Malware Analysis Report

2024-10-18 23:41

Sample ID 240812-ekpvyavapr
Target ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5
SHA256 ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5
Tags
amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5

Threat Level: Known bad

The file ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan spyware

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Identifies Wine through registry keys

Reads data files stored by FTP clients

Unsecured Credentials: Credentials In Files

Checks BIOS information in registry

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Browser Information Discovery

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-12 04:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 04:00

Reported

2024-08-12 04:02

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d6d5a874e3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\d6d5a874e3.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1200 set thread context of 5052 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\d6d5a874e3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4788 set thread context of 1308 N/A C:\Users\Admin\1000037002\5946973d7f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\d6d5a874e3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\5946973d7f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\47a74827d5.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4396 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 4396 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 4396 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2016 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\d6d5a874e3.exe
PID 2016 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\d6d5a874e3.exe
PID 2016 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\d6d5a874e3.exe
PID 1200 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\d6d5a874e3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1200 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\d6d5a874e3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1200 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\d6d5a874e3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1200 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\d6d5a874e3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1200 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\d6d5a874e3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1200 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\d6d5a874e3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1200 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\d6d5a874e3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1200 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\d6d5a874e3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1200 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\d6d5a874e3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1200 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\d6d5a874e3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1200 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\d6d5a874e3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1200 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\d6d5a874e3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1200 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\d6d5a874e3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1200 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\d6d5a874e3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1200 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\d6d5a874e3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1200 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\d6d5a874e3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2016 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\5946973d7f.exe
PID 2016 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\5946973d7f.exe
PID 2016 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\5946973d7f.exe
PID 4788 wrote to memory of 4460 N/A C:\Users\Admin\1000037002\5946973d7f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4788 wrote to memory of 4460 N/A C:\Users\Admin\1000037002\5946973d7f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4788 wrote to memory of 4460 N/A C:\Users\Admin\1000037002\5946973d7f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4788 wrote to memory of 3720 N/A C:\Users\Admin\1000037002\5946973d7f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4788 wrote to memory of 3720 N/A C:\Users\Admin\1000037002\5946973d7f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4788 wrote to memory of 3720 N/A C:\Users\Admin\1000037002\5946973d7f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4788 wrote to memory of 1308 N/A C:\Users\Admin\1000037002\5946973d7f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4788 wrote to memory of 1308 N/A C:\Users\Admin\1000037002\5946973d7f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4788 wrote to memory of 1308 N/A C:\Users\Admin\1000037002\5946973d7f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4788 wrote to memory of 1308 N/A C:\Users\Admin\1000037002\5946973d7f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4788 wrote to memory of 1308 N/A C:\Users\Admin\1000037002\5946973d7f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4788 wrote to memory of 1308 N/A C:\Users\Admin\1000037002\5946973d7f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4788 wrote to memory of 1308 N/A C:\Users\Admin\1000037002\5946973d7f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4788 wrote to memory of 1308 N/A C:\Users\Admin\1000037002\5946973d7f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4788 wrote to memory of 1308 N/A C:\Users\Admin\1000037002\5946973d7f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2016 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\47a74827d5.exe
PID 2016 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\47a74827d5.exe
PID 2016 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\47a74827d5.exe
PID 5052 wrote to memory of 3864 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5052 wrote to memory of 3864 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3864 wrote to memory of 3180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3864 wrote to memory of 3180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3864 wrote to memory of 3180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3864 wrote to memory of 3180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3864 wrote to memory of 3180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3864 wrote to memory of 3180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3864 wrote to memory of 3180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3864 wrote to memory of 3180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3864 wrote to memory of 3180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3864 wrote to memory of 3180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3864 wrote to memory of 3180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3180 wrote to memory of 3824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3180 wrote to memory of 3824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3180 wrote to memory of 3824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3180 wrote to memory of 3824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3180 wrote to memory of 3824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3180 wrote to memory of 3824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3180 wrote to memory of 3824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3180 wrote to memory of 3824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe

"C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\d6d5a874e3.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\d6d5a874e3.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\5946973d7f.exe

