Malware Analysis Report

2024-10-18 23:41

Sample ID 240812-emhveayeph
Target ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5
SHA256 ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5
Tags
amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5 was found to be: Known bad.

Malicious Activity Summary

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Loads dropped DLL

Checks computer location settings

Identifies Wine through registry keys

Executes dropped EXE

Checks BIOS information in registry

Adds Run key to start application

AutoIT Executable

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Browser Information Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of SendNotifyMessage

Checks processor information in registry

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-12 04:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-12 04:03

Reported

2024-08-12 04:05

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f9defb1475.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\f9defb1475.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 376 set thread context of 4568 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f9defb1475.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4040 set thread context of 4896 N/A C:\Users\Admin\1000037002\01da7b0673.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\f9defb1475.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\01da7b0673.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\6fcf1e4b28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (5 identical rows)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (7 identical rows)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (21 identical rows)
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (36 identical rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (7 identical rows)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (20 identical rows)
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (37 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4428 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (3 identical rows)
PID 5028 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\f9defb1475.exe (3 identical rows)
PID 376 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f9defb1475.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (10 identical rows)
PID 5028 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\01da7b0673.exe (3 identical rows)
PID 4040 wrote to memory of 4896 N/A C:\Users\Admin\1000037002\01da7b0673.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (9 identical rows)
PID 5028 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\6fcf1e4b28.exe (3 identical rows)
PID 4568 wrote to memory of 5092 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe (2 identical rows)
PID 5092 wrote to memory of 808 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (11 identical rows)
PID 808 wrote to memory of 2188 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (20 identical rows)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe

"C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\f9defb1475.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\f9defb1475.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\01da7b0673.exe

"C:\Users\Admin\1000037002\01da7b0673.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\6fcf1e4b28.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\6fcf1e4b28.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {07bacd7a-5292-4c96-b202-313d0e54b7d2} 808 "\\.\pipe\gecko-crash-server-pipe.808" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6013234-b3e9-45b2-920a-c965108f2a88} 808 "\\.\pipe\gecko-crash-server-pipe.808" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3008 -childID 1 -isForBrowser -prefsHandle 3140 -prefMapHandle 3136 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {503ea86e-9037-4db7-89b3-6ae270dbd487} 808 "\\.\pipe\gecko-crash-server-pipe.808" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3696 -childID 2 -isForBrowser -prefsHandle 2784 -prefMapHandle 3584 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b30d143-0318-449f-86cb-96000f06c0ec} 808 "\\.\pipe\gecko-crash-server-pipe.808" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4808 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4800 -prefMapHandle 4796 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cce64222-f80b-4a13-be54-a808592b26fd} 808 "\\.\pipe\gecko-crash-server-pipe.808" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5668 -childID 3 -isForBrowser -prefsHandle 5700 -prefMapHandle 5696 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fae2cd61-9320-461d-af94-2b5d9e929c50} 808 "\\.\pipe\gecko-crash-server-pipe.808" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5740 -childID 4 -isForBrowser -prefsHandle 5884 -prefMapHandle 5888 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c6f41f3-f0c4-40db-aa38-c504e970f5e4} 808 "\\.\pipe\gecko-crash-server-pipe.808" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5932 -childID 5 -isForBrowser -prefsHandle 6044 -prefMapHandle 6048 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50dbf68a-96b4-486d-ae21-6cafe46dae30} 808 "\\.\pipe\gecko-crash-server-pipe.808" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6236 -childID 6 -isForBrowser -prefsHandle 6320 -prefMapHandle 6316 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f41edf4-685b-4d5b-bc69-97a2a5cc8c56} 808 "\\.\pipe\gecko-crash-server-pipe.808" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Files

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 04:03

Reported

2024-08-12 04:05

Platform

win7-20240704-en

Max time kernel

149s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\01da7b0673.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\01da7b0673.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1924 set thread context of 2976 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\01da7b0673.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2836 set thread context of 2816 N/A C:\Users\Admin\1000037002\c8bae7c7d9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\2130c6cde2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\01da7b0673.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\c8bae7c7d9.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2688 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2696 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\01da7b0673.exe
PID 1924 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\01da7b0673.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1924 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\01da7b0673.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2696 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\c8bae7c7d9.exe
PID 2836 wrote to memory of 2816 N/A C:\Users\Admin\1000037002\c8bae7c7d9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2696 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\2130c6cde2.exe
PID 2976 wrote to memory of 316 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 316 wrote to memory of 1620 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe

"C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\01da7b0673.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\01da7b0673.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\c8bae7c7d9.exe

"C:\Users\Admin\1000037002\c8bae7c7d9.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\2130c6cde2.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\2130c6cde2.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1620.0.796266999\1113311062" -parentBuildID 20221007134813 -prefsHandle 1212 -prefMapHandle 1204 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd7fa836-2f2a-4263-89ea-e2ef623315ef} 1620 "\\.\pipe\gecko-crash-server-pipe.1620" 1276 11fd7658 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1620.1.1596750276\387409377" -parentBuildID 20221007134813 -prefsHandle 1480 -prefMapHandle 1476 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {03974675-63f2-4542-92eb-79e5d57c8c27} 1620 "\\.\pipe\gecko-crash-server-pipe.1620" 1492 e71b58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1620.2.2069229849\18071864" -childID 1 -isForBrowser -prefsHandle 2096 -prefMapHandle 2092 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {490e294f-7670-4a1d-9fdc-ec71753b2464} 1620 "\\.\pipe\gecko-crash-server-pipe.1620" 2108 1a5c1f58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1620.3.690410611\67766793" -childID 2 -isForBrowser -prefsHandle 2912 -prefMapHandle 2908 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f4840aa-58f9-495a-a078-a98a06f78aba} 1620 "\\.\pipe\gecko-crash-server-pipe.1620" 2924 e64558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1620.4.778487694\2051957342" -childID 3 -isForBrowser -prefsHandle 3716 -prefMapHandle 3652 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {692e1639-bfd2-4cdb-aa35-4ad1ec6ad536} 1620 "\\.\pipe\gecko-crash-server-pipe.1620" 3740 1e7dc958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1620.5.1335845706\1054436888" -childID 4 -isForBrowser -prefsHandle 3948 -prefMapHandle 3944 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {15906148-f66f-49b2-b059-48c7be1c35e5} 1620 "\\.\pipe\gecko-crash-server-pipe.1620" 3960 205ddb58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1620.6.946791545\15143673" -childID 5 -isForBrowser -prefsHandle 3932 -prefMapHandle 3972 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {57edeb9e-cc1d-4c2f-9f0c-525b3cfbcdba} 1620 "\\.\pipe\gecko-crash-server-pipe.1620" 3920 1eac5e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1620.7.1742673122\660696567" -childID 6 -isForBrowser -prefsHandle 4364 -prefMapHandle 4332 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {07631edc-5d00-45f6-9d9f-f23c2c0213c5} 1620 "\\.\pipe\gecko-crash-server-pipe.1620" 4372 228ed258 tab

Network

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:49294 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
N/A 127.0.0.1:49303 tcp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.174:443 www3.l.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
RU 185.215.113.100:80 185.215.113.100 tcp
NL 142.250.179.196:443 www.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r5---sn-4g5lzney.gvt1.com udp
DE 74.125.163.138:443 r5---sn-4g5lzney.gvt1.com tcp
US 8.8.8.8:53 r5.sn-4g5lzney.gvt1.com udp
DE 74.125.163.138:443 r5.sn-4g5lzney.gvt1.com udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp

Files

\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\1000036001\01da7b0673.exe

C:\Users\Admin\1000037002\c8bae7c7d9.exe

C:\Users\Admin\AppData\Local\Temp\1000038001\2130c6cde2.exe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\db\data.safe.bin

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\pending_pings\d6d782f2-890a-4497-b144-86ac14250382

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\pending_pings\c6adca2a-0941-4904-87a7-51ec7b52a892

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\activity-stream.discovery_stream.json.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

C:\Users\Admin\AppData\Local\Temp\tmpaddon

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs-1.js

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig