Malware Analysis Report

2024-11-15 08:56

Sample ID 240709-czqdxasapp
Target setup.exe
SHA256 ad19679fc29e8a399dbb3d9f80d5cd9284d22140b05ac66e501b2e6c1596e4ee
Tags
amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ad19679fc29e8a399dbb3d9f80d5cd9284d22140b05ac66e501b2e6c1596e4ee

Threat Level: Known bad

The file setup.exe was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d hate discovery evasion spyware stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Reads data files stored by FTP clients

Loads dropped DLL

Checks computer location settings

Checks BIOS information in registry

Executes dropped EXE

Identifies Wine through registry keys

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Checks processor information in registry

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-09 02:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-09 02:31

Reported

2024-07-09 02:34

Platform

win7-20240705-en

Max time kernel

37s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\577f4e566e.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\577f4e566e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\577f4e566e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\577f4e566e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2548 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2548 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2548 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2548 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2752 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\577f4e566e.exe
PID 2752 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\577f4e566e.exe
PID 2752 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\577f4e566e.exe
PID 2752 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\577f4e566e.exe
PID 2752 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 1624 wrote to memory of 1676 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1624 wrote to memory of 1676 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1624 wrote to memory of 1676 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1624 wrote to memory of 1676 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1624 wrote to memory of 1724 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1624 wrote to memory of 1724 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1624 wrote to memory of 1724 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1624 wrote to memory of 1724 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1676 wrote to memory of 1656 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1676 wrote to memory of 1656 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1676 wrote to memory of 1656 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1724 wrote to memory of 1224 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1724 wrote to memory of 1224 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1724 wrote to memory of 1224 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1724 wrote to memory of 1224 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1724 wrote to memory of 1224 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1724 wrote to memory of 1224 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1724 wrote to memory of 1224 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1724 wrote to memory of 1224 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1724 wrote to memory of 1224 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1724 wrote to memory of 1224 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1724 wrote to memory of 1224 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1724 wrote to memory of 1224 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1676 wrote to memory of 956 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1676 wrote to memory of 956 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1676 wrote to memory of 956 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1676 wrote to memory of 956 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1676 wrote to memory of 956 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1676 wrote to memory of 956 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1676 wrote to memory of 956 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1676 wrote to memory of 956 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1676 wrote to memory of 956 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1676 wrote to memory of 956 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1676 wrote to memory of 956 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1676 wrote to memory of 956 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1676 wrote to memory of 956 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1676 wrote to memory of 956 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1676 wrote to memory of 956 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1676 wrote to memory of 956 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1676 wrote to memory of 956 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1676 wrote to memory of 956 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1676 wrote to memory of 956 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1676 wrote to memory of 956 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1676 wrote to memory of 956 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1676 wrote to memory of 956 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1676 wrote to memory of 956 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1676 wrote to memory of 956 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1676 wrote to memory of 956 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1676 wrote to memory of 956 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1676 wrote to memory of 956 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1676 wrote to memory of 956 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1676 wrote to memory of 956 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\577f4e566e.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\577f4e566e.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\c05fb308ff.cmd" "

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef71e9758,0x7fef71e9768,0x7fef71e9778

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1084,i,5753049933259329831,13183628721379893004,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1388 --field-trial-handle=1084,i,5753049933259329831,13183628721379893004,131072 /prefetch:8

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1224.0.1637238868\1377168081" -parentBuildID 20221007134813 -prefsHandle 1236 -prefMapHandle 1228 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4ed066e-7ee2-4aa6-8dbc-3d6cddcc7721} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 1336 46f0b58 gpu

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1084,i,5753049933259329831,13183628721379893004,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2128 --field-trial-handle=1084,i,5753049933259329831,13183628721379893004,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2140 --field-trial-handle=1084,i,5753049933259329831,13183628721379893004,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1224.1.48230423\142371242" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6bb520d-fd8c-40fa-b5d7-95d0359d74f0} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 1512 43ec158 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1224.2.1393878139\1031137540" -childID 1 -isForBrowser -prefsHandle 2148 -prefMapHandle 2144 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef0395f2-544d-4649-993c-1693e7423137} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 2160 1a589858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1224.3.479574502\1296555556" -childID 2 -isForBrowser -prefsHandle 2740 -prefMapHandle 2736 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b95994da-c0c9-4eb4-9b62-0f6b6a7a01d2} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 2764 1d87fa58 tab

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1120 --field-trial-handle=1084,i,5753049933259329831,13183628721379893004,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1332 --field-trial-handle=1084,i,5753049933259329831,13183628721379893004,131072 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1224.4.754519895\1254547528" -childID 3 -isForBrowser -prefsHandle 3908 -prefMapHandle 3604 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6fe968c-3fdb-4846-8f2f-8edc7ae50555} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 3768 1edc9258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1224.5.1618636687\1745301175" -childID 4 -isForBrowser -prefsHandle 4004 -prefMapHandle 4008 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7065109f-82b9-4fa0-b6ac-467c2d1c7307} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 3992 20b6cb58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1224.6.146503710\753812509" -childID 5 -isForBrowser -prefsHandle 4188 -prefMapHandle 4192 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d84fb32-6385-4816-8070-809972b4f9b1} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 4176 20c72f58 tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HDHJEBFBFH.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DAFBGHCAKK.exe"

C:\Users\Admin\AppData\Local\Temp\DAFBGHCAKK.exe

"C:\Users\Admin\AppData\Local\Temp\DAFBGHCAKK.exe"