"C:\Users\Admin\1000037002\5946973d7f.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\47a74827d5.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\47a74827d5.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7471ebbe-527f-4be4-88e5-3bf7f3901705} 3180 "\\.\pipe\gecko-crash-server-pipe.3180" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2384 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b51832b4-673e-4edf-9bd9-856695fb8fdd} 3180 "\\.\pipe\gecko-crash-server-pipe.3180" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2928 -childID 1 -isForBrowser -prefsHandle 2620 -prefMapHandle 2864 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79959629-80e3-47dc-949a-256e1c08f8f8} 3180 "\\.\pipe\gecko-crash-server-pipe.3180" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=928 -childID 2 -isForBrowser -prefsHandle 1240 -prefMapHandle 2996 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {694203e3-dba7-4b7d-8a80-ef63d4dc34d8} 3180 "\\.\pipe\gecko-crash-server-pipe.3180" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4904 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4972 -prefMapHandle 4968 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d505cc90-ed8c-4836-89ce-1f438a95ff6d} 3180 "\\.\pipe\gecko-crash-server-pipe.3180" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5412 -childID 3 -isForBrowser -prefsHandle 5404 -prefMapHandle 5196 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4b94a50-d6f4-47bc-a3e1-00e09d762951} 3180 "\\.\pipe\gecko-crash-server-pipe.3180" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5552 -childID 4 -isForBrowser -prefsHandle 5560 -prefMapHandle 5564 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c87c6e7-4fbd-4ef9-8156-ffcc1b12b446} 3180 "\\.\pipe\gecko-crash-server-pipe.3180" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5728 -childID 5 -isForBrowser -prefsHandle 5540 -prefMapHandle 5636 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fac6607f-b55f-483e-92da-152cba030d53} 3180 "\\.\pipe\gecko-crash-server-pipe.3180" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6324 -childID 6 -isForBrowser -prefsHandle 6252 -prefMapHandle 6316 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfecfa22-a4ba-4661-9e32-491b8190b2a7} 3180 "\\.\pipe\gecko-crash-server-pipe.3180" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
N/A 127.0.0.1:53491 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 161.99.165.35.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
N/A 127.0.0.1:53498 tcp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.174:443 www3.l.google.com udp
NL 142.250.179.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 3.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 174.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 196.179.250.142.in-addr.arpa udp
NL 142.250.179.196:443 www.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com udp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
NL 142.250.179.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r3---sn-4g5edn6k.gvt1.com udp
DE 74.125.111.136:443 r3---sn-4g5edn6k.gvt1.com tcp
US 8.8.8.8:53 r3.sn-4g5edn6k.gvt1.com udp
US 8.8.8.8:53 r3.sn-4g5edn6k.gvt1.com udp
DE 74.125.111.136:443 r3.sn-4g5edn6k.gvt1.com udp
US 8.8.8.8:53 136.111.125.74.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
NL 216.58.214.14:443 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

memory/4396-0-0x0000000000740000-0x0000000000C03000-memory.dmp

memory/4396-1-0x0000000077DD4000-0x0000000077DD6000-memory.dmp

memory/4396-2-0x0000000000741000-0x000000000076F000-memory.dmp

memory/4396-3-0x0000000000740000-0x0000000000C03000-memory.dmp

memory/4396-4-0x0000000000740000-0x0000000000C03000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 5b496c08c6603286a74edf4f17a1f7e5
SHA1 343311b9d583bde7ed9039731036fe7fd31cc701
SHA256 ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5
SHA512 b2f80db9884dafc865f351bcbba774a342e10127ff3d720691d4f347a73ed1edab6e76d76f10e0b99e0d2a667675f5a2f5cb756b8d4240f21c75ed9ba1aa9c93

memory/4396-16-0x0000000000740000-0x0000000000C03000-memory.dmp

memory/2016-18-0x0000000000150000-0x0000000000613000-memory.dmp

memory/2016-20-0x0000000000150000-0x0000000000613000-memory.dmp

memory/2016-19-0x0000000000151000-0x000000000017F000-memory.dmp

memory/2016-21-0x0000000000150000-0x0000000000613000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\d6d5a874e3.exe

MD5 f5f1e8f743ec3d40dbe97e0e67e14861
SHA1 14b889a8602eb0d8c05f4bd415977c99fce99b90
SHA256 a3c814c3833951d016c68679e2f8902cc1ba30d8acbb14a64aa3a58e3f23d51d
SHA512 cc23bf8b3588fc68e2641c813c2ce1eaa7aa8d123071def3f88fc679abaaffed0d22fdb7e36e3d782170b69e62f0e4585a30f591d328d5c83039b997d8a30732

memory/1200-40-0x00000000739EE000-0x00000000739EF000-memory.dmp

memory/1200-41-0x00000000002D0000-0x0000000000400000-memory.dmp

memory/5052-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/5052-46-0x0000000000400000-0x000000000052D000-memory.dmp

memory/5052-47-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\5946973d7f.exe

MD5 c05fd08043fd1dc414300a92bc73e1fc
SHA1 9d3c8c2a2bd2881606dc2a826aad65f63a332853
SHA256 531cbb2c4dbaaea781ad6798ce36c7ce254c8f88a892dc42ee0aaed205e1a73d
SHA512 43f00dbf42c84002b4ab46b907953c1236407cdb55001d01ac193a87e3fab9ecacdf4bbac7d2a02297a41f4e62a2a37b93c2e8b559e791c5484791f2faa1d065

memory/4788-66-0x0000000000320000-0x0000000000358000-memory.dmp

memory/1308-68-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1308-70-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\47a74827d5.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/2584-86-0x0000000000130000-0x0000000000373000-memory.dmp

memory/2584-87-0x0000000000130000-0x0000000000373000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\1634055f-7cb0-47eb-a35a-955a82fb28b4

