768

MD5 0a72ecc61e38213d584d4b9866f6a64b
SHA1 32fdc60ab267bd27c0da2522c4d5b07516f68cfe
SHA256 2958ea10fac66f14e792d8f1f1d2abbfe407b09d6e1ea841e6aa392a5a903175
SHA512 2053120a8f8300cbf51f4dfff40cae47430fc952909aec8c3ab622b86a123acf61ec1e3980de8fec7a6467268f01a068723e4dbf438afa4a448fe27759c69f97

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s2p9ahae.default-release\cache2\doomed\8712

MD5 d15ce324eafec0108385e818115bd205
SHA1 9aba0a22136c84502a8bb09e511167e456f169c6
SHA256 4d8067f7685a76e7acbca2227838687cc3c9d0ad9687a005d131de74e761733d
SHA512 1d9be93822f56d68b32cdd7d3e42daf8a3d912b4d8441a5c23325ec9eb316cd2561a51ee2e2d357362380d7c8e173fb6526753aa4bf03eddb953f898bda0fbdf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s2p9ahae.default-release\sessionstore-backups\recovery.jsonlz4

MD5 611e6d474be274d804f9b548a874395c
SHA1 afd3029d2d5adcc3af97a44a547d2503c148b85f
SHA256 ef09b7e7150412b398940f81442fccbcbb8b1bfab0d97df69dbb69cc88f508c3
SHA512 9075f9f9f9161282ec2b5e965c0cc6d600dac4d754ed2c0a305b779e7fe9b069e21d68ad0bb7c8954c9ec9abd81532180628297ae29c60023495cbd0d05dfdf1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s2p9ahae.default-release\sessionstore-backups\recovery.jsonlz4

MD5 2d90aae90bdf0d79206956e4c3c6588c
SHA1 c075f5e49f2cc14d4d0a26bc9fc938b76fb5a29e
SHA256 50c82ca0b408b85cbccd737730659233b43509e929932c86b32454d5b826e070
SHA512 79dd03fc4b20c0dfdf8eaf4a8211134e84cca00c84dfba73bd354961735a47b9df2568b8016d3abab184d69064b015b9cf7173d76ad411380f2efbb9d2e1e389

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s2p9ahae.default-release\cache2\doomed\31814

MD5 1f730a01071d44cf02c97483d93ca74f
SHA1 b0aaef169aa22989f9a963406b22feb0977baa8b
SHA256 898a542b4b798f52dee0c0e9239893f50b3c5d9084e1a54e8de7adfea2e38f87
SHA512 043ac3bfd3f9cee16092b8a9f23671da2bde52be90a3f7672aff6970639410bec9c9c0a46222ca45a1a4ca63c8e7a35ab392a7ee39d69d1840bc5380e3a5f60f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s2p9ahae.default-release\cache2\doomed\6409

MD5 bca18701b221e7802db49130f082cf33
SHA1 db416998d96c153392aa38e6c470c83e519c6830
SHA256 573c76f0877362cb9fc998f45ea86b49f022fa9c34f44506378911b170c21e9f
SHA512 c2d8ac27ae2a44637be7dd98713b8ff6e976e694ee0d83764f57def2fa5456bbd35a550df8fa57619290401b1fb9f00706c873bb7cf3467a5772e8eaaa714414

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s2p9ahae.default-release\sessionstore-backups\recovery.jsonlz4

MD5 b3b229552570a24a69d64f30aca39dd7
SHA1 99c6318f33ec50caf7ca6d30fcf4f3795700c3ee
SHA256 354eda7a6fdbc90aa6edbb34e0fa8a3f72b4c08c1025cd381db79aff01d52d75
SHA512 c18546cbe9c65c5fb26f208e45f9173282b49dc02b9e2d18faa7b78e569143fd37cc68899f4030179082798426f8db24172c50e2067ef51c90a757a39ddd2a76

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s2p9ahae.default-release\cache2\entries\0099812D104B05EC6985BDE4E828F5A43432C9F4

MD5 62a932ac170869250aec7056642b871c
SHA1 fe0c0d998bc53ceff19671f7f13552e1132e9a65
SHA256 c623473145ba11bfae916cae9958c1b82b523c5578db38cff09d354c460eed48
SHA512 b1e1c26a42ef8d66b83a63b24ab1f5fa0b2895894af087f74c52160a5a93260d9882b1bb4b323cd485bfcad11c3b41ab5768551d1b93438d84c679b44a6274ba

