Malware Analysis Report

2024-10-18 23:41

Sample ID 240812-fskrma1dmg
Target e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9
SHA256 e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9
Tags
amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9

Threat Level: Known bad

The file e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Executes dropped EXE

Checks BIOS information in registry

Identifies Wine through registry keys

Loads dropped DLL

Adds Run key to start application

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-12 05:08

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 05:08

Reported

2024-08-12 05:13

Platform

win7-20240704-en

Max time kernel

299s

Max time network

293s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\e1ede615cf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\e1ede615cf.exe" | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1996 set thread context of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\e1ede615cf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 340 set thread context of 804 | N/A | C:\Users\Admin\1000037002\8024c6c5e6.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000036001\e1ede615cf.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\1000037002\8024c6c5e6.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000038001\47e7af72cc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1580 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2932 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000036001\e1ede615cf.exe
PID 1996 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\e1ede615cf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2932 wrote to memory of 340 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\1000037002\8024c6c5e6.exe
PID 340 wrote to memory of 804 | N/A | C:\Users\Admin\1000037002\8024c6c5e6.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2932 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000038001\47e7af72cc.exe
PID 2840 wrote to memory of 2140 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2140 wrote to memory of 3036 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3036 wrote to memory of 280 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3036 wrote to memory of 596 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9.exe

"C:\Users\Admin\AppData\Local\Temp\e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\e1ede615cf.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\e1ede615cf.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\8024c6c5e6.exe

"C:\Users\Admin\1000037002\8024c6c5e6.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\47e7af72cc.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\47e7af72cc.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3036.0.1281590322\26781983" -parentBuildID 20221007134813 -prefsHandle 1284 -prefMapHandle 1272 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33c7c96c-e11c-4810-87c3-2f5531f35abd} 3036 "\\.\pipe\gecko-crash-server-pipe.3036" 1348 44eeb58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3036.1.1498521664\1681714996" -parentBuildID 20221007134813 -prefsHandle 1536 -prefMapHandle 1532 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d585f7e-32f2-4866-baf6-ed5f0e2ac604} 3036 "\\.\pipe\gecko-crash-server-pipe.3036" 1548 41eb558 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3036.2.1556555867\328245381" -childID 1 -isForBrowser -prefsHandle 1964 -prefMapHandle 1960 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {84841468-c572-4b08-844c-ca893db2f431} 3036 "\\.\pipe\gecko-crash-server-pipe.3036" 1992 18d44758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3036.3.673861045\1883099761" -childID 2 -isForBrowser -prefsHandle 2716 -prefMapHandle 2712 -prefsLen 26151 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {735c6d9a-63ad-40c3-a8dd-66fb44e74d6f} 3036 "\\.\pipe\gecko-crash-server-pipe.3036" 2728 1c649758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3036.4.205261993\1381255774" -childID 3 -isForBrowser -prefsHandle 3552 -prefMapHandle 3516 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc90ef71-a737-4165-9234-d9e01aba3934} 3036 "\\.\pipe\gecko-crash-server-pipe.3036" 3752 1f1c5758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3036.5.1688046107\2074012429" -childID 4 -isForBrowser -prefsHandle 3872 -prefMapHandle 3876 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e2206e5-5982-4b7b-9836-6726fc7c6185} 3036 "\\.\pipe\gecko-crash-server-pipe.3036" 3860 1f1c5458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3036.6.260351866\1571771689" -childID 5 -isForBrowser -prefsHandle 4040 -prefMapHandle 4044 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {633745d0-8946-49c7-b473-0770155ded70} 3036 "\\.\pipe\gecko-crash-server-pipe.3036" 4028 1f1c6f58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3036.7.1524855293\834251551" -childID 6 -isForBrowser -prefsHandle 4320 -prefMapHandle 4400 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ddd385e-cbea-445b-880e-b02dfcc3196d} 3036 "\\.\pipe\gecko-crash-server-pipe.3036" 4408 228a9c58 tab