MD5 f9b5f5ff4917f0d6789300c897c57277
SHA1 2a5265acc663317ef8a411914ee82a43378532e2
SHA256 9cb87acee519466923c60f59264881ab3ef50bfdc605d6cdbc62dda699fe372e
SHA512 9363e962c1fc0525fa59cb5eda6938433fc398b83e19e788e0e05587ee911a8f866ca88aba8d9cf1b2e202ecdde5186fe2a5e51d4b6d1eae2c68553050994eb9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\2692edbc-a5e1-4cfc-a0b1-7c72b4e6849d

MD5 8215473a00a983e0b7fc3ba6f61073d5
SHA1 b7b739de238b1e5d87a805e0fd55ac0462452733
SHA256 7139c24946a19bd1d9b5b459b1e2d09acb0518f4966727b2c99b8ea58bbaabd4
SHA512 d45ecc49f3e793d0a7537fc6c1b4435295f26f03f58524297b40d3c09c3ede498a0b51a591c2ad855a7fbd6af773a643d73a9fc14a5c300509d55e2b4514a50b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\89d7a29b-8ae0-4f60-babf-f46c70aa269f

MD5 4b0f91b97fb5f645d5d227c441ca09de
SHA1 5796c1acf3a9b8e4a043150903e160147ca8d811
SHA256 956ad19ca53645dc78abfcc83dbb97b6f9b8866a4d64a21cad46b8aeea9f0958
SHA512 d6d701250f82eb827c42e9f0e3012eed61b5f8a0047954256e4720dd6de421f59fa21608cf8383b2a1c9649b1db4da2137d20a843df1c4dc4c21a0c4705599fb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp

MD5 e9e3e5c83035064a492e080394fb6993
SHA1 613678055ec776d38c8e2b9a1e73683b1de61fba
SHA256 672d7ded46c952c1c894542a3a646e92901540d93d9a74d2d91b15dc39e1a1d1
SHA512 d9d19385586a08da523fda04d32492f0ad8b58fa58388efb89d6a55070617568fa06edd82c94672c409c885a900e99199915ded422b94fa4506a1644a5d36a02

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\prefs.js

MD5 52e3b5d3fb81be8f289ac40f64133534
SHA1 0aaf8661af9f96d0dc2dcf08b4c857a3efb0c7aa
SHA256 053732947cd2c7fd1b4fae3b6e648f1637a9901aa233d3174469e0938afeb13b
SHA512 d474cc5fb946683d439673d76e62460938baad46f125e385f3614c1ee43739a4fa913da15ff7dcbbf8bbd376f237db2e2e06dd6658bbbef8c2ebec9af51822a4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\AlternateServices.bin

MD5 6bc89396eb7758e9c022ad30bb9efdd5
SHA1 00ee03a4b6899dab8f1467dcba94bbd93802a6f2
SHA256 fc7e09a2e31b1912f21b8ad28fb42959b2b1486dc6b5c9f2b4c4944696df24f2
SHA512 08ea95cbb5d31c71791a6f39b72ed8e71d89a122a2f267ed849892d153251511de1a853ec116472e859337eb847e9bbc92c1126746a75ade3785604809a76608

memory/2016-415-0x0000000000150000-0x0000000000613000-memory.dmp

memory/2016-426-0x0000000000150000-0x0000000000613000-memory.dmp

memory/2016-437-0x0000000000150000-0x0000000000613000-memory.dmp

memory/2016-438-0x0000000000150000-0x0000000000613000-memory.dmp

memory/2016-443-0x0000000000150000-0x0000000000613000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp

MD5 9cd059eef6e97092e1360212847f3b2d
SHA1 2105531f18c36aadaa94160739d080694715435e
SHA256 03005282266a9e38b7696d865af2d65384fdc603b906037095134731ec5fee0e
SHA512 366d27f8dd2e98520996afad74469b4d5273f517ec7934f84e1f4ac32906683d835d8a6ce41f1f6f6779b04ff6467a1569c6beed0bcff34519419875b7e3073e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\prefs.js

MD5 0687bb6e9873cf66677dbfeb2d2d5206
SHA1 a0250aaa2e1753e3ba803b2b0be0f1cb80865d1d
SHA256 9196fc947c176b13717c60672a8ed4aed7b92781f1daad52c2888bfb5933093a
SHA512 8bbcf6660255f5062ae6f4a99647b68943e65a643d720e2883c9a421de555aa9fa8f6c1d5745ae58b430f98a8b66e0ec06f0a52de2473316a91a7c205cdff9d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\prefs-1.js

MD5 5f3c229f7f2b3288d86ae8c97f29206b
SHA1 dc2ada874b8b5af6ccd11c5cd5bac50d851244d2
SHA256 e493c1b745ade3a477cf05468ab77d804d4b83dc2058f92ebb9ea1e10b5e820a
SHA512 55dd0bb00cbf466c963b93668c78b1691bc144a172f9a3b078387f3847c8fe8cb32e53b6cf0b624f4e94ef603c822d3c0abfb5136c3424be0ca1b5c805b7e938

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5utpapi8.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 06df424d5f737566867544a07bd0e400
SHA1 56d523a7c6bf3988dddb55b6177c7b2baba0726b
SHA256 33ec0b3e9258318c3e2df991f7ce10c82d67fbd2f6ba7f266e92ef7c194d96fc
SHA512 c94455aef79aa6a8d27ed4b136c9a60e93b18d865910454d77cf742b18239773263768c0891f9868603049912d09c40c78e59b2c6773053159374bcda7c63c69

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 b6b5118182810be01de8ffb49d702d41
SHA1 be819c265f746e5b58b977c3596c9701d9b2474c
SHA256 99e9ceba29c95eb39697252be82c86ef51ea873363909a1b13fc015aaafd2110
SHA512 6004934d791bb0ccb328f23ba5539190690cca416e65aaf75837175c4d0f2d30174c160069307121b0da36705ac65010c07c0d4b35cd72a2415983952139dc90

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\prefs-1.js

MD5 d5c548998174330a180bd4aece0a7043
SHA1 513658f0bf2cd80f109ad73a8b9c59edc8b19880
SHA256 c10464197ad66262e743a466983fe7d628970646abd57464df5166ed73f32807
SHA512 ed53a07cc5fd318f2aed94e23a1e0ab6c0cf5b0b6b31d074d6ae98651f5073aa7a07e40abc569d45a2c1a51bd166867567a1fe7c4692cbdd9c7b686ad5e82e73

memory/2016-1160-0x0000000000150000-0x0000000000613000-memory.dmp

memory/5796-1377-0x0000000000150000-0x0000000000613000-memory.dmp

memory/5796-1405-0x0000000000150000-0x0000000000613000-memory.dmp

memory/2016-2178-0x0000000000150000-0x0000000000613000-memory.dmp

memory/2016-2607-0x0000000000150000-0x0000000000613000-memory.dmp

memory/2016-2613-0x0000000000150000-0x0000000000613000-memory.dmp

memory/2016-2615-0x0000000000150000-0x0000000000613000-memory.dmp

memory/2016-2616-0x0000000000150000-0x0000000000613000-memory.dmp

memory/2016-2617-0x0000000000150000-0x0000000000613000-memory.dmp

memory/2104-2619-0x0000000000150000-0x0000000000613000-memory.dmp

memory/2104-2620-0x0000000000150000-0x0000000000613000-memory.dmp

memory/2016-2621-0x0000000000150000-0x0000000000613000-memory.dmp

memory/2016-2622-0x0000000000150000-0x0000000000613000-memory.dmp

memory/2016-2628-0x0000000000150000-0x0000000000613000-memory.dmp

memory/2016-2629-0x0000000000150000-0x0000000000613000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-12 04:00

Reported

2024-08-12 04:02

Platform

win11-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\28d908c376.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\28d908c376.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4276 set thread context of 2372 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\28d908c376.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1056 set thread context of 2316 N/A C:\Users\Admin\1000037002\8986e5c397.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\28d908c376.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\8986e5c397.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\5946973d7f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2340 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2340 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2340 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3440 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\28d908c376.exe
PID 3440 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\28d908c376.exe
PID 3440 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\28d908c376.exe
PID 4276 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\28d908c376.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4276 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\28d908c376.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4276 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\28d908c376.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4276 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\28d908c376.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4276 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\28d908c376.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4276 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\28d908c376.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4276 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\28d908c376.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4276 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\28d908c376.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4276 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\28d908c376.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4276 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\28d908c376.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3440 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\8986e5c397.exe
PID 3440 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\8986e5c397.exe
PID 3440 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\8986e5c397.exe
PID 1056 wrote to memory of 4864 N/A C:\Users\Admin\1000037002\8986e5c397.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1056 wrote to memory of 4864 N/A C:\Users\Admin\1000037002\8986e5c397.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1056 wrote to memory of 4864 N/A C:\Users\Admin\1000037002\8986e5c397.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1056 wrote to memory of 5088 N/A C:\Users\Admin\1000037002\8986e5c397.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1056 wrote to memory of 5088 N/A C:\Users\Admin\1000037002\8986e5c397.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1056 wrote to memory of 5088 N/A C:\Users\Admin\1000037002\8986e5c397.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1056 wrote to memory of 2316 N/A C:\Users\Admin\1000037002\8986e5c397.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1056 wrote to memory of 2316 N/A C:\Users\Admin\1000037002\8986e5c397.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1056 wrote to memory of 2316 N/A C:\Users\Admin\1000037002\8986e5c397.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1056 wrote to memory of 2316 N/A C:\Users\Admin\1000037002\8986e5c397.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1056 wrote to memory of 2316 N/A C:\Users\Admin\1000037002\8986e5c397.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1056 wrote to memory of 2316 N/A C:\Users\Admin\1000037002\8986e5c397.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1056 wrote to memory of 2316 N/A C:\Users\Admin\1000037002\8986e5c397.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1056 wrote to memory of 2316 N/A C:\Users\Admin\1000037002\8986e5c397.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1056 wrote to memory of 2316 N/A C:\Users\Admin\1000037002\8986e5c397.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3440 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\5946973d7f.exe
PID 3440 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\5946973d7f.exe
PID 3440 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\5946973d7f.exe
PID 2372 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2372 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3452 wrote to memory of 1228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3452 wrote to memory of 1228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3452 wrote to memory of 1228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3452 wrote to memory of 1228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3452 wrote to memory of 1228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3452 wrote to memory of 1228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3452 wrote to memory of 1228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3452 wrote to memory of 1228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3452 wrote to memory of 1228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3452 wrote to memory of 1228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3452 wrote to memory of 1228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1228 wrote to memory of 3240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1228 wrote to memory of 3240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1228 wrote to memory of 3240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1228 wrote to memory of 3240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1228 wrote to memory of 3240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1228 wrote to memory of 3240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1228 wrote to memory of 3240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1228 wrote to memory of 3240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1228 wrote to memory of 3240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1228 wrote to memory of 3240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1228 wrote to memory of 3240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1228 wrote to memory of 3240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1228 wrote to memory of 3240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1228 wrote to memory of 3240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe

"C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\28d908c376.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\28d908c376.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\8986e5c397.exe

"C:\Users\Admin\1000037002\8986e5c397.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\5946973d7f.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\5946973d7f.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2004 -parentBuildID 20240401114208 -prefsHandle 1932 -prefMapHandle 1924 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fc760da-e3f7-4048-906b-ea6e70cbbc5c} 1228 "\\.\pipe\gecko-crash-server-pipe.1228" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2280 -prefMapHandle 2256 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a54ac316-a577-443d-8f1d-519e4441da3b} 1228 "\\.\pipe\gecko-crash-server-pipe.1228" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3108 -childID 1 -isForBrowser -prefsHandle 2788 -prefMapHandle 2688 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8205a63b-3afb-49a1-8ed4-077a324ce461} 1228 "\\.\pipe\gecko-crash-server-pipe.1228" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3720 -childID 2 -isForBrowser -prefsHandle 3712 -prefMapHandle 2960 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f7a78a5-0d02-4f36-ad52-9b587c21135f} 1228 "\\.\pipe\gecko-crash-server-pipe.1228" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1284 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4508 -prefMapHandle 4504 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c7f7468-9d20-4094-8dfa-6a630d1f8fe5} 1228 "\\.\pipe\gecko-crash-server-pipe.1228" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5480 -childID 3 -isForBrowser -prefsHandle 5472 -prefMapHandle 5456 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40f114a9-4141-4e00-8ce4-eb21810ae2d7} 1228 "\\.\pipe\gecko-crash-server-pipe.1228" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5704 -childID 4 -isForBrowser -prefsHandle 5624 -prefMapHandle 5628 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5efc00e-452b-4c91-8542-32794c2164cd} 1228 "\\.\pipe\gecko-crash-server-pipe.1228" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4620 -childID 5 -isForBrowser -prefsHandle 5844 -prefMapHandle 5848 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdc5bd1b-8b39-448e-8a74-71d5ca3ee481} 1228 "\\.\pipe\gecko-crash-server-pipe.1228" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6296 -childID 6 -isForBrowser -prefsHandle 6352 -prefMapHandle 6348 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75b4dcde-c885-4f00-b8e3-4aa0374cea5d} 1228 "\\.\pipe\gecko-crash-server-pipe.1228" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
N/A 127.0.0.1:49858 tcp
NL 142.250.179.174:443 redirector.gvt1.com tcp
NL 142.250.179.174:443 redirector.gvt1.com udp
NL 142.250.179.196:443 www.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 142.250.179.196:443 www.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com udp
N/A 127.0.0.1:49867 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
NL 142.250.179.174:443 redirector.gvt1.com tcp
NL 142.250.179.174:443 redirector.gvt1.com udp
DE 173.194.187.41:443 r4.sn-4g5e6nsd.gvt1.com tcp
DE 173.194.187.41:443 r4.sn-4g5e6nsd.gvt1.com udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
NL 216.58.214.14:443 play.google.com udp
NL 142.250.102.84:443 accounts.google.com udp