C:\Users\Admin\AppData\Local\Temp\HDHJEBFBFH.exe

"C:\Users\Admin\AppData\Local\Temp\HDHJEBFBFH.exe"

Network

Country Destination Domain Proto
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 172.217.169.46:443 www.youtube.com tcp
GB 172.217.169.46:443 www.youtube.com tcp
GB 172.217.169.46:443 www.youtube.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 34.117.188.166:443 spocs.getpocket.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 44.238.192.228:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
GB 216.58.201.110:443 youtube-ui.l.google.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
GB 172.217.169.46:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 34.120.5.221:443 prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com udp
GB 142.250.180.4:443 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
N/A 127.0.0.1:49262 tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
N/A 127.0.0.1:49308 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 aus5.mozilla.org udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 35.244.181.201:443 prod.balrog.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r2---sn-aigzrnse.gvt1.com udp
GB 74.125.168.199:443 r2---sn-aigzrnse.gvt1.com tcp
US 8.8.8.8:53 r2.sn-aigzrnse.gvt1.com udp
US 8.8.8.8:53 r2.sn-aigzrnse.gvt1.com udp
GB 74.125.168.199:443 r2.sn-aigzrnse.gvt1.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
GB 172.217.169.35:443 beacons.gcp.gvt2.com tcp
GB 172.217.169.35:443 beacons.gcp.gvt2.com tcp
GB 172.217.169.35:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 beacons4.gvt2.com udp
US 216.239.32.116:443 beacons4.gvt2.com tcp
US 216.239.32.116:443 beacons4.gvt2.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 beacons2.gvt2.com udp
CL 64.233.190.94:443 beacons2.gvt2.com tcp
CL 64.233.190.94:443 beacons2.gvt2.com tcp
CL 64.233.190.94:443 beacons2.gvt2.com udp
GB 172.217.169.35:443 beacons.gcp.gvt2.com udp

Files

memory/2548-0-0x0000000000020000-0x00000000004D6000-memory.dmp

memory/2548-1-0x0000000000020000-0x00000000004D6000-memory.dmp

memory/2548-2-0x0000000000020000-0x00000000004D6000-memory.dmp

memory/2548-4-0x0000000000020000-0x00000000004D6000-memory.dmp

\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 c21e9030716bbf545c1a6aed23780cb9
SHA1 7e870d396ba3c4e05a942f1d5834e8ef0e102ef1
SHA256 ad19679fc29e8a399dbb3d9f80d5cd9284d22140b05ac66e501b2e6c1596e4ee
SHA512 f40f08872ed7add791b3c8f5b5d09e670b131e64eaa837b77ceaa198c4fbd3b1ac843cd7744fd29eebc654c730560a07840ae5dd333d1ffd591d6524a96500bc

memory/2548-14-0x0000000007680000-0x0000000007B36000-memory.dmp

memory/2752-16-0x0000000000220000-0x00000000006D6000-memory.dmp

memory/2548-13-0x0000000000020000-0x00000000004D6000-memory.dmp

memory/2752-17-0x00000000773B0000-0x00000000773B2000-memory.dmp

memory/2752-18-0x0000000000221000-0x000000000024F000-memory.dmp

memory/2752-19-0x0000000000220000-0x00000000006D6000-memory.dmp

memory/2752-21-0x0000000000220000-0x00000000006D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\577f4e566e.exe

MD5 e6a54ac6b35b2def5a7d9b9699388f26
SHA1 5f8a57b2e8902523bbafc50434f3692fe1d92b74
SHA256 25d515f52e58c10727895f1ee1a269998e37d3b4308e6ac6f1419186c30290a9
SHA512 8cdfb2da836614148507585645613432f7dd802ac8c80b89a4b302c9dfbbc9a96decd4a2df6468843ccfebd479968058d7f184e67026cf6b1d8dd474634c87c4

memory/2752-39-0x00000000069C0000-0x00000000075BD000-memory.dmp

memory/2752-38-0x00000000069C0000-0x00000000075BD000-memory.dmp

memory/1268-40-0x0000000000030000-0x0000000000C2D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000008021\c05fb308ff.cmd

MD5 c1b73be75c9a5348a3e36e9ec2993f58
SHA1 84b8badeca9fa527ae6b79f3e5920e9fd0fbd906
SHA256 a75e65563e853c9fb8863bcf7c2103ec23893f31a42b9332042ea3f5f2d40ea0
SHA512 fe6d1df55358ba710c25e0e6b189beca8ce991d65a0fcecefdecacd2b96e0802ea549157c1449d2853f0ab37b8e865ec70e51772d2deefe8238d7581c81bc4a3

\??\pipe\crashpad_1676_QHHIHELANYQVIZMC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

memory/2752-106-0x0000000000220000-0x00000000006D6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\datareporting\glean\db\data.safe.bin

MD5 2dfd6b002bfc35115b3d035c0536710b
SHA1 4215a363cbb47850ffae0bb651f99056be0505c9
SHA256 c4249cfd6f359e239f5a1a2bfc96799a2cb13630e23f4a4471402070d72d5e44
SHA512 50d6d14be34af981515c2304c7f36d31112a7285336e5f75b670f7854b37a61e9054b17d1c31290a1525b038b3dd700810d16ba7deed6707e5aa2bd83cef29cd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\datareporting\glean\pending_pings\f2f756c3-9c78-4f14-9f5e-8faf1d886892