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s2p9ahae.default-release\sessionstore-backups\recovery.jsonlz4

MD5 f6a12312106f4243ce5bf5e56c84daba
SHA1 0ae3a3dfcaf8d270860304a6a385e8355c416cc7
SHA256 a68d8c18b5160588a0929371db72ac42fde355667e21869313f7a94242cc948b
SHA512 9a69cb2c0badd10177961af90a6b86b6aaea2d3fd6564ec1c91cfe3ba309b0328203fb41016c501a1c207318d3733041b0f1bf6dee2c8ce67eab9ab28c9e3031

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s2p9ahae.default-release\sessionstore-backups\recovery.jsonlz4

MD5 3d5be75cc4837dacdc09f6fb15187f5f
SHA1 0ccea368668d2dffb3e353a69ea2ca8c03c796a2
SHA256 5e53fc3fba8b770dd77abf9eda3906a01362014bb373568f1732ac9ebbf08799
SHA512 65b246263971877936457b5917b0c02e98304f9c928c0536be2c5801d79919d7540d35e12ae703f3b64193da8be2f8e112ba6412264988c5e751aa308d87d686

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s2p9ahae.default-release\cache2\entries\98548360A42A21A9012B7B8CEF232AD237A057C4

MD5 eda751357ef675a4da0eccd6a5a6c582
SHA1 ca8416ff9f72fd76ada50134a5d7c917751a4cce
SHA256 65a736c0b80624ca7de875b313ec1a432cb76b0f40ce8576d99fd6c574a79c6e
SHA512 f5b85c47ca5c98a70a057504517e05ce582c2a79ba70a06490c430195e275989d621ea5526807c2520bbf6a8c4ba770275ec4b1c38fcf7b16e666a3b691115f0

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s2p9ahae.default-release\cache2\entries\5D24F2F336986383C5107E4D8ED17A853922EC53

MD5 5ed9e8932becf12a9543764200b83f1a
SHA1 a5b76751a36a36b3d2966681589599eac7cc70cb
SHA256 c99cec09cc88cf50a58697eb10cdbec99de630f26be0f1f370edbdf3e26377a5
SHA512 be877a820840c1b151f7edc659b590cb974b0b234f3bbeab712dc28560ee474b22483fd5054e1723c74fad3439f3ed0143deed08783fc0701e765df40ab10df7

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s2p9ahae.default-release\cache2\entries\5932A00535DD4D44EFE39BFA0DFA865E5D718649

MD5 5a106e80807c33f8d28086ff48892787
SHA1 0ce69bab08d3dbbdb315bec8473bb17619cad4bd
SHA256 f73e17f9e1a4eb6a34ba65771a8f56af7f44aa302d353f2d51314c0fdba59dc4
SHA512 9d89c924323d9915919d4a5f6c19cb6c6b4b4bbc93eb832050bb9d3405724f5828d4edbc9789b8a71889339572e892380c0f1cd7c941ba6127ecc1ddade7a71d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s2p9ahae.default-release\cache2\doomed\10787

MD5 eed519cbc9de53e5146e98562ac7930c
SHA1 467191a48b39ebc38d5d5b4200e5a08bb1a17664
SHA256 bd3e07061d393a078fa222ad2eb719768d5329f295e883bd7e53eccf4cdaa584
SHA512 fbdbc0f0b47d65a6e6bc14f68d00f92af9618a6becdf5d8a1d26af9469235853c645cdb9f0e06c4c879a8e486c68581237bd105d2b4e575c963d863444dd6e08

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s2p9ahae.default-release\cache2\doomed\24793

MD5 f6867b3006a5b7fb49efa6006ddc5b6f
SHA1 cb864b3ddc62705715783f6e74407cbddee59be4
SHA256 0ae7478ac627404acf172286a0ed7c3d3669bd1bc6dd1aebdc00f9e5fdd144cf
SHA512 a9f2e552bfdb790cd5ea03929d0fa03e60659303dae99a97416c8f8532e079b579fd86cf643fdb1f0b8019ce233724a58413056163ccc5d0802da75376a495c1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s2p9ahae.default-release\sessionstore-backups\recovery.jsonlz4