Files

memory/2340-0-0x00000000006E0000-0x0000000000BA3000-memory.dmp

memory/2340-1-0x0000000077246000-0x0000000077248000-memory.dmp

memory/2340-2-0x00000000006E1000-0x000000000070F000-memory.dmp

memory/2340-3-0x00000000006E0000-0x0000000000BA3000-memory.dmp

memory/2340-4-0x00000000006E0000-0x0000000000BA3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 5b496c08c6603286a74edf4f17a1f7e5
SHA1 343311b9d583bde7ed9039731036fe7fd31cc701
SHA256 ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5
SHA512 b2f80db9884dafc865f351bcbba774a342e10127ff3d720691d4f347a73ed1edab6e76d76f10e0b99e0d2a667675f5a2f5cb756b8d4240f21c75ed9ba1aa9c93

memory/2340-17-0x00000000006E0000-0x0000000000BA3000-memory.dmp

memory/3440-18-0x0000000000260000-0x0000000000723000-memory.dmp

memory/3440-19-0x0000000000260000-0x0000000000723000-memory.dmp

memory/3440-20-0x0000000000260000-0x0000000000723000-memory.dmp

memory/3440-21-0x0000000000260000-0x0000000000723000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\28d908c376.exe

MD5 f5f1e8f743ec3d40dbe97e0e67e14861
SHA1 14b889a8602eb0d8c05f4bd415977c99fce99b90
SHA256 a3c814c3833951d016c68679e2f8902cc1ba30d8acbb14a64aa3a58e3f23d51d
SHA512 cc23bf8b3588fc68e2641c813c2ce1eaa7aa8d123071def3f88fc679abaaffed0d22fdb7e36e3d782170b69e62f0e4585a30f591d328d5c83039b997d8a30732

memory/4276-40-0x0000000072C0E000-0x0000000072C0F000-memory.dmp

memory/4276-41-0x00000000000C0000-0x00000000001F0000-memory.dmp

memory/2372-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2372-47-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2372-45-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\8986e5c397.exe

MD5 c05fd08043fd1dc414300a92bc73e1fc
SHA1 9d3c8c2a2bd2881606dc2a826aad65f63a332853
SHA256 531cbb2c4dbaaea781ad6798ce36c7ce254c8f88a892dc42ee0aaed205e1a73d
SHA512 43f00dbf42c84002b4ab46b907953c1236407cdb55001d01ac193a87e3fab9ecacdf4bbac7d2a02297a41f4e62a2a37b93c2e8b559e791c5484791f2faa1d065

memory/1056-66-0x00000000006D0000-0x0000000000708000-memory.dmp

memory/2316-68-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2316-70-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\5946973d7f.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/2452-86-0x00000000007A0000-0x00000000009E3000-memory.dmp

memory/2316-87-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\4457ad61-4005-4509-8a4f-d8b8375dd550

MD5 f6b80e5813dd3403233c8ed6f1edbca2
SHA1 e8c3ea9c9fa35bf9b6bac1c26f4b45add04794d0
SHA256 6af8b74e708967eed080d11d0dc128c752177aa4d1801839ce662e9264589664
SHA512 6c740471d5a319ca869ece36bf3a7e4c89370c3cffa976b57158d570ba4fe4ab8a869595d0a041412d2dda855172cfbdaab6e5238ea079d53e14823fbc3f9e4b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\087faaa8-9356-4972-a941-6ba5fad93489

MD5 d2956c37b8a9a317a74d10eaeefc8eba
SHA1 c0f358f6ce3afbdea5ee47e2a826ea2b21c1d70a
SHA256 1b9ad7635ff31fe58aa24ae3cb6ec55ef7773e1bbd0768ac49bcf38cddbd4907
SHA512 d83dc6546c4c4c2d6fd289a99fb515c087195182d887dfe77a87449fb2cfe1581ac4e9b04a93c8bcd26916e4ce331bde0152ec741b3e4d76bd0dac9aa0fb0703

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

MD5 d2886145c021111532aa61b25091756d
SHA1 e4bace2e6310253f59b06a5adfd629c8e2cb845e
SHA256 f4d7670e12221c320f0d56906dbbe66419c1e4fc06e7956807c992c30f1850b7
SHA512 50adb19f6453929062a65dca0d275f73dd7282eb95d00f20b19d242030e12e069cb6c7c89f02dd55d2a0f22243a0767b857a8cb1037e334d1eb7f94f22f0b6bf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\d6c9c986-57af-4627-9173-e3cd068db553

MD5 a27ceb503b57641f841650c503f87254
SHA1 f7beea0efbc8df0c69559a60c4f0b32cf8c154f8
SHA256 cc32e383afb777c55a3d0987b6a3a2e4cd1ec3d8ce56056646842dbe31989e0c
SHA512 ea5202121c5a4fe4951089208b7e6640365de1f36366b4a4374d5ce89e332b2517dd5bdd16938de07d1ea8748c0e5d8e75942e34b22f5514ea6ff697ede37b97