MD5 7dda265cf9b8337441ba06788b3031aa
SHA1 0449f1677916fddd23954c547d0d63e9df0253ed
SHA256 c35eed84eca36e76bc73b25d84168602d7a0dfed1137995b88013f1042340d63
SHA512 40d4287da6a906a0c4ccd8bba148a4e55db98153dcdc1d9d3d3d8d0cbca6973fa09e04c6081f3026d0b5c6837be36f51b5611eb2fd292bc986a95bb7dc28fbc9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\activity-stream.discovery_stream.json.tmp

MD5 8c80751136f0410f02083bc832fc84d8
SHA1 05538ac745d10e7adcae10be9455c5ce032228cc
SHA256 b181383a28c8752101f9d36b34e73817442c32562091f0df018b13c1b972a0dc
SHA512 55e351c8b6b133f191f438e473cb5b3d4333f4cfd5746cd868c2e2d4b91c7bb44a29b1da56484199ce2210c9861e88912d1db17a543b290ad24c7d5d2ddb4004

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\prefs.js

MD5 17ed1248ccf2fd81618e49db6ca2edb4
SHA1 c213da81dc24301fba60aef4938e3d457b0f6c6c
SHA256 4b2d7dc310b8f45f7c679290dd4c5267e368d659c7a21738ba009d57cfe2ec88
SHA512 2a91090aa770c31b9d250e41d5fe616bae2aaa810a9eae1d794b622f903c05b13b8ae874becf658350a1ad57d29a83a2d4d55ccddd4904b7d62ccbb69ac657df

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\activity-stream.discovery_stream.json.tmp

MD5 5d00a580b4022039ee234f0bc6cd0031
SHA1 0fc32c10d1262edd7760dd84b5297acdcf77092f
SHA256 27a0de26cc090563882ed24aff94afc849ddcd97e558b6a0ac0f6daf303d7de1
SHA512 3f4113a77d70569885ad229cdb24f9e9ce7035f76c7121920f8ee79290189a4e4ccdc91af503cae780db3d36140b17fc211522899ff6d14a7d007741171afdb2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\prefs.js

MD5 d3a492cc659de3615951959c61ede1b9
SHA1 9adbc81b805a747390186176c78904f12844ba0e
SHA256 6fb74c5359578e9069942933eba8681f75b228400babe47e15db93e340acf6aa
SHA512 f2cde8303fa458564417e2fe06d71ee8945f39bf31f8a51e6caf90a3d3cce962a1a446436394b37f660420bdab5298ade73cabb805b7c854525ff446de750da4

memory/2752-249-0x0000000000220000-0x00000000006D6000-memory.dmp

memory/2752-263-0x0000000000220000-0x00000000006D6000-memory.dmp

memory/1268-264-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2752-291-0x0000000000220000-0x00000000006D6000-memory.dmp

memory/1268-292-0x0000000000030000-0x0000000000C2D000-memory.dmp

memory/1268-306-0x0000000000030000-0x0000000000C2D000-memory.dmp

memory/2752-310-0x0000000000220000-0x00000000006D6000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\cookies.sqlite-wal

MD5 88f7a1ae8407ebe61a6cafb66d9f7db3
SHA1 ee3704b7a19cb2ae8c7b021f477ebca570851ed9
SHA256 48a2df99f9f2442526ebae9737605970446096ebae18367db31d263d04c2fd97
SHA512 baf2a1edb5101e94b51331d819ed51d893503ad5b4f9db5d3b8bc6bc21b5f979a8868ae9f8aebf609997ed76315fe3b9f5f7d160d4b84793c2c1e30524065727

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\places.sqlite-wal

MD5 5b51ab9c5efc3948f73190765d8c5141
SHA1 3cb47706013dc80f4395c1e78c17214d6e64f712
SHA256 d7697e7ce1ba66aa5004676a72ad56ff2dff44a6281feea29b83364ac0754613
SHA512 f87252efe7e5e239a3cef783b1e6ebf1ca7ae49ac955bdbeb0fd8fe58bccb4ba44459fa03e51658249dddb43d8b82eb2243b16d39fcd5fc8f2b3be43cd2f49ef

C:\ProgramData\ECAKECAEGDHIECBGHIII

MD5 dc181d9507245748eb6e3b6282aaf401
SHA1 5a944db12fc583c35c9d6f2e3146abc9ea561b97
SHA256 388872c5e3b12ecb8ce59f0ce9ca45900e9f1bde4e44ee645dfa00295e11076a
SHA512 dad653e43298997eafcab41803eae22ae29da6b318c6ff362625eccea8b4f17ccaac9b157374e790b022f1ae2ce8a4714257da54113848ac23d92557a46f55c0

memory/1268-352-0x0000000000030000-0x0000000000C2D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\sessionstore-backups\recovery.jsonlz4

MD5 dfa5f0e49b9b4d79c973fd7dbe682337
SHA1 978968fdcd8132f1bdc2600f6a117b3ac7403b91
SHA256 ba0363c3c9dfab346c2c541415d8c83f1678ef1d42df8ea0c8c567e0ff495773
SHA512 c865e57ab697cb8ff162af74b4bfb711449885cf678c89845f097cad818f71e2489476759a38da699c99ee5cf1bfdb68509f8eb33150d9eaacb0a2b6a04d3793

memory/2752-358-0x0000000000220000-0x00000000006D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\prefs-1.js