Network

US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp

Files

memory/1580-0-0x0000000000020000-0x00000000004D6000-memory.dmp

memory/1580-1-0x0000000000020000-0x00000000004D6000-memory.dmp

memory/1580-2-0x0000000000020000-0x00000000004D6000-memory.dmp

memory/1580-3-0x0000000000020000-0x00000000004D6000-memory.dmp

memory/1580-9-0x0000000000020000-0x00000000004D6000-memory.dmp

\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 ea501458b62bfb1293f2197a7ee76e29
SHA1 68a7efe3ed06bdfbb00cb3895ffcf99b65f7b4ed
SHA256 e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9
SHA512 26d01e263a41dd39ab65a2d084739ee0cb611533cb6edde0bc086ed1d4a132c8422c8ab2c96c423f6b58c4de203faefb390be2a7f07bee7822467f6bc1bfb716

memory/1580-15-0x0000000006F80000-0x0000000007436000-memory.dmp

memory/2932-17-0x0000000000A30000-0x0000000000EE6000-memory.dmp

memory/1580-14-0x0000000000020000-0x00000000004D6000-memory.dmp

memory/2932-18-0x0000000077A10000-0x0000000077A12000-memory.dmp

memory/2932-19-0x0000000000A31000-0x0000000000A5F000-memory.dmp

memory/2932-20-0x0000000000A30000-0x0000000000EE6000-memory.dmp

memory/2932-23-0x0000000000A30000-0x0000000000EE6000-memory.dmp

memory/2932-21-0x0000000000A30000-0x0000000000EE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\e1ede615cf.exe

MD5 db946418424011c782182c76ab8c179f
SHA1 d640d54d341cf6341bd434c9015d23d22156612a
SHA256 bfdffea79fd6126c2256fab3f3b0421ec9b3a77a618fc406cd0f2e7d4a38f04e
SHA512 a73c645fe96ff6e49207326af35635998af343d2aa5ddd5e8b2bbd2bcded52869d588bb8c69eb220593d3152be99812e3462b1b09deea80adcac30bed9ed8956

memory/1996-38-0x0000000001380000-0x00000000014B0000-memory.dmp

memory/2840-41-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2840-48-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2840-53-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2840-52-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2840-50-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2840-46-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2840-44-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2840-42-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\8024c6c5e6.exe

MD5 62c81eb8cd78dbcf5767f84caad6972e
SHA1 9a508e8724c1431394717ebd3c6dee2f9f21d082
SHA256 166a8fac98b553a4e3647cefc034fe826b753958c0be902d9483148edb001250
SHA512 2feaa6cb070e548790b01601fe13846cd7eb005e2f1b8441092f4f92a1e4cfea6c1bc84314f78ea023e10bec8e3d5712ca43336c090eed0073c7ed99ebbf5af5

memory/2840-62-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2840-65-0x0000000000400000-0x000000000052D000-memory.dmp

memory/340-71-0x0000000000C90000-0x0000000000CC8000-memory.dmp

memory/804-79-0x0000000000400000-0x0000000000643000-memory.dmp

memory/804-77-0x0000000000400000-0x0000000000643000-memory.dmp

memory/804-76-0x0000000000400000-0x0000000000643000-memory.dmp

memory/804-73-0x0000000000400000-0x0000000000643000-memory.dmp

memory/804-87-0x0000000000400000-0x0000000000643000-memory.dmp

memory/804-85-0x0000000000400000-0x0000000000643000-memory.dmp

memory/804-84-0x0000000000400000-0x0000000000643000-memory.dmp

memory/804-81-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\47e7af72cc.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/2932-103-0x0000000006270000-0x00000000064B3000-memory.dmp

memory/1648-105-0x0000000000B40000-0x0000000000D83000-memory.dmp

memory/1648-106-0x0000000000B40000-0x0000000000D83000-memory.dmp

memory/2932-112-0x0000000000A30000-0x0000000000EE6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\pending_pings\c41f7289-13b8-4912-a561-4834c591fc72

MD5 54181d6d6cba066986c6091efdc36e18
SHA1 b7fde3e3c437092ef6b105ed0f3fb51da99e4024
SHA256 2f0b23bfde9597caf26d7db90031d843658e5f706f1bafc504bb44e35768baae
SHA512 f01bbdddca0aa90544d4208a24951783357dcb163c5944dc85530a0bb711782cfc36bc4bbd2162dbba2ea93aa6bffb6fa62cc66e9465e23018dda6482b0bd62d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\pending_pings\937bb8c9-0083-450a-9cf4-b5306493eea0

MD5 33c290943bb7f3e2adffabcf0c2de2e8
SHA1 d6ee4636e9d9945a12c520bba88e910be2f4d717
SHA256 b0757de26a0387c72b39a37b8419774ce9f77b90c027700ec682ed8216224f34
SHA512 c6cbcde2228f0a4cb703a196bc17dade4efb006a3cba2f51b3a82087142b354d1a64c39529b9560feda735eb760b8e03e826a4151c8498c08da9859884960875