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

MD5 1778af45615cfd4f237a052b9e6e88af
SHA1 4b494dda46b3d26c88f73b21e931bc0a5c093721
SHA256 dff915e9e10507af37ddfbbb72a705e414e783e3b79656569f7be6061bae849a
SHA512 c1b620a52a08e6fe67bf0ca760a2d9ccec77cf17bbefb6bf6a29e7b3b65a0a80ad1c98b7582ac1307be213c2412b62bd5bbdbf117f8f573801a79778450d2e27

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin

MD5 fbbb3af1cea26fdf8475f2c175bbdb6c
SHA1 6369ce2847883fbf049279c59f4a9e1c2920890a
SHA256 85b710351ed08c455c1de6771bb41fd8b5e7ccd40c9340fd08133ce0efd09443
SHA512 389c7caccefac599c5f01b226844e36ed9ec90402ca0a57e9a3ddf8036479421623031baaf1655fb1dbbe5f53e4984f1a6240c8099f5291440e5d62a7f08866f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

MD5 1b142af34f641c3046872b9d2d22eac1
SHA1 3225871605bed9239495a2541c3c8115ff47c2a9
SHA256 8bb2b9b1a4ef806dbf0d6a789d5c392eba51d890bc382726f93b002d79d919b5
SHA512 2cc50df490becc63761c6aab54a3ec02f46bf8971f47cff44cbbf5dac3e2a525b8fef709423239d9aecfe2f13681125de5edbb8dede13c58e77cf4b08a942b48

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\activity-stream.discovery_stream.json

MD5 4ef88b152e14e9219e19eb3120ce1ae1
SHA1 4ae904e1cc9c028c0755dd5ed396a095329b6621
SHA256 ff3e64e72c9305d7d8decd7a6ac2683597b5b265a9fc972d23617cff96e87145
SHA512 daa4bb92c40d4b31cdc8f3be8d5242ae8172969ea32f818a994b8b9672b3fb7273b001eb2e43c2897ba39d88286433bf48511387641005ee980e4d17fd42a7e4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

MD5 4ee9cc2d3741e6cf12f4c1753f692d78
SHA1 4c510dc4b325ca08975acb454165920cfc79cb70
SHA256 f2685ae95728cb293c7697bb39b1b95b6d434a507a37223833b62cd4e9bb717e
SHA512 78e9634bde81f1c11f4026f7258847dd36aa2f9aafaed44087ac405a843d25f0a62afe87e3b044edd56e2f652b571f63252a4270089d00e1d38a74a6390a028b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin

MD5 8075c370b7a80d28702315e9cfc51ea4
SHA1 50161668fda2930b9aeecf1418a73bca124a22c1
SHA256 67b47556a645d4c3aaf558f7c91135547f364d1d41f1a95194edcc4867940da3
SHA512 0119cbe04785266ffa77671343f9830ac64705db105ad1fe6cc0b35d8dd7341cee4c81436c1e2f39d0cd1b4433af2c63606ba22d7a61bf152a8913f6d037fb86

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs.js

MD5 63e62f0a11ee11b3a500da3e4a03ccf1
SHA1 a1c1ca3e66a04545e5c2a25a3c635702cefa0ac7
SHA256 59ef6b272261ba1aed0f2c572231d0185481a289544ff5b617582d14d54707f7
SHA512 17d024320a9de65b44c92ad9e53a7d1896218c54d3a0cfa39e0c98ee22feeb7399db36c136fbde1b67becdf98f91ee8660bf8aa77f733d95a15046ca908b77a3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs-1.js

MD5 0146d8ab758001e20244ff0608658162
SHA1 384e00fff450c3e32a2cbf4a873bd6339f68f724
SHA256 80be065b437e62e05213cd904bb93cc80a3ea8429a08b654fe50da4883ac6549
SHA512 02eab0996fb2c45b934684751d657f0e0d1ff1b3a52868414201423ee854687d74772d21cd31989f1b497a14a41ead695661aae31d0c4ea5137316ba759f9dfb

memory/3440-465-0x0000000000260000-0x0000000000723000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\cookies.sqlite-wal

MD5 6dea88812061a9ee96d3fd2860b34dc6
SHA1 28e141429ed0ad32761b4bac6b70f702c5c3c2bf
SHA256 40426ca40725fde7faf01c7fedb056beb908bf6c2b1d6f4a846f56b8386b3d6c
SHA512 a18745e4d9c891cf06cd8f11565514792075c29be4e31188277b7fabc027777b84ce5556daaff5154d04fb8f51a0cae5cc579e1e981c01d1c18cd36b29ec45e9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\cookies.sqlite

MD5 22c36879e6831b1d3496dc46066c7378
SHA1 75ba571d01e5c5d15b1086ab35c149ac43921ee4
SHA256 c2e48d9e330fa9f3f6056a243f59c3bc42b1656381ed67f1f84946a54fcb252c
SHA512 433d6d80a1dba4feaa6e7839bcb68e59177b6d14480d67e2063310411e121aa8ae06caea696e30503bc653813e92d051330f54387de9a7363bd54ccd62ef4bcc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\formhistory.sqlite