MD5 f1be8587e998a9c77223f5b206598ba8
SHA1 5eaeade1748f464645ea6994035e3afd9a9f9b4d
SHA256 ecb6562b25ecc329bcfad80dd381a7eecd72d7f7ab984325a4c331e74bb8b446
SHA512 3fa68597f9e66809096e9c0dc551086f471c8d790ebdfafa1418f28a3330a9f7898c9adc4c9df741ef08ca1748d5eca98972ef48ef77781a4fd1a0ef7a17e178

memory/1268-401-0x0000000000030000-0x0000000000C2D000-memory.dmp

memory/2140-411-0x00000000001F0000-0x00000000006A6000-memory.dmp

memory/3840-409-0x0000000002000000-0x00000000024B6000-memory.dmp

memory/1852-406-0x0000000000980000-0x0000000000E36000-memory.dmp

memory/3872-404-0x0000000002190000-0x0000000002646000-memory.dmp

memory/1852-414-0x0000000000980000-0x0000000000E36000-memory.dmp

memory/2140-412-0x00000000001F0000-0x00000000006A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

memory/2752-451-0x0000000000220000-0x00000000006D6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\prefs-1.js

MD5 38cb0186ed124e8dd9f09b21164262de
SHA1 ee095cb7d89418a94646fcf66c7bbf4f2097038b
SHA256 18f6b3fc3f4528a43eac9ce18f189105aa3489b81804a69bad6a20c865339e24
SHA512 b699a51f70f43c53e4864959044da64db8ed93f196338739caaa25a2cff7f4ef891c036b7580f754582e4f3ec41971cbb98515dab8d96619fc34d5a4a1da0dbd

memory/3872-467-0x0000000002190000-0x0000000002646000-memory.dmp

memory/3840-468-0x0000000002000000-0x00000000024B6000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 74eafab8f8ddeb4c9a3b9f7a849e9cdb
SHA1 1561335cfdafec7552bfcb3ea8ebe348ae7cb8f3
SHA256 98a91f3bc89d572a47e70ef2673924d24fe70a4bb03ba353744b384d399c028c
SHA512 5db79ba769329a51671ee64e26413b281c76bcac3b9d262717d3d5a814741d87665f3b979600b2da73cba295d2bcc79090a9d46c061944c84a36e172f7b6dfd8

memory/2752-476-0x0000000000220000-0x00000000006D6000-memory.dmp

memory/2752-477-0x0000000000220000-0x00000000006D6000-memory.dmp

memory/2752-486-0x0000000000220000-0x00000000006D6000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 565a4bd482c67e1ff899dfde8de8b87d
SHA1 38189b357b0e690baeba4476842d65bdfd174fee
SHA256 b07d17764b42b6cfe495925a281403ea0db0825d9c2d015f598bc1281d768106
SHA512 c4c93ff93bdc8adecc072a4d3b0ba5d8a25589f9256147d8891b715e86d46efcd63b52c814541c604fc5de29118cc351e3b56e90d0d73d17d9ecc1de0f8f4cb4

memory/2752-502-0x0000000000220000-0x00000000006D6000-memory.dmp

memory/2752-503-0x0000000000220000-0x00000000006D6000-memory.dmp

memory/2752-504-0x0000000000220000-0x00000000006D6000-memory.dmp

memory/2752-505-0x0000000000220000-0x00000000006D6000-memory.dmp

memory/2752-506-0x0000000000220000-0x00000000006D6000-memory.dmp

memory/2752-507-0x0000000000220000-0x00000000006D6000-memory.dmp

memory/2752-513-0x0000000000220000-0x00000000006D6000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 6e59c9938c1c825435ce16f599d302cd
SHA1 65e44f1386b02c078cd02f9987e7b6b6cc4d4533
SHA256 0731d08a53f05740ed1edde4c6ff5df873590738153262c7764eb6c8c71f239b
SHA512 b91e7e2800cb8774512998e877346259e3df618c75e3d59d3fcfcb2d51a5657cea6a2d8be041c85c6bf78b70100c48ec0571badeedcbc07e81292b8ecd70de8c

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-09 02:31

Reported

2024-07-09 02:34

Platform

win10v2004-20240708-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\DHDAFBFCFH.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\DHDAFBFCFH.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\DHDAFBFCFH.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000006001\fd6482ab86.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\DHDAFBFCFH.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\fd6482ab86.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\fd6482ab86.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fd6482ab86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fd6482ab86.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fd6482ab86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fd6482ab86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DHDAFBFCFH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DHDAFBFCFH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fd6482ab86.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4496 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4496 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4496 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1708 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\fd6482ab86.exe
PID 1708 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\fd6482ab86.exe
PID 1708 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\fd6482ab86.exe
PID 1708 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 1708 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 1708 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 1908 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1748 wrote to memory of 1908 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1748 wrote to memory of 32 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1748 wrote to memory of 32 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1748 wrote to memory of 3288 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1748 wrote to memory of 3288 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1908 wrote to memory of 3292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1908 wrote to memory of 3292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 32 wrote to memory of 2920 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 32 wrote to memory of 2920 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3288 wrote to memory of 1700 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3288 wrote to memory of 1700 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3288 wrote to memory of 1700 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3288 wrote to memory of 1700 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3288 wrote to memory of 1700 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3288 wrote to memory of 1700 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3288 wrote to memory of 1700 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3288 wrote to memory of 1700 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3288 wrote to memory of 1700 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3288 wrote to memory of 1700 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3288 wrote to memory of 1700 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1700 wrote to memory of 4036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\fd6482ab86.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\fd6482ab86.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\ffc72350fb.cmd" "