MD5 f55703414cb8bcbd37b8d0b9d6a78c9a
SHA1 940e55476169254a6e1908d8974bd24a2014c8d0
SHA256 42ccad3aa1ed0e945a4b1db65ca6fe23d5fe30e59f77709c6fbc82f058fb5de0
SHA512 6b27d07fe5be72d6f0c5404a8cf9152c9000c41b24f5d01f96ec5e0ae92606d8245f1111908cdd36fa1aa572bd17b11d697700db5fa6954d4acd09dfb0f8a1c4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s2p9ahae.default-release\sessionstore-backups\recovery.jsonlz4

MD5 e11415f6bfac34cca425f264d4f972eb
SHA1 477872aef972ef74781ef1aae7fde67375783b85
SHA256 c9602c9d5e3b6cc4a9b60296f1e7d9cecc37eb771f53f2fabaae680e4d83181a
SHA512 92b337888f524c407316a1b5790759f3c3ac8de4f59723015a67464d25c189b4d10f1dc1eb0e844f263e53be75f4d83a6c76fdabdd8cd9cfffafba09bbb7085a

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s2p9ahae.default-release\cache2\entries\ED81A02DDECB28FE01F886986A755A82E2F4427C

MD5 dd8da50621bf271dc8f58fc684ca6fe3
SHA1 1087ba1375f146f56f5cfbf69b8951e96d7c5aa6
SHA256 ba49a190182dbcb6faabefbae92e5a4081e4c946fd7dc8c5c7141c7683bfafa5
SHA512 31099ba35d37f50f0343200fed441018ecdc8aa1d2469654fc25e5a2d89984d50ffb27263127d852c49d209ded18a5cb24e2161c8141b7e994e28512bb99920a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s2p9ahae.default-release\sessionstore-backups\recovery.jsonlz4

MD5 78b3d75999c612fe63af46f2284e3779
SHA1 c5d85657e3c4a6f862ed575704f4dee409b8543a
SHA256 34c0e06785aede7d4433749bf2af0c873b756a141f43979c1a28be6e09cc1342
SHA512 e05f44140f311c8adff9f9d07d1257b4852d13e4b490627e562401dedd5225d9f80b7346b89da856d5840f3cd707bf94e7805fc1abecb735d5ec26f9a38edd8e

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s2p9ahae.default-release\cache2\entries\C73D94290C81B1D57B6B97906FB1B2E8D171765A

MD5 02ffc847d6548f557c160ceaf0991269
SHA1 052ab102354e7ba84399018476e06aa18aec14bb
SHA256 2221bb3f1713be1b4bd52d3518a5014a6a48b08286120b006243b90a0a5d3e92
SHA512 9374de73cfb945713328ae85d980f82a9fb48f2f96aebafc9cae41cef27427d4a9c84adc5e5339c0343153fc24aab1f86f8750837d9ee8eb01de7c1b96a6e9c8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 bd9367cddceb5dab169ba293cbe138b8
SHA1 916665c009bb9625027f4cddde3e0dbe2ee29a01
SHA256 07fdc6550ae122423ad732c65845a6411b8aef4f00bb100c2e2a1d0521b26537
SHA512 8a3186ef286e0c4c3fab198803fc4a24b7e6cf9d9cae7c4decb1c0705169a0a43a9876d0c602b55d78e0878b67c15216c6ccae7566f1393570dba5f1c1de352a

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s2p9ahae.default-release\cache2\doomed\4722

MD5 d6a3875f8ee4f7674c5a03212bfe3ea8
SHA1 818d29f40d1cec339a306c1ea531283d288ec3f0
SHA256 6e97f8235b1bc541ebac4133df953872b517d09d824f6751be64fefd42ebe04c
SHA512 79df5b6d40d6e2463324213093590e0899db57fc7493d002fd0f4a791bf1d29b07c090f9b368f993422529fa19be6d8e5e803740d287f10d6085a1e5c218757c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 a979daf7886e2027dfb33bab81ab1a79
SHA1 9e8a6671839bf060aab1083c43528e071fa54ef2
SHA256 1dd2b892145bfe2d13bad650c2cdb64cd9711a99cfd09a1fd4a733ce43540e7e
SHA512 8d32fb51ce15b6480c57a88d98a57fc41c7a19f5ded389685f72c9133660fce94a0d1dc54479e5fb2eacf35ed99d92f1340ffe95a637f53cd251abe746e5f9c3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s2p9ahae.default-release\sessionstore-backups\recovery.jsonlz4

MD5 1b07d1356ed8d2a812db0b918afb2c42
SHA1 065479ad034b0a3d32e01e001c52fc8b9bc2ff9c
SHA256 3204848408901527b4f5c971454d0ebf34530bb4f564f69b40812a60a39feb72
SHA512 84a3a88df1d951193a39cb3255d0a7221a7898c2b9b16f9ecec15a48e1aad015095316e44701bd2fd9201d5680cc3255a30f298a1bf293ae3aec5de9eecdaeae

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s2p9ahae.default-release\cache2\doomed\20778

MD5 6124b0f5d7d0841f19fba8aa38924846
SHA1 084d34dc6732b4ff4d537f380b8c92e1ef9cb449
SHA256 484a643920be0494d175e61f2ff28dbeb20038429250831ec39ea24767b8ec10
SHA512 e607cb3a19f9d791602718758abcef725db42d048254739f06a8fe9e0e7dbeb2b376481cee67f83a7e3db820b81bb8dc3efd60bf302c4d5725cbf0858b0a2e3f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s2p9ahae.default-release\cache2\entries\3AD4F616737571F9F0A2655AB529F348A755D2A5

MD5 611e7cf71bab325c4616068d942f7b25
SHA1 a40b449080e95c25fd997cdf3fce321eb285225e
SHA256 05967a21060866c273de441a8f4cde04b29777084f327af3f2f8cb951d0815e7
SHA512 8cbf7628f82da6eaf82a6a007e43231c189fb524ce36eae4a0423e772dbf55cbb01ed7728d2449faca6b1485c97a0515c092f480fc00b2c76cd5c5b23efa7bee

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s2p9ahae.default-release\cache2\entries\239FF326B02D4534F0F29B999455D8D5A2A3B03A

MD5 e7c7d68eca697479b8820b23f0a42645
SHA1 2f56b3573d4a72f3b050c126d259b1938355da74
SHA256 136e6cbb4d97302b61f4f6aa1301c9d68f73d99aa0f76f319bbfb1b381d1b1b5
SHA512 6cae10e56f5c95d6eefd3ff6542791989858dd0e34c59a24478df2affa2640a2ca14a431c54ff3dc3587a2f4d82cd516345f4fdedfc784dc334d9b65eb86fdab

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s2p9ahae.default-release\cache2\entries\192B5597A9CA9FB8AD40C79050720568C71D7353

MD5 a01a08eb9069d9c461f2d11189d706ff
SHA1 7f3235985319f5460f71c26cae64bcb850f8ae6b
SHA256 b9b9437a36fd3ca6532e076ca6165fccc9141d0ddd93a80fee0257e77729f711
SHA512 5fdea5a2f18a8f746c5ba37913d10ed546286142367cd9d6c1f70bc692e09403648b0707c64f61a58a79f05de59c63dd192e44b60981604f68d1564f5ea8c674

C:\Users\Admin\Downloads\reload-beta.wVSqjYYW.exe.part

MD5 e6e117e1517765ed5892b9abc37bc63c
SHA1 a14d96717d12ede489ebfb9b25089d7d8c1e9ef9
SHA256 6b855108e9a81ba25844578507913ec9fa83b481a43237767ea028b36d435980
SHA512 9c7c07a291b25e9758aa1ce04deb7c7c1cda4734b1434b67e96fec0af911015c84e997aba111a0918d39b3ca1843530438ef0c285479ade0d0fb0c272c1778e7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s2p9ahae.default-release\sessionstore-backups\recovery.jsonlz4

MD5 f61b23fdea968a8623d4ba5ac676b30c
SHA1 303533e0e5c32f068ef9afb3e6ad7743396d288c
SHA256 88f1bbcb3ae1b943e9595de73c25f4bcda83cf9f2aa8a0019ba426aa4f4931ca
SHA512 27073cb38409465433a62f69c673447965f36d9c729b5a43c317f6d9d3a4accb29a48d163c258e4dfd03711666abefbc72ce862476bc59d674c67aa50167570c