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\db\data.safe.bin

MD5 be73cb738ccf0a5ffbedc9706d71c4c5
SHA1 4b91676d7f708ca728d581d3957c479ff2f695a7
SHA256 34c055c511ad4e3399e6bca3d604097a0b51985dc62470dff87d75437d58851c
SHA512 131289547003d5e38363f1c7865d0b3fd707b06308238fb3b82fd616e38e3752eb6b2205de60db7ac19a930f0ca1ee6ab426bfc305fa48f4388ca451bcdc616e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 a000cef2318fdcadac95322006074d5b
SHA1 4ee21b99c609a4ff8394d9904dee88c70a3730ba
SHA256 2e4c6fa3e78f7860e1460da8a85d195dc99cac2a174f83ddf7edd2abdb0a5cea
SHA512 25917b03927ebf5bfb87affecb16777f1ecd8a4ddecf5b24e02fa966d647312a1610a5f831c56d8e6adc01e4f70a933f5e8a5f4e3436d16bd2f530428c7dcdd7

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\activity-stream.discovery_stream.json.tmp

MD5 ec030998a996807351a7d24381dea203
SHA1 2d436ed1d113ad3c80de673bac661bf415fdedd9
SHA256 0f131c085a1ba95d0ac1ed370e9a0d873a57245bc9e02300becde9bdd44f1718
SHA512 e8e9389381348488ccb604c74ddf94b19142405755fc89dc702b264686a0d5a986e1cec333f3c6cff30e95c3d4d70c2abcdc959586492c9a7d8fea3d0eb97121

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs-1.js

MD5 188607b8e94350fa6347e8fa4bf00496
SHA1 9571b4f0f0844885f74720bffc7c2daa8e166f0e
SHA256 25d21a740a1db7d5079bf64d8967d3ec8548057a6b4eaef8759a8dda7b962555
SHA512 b0f0f735a4fb875110bd05643629d11a3642292abffca694b1736f302dbcbc4a7c633d7f2899071aa7429eee17a75578baacef20e2f3ee56a95387d70ce76cfb

memory/2932-259-0x0000000000A30000-0x0000000000EE6000-memory.dmp

memory/2932-261-0x0000000000A30000-0x0000000000EE6000-memory.dmp

memory/2932-266-0x0000000000A30000-0x0000000000EE6000-memory.dmp

memory/2932-275-0x0000000000A30000-0x0000000000EE6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

MD5 a45c66c5db4b7704c78ade16b6993402
SHA1 159cd8fd0eb813d4616cb7dcf06fb89756321a90
SHA256 8e2effc4fe34eb000654b6ace97a19b9eb74f7b951839d8ecc44748abfeb447b
SHA512 e359a87888ccb901587df259dd691b0f0ea63e4927e3552552dde40c5e80114de1c7105742c1f8fbd6c0962da6071fb81ae067d5a28e52fced3a92bce5f9f4a8

memory/2932-283-0x0000000000A30000-0x0000000000EE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs-1.js

MD5 f13f1fd50ff87983e485025e49c6e4ac
SHA1 553a20d0acbd3c905a766e98b78c7679c5d9605d
SHA256 753d74ea31d7c237bd64b13f885d0bfdbe4265f2a1b23b0c4f44ee1ea7649e25
SHA512 4abc6a72536e486a329fdcc49eddf72b1d08a56289509c0b7bdeb0620b84fddfa843be9189844e3e70cf5a5b437125712a1dfc821bf76b38880bc69e33962b7a

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

memory/2932-355-0x0000000000A30000-0x0000000000EE6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs-1.js

MD5 650d97d58f45a2e80e663ae710dc15c9
SHA1 cba9ad8f90c47033bc9979a9a525d1c4ec0dc12a
SHA256 0515eb4166828092ec5f996420aa0c0d7acdd5dc45320d56544cb85fd1ab7650
SHA512 e0f52e0e2ace615c7c28495e26e8ba2ce00b7d845c841700d50100ccca41ea5f86f78ec5cc957b83754bd8980f95c405c4185cb73c435754cca7a508ed8828bd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

MD5 794977fa124d0ca17476be85af48a9f9
SHA1 d8f850777928f0c7cdd62c2e216480ad2fe3e5e7
SHA256 e591f8b6144d03e3c01f607b199e88644a1a915d2260e95d4aab30806ad432bd
SHA512 ee309d8f6d56d6fd37c3e3d594910d677d938feeb078ca7640b82015147c94e21c5b91467569ad29af464293a1ab723ac6d62dfa2fb81fd324e54f19eede7c4f