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x108,0x10c,0x110,0x80,0x114,0x7ff8dd62ab58,0x7ff8dd62ab68,0x7ff8dd62ab78

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x110,0x114,0x118,0xec,0x11c,0x7ff8dd4d46f8,0x7ff8dd4d4708,0x7ff8dd4d4718

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1700.0.1259180117\2144374189" -parentBuildID 20230214051806 -prefsHandle 1732 -prefMapHandle 1724 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b77247a-6643-414a-bd98-054f895cc8bc} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 1832 1bb5fd0e658 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1700.1.2092191323\1922469647" -parentBuildID 20230214051806 -prefsHandle 2464 -prefMapHandle 2460 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ea04f9e-f377-48bb-96c3-0711c2be0887} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 2476 1bb53187558 socket

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,5491268165573491726,620034041022145514,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,5491268165573491726,620034041022145514,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,5491268165573491726,620034041022145514,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=2316,i,12379192050963984020,8323126225299410000,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1952 --field-trial-handle=2316,i,12379192050963984020,8323126225299410000,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1820 --field-trial-handle=2316,i,12379192050963984020,8323126225299410000,131072 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5491268165573491726,620034041022145514,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5491268165573491726,620034041022145514,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1700.2.1515435875\1980912875" -childID 1 -isForBrowser -prefsHandle 3244 -prefMapHandle 3240 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac02fe4a-8323-492e-94c0-501d88b50ef0} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 3256 1bb62648558 tab

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=2316,i,12379192050963984020,8323126225299410000,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=2316,i,12379192050963984020,8323126225299410000,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1700.3.1695423771\62141772" -childID 2 -isForBrowser -prefsHandle 2900 -prefMapHandle 2908 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59bb9e51-a099-467c-82bb-dee66272e883} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 3832 1bb64c2f158 tab

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5491268165573491726,620034041022145514,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4064 --field-trial-handle=2316,i,12379192050963984020,8323126225299410000,131072 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1700.4.1382311650\2001281612" -childID 3 -isForBrowser -prefsHandle 4808 -prefMapHandle 4828 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91628e04-9818-46e3-8f4b-019946559545} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 4820 1bb66af3d58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1700.5.268516969\417187054" -childID 4 -isForBrowser -prefsHandle 5368 -prefMapHandle 5372 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1afcfa08-eb5a-4be8-8901-cded07d4eead} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 5360 1bb66af4c58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1700.6.1147595722\115787467" -childID 5 -isForBrowser -prefsHandle 5644 -prefMapHandle 5640 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3070300-2d32-41da-a0ef-e18d4126f071} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 5652 1bb66af2e58 tab

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DHDAFBFCFH.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JJJJDAAECG.exe"

C:\Users\Admin\AppData\Local\Temp\DHDAFBFCFH.exe

"C:\Users\Admin\AppData\Local\Temp\DHDAFBFCFH.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,5491268165573491726,620034041022145514,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1384 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4476 --field-trial-handle=2316,i,12379192050963984020,8323126225299410000,131072 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.187.238:443 www.youtube.com tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
GB 142.250.187.238:443 www.youtube.com tcp
US 34.117.188.166:443 spocs.getpocket.com udp
US 52.33.222.107:443 shavar.services.mozilla.com tcp
US 34.117.188.166:443 spocs.getpocket.com udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 142.250.179.238:443 www.youtube.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.107.243.93:443 push.services.mozilla.com tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
GB 216.58.201.110:443 consent.youtube.com tcp
US 34.107.243.93:443 push.services.mozilla.com tcp
GB 142.250.179.238:443 www.youtube.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
GB 216.58.201.110:443 consent.youtube.com tcp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
GB 216.58.201.110:443 consent.youtube.com tcp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 34.120.5.221:443 prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 234.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 107.222.33.52.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 221.5.120.34.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
N/A 224.0.0.251:5353 udp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
GB 142.250.200.46:443 play.google.com tcp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r2---sn-aigzrnse.gvt1.com udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
GB 74.125.168.199:443 r2---sn-aigzrnse.gvt1.com tcp
US 8.8.8.8:53 r2.sn-aigzrnse.gvt1.com udp
US 8.8.8.8:53 r2.sn-aigzrnse.gvt1.com udp
GB 74.125.168.199:443 r2.sn-aigzrnse.gvt1.com udp
US 8.8.8.8:53 199.168.125.74.in-addr.arpa udp
N/A 127.0.0.1:54340 tcp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 53.121.117.34.in-addr.arpa udp
N/A 127.0.0.1:54360 tcp
US 8.8.8.8:53 udp
US 199.232.214.172:80 tcp
US 199.232.214.172:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
GB 172.217.169.35:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 35.169.217.172.in-addr.arpa udp