C:\Users\Admin\Downloads\reload-beta.exe

MD5 281d200e4d94f020e9945e3812aec967
SHA1 7738475daded508bd105bd296d1f47ae05febe68
SHA256 15973284c2f6be38e8ab31e01d3d0a59d87ff03c98126754a61283265cd769e3
SHA512 600e54b853cbf68f3862728d80f0ff1ad835b6baa6dbe57e2e28e81a90d4026ee56a7b395f322b353dde018369084bc45fb470fd550d231f06b39522c75aa9b0

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-30 17:09

Reported

2024-06-30 17:15

Platform

win11-20240611-en

Max time kernel

298s

Max time network

188s

Command Line

"C:\Users\Admin\AppData\Local\Temp\reload-beta.exe"

Signatures

Stealerium

stealer stealerium

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4648 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe C:\Windows\SysWOW64\cmd.exe
PID 4648 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe C:\Windows\SysWOW64\cmd.exe
PID 4648 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 3440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 840 wrote to memory of 3440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 840 wrote to memory of 3440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 840 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 840 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 840 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 840 wrote to memory of 4800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 840 wrote to memory of 4800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 840 wrote to memory of 4800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4648 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe C:\Windows\SysWOW64\cmd.exe
PID 4648 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe C:\Windows\SysWOW64\cmd.exe
PID 4648 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\reload-beta.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 3688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4684 wrote to memory of 3688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4684 wrote to memory of 3688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4684 wrote to memory of 364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4684 wrote to memory of 364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4684 wrote to memory of 364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\reload-beta.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\reload-beta.exe

"C:\Users\Admin\AppData\Local\Temp\reload-beta.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 152.199.19.74:80 evcs-ocsp.ws.symantec.com tcp
US 104.16.185.241:80 icanhazip.com tcp
FR 51.38.43.18:443 api.gofile.io tcp
FR 31.14.70.252:443 store10.gofile.io tcp
US 104.16.185.241:80 icanhazip.com tcp
US 162.159.138.232:443 discord.com tcp
GB 51.132.193.104:443 tcp
SE 192.229.221.95:80 tcp

Files

memory/4648-0-0x0000000074CFE000-0x0000000074CFF000-memory.dmp

memory/4648-1-0x0000000000600000-0x0000000000792000-memory.dmp

memory/4648-2-0x00000000051E0000-0x0000000005246000-memory.dmp

memory/4648-3-0x0000000074CF0000-0x00000000754A1000-memory.dmp

memory/4648-6-0x0000000005870000-0x0000000005902000-memory.dmp

memory/4648-7-0x0000000005900000-0x0000000005926000-memory.dmp

memory/4648-8-0x0000000005930000-0x0000000005938000-memory.dmp

memory/4648-9-0x0000000006750000-0x000000000675A000-memory.dmp

memory/4648-10-0x0000000006760000-0x0000000006768000-memory.dmp

memory/4648-11-0x0000000006780000-0x000000000679E000-memory.dmp

C:\Users\Admin\AppData\Local\7d5cb00908137b62341e9516db3cd422\Admin@TLAWPKPZ_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/4648-59-0x0000000007320000-0x00000000073B2000-memory.dmp

memory/4648-66-0x0000000007A70000-0x0000000008016000-memory.dmp

C:\Users\Admin\AppData\Local\7d5cb00908137b62341e9516db3cd422\Admin@TLAWPKPZ_en-US\System\Process.txt

MD5 b45c76d851135fadf1034b4f14e7ee81
SHA1 9be5170226c373168dddec0080d66fca542ec14d
SHA256 f90ac9c4c329d15159a539a730927d078373cdd5c7315c064f8879a127cefc0b
SHA512 e769f57be0361bc2e8ee401b42977b1018ece066acf2f2776848cc28888d6824aa04ee71ae0051d5a691b85250d7cc8a43e3e21f13d266692182902a0ec0a83d

C:\Users\Admin\AppData\Local\7d5cb00908137b62341e9516db3cd422\Admin@TLAWPKPZ_en-US\System\Apps.txt

