Analysis Overview
SHA256
7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593
Threat Level: Known bad
The file 7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593 was found to be: Known bad.
Malicious Activity Summary
Amadey
Stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Credentials from Password Stores: Credentials from Web Browsers
Downloads MZ/PE file
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Checks BIOS information in registry
Adds Run key to start application
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
AutoIT Executable
Drops file in Windows directory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious use of SendNotifyMessage
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-12 05:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-12 05:04
Reported
2024-08-12 05:09
Platform
win7-20240708-en
Max time kernel
300s
Max time network
297s
Command Line
Signatures
Amadey
Stealc
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\e136ecfc33.exe | N/A |
| N/A | N/A | C:\Users\Admin\1000037002\aacf2799db.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000038001\3ae762d1c2.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\e136ecfc33.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\e136ecfc33.exe" | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1228 set thread context of 2460 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\e136ecfc33.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 2172 set thread context of 1304 | N/A | C:\Users\Admin\1000037002\aacf2799db.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000036001\e136ecfc33.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\1000037002\aacf2799db.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000038001\3ae762d1c2.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593.exe
"C:\Users\Admin\AppData\Local\Temp\7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593.exe"
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
C:\Users\Admin\AppData\Local\Temp\1000036001\e136ecfc33.exe
"C:\Users\Admin\AppData\Local\Temp\1000036001\e136ecfc33.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\1000037002\aacf2799db.exe
"C:\Users\Admin\1000037002\aacf2799db.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000038001\3ae762d1c2.exe
"C:\Users\Admin\AppData\Local\Temp\1000038001\3ae762d1c2.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1580.0.343511002\517186452" -parentBuildID 20221007134813 -prefsHandle 1272 -prefMapHandle 1260 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9809152a-411a-45bf-9201-7330e449dc75} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" 1368 fcd3458 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1580.1.46112219\1070485425" -parentBuildID 20221007134813 -prefsHandle 1520 -prefMapHandle 1516 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b160171-86a5-4bbd-bdb7-14e784d4695b} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" 1540 31eb558 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1580.2.1101348571\575138124" -childID 1 -isForBrowser -prefsHandle 2072 -prefMapHandle 2068 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 604 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {632d1b8a-340d-4347-ad11-7ec7534e30b4} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" 2084 19f69858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1580.3.1201003511\1267434814" -childID 2 -isForBrowser -prefsHandle 2864 -prefMapHandle 2860 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 604 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {598ac147-bf45-48ec-bb13-cc558d84527f} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" 2876 1d29ab58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1580.4.1585475706\164938619" -childID 3 -isForBrowser -prefsHandle 3760 -prefMapHandle 3756 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 604 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e6822a2-bb9a-4a43-a340-5fe716263183} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" 3772 20908558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1580.5.1946998871\1002135024" -childID 4 -isForBrowser -prefsHandle 3884 -prefMapHandle 3888 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 604 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e87dc25-8727-483d-ace5-22551394ae5d} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" 3872 2023ea58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1580.6.1492481964\688997983" -childID 5 -isForBrowser -prefsHandle 4048 -prefMapHandle 4052 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 604 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2ea2365-be52-4a4c-a420-289cc68b2e4c} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" 4036 2023f658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1580.7.722430605\2128789881" -childID 6 -isForBrowser -prefsHandle 4048 -prefMapHandle 4036 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 604 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a817428-8966-406f-84b1-25782579ea17} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" 4284 21baa058 tab
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.19:80 | 185.215.113.19 | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| RU | 185.215.113.100:80 | 185.215.113.100 | tcp |
| RU | 185.215.113.100:80 | 185.215.113.100 | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 142.250.102.84:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| NL | 142.250.102.84:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| N/A | 127.0.0.1:49304 | N/A | tcp |
| N/A | 127.0.0.1:49312 | N/A | tcp |
| US | 8.8.8.8:53 | accounts.youtube.com | udp |
| NL | 142.250.179.174:443 | accounts.youtube.com | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | www3.l.google.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | www3.l.google.com | udp |
| NL | 142.250.179.174:443 | www3.l.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| NL | 142.250.179.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 216.58.214.14:443 | play.google.com | tcp |
| NL | 216.58.214.14:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 142.250.179.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 216.58.214.14:443 | play.google.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| GB | 88.221.134.155:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| NL | 142.250.179.174:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| NL | 142.250.179.174:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r5---sn-4g5lzney.gvt1.com | udp |
| US | 8.8.8.8:53 | r5.sn-4g5lzney.gvt1.com | udp |
| DE | 74.125.163.138:443 | r5.sn-4g5lzney.gvt1.com | tcp |
| US | 8.8.8.8:53 | r5.sn-4g5lzney.gvt1.com | udp |
| DE | 74.125.163.138:443 | r5.sn-4g5lzney.gvt1.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 142.250.102.84:443 | accounts.google.com | udp |
| RU | 185.215.113.19:80 | 185.215.113.19 | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
Files
memory/344-0-0x0000000001110000-0x00000000015C7000-memory.dmp
memory/344-1-0x0000000076EA0000-0x0000000076EA2000-memory.dmp
memory/344-2-0x0000000001111000-0x000000000113F000-memory.dmp
memory/344-3-0x0000000001110000-0x00000000015C7000-memory.dmp
memory/344-5-0x0000000001110000-0x00000000015C7000-memory.dmp
\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
| MD5 | d051474ba32beb9890bd6bdfd587d190 |
| SHA1 | 8a7d008fdedc8efd7ac43b071f0b1d9d4e3b2156 |
| SHA256 | 7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593 |
| SHA512 | ca17f5aa86bd09cddfa2e52967f248d9f7245e66fe6018fd93d83e22f88a66c6da0558416171c3d9857776d60e15839a613ad8c23e2ffd1a904bca63731a669a |
memory/344-15-0x0000000006910000-0x0000000006DC7000-memory.dmp
memory/344-10-0x0000000001110000-0x00000000015C7000-memory.dmp
memory/2912-18-0x0000000000AC0000-0x0000000000F77000-memory.dmp
memory/344-17-0x0000000001110000-0x00000000015C7000-memory.dmp
memory/2912-19-0x0000000000AC1000-0x0000000000AEF000-memory.dmp
memory/2912-20-0x0000000000AC0000-0x0000000000F77000-memory.dmp
memory/2912-22-0x0000000000AC0000-0x0000000000F77000-memory.dmp
memory/2912-23-0x0000000000AC0000-0x0000000000F77000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000036001\e136ecfc33.exe
| MD5 | db946418424011c782182c76ab8c179f |
| SHA1 | d640d54d341cf6341bd434c9015d23d22156612a |
| SHA256 | bfdffea79fd6126c2256fab3f3b0421ec9b3a77a618fc406cd0f2e7d4a38f04e |
| SHA512 | a73c645fe96ff6e49207326af35635998af343d2aa5ddd5e8b2bbd2bcded52869d588bb8c69eb220593d3152be99812e3462b1b09deea80adcac30bed9ed8956 |
memory/1228-38-0x0000000000D70000-0x0000000000EA0000-memory.dmp
memory/2460-40-0x0000000000400000-0x000000000052D000-memory.dmp
memory/2460-46-0x0000000000400000-0x000000000052D000-memory.dmp
memory/2460-48-0x0000000000400000-0x000000000052D000-memory.dmp
memory/2460-53-0x0000000000400000-0x000000000052D000-memory.dmp
memory/2460-52-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2460-50-0x0000000000400000-0x000000000052D000-memory.dmp
memory/2460-44-0x0000000000400000-0x000000000052D000-memory.dmp
memory/2460-42-0x0000000000400000-0x000000000052D000-memory.dmp
memory/2460-54-0x0000000000400000-0x000000000052D000-memory.dmp
memory/2460-56-0x0000000000400000-0x000000000052D000-memory.dmp
C:\Users\Admin\1000037002\aacf2799db.exe
| MD5 | 62c81eb8cd78dbcf5767f84caad6972e |
| SHA1 | 9a508e8724c1431394717ebd3c6dee2f9f21d082 |
| SHA256 | 166a8fac98b553a4e3647cefc034fe826b753958c0be902d9483148edb001250 |
| SHA512 | 2feaa6cb070e548790b01601fe13846cd7eb005e2f1b8441092f4f92a1e4cfea6c1bc84314f78ea023e10bec8e3d5712ca43336c090eed0073c7ed99ebbf5af5 |
memory/2172-71-0x0000000000800000-0x0000000000838000-memory.dmp
memory/1304-73-0x0000000000400000-0x0000000000643000-memory.dmp
memory/1304-75-0x0000000000400000-0x0000000000643000-memory.dmp
memory/1304-77-0x0000000000400000-0x0000000000643000-memory.dmp
memory/1304-87-0x0000000000400000-0x0000000000643000-memory.dmp
memory/1304-85-0x0000000000400000-0x0000000000643000-memory.dmp
memory/1304-84-0x0000000000400000-0x0000000000643000-memory.dmp
memory/1304-81-0x0000000000400000-0x0000000000643000-memory.dmp
memory/1304-79-0x0000000000400000-0x0000000000643000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000038001\3ae762d1c2.exe
| MD5 | 278ee1426274818874556aa18fd02e3a |
| SHA1 | 185a2761330024dec52134df2c8388c461451acb |
| SHA256 | 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb |
| SHA512 | 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0 |
memory/2912-105-0x00000000062E0000-0x0000000006523000-memory.dmp
memory/1636-106-0x00000000002F0000-0x0000000000533000-memory.dmp
memory/2912-104-0x00000000062E0000-0x0000000006523000-memory.dmp
memory/1636-107-0x00000000002F0000-0x0000000000533000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\datareporting\glean\pending_pings\b6126714-fca4-4f9d-b5f6-003c915ffeed
| MD5 | 48babfdbb7b3827f8680bf0dbc41308e |
| SHA1 | e926867e62d1e48112f04f83a721cbad65f23a67 |
| SHA256 | a0ba3106f02d47d732f818c00f4c555e5a7ef1d7d9d6dc6fca1ef0cb414b52b2 |
| SHA512 | d2649d7bc535d7c2af4096d8b2a716d636afa2dceda49eed45804bb3e617c896f193909b930310ca3365583e3ec9a50e70b8d3752a2fce703a22ebf9e6c23e99 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\datareporting\glean\pending_pings\9f76e990-2565-489f-89aa-20f2f992db09
| MD5 | ad192e39251ade2a9d500dbb9a6ad2bb |
| SHA1 | 40a1fd46fdb839870fe9256a07dd36ac6e56ccfa |
| SHA256 | 71549eaedd65542a320a3ac2f61acf90428411510852939a4a81fd66afe3ef7f |
| SHA512 | 92126f414a5660ece26b5e5346063233ebe701369751ae9243fae73f88655dc2641c3875e0811f99e3a5d6b855ea04d57e81aeaa6fd37c846c7393551fdc04d7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 5c8aa8de50f73f98437c0fd664ac5b7c |
| SHA1 | 38a7c4fc05b3fa0e3aff522e46551094b75bed62 |
| SHA256 | 7a3960b7d87b1bfb5dae1c0113cbe27ab616ad01231bf6b7dd88aa6ca3cca8ed |
| SHA512 | 38f5f1b470f6ffafcf8bd9f08ac61b9f8251a0fe552b7fb23a370c7d6d05380c9b429e6369c0008f5ef4193b5fab4647d9289982f3aa4d67b9f8595a08fbcaa7 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nyws1jjf.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | 07d099316fedfd918e6b554223b2e160 |
| SHA1 | a842ce8213dab9358a9d4c450e6186a190a1c1dd |
| SHA256 | 6e6f2b794ca92aae926b49182b44670b33c9f3ed97139fd475219900baf68b43 |
| SHA512 | 5b4616eba9d2d44f98a0f6781039ea765bf5689f684436c8e01d4209e9c7de9152110c598bcfa18aab2701d563ffc825694f4a67d1fdcec1d0addbe25db81c02 |
memory/2912-203-0x0000000000AC0000-0x0000000000F77000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\prefs-1.js
| MD5 | f5f780f76fec9015539c65029f4a4673 |
| SHA1 | 0110fcea4a1bd4cfe6283652883494dc977357b5 |
| SHA256 | d05880b505ead253e47be27bb88cd7d728f5e9451b0334539e9803a1150849b1 |
| SHA512 | 2c4043712112abff6a183ea2d4f7d8324ce36b2a7b9b83c66f53bdfe92a72776f9b3d7e4abe0ef23f9aab538d50215fd426ba9dfa1bd15711c0e8290fc9a3e7e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\prefs-1.js
| MD5 | cff7c9c5953718035240fdca982c6de1 |
| SHA1 | 790dd0481cfdf9b4cf90b3b6c3c882122fb3ae17 |
| SHA256 | c5912f9e660e8c3fb13543d82e7929fdde501949a3a5046f91e407d309b2a0e4 |
| SHA512 | 18618907169582b7428b165dd4c2ff1562b59f94d525128472a1e4433fa6e7255a9b5b36cb4a1d1b7fa64b1b13baad394b621652c2abaca85df1fec2508fa397 |
memory/2912-263-0x0000000000AC0000-0x0000000000F77000-memory.dmp
memory/2912-270-0x0000000000AC0000-0x0000000000F77000-memory.dmp
memory/2912-271-0x0000000000AC0000-0x0000000000F77000-memory.dmp
memory/2912-274-0x0000000000AC0000-0x0000000000F77000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | c1152d9281ed94b266ddf90a5637cf59 |
| SHA1 | 432e815c11e55f8ec4f1ace5b232beba90a561fd |
| SHA256 | 04a08b473434e655f85a0659e625a4c383dbfbb173d083fef7695046dc31ac72 |
| SHA512 | cfb2f51815fba3ef441d7babd1b9c51c4d1b3d669e444e56cee08e771e177b8c735259d88655d67c86a5155b3fe28c7d94167d90ea2efd91b6edc9bc7ceece22 |
memory/2912-288-0x0000000000AC0000-0x0000000000F77000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 85430baed3398695717b0263807cf97c |
| SHA1 | fffbee923cea216f50fce5d54219a188a5100f41 |
| SHA256 | a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e |
| SHA512 | 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
| MD5 | fe3355639648c417e8307c6d051e3e37 |
| SHA1 | f54602d4b4778da21bc97c7238fc66aa68c8ee34 |
| SHA256 | 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e |
| SHA512 | 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
| MD5 | 3d33cdc0b3d281e67dd52e14435dd04f |
| SHA1 | 4db88689282fd4f9e9e6ab95fcbb23df6e6485db |
| SHA256 | f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b |
| SHA512 | a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | a01c5ecd6108350ae23d2cddf0e77c17 |
| SHA1 | c6ac28a2cd979f1f9a75d56271821d5ff665e2b6 |
| SHA256 | 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42 |
| SHA512 | b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
| MD5 | 49ddb419d96dceb9069018535fb2e2fc |
| SHA1 | 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6 |
| SHA256 | 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539 |
| SHA512 | 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
| MD5 | 8be33af717bb1b67fbd61c3f4b807e9e |
| SHA1 | 7cf17656d174d951957ff36810e874a134dd49e0 |
| SHA256 | e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd |
| SHA512 | 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
| MD5 | 33bf7b0439480effb9fb212efce87b13 |
| SHA1 | cee50f2745edc6dc291887b6075ca64d716f495a |
| SHA256 | 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e |
| SHA512 | d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
| MD5 | 688bed3676d2104e7f17ae1cd2c59404 |
| SHA1 | 952b2cdf783ac72fcb98338723e9afd38d47ad8e |
| SHA256 | 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237 |
| SHA512 | 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
| MD5 | 937326fead5fd401f6cca9118bd9ade9 |
| SHA1 | 4526a57d4ae14ed29b37632c72aef3c408189d91 |
| SHA256 | 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81 |
| SHA512 | b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\prefs-1.js
| MD5 | 345546901a071082b030582a0d952e17 |
| SHA1 | 8d1f721a459e0fc598ed2ad7a60419dbb4ddabb8 |
| SHA256 | 93c4d3ba9fc20ee16d0ed64b17f9091005b2cab5e3faa0607440cdee4dd98046 |
| SHA512 | 873a3e91f6300c4b2ad9652d30c7963e84429acea3076b6c561509b7a0d4cde778f11ee9fc0ccc23d522af0e00c56af62f500b62a202b54f5085f57ce6d4b01c |
memory/2912-355-0x0000000000AC0000-0x0000000000F77000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\prefs-1.js
| MD5 | 2e7963de38e781c2048ba0f83d3b0186 |
| SHA1 | 97bbc410d04fe0200e23626ce095094a2adbb042 |
| SHA256 | ff6bfbb8070e05e58d5a49392abbef477926e5e090c4b9b9f0a15655a824ec18 |
| SHA512 | ee63d6ba9c1edeb4c567f66ddff9fa0b4be5a15c572927b894269630c1d4ea82d4e7fb5cc26185bc9b1f84193e612f5275f72eeddb06d624b0cd080056393688 |
memory/2912-369-0x0000000000AC0000-0x0000000000F77000-memory.dmp
memory/2912-371-0x0000000000AC0000-0x0000000000F77000-memory.dmp
memory/2912-377-0x0000000000AC0000-0x0000000000F77000-memory.dmp
memory/2912-384-0x0000000000AC0000-0x0000000000F77000-memory.dmp
memory/2912-385-0x0000000000AC0000-0x0000000000F77000-memory.dmp
memory/2912-386-0x0000000000AC0000-0x0000000000F77000-memory.dmp
memory/2912-387-0x0000000000AC0000-0x0000000000F77000-memory.dmp
memory/2912-388-0x0000000000AC0000-0x0000000000F77000-memory.dmp
memory/2912-389-0x0000000000AC0000-0x0000000000F77000-memory.dmp
memory/2912-395-0x0000000000AC0000-0x0000000000F77000-memory.dmp
memory/2912-396-0x0000000000AC0000-0x0000000000F77000-memory.dmp
memory/2912-397-0x0000000000AC0000-0x0000000000F77000-memory.dmp
memory/2912-402-0x0000000000AC0000-0x0000000000F77000-memory.dmp
memory/2912-403-0x0000000000AC0000-0x0000000000F77000-memory.dmp
memory/2912-404-0x0000000000AC0000-0x0000000000F77000-memory.dmp
memory/2912-406-0x0000000000AC0000-0x0000000000F77000-memory.dmp
memory/2912-407-0x0000000000AC0000-0x0000000000F77000-memory.dmp
memory/2912-408-0x0000000000AC0000-0x0000000000F77000-memory.dmp
memory/2912-409-0x0000000000AC0000-0x0000000000F77000-memory.dmp
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nyws1jjf.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
| MD5 | 77c2e858d53a1544e957c6de7734d768 |
| SHA1 | dc302b5f75415ed57c735c5fa5a20734b062f5ff |
| SHA256 | 363aa14f77113dfbf771fe1fa1654021d875f88084071d1cbf1c409cc5187324 |
| SHA512 | d85c5aaea620e2546753aa131998b34c3a1726a9698803cf7f98d4fa0140de30d5f0da07bb380e4002b4ae8416472459ee88d8eecfe41f3b98fe3754e326a1f5 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nyws1jjf.default-release\cache2\entries\037778A55E1B7E9BED3390289866D09402D6C913
| MD5 | 3650d53bba4c9b2d6d26e53114b5a5ca |
| SHA1 | f281be763c44d61e271f99e08e7cbbcf5802bb5f |
| SHA256 | a92ca29bb18cb18bcf91d1e20757287ceae14e5bb02c86ce94d331940e511b43 |
| SHA512 | 06b839a1810d47602153761fc0141515e6d1a2e13b39ac8b18de16eb1dc918182a05079d9778b933a614072bf7b9b0cad443a839a729e1890db2ab59526d85ec |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nyws1jjf.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
| MD5 | 0f6baaffc5a06ab51a5be75bff351c70 |
| SHA1 | 1b9eeb25c84fbd17202e58c0c2a0337a82f3a9f5 |
| SHA256 | 7c371f95ddb7fd52669aecd2a7c166baf2398fcd2af802468586bf5551f576fd |
| SHA512 | f4972c72818dfba449d2ecc8ef49c0116abb367f1b2613fc398642218db5ab906418a96f0e6ed3f74b6a2a18fbe7432d3fd456bae379357d7be96053f663c20a |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nyws1jjf.default-release\cache2\entries\F210D48319A1879FD1C5213FA010C613B99BA085
| MD5 | 64b28aa0b94978d0ae3e8a917cb4c2da |
| SHA1 | 913d6abdb2027137a6fe6e7e165a8e54fd4b5269 |
| SHA256 | 25a96716e6407b83e86607b38931982954522d0e23b9a90afd67fc941275a1fa |
| SHA512 | 87fa9370a08603170983692a86dc2fffc7646e6be65b04aca33c926d119afe452730ccabe2adf3262901abd75f39aa4bfaed03bb51a258aee11916e4cd9c80bc |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nyws1jjf.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495
| MD5 | da31442d0d8ed024ec35398d3ff0e2d0 |
| SHA1 | c3456e43d63dba4ec78ce703722c8dfe94a9ea61 |
| SHA256 | 59f66213d7266a09603ed1efd8e47e997813cb32ba5d234ddc850c4c96f79ff1 |
| SHA512 | 263b38da33945c126209901fc81b97fe1e3bb22385e50cdedfd2fbb5a1b76d4332e79c7737efed3d0543576861fec1a8727c5a9e09ee367838f492cf90d75c77 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nyws1jjf.default-release\cache2\entries\DAA90C5B2A5B2F5F820274B7565CE8050543B83B
| MD5 | aa29fbf57234ea4d2799445b3632feda |
| SHA1 | 9a09515a89421f8a07fd5d274db58595303ad053 |
| SHA256 | eae12ee94d6958436e0dc2e54ffb462b0b3e07452d1705f69fe7428c01ab1d68 |
| SHA512 | 0a821e83e2e5e36db84f1e3f8bacbbd861402130037182359dd1dcee7f4d95eed9cf0fabc33f35c671e4b2b4ded84b0ea767bd6aa09b904a737198e0ca0eaf2f |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nyws1jjf.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F
| MD5 | 3578505ea25326acc56d82327c4ab830 |
| SHA1 | 948cc738c039dade884b405c35bc24c4df3cddac |
| SHA256 | 27081fe43a6af20709d4af8de1b5a10e21b29aebea3ef57833e38b5d228a14a0 |
| SHA512 | 81dd22dfcd09f27294ed37a2f8fc5bb0796e5772509e7d70182f589f87dc39dca85a752042f536105f3822d053f9b9fbd018d16be5edf2b3a9c1a6b34930e166 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nyws1jjf.default-release\cache2\entries\099EB2BF8827A4F91EAB3E38B14650D0205226F2
| MD5 | a608ce523f0778d2797076ecc569c836 |
| SHA1 | a259b7a40bae19fa60eb4fba7bfdf03e8acc1cb1 |
| SHA256 | 6a9510b0940857c7487ba3ff395b3494c2223d352ba437aa8c74bdb922d79ef1 |
| SHA512 | b72d82fe6203a8ccc72b83a09104a2bbaff1208d8c5d30a063cc0048dcbc27182e86e57401b7c64ecb1d0fe9d6a22a73e2436e957d3820d74dea70815df15cbc |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\prefs-1.js
| MD5 | 4e964db606b99bb70de9e6122e41748c |
| SHA1 | c2c68e3903eb88fd032c4f3552a72cfc1bc2fea9 |
| SHA256 | 3e2027578cf323794a0853146a41b5f82e7ef847f700092d295259445e11ae95 |
| SHA512 | 0e2a4566a7b74a982c41d64d9b0e33f8384e1ddd789b526c828a2663924750795d1a61e620213d7a82f6f697677fa2e4ddd48ce59167cb4671cebb368cf359de |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\broadcast-listeners.json
| MD5 | 72c95709e1a3b27919e13d28bbe8e8a2 |
| SHA1 | 00892decbee63d627057730bfc0c6a4f13099ee4 |
| SHA256 | 9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa |
| SHA512 | 613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\sessionCheckpoints.json
| MD5 | c4ab2ee59ca41b6d6a6ea911f35bdc00 |
| SHA1 | 5942cd6505fc8a9daba403b082067e1cdefdfbc4 |
| SHA256 | 00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2 |
| SHA512 | 71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\targeting.snapshot.json
| MD5 | 6f9134de23f7f583e12d3da16a375aba |
| SHA1 | 94495e76ac7eb70fbf44a486fbb995ed325891a9 |
| SHA256 | 713d9689aa4e73bc56279ccb2704be25150b77798b68df40c0d39e5a69aff81b |
| SHA512 | e2343d86178c0287a2a4192f6f14244ccbd8718c3893100990cbe90889fef628a57d0b387fd763d5f799c78f766da194bac4642b4745a74b9cb73e1e8dab5dab |
memory/2912-477-0x0000000000AC0000-0x0000000000F77000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 6a9af6e89c6a51a5fb8ec79c8375a3f2 |
| SHA1 | 8eae4ba1d4b6733c5c908817e1ec8912fc73cf48 |
| SHA256 | fd26a47f34305f464ce62312bc7c7a66231d914fbb333e1318a444a6f68d2ee6 |
| SHA512 | 1c1a3e59da73256f9a83adbe19e897d46349cbda784a7cd7890abd188cf59ec294a8ff9aaa99fea4a3c61917f7088fb171b32fbed7b2ac26b0cea830470450a3 |
memory/2912-481-0x0000000000AC0000-0x0000000000F77000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
| MD5 | 8ed87f533bd9b87dc96a459268046b88 |
| SHA1 | 08e34b085d9c3a1be580908c2f556aacd41ada80 |
| SHA256 | e80d4dc4e6d46c2c136fc2717f5c67b2999e71014bc7679742f9a60fa3d1059f |
| SHA512 | 13f59e36ae7653b5a255dac19e97351043fa0663941c3eb1d1cc9c269342c87fb11e7c9d3b487584c7124511a198e1109534e43debd3ad47037f4b2f0a5b48ca |
memory/2912-490-0x0000000000AC0000-0x0000000000F77000-memory.dmp
memory/2912-491-0x0000000000AC0000-0x0000000000F77000-memory.dmp
memory/2912-492-0x0000000000AC0000-0x0000000000F77000-memory.dmp
memory/2912-497-0x0000000000AC0000-0x0000000000F77000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\bookmarkbackups\bookmarks-2024-08-12_11_k-PozTETHt6fhzgbtjurZw==.jsonlz4
| MD5 | 3d51709d111f1dc0e9ff50769d909199 |
| SHA1 | b63660e874277d13f65082aadac3e5129c27b671 |
| SHA256 | 2296864a5031604077ad9080a817a493875eeb6ca70c6555c99eacaf404c5ed7 |
| SHA512 | fc4f8bb48e7f4c08226a7f2f2f6b6825d489ce1d2b90fddaa20f77a7d568136f223a7e01f06feef868a836ec77c3cf59a1102c140b5f7b64eea9afbbe0a9011d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-12 05:04
Reported
2024-08-12 05:09
Platform
win10-20240611-en
Max time kernel
293s
Max time network
269s
Command Line
Signatures
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4468 wrote to memory of 2308 | N/A | C:\Users\Admin\AppData\Local\Temp\7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe |
| PID 4468 wrote to memory of 2308 | N/A | C:\Users\Admin\AppData\Local\Temp\7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe |
| PID 4468 wrote to memory of 2308 | N/A | C:\Users\Admin\AppData\Local\Temp\7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593.exe
"C:\Users\Admin\AppData\Local\Temp\7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593.exe"
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.19:80 | 185.215.113.19 | tcp |
| US | 8.8.8.8:53 | 19.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| RU | 185.215.113.19:80 | 185.215.113.19 | tcp |
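Taken together, the behavioral2 rows describe one persistence chain: the dropper writes a byte-identical copy of itself (same SHA256, see the Files section) to a short hex-named directory under the user's Temp as explorti.exe, creates the legacy C:\Windows\Tasks\explorti.job so Task Scheduler relaunches it, and the relaunched copy talks to 185.215.113.19:80. The following is an added hunting example, not part of this report and not Amadey's own code, that correlates those three signals per process over a constructed EDR-style event list. The event schema (type, pid, image, image_sha256, path/file_sha256 or dst_ip/dst_port) is an assumption, as is accepting any 8 to 16 character hex directory name where the report shows a ten-character one.

```python
import re
from collections import defaultdict

# Path shapes lifted from the report: a short lowercase-hex directory under the
# user's Temp, and a .job file in %SystemRoot%\Tasks. The .job format belongs to
# Task Scheduler 1.0; current Windows keeps task definitions as XML under
# System32\Tasks, so a freshly written .job file is itself worth a look.
TEMP_DROP_RE = re.compile(
    r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[0-9a-f]{8,16}\\([^\\]+)\.exe$", re.I)
LEGACY_JOB_RE = re.compile(r"^C:\\Windows\\Tasks\\([^\\]+)\.job$", re.I)
C2_IOCS = {("185.215.113.19", 80)}  # destination from the report's Network table

def hunt_persistence_chain(events):
    """Correlate self-copy, legacy .job creation and known-C2 traffic per source process.

    events: dicts with 'type' in {'file_create', 'net_connect'} (assumed schema).
    Returns one finding per pid that tripped at least one signal.
    """
    state = defaultdict(lambda: {"image": None, "self_copy": None, "job": None, "c2": []})
    for ev in events:
        s = state[ev["pid"]]
        s["image"] = ev["image"]
        if ev["type"] == "file_create":
            drop = TEMP_DROP_RE.match(ev["path"])
            # A process writing a byte-identical copy of its own image into Temp is
            # the self-install step: compare the written file's hash to the writer's.
            if drop and ev.get("file_sha256") == ev.get("image_sha256"):
                s["self_copy"] = drop.group(1).lower()
            job = LEGACY_JOB_RE.match(ev["path"])
            if job:
                s["job"] = job.group(1).lower()
        elif ev["type"] == "net_connect":
            if (ev["dst_ip"], ev["dst_port"]) in C2_IOCS:
                s["c2"].append(f"{ev['dst_ip']}:{ev['dst_port']}")

    findings = []
    for pid, s in state.items():
        signals = []
        if s["self_copy"]:
            signals.append("self_copy_to_temp")
        if s["job"]:
            signals.append("legacy_job_file")
        if s["c2"]:
            signals.append("known_c2_destination")
        if not signals:
            continue
        # The chain is confirmed when the job name matches the dropped binary;
        # a drop or a .job file on its own is only a lead, a known C2 hit is not.
        chained = bool(s["self_copy"] and s["job"] == s["self_copy"])
        findings.append({"pid": pid, "image": s["image"], "signals": signals,
                         "severity": "high" if chained or s["c2"] else "medium"})
    return findings

SAMPLE_SHA = "7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593.exe"
EXPLORTI = r"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
SAMPLE_EVENTS = [  # constructed to mirror the report; not captured telemetry
    {"type": "file_create", "pid": 4468, "image": DROPPER, "image_sha256": SAMPLE_SHA,
     "path": EXPLORTI, "file_sha256": SAMPLE_SHA},
    {"type": "file_create", "pid": 4468, "image": DROPPER, "image_sha256": SAMPLE_SHA,
     "path": r"C:\Windows\Tasks\explorti.job"},
    {"type": "net_connect", "pid": 2308, "image": EXPLORTI, "image_sha256": SAMPLE_SHA,
     "dst_ip": "185.215.113.19", "dst_port": 80},
    # benign control (constructed): an installer drops an updater into Temp,
    # but the dropped file is not a copy of the installer itself.
    {"type": "file_create", "pid": 9001, "image": r"C:\Program Files\Vendor\setup.exe",
     "image_sha256": "1" * 64, "path": r"C:\Users\Admin\AppData\Local\Temp\a1b2c3d4\updater.exe",
     "file_sha256": "2" * 64},
]

if __name__ == "__main__":
    for f in hunt_persistence_chain(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid={f['pid']} {f['image']} -> {', '.join(f['signals'])}")
```

The hash comparison is what separates this from a generic "executable written to Temp" rule, which fires on half the installers in an estate; the IP match is kept as a separate signal because the relaunched copy runs under a different pid from the dropper, so the two sides of the chain only line up when findings are read per process tree rather than per event.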
Files
memory/4468-0-0x0000000001200000-0x00000000016B7000-memory.dmp
memory/4468-1-0x0000000077304000-0x0000000077305000-memory.dmp
memory/4468-2-0x0000000001201000-0x000000000122F000-memory.dmp
memory/4468-3-0x0000000001200000-0x00000000016B7000-memory.dmp
memory/4468-5-0x0000000001200000-0x00000000016B7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
| MD5 | d051474ba32beb9890bd6bdfd587d190 |
| SHA1 | 8a7d008fdedc8efd7ac43b071f0b1d9d4e3b2156 |
| SHA256 | 7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593 |
| SHA512 | ca17f5aa86bd09cddfa2e52967f248d9f7245e66fe6018fd93d83e22f88a66c6da0558416171c3d9857776d60e15839a613ad8c23e2ffd1a904bca63731a669a |
memory/4468-14-0x0000000001200000-0x00000000016B7000-memory.dmp
memory/2308-15-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-16-0x0000000000BD1000-0x0000000000BFF000-memory.dmp
memory/2308-17-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-18-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/808-20-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/808-22-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-23-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-24-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-25-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-26-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-27-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-28-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-29-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-30-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-31-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2660-33-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2660-35-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-36-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-37-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-38-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-39-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-40-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-41-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/4928-43-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/4928-44-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-45-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-46-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-47-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-48-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-49-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-50-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2664-52-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2664-54-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-55-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-56-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-57-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-58-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-59-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-60-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/1404-62-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-63-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-64-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-65-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-66-0x0000000000BD0000-0x0000000001087000-memory.dmp
memory/2308-67-0x0000000000BD0000-0x0000000001087000-memory.dmp