MD5 97c1441748d6cc3e5a7030cda7543975
SHA1 f5598a45b101a5404126cd27fbb7f4b70861ee32
SHA256 2015b584b844b091d6a6280d45e9a589ea0feacf5f4b19bdd4cc21c60dbaaf91
SHA512 29d358ec7725038c6648251d8b9c32f3a40458e9c97926e0000ab42f0369b96d1ba5216eeb7c35800c740633dfd3b1e6e6aa73859644bdb9cdccaf2a3516bcb9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\places.sqlite-wal

MD5 a672943f46e75252d08f8fe515850b83
SHA1 ebcd94df9fa713a87f917bbdcd1aef8fe19fb8f1
SHA256 243e9bddd72df0116fdc5acc2a3dd41196f868318c32f36e01630c96d3b0e7d9
SHA512 500eeaf5fc8344825fedd624e42f4e0e36b5716e0a1a223fc4778f380b1847699a353b05c8831583686a222385395a7f9f0ed7993b0cee50ab0befb5d145aca6

memory/3440-518-0x0000000000260000-0x0000000000723000-memory.dmp

memory/3440-520-0x0000000000260000-0x0000000000723000-memory.dmp

memory/3440-519-0x0000000000260000-0x0000000000723000-memory.dmp

memory/2452-521-0x00000000007A0000-0x00000000009E3000-memory.dmp

memory/3440-526-0x0000000000260000-0x0000000000723000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

MD5 239704b6872ad902ec0ea9c44119c9fb
SHA1 3ca1a2e0beaf8a7e199539a4421aabb1fc182439
SHA256 db860224cea31cf331ec42a53636b8bee8122f7d509dc44c17e0a50e99bd0948
SHA512 0c0555e37f65c846cca90905e34ec22ac3e80318c6b5e234bbe6e9984069e0aa475c6e990e5ab5e19a85374a7a05fe197f7cf0b9531132e45f632c7a35ffb835

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 e6a16427ae22f70ce5c4be95cac93d22
SHA1 3a1d3846010f8f5ff097f0c4ae5b265ffd514c2d
SHA256 813b693ca1c3219773e2471d849d147fff38341175cdfcbc0d74c8e803ac1fec
SHA512 5f8c52eb8aa095605e8b05963d2bb8bbf0e419f97c45646b7ef5b2e83e67a3250baca05851b67745a1f43c6e518ff46b92a5ffa762d92f7bcdeef4d97138521e

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs-1.js

MD5 2e8b07ecc3a7b8519efe6012c673238e
SHA1 b773d448f7fecea3c35e87c304de66a1d5ada51f
SHA256 4d99b434a958fba0f7f16744180e11dbe45c2113b848a4aa98b8f145f521b111
SHA512 fd93ecd3915fba1a776c899f6a4db9673b69a7057b6a4e94328bf5712d2a2368b92416b79fa025ade3dcda3aa8bac20d2392195e78c3f70036aa7eec10af62c0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 58fe8717ec26e17249637c889a197bbd
SHA1 2b37fecff78e82eb16ec4de59c7e3b4875038e0d
SHA256 2107939574f9abe13350cf9b9099645dd68b85c5d26aaed49111183f802e95af
SHA512 47b287354f17dd0899c8b09f963b9a3423c7f62e5ebdd507392530bdb4b51f405c6c50074aed4fc1af19bef842ef25f2c427a8556c5419fc66ac7b64bb4d976c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

memory/3440-1265-0x0000000000260000-0x0000000000723000-memory.dmp

memory/2060-2050-0x0000000000260000-0x0000000000723000-memory.dmp

memory/2060-2121-0x0000000000260000-0x0000000000723000-memory.dmp

memory/3440-2645-0x0000000000260000-0x0000000000723000-memory.dmp

memory/3440-2647-0x0000000000260000-0x0000000000723000-memory.dmp

memory/3440-2657-0x0000000000260000-0x0000000000723000-memory.dmp

memory/3440-2659-0x0000000000260000-0x0000000000723000-memory.dmp

memory/3440-2660-0x0000000000260000-0x0000000000723000-memory.dmp

memory/3440-2661-0x0000000000260000-0x0000000000723000-memory.dmp

memory/1976-2663-0x0000000000260000-0x0000000000723000-memory.dmp

memory/1976-2664-0x0000000000260000-0x0000000000723000-memory.dmp

memory/3440-2665-0x0000000000260000-0x0000000000723000-memory.dmp

memory/3440-2666-0x0000000000260000-0x0000000000723000-memory.dmp

memory/3440-2672-0x0000000000260000-0x0000000000723000-memory.dmp

memory/3440-2673-0x0000000000260000-0x0000000000723000-memory.dmp