MD5 7820449a1928a58eed955cc7ca45c18d
SHA1 2f3e7745aec5a034c6348a866b2a9bf806ca73bc
SHA256 c9250c496a93e82418ee80dc671caa3d579799934361f0bbea2622719f873e2e
SHA512 f3d0788227aee56c1b9cbba267e216b278822efce2d1ed4db57f66029d1067148031db03ae3c11cd8b8cbd0679a9ae67dfc97856b2c90923493c1a164960f9fa

C:\Users\Admin\AppData\Local\7d5cb00908137b62341e9516db3cd422\Admin@TLAWPKPZ_en-US\System\Apps.txt

MD5 1b0b37658d155b7cc8c3cb3e87e1df17
SHA1 d1c01677976345a68fea1006b867f359bf22f079
SHA256 bd366fc766490ddab8870c39334b29a7dbf671ebe75b6a49603a2be19ccd6b76
SHA512 c5350f23615b76c1a3ee4d97067f489cd15ec3950c1e4260fff8bfad6aad41208c2b67912a424b85d43df7fe459d90af59b02eb0de8970df61bd36045d62f23b

memory/4648-195-0x0000000006A10000-0x0000000006A8A000-memory.dmp

C:\Users\Admin\AppData\Local\7d5cb00908137b62341e9516db3cd422\Admin@TLAWPKPZ_en-US\System\ProductKey.txt

MD5 71eb5479298c7afc6d126fa04d2a9bde
SHA1 a9b3d5505cf9f84bb6c2be2acece53cb40075113
SHA256 f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
SHA512 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

C:\Users\Admin\AppData\Local\7d5cb00908137b62341e9516db3cd422\Admin@TLAWPKPZ_en-US\System\Debug.txt

MD5 43c912a8410e1dcf2c1e7d2f5d3ba725
SHA1 5af52ccd801f620dbb4caf0aaab68c27ffed5849
SHA256 2e6f662d0fa87e1d13444b6e8e61c48cf7140da9db5cab732290da84b0808276
SHA512 b87f984746a93304e5f9f1310181d99a0ce8155be911fce5d8ace059e147124b708fea9886088611b5eda9f1cd76a8426cf9518c8a58a2186a0ca45a0d8a29ae

C:\Users\Admin\AppData\Local\7d5cb00908137b62341e9516db3cd422\Admin@TLAWPKPZ_en-US\Directories\Videos.txt

MD5 1fddbf1169b6c75898b86e7e24bc7c1f
SHA1 d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256 a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA512 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

C:\Users\Admin\AppData\Local\7d5cb00908137b62341e9516db3cd422\Admin@TLAWPKPZ_en-US\Directories\Startup.txt

MD5 68c93da4981d591704cea7b71cebfb97
SHA1 fd0f8d97463cd33892cc828b4ad04e03fc014fa6
SHA256 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
SHA512 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

C:\Users\Admin\AppData\Local\7d5cb00908137b62341e9516db3cd422\Admin@TLAWPKPZ_en-US\Directories\OneDrive.txt

MD5 966247eb3ee749e21597d73c4176bd52
SHA1 1e9e63c2872cef8f015d4b888eb9f81b00a35c79
SHA256 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
SHA512 bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

memory/4648-264-0x0000000006B70000-0x0000000006C22000-memory.dmp

memory/4648-266-0x0000000006D70000-0x0000000006D92000-memory.dmp

memory/4648-267-0x0000000008020000-0x0000000008377000-memory.dmp

C:\Users\Admin\AppData\Local\7d5cb00908137b62341e9516db3cd422\msgid.dat

MD5 7f15d31fe9120fb143f2c7ad8256f81e
SHA1 0432192ea70d9ad0485212f8468e38a182b644ab
SHA256 a3ca678c0f932cea1892f43180b7d100ec4665b1267f8f1d4bd4461dd5d11640
SHA512 249b2b8e58b303ee948f26a37338dc1df7a9c337e58a3fa31a1a8395f3beb5927eee5f98094976d47ff1d6afb38e2dd59c35b697f541a9af722d649c1d4fb35d

memory/4648-279-0x00000000070C0000-0x00000000070CA000-memory.dmp

memory/4648-280-0x0000000074CFE000-0x0000000074CFF000-memory.dmp

memory/4648-281-0x0000000074CF0000-0x00000000754A1000-memory.dmp