Files

memory/4496-0-0x0000000000F10000-0x00000000013C6000-memory.dmp

memory/4496-1-0x00007FF8EC290000-0x00007FF8EC485000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 c21e9030716bbf545c1a6aed23780cb9
SHA1 7e870d396ba3c4e05a942f1d5834e8ef0e102ef1
SHA256 ad19679fc29e8a399dbb3d9f80d5cd9284d22140b05ac66e501b2e6c1596e4ee
SHA512 f40f08872ed7add791b3c8f5b5d09e670b131e64eaa837b77ceaa198c4fbd3b1ac843cd7744fd29eebc654c730560a07840ae5dd333d1ffd591d6524a96500bc

memory/4496-12-0x0000000000F10000-0x00000000013C6000-memory.dmp

memory/1708-14-0x0000000000DE0000-0x0000000001296000-memory.dmp

memory/4496-15-0x00007FF8EC290000-0x00007FF8EC485000-memory.dmp

memory/1708-16-0x00007FF8EC290000-0x00007FF8EC485000-memory.dmp

memory/1708-17-0x00007FF8EC290000-0x00007FF8EC485000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\fd6482ab86.exe

MD5 e6a54ac6b35b2def5a7d9b9699388f26
SHA1 5f8a57b2e8902523bbafc50434f3692fe1d92b74
SHA256 25d515f52e58c10727895f1ee1a269998e37d3b4308e6ac6f1419186c30290a9
SHA512 8cdfb2da836614148507585645613432f7dd802ac8c80b89a4b302c9dfbbc9a96decd4a2df6468843ccfebd479968058d7f184e67026cf6b1d8dd474634c87c4

memory/3924-33-0x00000000002E0000-0x0000000000EDD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000008021\ffc72350fb.cmd

MD5 c1b73be75c9a5348a3e36e9ec2993f58
SHA1 84b8badeca9fa527ae6b79f3e5920e9fd0fbd906
SHA256 a75e65563e853c9fb8863bcf7c2103ec23893f31a42b9332042ea3f5f2d40ea0
SHA512 fe6d1df55358ba710c25e0e6b189beca8ce991d65a0fcecefdecacd2b96e0802ea549157c1449d2853f0ab37b8e865ec70e51772d2deefe8238d7581c81bc4a3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6ae84fc1e66cbbb7e9d28b0e12d64550
SHA1 100430bb653c896c11b94ac0bf2297a389ea5ad8
SHA256 856a9c0ac8c29f738a3501b6bd007fd8cbbac211e461b91f4caff52dd41da75c
SHA512 7fe7a8639d96118b843e67a6a6d397271b181dc6b049e6f7de77bee9c9214690b1b7f73164f7e463e117406dc978334ea02397fd639140598f60f89c6aaddbe8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 97f8be9c465b0ed67c2415868506c354
SHA1 cdb221d6debcf55615d3b5f30796e32065046dd9
SHA256 b606a1ee10b65eb9077e7d2f3b34a0d7a1ed6a4802a169fe55449c975332ee02
SHA512 a0fe0ed30624658127316873137f4fc488a5916005e5e3f1f55b7d6442b54010c08d7037b94d0cf3c3316b1bb4acf91bad9e64ee6d15302e3cdd62bb18730542

\??\pipe\LOCAL\crashpad_32_SYNLXNMVQQDZAKJV

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 592714a74befcfda15b5fc499c6bb21c
SHA1 7d77b3c7f0d07d7d6044cbaf438d595315b40143
SHA256 d9a57da02eb36f40916e4853dc4d0fda3bfbc891b33cc0f57f27757cebed2146
SHA512 e6a7e2c666970e9eb6dcdf1ee1c7901e40dec9443b8a1b172cb2f52d2cb7454aa59609c6b47632ece1dea7f708367c8a25918617fc1bfcbf7f39e82b24c311c3

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lfb0fknb.default-release\activity-stream.discovery_stream.json.tmp

MD5 a3a2a19f594bae43366339fbdfb626e3
SHA1 5dcb20dfdce44a6dd415560857d7268fd07f73c1
SHA256 d9b97ca7c2134457f545cb9bb9365831f8581483cb36d4f3de7d94e5a674a165
SHA512 d603a74d47640ffc55f95a41b2427a1a751e8921e7629453d2b677d7cd26fde9e56d9c3078894bb6f86d91c1b411c451578bbe891768853f0f5f992fc64ba257

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lfb0fknb.default-release\prefs.js

MD5 befda0487935dee5693403bd09085beb
SHA1 c9b8398797bebc9293f7a0a2d4050c303283cae0
SHA256 796d69f33a7d5a9bd9c7d1d4391aadcb908c1990577d236b9d1384acff67834b
SHA512 a4719508f8e8e503966471a67068d5c0f2a1b0be65dbb62855746de4e9c379f92776babb07e36dbd232b202d8d9d228035ccfb6339901f6334a2fadfd83763bf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/3924-173-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lfb0fknb.default-release\prefs-1.js

MD5 594b4df315c3a1e26f366168b695a542
SHA1 46948611123c6e0fb0f13a464bc1cd85d6b07163
SHA256 70326d3c8b3c57f9c6b70a73fed6a2073f3e5ec8646ad68f06e91f11c642791d
SHA512 5d51264bcf58168207d3cce0ed9df88f30ad0674615e86a3089d7dc69a5530a00f4bbddb50803034a967a5ce1b4831ea7b1afc5bae427f4c00785b2a009527c3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

MD5 51c3c3d00a4a5a9d730c04c615f2639b
SHA1 3b92cce727fc1fb03e982eb611935218c821948f
SHA256 cb1e96afd2fec2b2b445be2f46c6b90db19c2ed2f0278f57f7490a299e88c19f
SHA512 7af8ec3160e4dbae2c3359146c0a82c32a02697d332138c391e4295d00f49ed1070857a0afe16222c5cea1cafffc4d26df525543f187be43a59967df1e919542

memory/1708-237-0x0000000000DE0000-0x0000000001296000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

MD5 1c0c8433626cac08202f23a1dae54325
SHA1 3a5700eeeacd9f9d6b17c2707f75f29308658cd3
SHA256 7aad4c7a174a145a4f9f11506145b521631ee2cb1ca2f7617b900ba515b31cd3
SHA512 da693d1d63c9971cb80792063f0e8d3335edb67ee1dcde4040d0dc8f44398f99d9f683eaab8cf44ebf5cdb78eae6672d43fd9ed9b45a526a80a311d8c77bcc8c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

MD5 103d7813f0ccc7445b4b9a4b34fc74bf
SHA1 ed862e8ebd885acde6115c340e59e50e74e3633b
SHA256 0ccaf58bb2aa430724873fa21515e5f3fbd875390288aade3823ec16962bc27b
SHA512 0723baca97705968a068676f74ac01bd492dac94a4fba391de578b6357b79c4aca5412f564dc0ea7ae5b6145256c7f8f22e8a4823f41e2baf50d201ec073be1f

memory/3044-268-0x0000000000DE0000-0x0000000001296000-memory.dmp

memory/3044-274-0x0000000000DE0000-0x0000000001296000-memory.dmp

memory/3924-281-0x00000000002E0000-0x0000000000EDD000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 e2405995138ee4c1b0b98cadf9d5f00f
SHA1 31a6d2ee738e7cc80e5d71013385fc0f1782b3cc
SHA256 130edf229bec7154d8f87dbfc6531770dc8860431670bf2b471e892ce2f14f53
SHA512 16e3aece21d889e4829f9eb568dc025ffae29a60a3d65f56c0e974652c9dfadb5c0f775edf858d71216332e975063ebd0aeb1454adc303b49b620e875240a965

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 02db61ddd033c9763af22941d528f839
SHA1 83be9a209433e3c8abc54a69a51589a6f2192d9c
SHA256 4aff7431205672447298503290d41b32af326b9e7e7f14cb9e66ca37d74bf05b
SHA512 96259029d1141a3f5b015fd3b88cd750f24634c560d49b1bdaa795c93d4ebaa470bec841cad2fdec6102830cdcfde5bd061063e3d4cb2461a59c6b567ec751db

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 b0ce245e35d9a7184ab8735b4214242f
SHA1 bced0768a37a59ee14f4ee05a00980e35bfd9f85
SHA256 250843de39e0afaa82c9188e02b190e051237270818be075a7089415d294443d
SHA512 06810762ed5380883e40254b8d0368d40c562b1fb79a443af74247fc568109148219da7e1740217e783c3e0b98fdf1b9dda7881c0dfcad4e28a21f5904a421a7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 cdbd2ce66b0010418cbcf33bc54f952a
SHA1 26eb727a27528d3b3ae6f24ab9d7383d1b2111de
SHA256 1f93db19d62872d8c94ed7f212a86c40c3c84bd33dd0e2f9e5de1b319f9c8b04
SHA512 3900cc43048ca648d1d4da3a833eac5ace451f79565c774177ecf856282056dfe9da01d922ae262f4e50775141a20bd2aa2b872beffdd68ef5bbce86ebbd0c90

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 371305e9dfd043b60f6c731edb6bcb3f
SHA1 3df9e199404efb4b8c5a0517c31869d2a71a918c
SHA256 2af0fe4c0de2c82ddb0984eb6e46236d3dec989e4e7b016226389afa59eca634
SHA512 668d0e7cb440d8183d244c860fe2a115c3ea3f4e9ff44e42b4b84f3ef53fd3352c365bc9cc47a579c47bebddf90e418ec509c46826be11cb7a2429bdd6c0a51f

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lfb0fknb.default-release\cookies.sqlite-wal

MD5 c181d5f520c0e3113684cbac3658f403
SHA1 f317d2831d3da46a0db5889b8437c5f88dd016c7
SHA256 85895002ab05874d2c53a2d166d7532f36ec11e2fb67bd85d0be27d4e00af3ca
SHA512 947f25e9a347763375d5bf2c1bf5b185b260289001498295e17062bbeabecedb1684b5aa8e7f59ae117016fec4cb816543f1caca51750dc9fe0cefb5020deb1e

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lfb0fknb.default-release\places.sqlite-wal

MD5 ebdf260c370a862844bd44bf29469b46
SHA1 c2cf8d77977596f81551769723d3d747d924149d
SHA256 bcdb90c0f11b3238c903f175130666c38da7e6ec7b6f748c5f4e4a73357a2f53
SHA512 fd2bcff8a02cbec7c6d856cf9496268f2815bd9c28dc6bd01e68be166c05d2fb8d9cfb2a2246e33d0c8b77198b4c1fc54ee34c0bc520c66c80f43768a9a639eb

memory/1708-341-0x0000000000DE0000-0x0000000001296000-memory.dmp

memory/1708-342-0x0000000000DE0000-0x0000000001296000-memory.dmp

memory/1708-349-0x00007FF8EC290000-0x00007FF8EC485000-memory.dmp

memory/3924-355-0x00000000002E0000-0x0000000000EDD000-memory.dmp

memory/3348-359-0x0000000000380000-0x0000000000836000-memory.dmp

memory/3348-360-0x0000000000380000-0x0000000000836000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lfb0fknb.default-release\sessionstore-backups\recovery.jsonlz4

