Malware Analysis Report

2024-10-18 23:42

Sample ID 240812-2rpj3sveqm
Target 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1
SHA256 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1
Tags
amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1

Threat Level: Known bad

The file 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Checks computer location settings

Checks BIOS information in registry

Identifies Wine through registry keys

Executes dropped EXE

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

AutoIT Executable

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Browser Information Discovery

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Checks processor information in registry

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-12 22:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 22:49

Reported

2024-08-12 22:51

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A (3 identical events)

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A (3 identical events)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4b740206d4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\4b740206d4.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A (3 identical rows)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 544 set thread context of 3540 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\4b740206d4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1948 set thread context of 5080 N/A C:\Users\Admin\1000037002\004c0c619f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\4b740206d4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\004c0c619f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\cc9647d99c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (5 identical events)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (7 identical events)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (21 identical events)
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (36 identical events)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (7 identical events)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (20 identical events)
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (37 identical events)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3144 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (3 identical events)
PID 2116 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\4b740206d4.exe (3 identical events)
PID 544 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\4b740206d4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (10 identical events)
PID 2116 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\004c0c619f.exe (3 identical events)
PID 1948 wrote to memory of 1516 N/A C:\Users\Admin\1000037002\004c0c619f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (3 identical events)
PID 1948 wrote to memory of 5080 N/A C:\Users\Admin\1000037002\004c0c619f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (9 identical events)
PID 2116 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\cc9647d99c.exe (3 identical events)
PID 3540 wrote to memory of 2572 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe (2 identical events)
PID 2572 wrote to memory of 2328 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (11 identical events)
PID 2328 wrote to memory of 3612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (17 identical events)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe

"C:\Users\Admin\AppData\Local\Temp\74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\4b740206d4.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\4b740206d4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\004c0c619f.exe

"C:\Users\Admin\1000037002\004c0c619f.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\cc9647d99c.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\cc9647d99c.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1928 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cf2a4bd-0993-4bee-ba63-dd33dbe21876} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2452 -prefMapHandle 2448 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1dbfe358-012a-48a1-b412-0bd7b28b9a6e} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3272 -childID 1 -isForBrowser -prefsHandle 3292 -prefMapHandle 3288 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96981efc-b796-4d07-b94b-1d735d6788df} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3992 -childID 2 -isForBrowser -prefsHandle 3032 -prefMapHandle 4000 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38ab5151-0863-4a66-9b8d-13db076bb969} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4232 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4440 -prefMapHandle 4436 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3bba19ab-3bf8-4aee-829d-9f872bf97a8a} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5516 -childID 3 -isForBrowser -prefsHandle 5592 -prefMapHandle 5556 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f60d6379-e6ac-4d58-8b42-3c60db15f0a0} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5716 -childID 4 -isForBrowser -prefsHandle 5724 -prefMapHandle 5728 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {646d114e-e2a2-41a3-912d-c639b9ed93c4} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6004 -childID 5 -isForBrowser -prefsHandle 5924 -prefMapHandle 5928 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c38d377-62ad-44e8-9b46-c7308db4fd91} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6600 -childID 6 -isForBrowser -prefsHandle 6608 -prefMapHandle 6516 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72f2e460-92eb-4541-b45e-5c6fe0a1d4a1} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:55267 tcp
N/A 127.0.0.1:55274 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 200.110.239.44.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
NL 142.250.179.174:443 www3.l.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 174.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 196.179.250.142.in-addr.arpa udp
NL 142.250.179.196:443 www.google.com udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
NL 142.250.179.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r3---sn-4g5edn6k.gvt1.com udp
DE 74.125.111.136:443 r3---sn-4g5edn6k.gvt1.com tcp
US 8.8.8.8:53 r3.sn-4g5edn6k.gvt1.com udp
US 8.8.8.8:53 r3.sn-4g5edn6k.gvt1.com udp
US 8.8.8.8:53 136.111.125.74.in-addr.arpa udp
DE 74.125.111.136:443 r3.sn-4g5edn6k.gvt1.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
NL 216.58.214.14:443 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
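
The Network table mixes three kinds of traffic: DNS and reverse (in-addr.arpa) lookups to 8.8.8.8; the sandbox image's own Firefox activity (Mozilla telemetry and remote-settings hosts, Google, Bing, and the OpenH264 plugin fetch through ciscobinary.openh264.org and Akamai, which matches the gmpopenh264.dll written under the Firefox profile in Files); and the sample's own connections to 185.215.113.19, 185.215.113.16 and 185.215.113.100 on tcp/80, where the Domain column simply repeats the IP because no name was resolved first. The script below is an added example, not part of this report or of the sandbox's tooling: it parses rows in the report's layout and separates the direct-to-IP flows from the noise. The suffix allowlist is an assumption for this particular sandbox image; the sample rows are copied from the table above.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: a dozen rows copied from the Network table, in the
# report's own "Country Destination Domain Proto" layout.
SAMPLE_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 g.bing.com udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:55267 tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
"""

# Assumption: traffic to these zones is generated by the sandbox image's Firefox
# (telemetry, remote settings, plugin downloads), not by the sample.
BENIGN_SUFFIXES = (
    ".mozilla.net", ".mozilla.com", ".mozgcp.net", ".mozaws.net",
    ".getpocket.com", ".google.com", ".youtube.com", ".gvt1.com",
    ".bing.com", ".bing.net", ".akamai.net", ".openh264.org",
)

# The Domain column is absent on loopback rows, so it is optional here.
ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+"
    r"(?:(?P<host>\S+)\s+)?(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Parse report rows into dicts; unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            row["host"] = row["host"] or ""
            rows.append(row)
    return rows


def classify(row):
    ip = ipaddress.ip_address(row["ip"])
    host = row["host"]
    if ip.is_loopback or ip.is_private:
        return "local"
    if row["port"] == 53 or host.endswith(".in-addr.arpa"):
        return "dns"
    if host.endswith(BENIGN_SUFFIXES):
        return "benign"
    try:
        # A bare IP in the Domain column means the sample connected without a
        # DNS lookup: the pattern of the three 185.215.113.x flows in this report.
        ipaddress.ip_address(host)
        return "c2-candidate"
    except ValueError:
        return "review"


def triage(text):
    """Bucket every parsed row by classify(): label -> list of rows."""
    buckets = {}
    for row in parse_rows(text):
        buckets.setdefault(classify(row), []).append(row)
    return buckets


def c2_candidates(text):
    """Map (ip, port) -> connection count for the direct-to-IP flows."""
    return Counter(
        (r["ip"], r["port"]) for r in triage(text).get("c2-candidate", [])
    )


if __name__ == "__main__":
    for (ip, port), n in sorted(c2_candidates(SAMPLE_ROWS).items()):
        print(f"{ip}:{port}  x{n}")
```

Anything landing in the "review" bucket (a real hostname that is neither DNS nor on the allowlist) is worth a manual look before it is either added to the allowlist or treated as an indicator.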

Files

memory/3144-0-0x0000000000740000-0x0000000000BE2000-memory.dmp

memory/3144-1-0x0000000077914000-0x0000000077916000-memory.dmp

memory/3144-2-0x0000000000741000-0x000000000076F000-memory.dmp

memory/3144-3-0x0000000000740000-0x0000000000BE2000-memory.dmp

memory/3144-4-0x0000000000740000-0x0000000000BE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 1c001b7c1daa650908f734203a11329f
SHA1 d5cbdc631e0fc50f85ade35e12b9fd1d78053205
SHA256 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1
SHA512 7f3eebb2d11f77ce9d242fb5610faa43081cb41b17bff3f37416b1b15bf71495f227f228f6b3efa6c5b685c0a1e5f1fdea8145ea6507fe4ac59483cdb0c42fa7

memory/3144-17-0x0000000000740000-0x0000000000BE2000-memory.dmp

memory/2116-18-0x0000000000EB0000-0x0000000001352000-memory.dmp

memory/2116-19-0x0000000000EB1000-0x0000000000EDF000-memory.dmp

memory/2116-20-0x0000000000EB0000-0x0000000001352000-memory.dmp

memory/2116-21-0x0000000000EB0000-0x0000000001352000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\4b740206d4.exe

MD5 0034ee4a88a9fc8d25c363524fa9fa0f
SHA1 c1f17b6ccea75290c2c9c8d7f42856428e7fad29
SHA256 45b08cdfdae665ef8140d7a099c7031c7ee582ba7a30dc9a484ac03775ec29a2
SHA512 624e7aa712e79fae69a4e1e301f01710f584f0a85768aeab7a18739b26c9e1c146d007795b776c8e23721f42dec98d6a7edd04cc168e1995345a58ace71fa85a

memory/544-40-0x000000007352E000-0x000000007352F000-memory.dmp

memory/544-41-0x0000000000CE0000-0x0000000000E10000-memory.dmp

memory/3540-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/3540-45-0x0000000000400000-0x000000000052D000-memory.dmp

memory/3540-47-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\004c0c619f.exe

MD5 184ac865439679ad7884b845084b1aad
SHA1 cdf22ebfa466e18e2e7e2d7bfa419e04d0bca2dc
SHA256 a5105e830cde1a2cd8b5464114e3684b7c71b4680122918e6e213d86cb62b59f
SHA512 cbe62b31319dbc5775cc67855be5413f0c13e050629cf12a4dde478080e22f0210078ec7b0c718346ead1cb5cec7959f907d4167d003877cf10d0e14f539c10b

memory/1948-66-0x0000000000020000-0x0000000000058000-memory.dmp

memory/5080-68-0x0000000000400000-0x0000000000643000-memory.dmp

memory/5080-70-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\cc9647d99c.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/4184-86-0x00000000009E0000-0x0000000000C23000-memory.dmp

memory/4184-87-0x00000000009E0000-0x0000000000C23000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\41a8f4a1-9193-42a3-88d7-2826be7e6567

MD5 dbdd1679647b13c43e0970d4ef01b8ed
SHA1 c4b8672d15321ee1cdba7c0a5fab90c8583ac7ca
SHA256 a00d0c665653622d4e58dc9aaab747dedbb6597d11f7ed80db76e631268c28ef
SHA512 428d9e7c8aa9e76b1f5aa19acac5af43e16ce2043f34cfabbdb6c2c7df91049ca363c1be83a95257b94d623b8cbbe09a1eaffbc51eaf3564092f0728dbd7a8d6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\dd80f20e-f427-40a6-9f78-52ebf257db00

MD5 0bd472804d29abc418e560ce7404575f
SHA1 5aec6bbdbd2b0a213ed58b56d9a1acd87d44e4e1
SHA256 9c36fdd2781265d8b8ed8fa728282f17438024a6d587283a5a791ab1d8fa92fd
SHA512 365e99abda22dfb3f99647559a9bfe272232b9ed269feaa60fcea56189f75a6006d46c0b6306d77a65315e9c85ab52eeb9317ba710a1ae658a689693845fd39d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\72dd1379-4fd8-42ce-880e-c239a9b1f481

MD5 494a2eacaba107de831c59a2a0f58b76
SHA1 498a3e5bea62721a93c62c99529d37dd46018452
SHA256 cda54a3153936b94122884c4523688a02d2b03dc2d751831ed800be5e392c86a
SHA512 e28833661f93dae21665bc5bf743cfa42e420dac4ac371446f718570f5933019255a80b7295996eda6e947164a9e912ad76dd29b3dcf1f14784c8457c6e5dc67

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp

MD5 d7c2f01a9a7de6f8b662a7bac281c4b7
SHA1 d2ab0ecd0ffe4e929100fa8663f49d64cd78049c
SHA256 38d6dfce8a8f42a61c7784924ff9d070cc6a8cb8760599800a36a9210bc3ffa1
SHA512 7783e6a16de8b06e28b2ee49c912146bed4655372994e2303c5d179760cbfb61052cc286fbcd714b05729b2a235b785ab8765360ae6fd855883d9d2c21664615

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp

MD5 cbee26e6ae42d84893598223b50c8676
SHA1 62a02b9152166d6c75976ecd3ca7161cbdf6c1f2
SHA256 3ac8de18957a6376e1610498af5964b6d212cd404bd1773f67e2748b138449af
SHA512 7be570a3718b19f13beaca1813bb238290c669c50b2a0d7872a521c3493452d0d0113fabcc0a04a092fa87f15199da6c04c3ece10815752c6f92a1a7873fb360

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yaq795em.default-release\activity-stream.discovery_stream.json

MD5 af2325e86f7c935a016fdb9da1453176
SHA1 73515fac53941fca2e706b1335337a84a1e5ecf3
SHA256 ee11df9d2c7d8fe6bf84f68106d8f1b85fccb1a7c5fe3b15af77bfee6441e44b
SHA512 385513cff9e584e9aa301acb0da262fdb8dc80e23fe4b2e3f451975dcf84ec6987b05c1a07b7a3fa16bc3fbeedd622ed54853922e05932e9c7583690f930c2c3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs.js

MD5 a0f3b5158d81b2fbd74906f2c8a28408
SHA1 873b71782d6fefa44e83390c2e53dfee65679de8
SHA256 fe1134ded02e45289066899f8ee271051db6fcbbffa84ac9ec2b8f6b6a752760
SHA512 fe86d6d76bb24fd3d9f66b14f6ef2ce94e02beb67e9620431b339b2c5cc3a3be83fa2d9150dc896302a79544c1b12dad745610aa1525d0aa9196c836f44b3939

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\AlternateServices.bin

MD5 5b486b71e38a8c12a62471fc16c359ed
SHA1 187fd8d02b3add7ddbc6e4051d4f184cf3be5c0c
SHA256 132536e91c434cbbf875d3767137820bfc6fe3acc26c7a896d1cd8f649c580a7
SHA512 b0c506f1fd48aacb4d4e46af7150238a374f7d1fd93be978cf1b1018ad45f9be19ebd9b10a8768270c6d605c0ff8f4685b14144390b841804e7537124ff27bc8

memory/2116-425-0x0000000000EB0000-0x0000000001352000-memory.dmp

memory/2116-443-0x0000000000EB0000-0x0000000001352000-memory.dmp

memory/2116-446-0x0000000000EB0000-0x0000000001352000-memory.dmp

memory/2116-447-0x0000000000EB0000-0x0000000001352000-memory.dmp

memory/2116-452-0x0000000000EB0000-0x0000000001352000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp

MD5 ce689b86559bd7562fa47ea9fad899e5
SHA1 d5f54568102b92cd824fb3da47194f5710f6c6d9
SHA256 1e549f375f4f185991fcd0c2ee009fac9ab642eadeb47c7dcdeb80b3d67d3d4d
SHA512 ff79e785bbec3a8eb002ed4cadb79331c87385a9f359ff71542f8375bfe9bf79b6f21ef728a3b56156aab27c1ac7db04f147bc5ab49b619b1348fbdecb989e53

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs-1.js

MD5 b9be4d26f240cce56372456a49c08d43
SHA1 681b0045a65ce001050e25f2f74f3ff2cf8cad3c
SHA256 7f85094d6ac8978f265c732ba59d61d328c898f313bae9dad8abd6e7c690bfcf
SHA512 af4bac9d552385100e98e962ed8a62f2109f50be3e1ab87786416090ad125401a04c58df2e6542af231111673efd62ac6d67e011fe23e5384c11e06a25141eb9

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yaq795em.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 cd3b5a150658841721110d493ce8eeeb
SHA1 b45dda4b383fd5ccca90fe5b345ac061d7671e4a
SHA256 8cda48c5c521ae0a089f210465e55cb98300805137a1001bedd1249776845121
SHA512 8811720314c7e921644285dd63de44946d84c8d4623fcd15d71fac75de537c7db4e6e43050840db83a2b12dddd75af63b24fe57ceb4c8d4dbe22d4669dbc6300

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 93f5fc7d2c19ce3e83fd3d643a446388
SHA1 5482cf6a44cac0819b8841c4604512e3d1ca3845
SHA256 3700f28dcc63b34ad1c15fb3259d5df6d99b9c205b617499f1a6037c766b8adb
SHA512 c0b4465845b1c404a0ca597d0b945970c51fd7ff92045466371c47ddcd7853327ca36df7593f5465159efac08d59ccfc92d50bf649a317820cb7d28d4193fe88

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp

MD5 ca01201882b0b9d1adf73194c3d457af
SHA1 bda18cff07aa5f653422f03433de24705b867185
SHA256 b61e7e60c0c5476c406ba42c19efaa4457becfcdc560cffffde0fb8bc3ab5b48
SHA512 50ec4a5e1b2817c5f624430a97d89fc6794472fe2fffc7864277c35d438c7be2abf2d0485f8be139bb0f7a82af97452485f9ae3132282a569181009a97c7964d

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs-1.js

MD5 dcb7257cf824d67c27536a77785deb28
SHA1 dc5fe252346b47e80969b401c6f4e2943142079d
SHA256 31b661337b589e52f782e6c706c8d637a6cca10ea5db4db5c9a21fcbfea0b2e4
SHA512 4bcf691a06d539efe27c08c5cd0506c70eb2df99650c67d8226da88f2d29dff641e777aebd9b1b856fc6d886397e6e5e616af2c55ebbe67c694fe720fd0ba0cd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/2116-1046-0x0000000000EB0000-0x0000000001352000-memory.dmp

memory/3944-1365-0x0000000000EB0000-0x0000000001352000-memory.dmp

memory/3944-1415-0x0000000000EB0000-0x0000000001352000-memory.dmp

memory/2116-1866-0x0000000000EB0000-0x0000000001352000-memory.dmp

memory/2116-2616-0x0000000000EB0000-0x0000000001352000-memory.dmp

memory/2116-2620-0x0000000000EB0000-0x0000000001352000-memory.dmp

memory/2116-2624-0x0000000000EB0000-0x0000000001352000-memory.dmp

memory/2116-2625-0x0000000000EB0000-0x0000000001352000-memory.dmp

memory/2116-2626-0x0000000000EB0000-0x0000000001352000-memory.dmp

memory/1876-2628-0x0000000000EB0000-0x0000000001352000-memory.dmp

memory/1876-2629-0x0000000000EB0000-0x0000000001352000-memory.dmp

memory/2116-2630-0x0000000000EB0000-0x0000000001352000-memory.dmp

memory/2116-2631-0x0000000000EB0000-0x0000000001352000-memory.dmp

memory/2116-2632-0x0000000000EB0000-0x0000000001352000-memory.dmp

memory/2116-2638-0x0000000000EB0000-0x0000000001352000-memory.dmp
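
The memory-dump names above encode the PID, a sequence number and the dumped address range. Parsing them shows that PIDs 3144, 2116, 3944 and 1876 were each dumped with a region of exactly 0x4A2000 bytes at different bases (0x740000 versus 0xEB0000), which is consistent with the submitted sample and its explorti.exe copy (same SHA256, listed above) being one image loaded in several processes, and that 5080 and 4184 share a 0x243000-byte region. The script below is an added example, not part of this report or of the sandbox's tooling; the dump names in it are copied from this section and the interpretation of size matches as "same image" is a heuristic to confirm by diffing the dumps.

```python
import re
from collections import defaultdict

# Dump names follow the report's memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp form.
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

# Constructed sample: eleven dump names copied from the Files section above.
SAMPLE_DUMPS = """
memory/3144-0-0x0000000000740000-0x0000000000BE2000-memory.dmp
memory/3144-2-0x0000000000741000-0x000000000076F000-memory.dmp
memory/2116-18-0x0000000000EB0000-0x0000000001352000-memory.dmp
memory/2116-19-0x0000000000EB1000-0x0000000000EDF000-memory.dmp
memory/544-41-0x0000000000CE0000-0x0000000000E10000-memory.dmp
memory/3540-43-0x0000000000400000-0x000000000052D000-memory.dmp
memory/1948-66-0x0000000000020000-0x0000000000058000-memory.dmp
memory/5080-68-0x0000000000400000-0x0000000000643000-memory.dmp
memory/4184-86-0x00000000009E0000-0x0000000000C23000-memory.dmp
memory/3944-1365-0x0000000000EB0000-0x0000000001352000-memory.dmp
memory/1876-2628-0x0000000000EB0000-0x0000000001352000-memory.dmp
"""


def parse_dumps(text):
    """One dict per dump name: pid, seq, start, end and size in bytes."""
    regions = []
    for m in DUMP_RE.finditer(text):
        start, end = int(m["start"], 16), int(m["end"], 16)
        regions.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                        "start": start, "end": end, "size": end - start})
    return regions


def regions_by_size(text):
    """Map region size -> sorted list of PIDs dumped with a region of that size."""
    by_size = defaultdict(set)
    for r in parse_dumps(text):
        by_size[r["size"]].add(r["pid"])
    return {size: sorted(pids) for size, pids in by_size.items()}


def shared_image_candidates(text, min_pids=2):
    """Sizes that recur across PIDs: the same mapped image at different bases,
    which is what a relocated self-copy or a repeated injection looks like."""
    return {s: p for s, p in regions_by_size(text).items() if len(p) >= min_pids}


def classic_image_base(text):
    """PIDs with a dumped region at 0x400000, the traditional default image base
    of 32-bit PE files; a payload written over a hollowed host often sits there."""
    return sorted({r["pid"] for r in parse_dumps(text) if r["start"] == 0x400000})


if __name__ == "__main__":
    for size, pids in sorted(shared_image_candidates(SAMPLE_DUMPS).items()):
        print(f"0x{size:X} bytes in PIDs {pids}")
    print("regions at 0x400000:", classic_image_base(SAMPLE_DUMPS))
```

The two groups this surfaces (0x4A2000 bytes in four PIDs, 0x243000 bytes in two) are the dumps to compare first when extracting the unpacked Amadey and Stealc payloads; the 0x400000-based regions in 3540 and 5080 are the natural place to look for code written into a hollowed host.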

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-12 22:49

Reported

2024-08-12 22:51

Platform

win11-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\391f140264.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\391f140264.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2308 set thread context of 1960 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\391f140264.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1464 set thread context of 1616 N/A C:\Users\Admin\1000037002\64ba15d8a0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe N/A
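
The registry, Run-key, Tasks-directory and SetThreadContext rows above are concrete enough to turn into host detections: a key open of HARDWARE\ACPI\DSDT\VBOX__ or Software\Wine, a BIOS-version query from a binary under C:\Users, a Run value whose data points into a user-writable path, a .job file created in C:\Windows\Tasks by a non-system process, and a thread context set in RegAsm.exe by a dropped executable. The script below is an added example, not part of this report or of any sandbox's code: it encodes those indicators as checks over a constructed, simplified event stream. The event dict keys, and the host binaries listed beyond RegAsm.exe, are assumptions; map your own Sysmon or EDR fields onto the keys before use. The firefox.exe events are included to show that CentralProcessor lookups from a Program Files binary do not fire.

```python
import re

USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\", re.IGNORECASE)
ANTI_VM_KEY_SUFFIXES = (r"\HARDWARE\ACPI\DSDT\VBOX__", r"\Software\Wine")
BIOS_VALUE_SUFFIXES = (
    r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
)
RUN_KEY_FRAGMENT = "\\CurrentVersion\\Run\\"
TASKS_DIR = "C:\\Windows\\Tasks\\"
# RegAsm.exe is the host seen in this report; the other three are an assumption,
# sibling .NET utilities commonly used the same way.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}

# Constructed sample events, shaped after the signature rows in this report.
SID = "S-1-5-21-2842058299-443432012-2465494467-1000"
HKU = "\\REGISTRY\\USER\\" + SID
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\1000036001\391f140264.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
SAMPLE_EVENTS = [
    {"event": "RegOpenKey", "process": DROPPER,
     "target": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"event": "RegOpenKey", "process": DROPPER, "target": HKU + r"\Software\Wine"},
    {"event": "RegQueryValue", "process": DROPPER,
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"event": "RegQueryValue", "process": FIREFOX,
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz"},
    {"event": "RegSetValue", "process": DROPPER,
     "target": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\391f140264.exe",
     "data": PAYLOAD},
    {"event": "FileCreate", "process": SAMPLE, "target": r"C:\Windows\Tasks\explorti.job"},
    {"event": "SetThreadContext", "process": PAYLOAD,
     "target": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"event": "RegOpenKey", "process": FIREFOX,
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"},
]


def _from_user_path(path):
    return bool(USER_WRITABLE.match(path or ""))


def _ends_with_any(value, suffixes):
    v = value.upper()
    return any(v.endswith(s.upper()) for s in suffixes)


def check_event(ev):
    """Return the list of finding labels one event triggers (empty means clean)."""
    kind, proc = ev["event"], ev["process"]
    target = ev.get("target", "")
    hits = []
    if kind == "RegOpenKey" and _ends_with_any(target, ANTI_VM_KEY_SUFFIXES):
        hits.append("anti-vm-registry-probe")
    if (kind == "RegQueryValue" and _ends_with_any(target, BIOS_VALUE_SUFFIXES)
            and _from_user_path(proc)):
        hits.append("bios-fingerprint-from-user-path")
    # The Run value's data is the command the key will launch at logon.
    if (kind == "RegSetValue" and RUN_KEY_FRAGMENT.upper() in target.upper()
            and _from_user_path(ev.get("data", ""))):
        hits.append("run-key-to-user-writable-path")
    if (kind == "FileCreate" and target.upper().startswith(TASKS_DIR.upper())
            and target.lower().endswith(".job") and _from_user_path(proc)):
        hits.append("task-job-from-user-path")
    if (kind == "SetThreadContext"
            and target.lower().rsplit("\\", 1)[-1] in HOLLOW_HOSTS
            and _from_user_path(proc)):
        hits.append("thread-context-into-dotnet-utility")
    return hits


def scan(events):
    """(process, label) pairs for every finding across the event stream."""
    return [(ev["process"], label) for ev in events for label in check_event(ev)]


if __name__ == "__main__":
    for proc, label in scan(SAMPLE_EVENTS):
        print(f"{label:40s} {proc}")
```

The user-path condition on the BIOS, Tasks and SetThreadContext checks is what keeps them usable outside a sandbox: legitimate software queries BIOS strings and hosts .NET utilities too, but rarely from a directory the logged-on user can write to.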

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\391f140264.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\64ba15d8a0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\4b740206d4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3376 wrote to memory of 104 N/A C:\Users\Admin\AppData\Local\Temp\74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 104 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\391f140264.exe
PID 2308 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\391f140264.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2308 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\391f140264.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 104 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\64ba15d8a0.exe
PID 1464 wrote to memory of 1616 N/A C:\Users\Admin\1000037002\64ba15d8a0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 104 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\4b740206d4.exe
PID 1960 wrote to memory of 2352 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2352 wrote to memory of 2540 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2540 wrote to memory of 1052 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe

"C:\Users\Admin\AppData\Local\Temp\74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\391f140264.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\391f140264.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\64ba15d8a0.exe

"C:\Users\Admin\1000037002\64ba15d8a0.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\4b740206d4.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\4b740206d4.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28e51505-3a37-43ec-9128-81205587b0b3} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86faec77-f1ae-4247-a41c-f95f52f830a5} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3288 -childID 1 -isForBrowser -prefsHandle 3280 -prefMapHandle 3276 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbf44c23-a016-4089-ad78-8e050897ca08} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3928 -childID 2 -isForBrowser -prefsHandle 3592 -prefMapHandle 2740 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b057f770-9a20-4e80-b00d-82b9b9fd0208} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3600 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4752 -prefMapHandle 4800 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b05f709-3249-4fc2-84c4-86de0c895a60} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5560 -childID 3 -isForBrowser -prefsHandle 5608 -prefMapHandle 5444 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45bb357e-1abc-4b66-9e77-e4fffb387dd0} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5656 -childID 4 -isForBrowser -prefsHandle 5736 -prefMapHandle 5732 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {374cd8a3-7484-4db3-abcb-bf1c26b5f16e} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5868 -childID 5 -isForBrowser -prefsHandle 5880 -prefMapHandle 5824 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b20f8f98-fde1-4f20-b395-359521d6c265} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6240 -childID 6 -isForBrowser -prefsHandle 6252 -prefMapHandle 6248 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ff89a4e-34c0-4808-b223-fac72d728823} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\1000036001\391f140264.exe

C:\Users\Admin\1000037002\64ba15d8a0.exe

C:\Users\Admin\AppData\Local\Temp\1000038001\4b740206d4.exe