MD5 882d1e073769927691e208ef1de2c838
SHA1 62afa69b4fa275fae1c176f4b8abd53bee1e1b32
SHA256 27c84f9a2539ff62593aa600f0512226ae8f94d520d0d48f137ee8879f2b1b01
SHA512 0a65ddeef591f4d58fff13c6f9ba32ce8dcc1df4aaa4200082c7138cdd35701666cfa91bf0f41894d6bff26f134334565236a1672f9ca122dee4b54becc42dc9

memory/1708-367-0x0000000000DE0000-0x0000000001296000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 05718907dcd314892ed1ffd516aa092b
SHA1 b5c9e641502119e885d51c85cd31b8084f945545
SHA256 0cc07cda380441ff67cc217ae17fa4067ecc7bc4b22c71df308856700ab64dd0
SHA512 383522fdf34f223a394428691bc7df1d80591faa03496cbfeac77809adbe14160ed3db965116303033ef0777a510444c23c5f97825fce78ec0ee31d437225478

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 047b95fdd83fc8165793f098b78e51b9
SHA1 1e02b609292d80d909e2a6c8ed735cf7a114a6ab
SHA256 f12d6c46d161aa9885c508467815c4ab4ea6b825a62bda83b34268c70a664ef9
SHA512 0a047b5bb0cfb1b56c4cb5e8820067e3a87859c9e629e3fddd372a3eb2eb94904edd7595121a887411cbf7e02c93b981f85f6726ea1ecbaab91f19cd50fdce77

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lfb0fknb.default-release\prefs-1.js

MD5 954ecfba7d8799a1ddad13767aa3d2a9
SHA1 c74bddde48011f5ca876d7b0df2a048783edb720
SHA256 7a517284e76dbf202568eed14d3d77242450eaa4cd3475a2d7a1b501fb5b6b73
SHA512 7d2844c5af0fe13f16e6126038efd3f91c5201cc3eddeffad975faee799bd6a037a42d77159cd81b74f175baf664f1b26272b3f6c7e5c2d6fb89e472947f2de3

memory/1708-393-0x0000000000DE0000-0x0000000001296000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lfb0fknb.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 9d8a901780f06751c470a0641f847528
SHA1 1d6dd2600b5c251056d830b278662656aebfbd93
SHA256 36a68cc9cdf0e06ae720edae942289020abe7b6c70f120fa3a78acc8fb78d6bc
SHA512 d2afebf144b3ff84619aab01a81567e26d0bf50cc8fc31962675ff9f4b6e732ae13c6691736d04b6f2bb066a225fe8034b5f177bd1416f72c24a124071b789d6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lfb0fknb.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lfb0fknb.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lfb0fknb.default-release\prefs-1.js

MD5 ddf03a921d5cb892c8392ea41042c3c7
SHA1 b9efa9e4b8edeaae82db292f4542b556bb10a36a
SHA256 38ed4a975dbe9b48166cb5d57216c60fac80bfcee40b1401e574c31fcc0b406c
SHA512 abbb6de5c99b6462470c1a83a2fc3a189e64e3c0572fc06b065d54cfdd8761f96edcc54ce320eccf87c3894af33fc786bd955f584f28c82f78164344bc286d00

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lfb0fknb.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lfb0fknb.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lfb0fknb.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lfb0fknb.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lfb0fknb.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

memory/1708-806-0x0000000000DE0000-0x0000000001296000-memory.dmp

memory/1708-2245-0x0000000000DE0000-0x0000000001296000-memory.dmp

memory/1708-2382-0x0000000000DE0000-0x0000000001296000-memory.dmp

memory/4188-2387-0x0000000000DE0000-0x0000000001296000-memory.dmp

memory/4188-2389-0x0000000000DE0000-0x0000000001296000-memory.dmp

memory/1708-2409-0x0000000000DE0000-0x0000000001296000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 3b606bffbeb01972329a29a0f294fd45
SHA1 a21f96c55e40d8ce9ecea5d0a6802f65ea82867b
SHA256 2464a068f26f7cd63ffade4118ea34d71674ed677668dabada8295be89f2669a
SHA512 2a698f164006933f9d77c99bc97c563134e6a511659b36e4b1e1999b5a66e37f8dd6db0df25876f593282395b63ce64f66227036186b18264813956d1bc15fc5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 267f6a2eb7e61f55dc3828f864cb6bca
SHA1 68efc6a28de0739fa5094a1261c6f8de525d2b14
SHA256 862d833b4616703950f3307ef68368a4e8d445f9ddaf861b84938daeb8897761
SHA512 2c3aef62333b8a299d589bb461e652e715b7ae04c03e341fbc6510b12a949b1551a5063afb17ceeb9073d742e84e71d78fc0a2182afcfc6299138e1f29e8d493

memory/1708-2420-0x0000000000DE0000-0x0000000001296000-memory.dmp

memory/1708-2421-0x0000000000DE0000-0x0000000001296000-memory.dmp

memory/1708-2422-0x0000000000DE0000-0x0000000001296000-memory.dmp

memory/1708-2423-0x0000000000DE0000-0x0000000001296000-memory.dmp

memory/1708-2436-0x0000000000DE0000-0x0000000001296000-memory.dmp

memory/4416-2438-0x0000000000DE0000-0x0000000001296000-memory.dmp

memory/4416-2439-0x0000000000DE0000-0x0000000001296000-memory.dmp

memory/1708-2440-0x0000000000DE0000-0x0000000001296000-memory.dmp