memory/2932-374-0x0000000000A30000-0x0000000000EE6000-memory.dmp

memory/2932-376-0x0000000000A30000-0x0000000000EE6000-memory.dmp

memory/2932-382-0x0000000000A30000-0x0000000000EE6000-memory.dmp

memory/2932-389-0x0000000000A30000-0x0000000000EE6000-memory.dmp

memory/2932-390-0x0000000000A30000-0x0000000000EE6000-memory.dmp

memory/2932-391-0x0000000006270000-0x00000000064B3000-memory.dmp

memory/2932-392-0x0000000000A30000-0x0000000000EE6000-memory.dmp

memory/2932-393-0x0000000000A30000-0x0000000000EE6000-memory.dmp

memory/2932-394-0x0000000000A30000-0x0000000000EE6000-memory.dmp

memory/2932-395-0x0000000000A30000-0x0000000000EE6000-memory.dmp

memory/2932-401-0x0000000000A30000-0x0000000000EE6000-memory.dmp

memory/2932-402-0x0000000000A30000-0x0000000000EE6000-memory.dmp

memory/2932-403-0x0000000000A30000-0x0000000000EE6000-memory.dmp

memory/2932-409-0x0000000000A30000-0x0000000000EE6000-memory.dmp

memory/2932-410-0x0000000000A30000-0x0000000000EE6000-memory.dmp

memory/2932-411-0x0000000000A30000-0x0000000000EE6000-memory.dmp

memory/2932-412-0x0000000000A30000-0x0000000000EE6000-memory.dmp

memory/2932-413-0x0000000000A30000-0x0000000000EE6000-memory.dmp

memory/2932-414-0x0000000000A30000-0x0000000000EE6000-memory.dmp

memory/2932-415-0x0000000000A30000-0x0000000000EE6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs-1.js

MD5 44d2ed17c33b60416075d1285033a2c0
SHA1 8109cc250fb93a187ba1ea4b7a947b26fb738439
SHA256 fd7cb1ecc5e497d84f4f62c302edfd22101e09c385ae6df35ffcb8b73cdca0d0
SHA512 a398a44c9cdeef0bf8fab2a7ede1263724462ad75e57e7c6a536dbc1c1deed1138dae52ce8a4189e6775c5d7b3f189fa52e498e5201398b8c8b06cbe881330c2

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 82da9d2601dfd22a7b3e66277e09227f
SHA1 bd8eff200720fc010f03723def5f4015533201c0
SHA256 60ec0d72b18a10a61fdf0421e64aa7cf7b4f10c8db383d4ef4c6021cdc0a3a3e
SHA512 0a25ab31081b562ec4b06f78d7cf1323ff422f18c153cce2598b6c0f81e5706fa9f789df659c81ddf55e7f4172cb9bc827c4ecbaa025b3b0f6b31684eb744c6d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\entries\F210D48319A1879FD1C5213FA010C613B99BA085

MD5 59ed23ebc8c51453060f887bb812dd2d
SHA1 f8063daa406dd9f9253a50c1f86720f28671b442
SHA256 92a3f3fc35ed2707a3a4bb912e51fe005e4b858722f4b982842f1941ac71d3c3
SHA512 8ad6f4b7fb9e48f5730892620ccfdf066663394c3fc3c75eccb2cc54b2867dc419dc4d0e4be2e8fbf309914a56a7f746bb5e2950bf810a1f3c5acde97099d63c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\entries\037778A55E1B7E9BED3390289866D09402D6C913

MD5 455024c8caa533037869f391d1074880
SHA1 70b5fbd21ad72d89700b441efa1bd2def54f73c4
SHA256 5bc42642c07c7f60c230eab4d70578885b9ba2fcbba66127275ec2b7799a84c7
SHA512 39d627e050d80eba99443a7c58fc6acdaf72a4f32e018a984f7168d7b516d1dc99b4543400f95f01c647e61c81d2b46c641c96322848d0b71acb790a6898944a

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495

MD5 0a538a71b6511e521dd14c4ca163fb12
SHA1 faadfe18486f5dae5022c623cc2930101aefd272
SHA256 ab24530309921e2fa2e491d4d8554386f4649d831e934dfa6d142700ba1060be
SHA512 0bfa15319a1e4f0ba6e4fe1c6950529b679078b38798628e8fc47a289f79b45254a15dafa05140024a603a9a861da09902cc76e25975ccfaa0dda9860192d337

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 ceb7418b8e756820be206b21a6a520eb
SHA1 ba4bb7475e20fbb1d201f89c108ddd121785dbe4
SHA256 a09b3c74783dbde8bc3407c032aa5dc701c744d860c2b87c823aa6c5a13c1e46
SHA512 11999d6c8fc6fda781a9b0704485c8dcb05267a6aaa7bc74be6a9f86f000d95d4b35ac65c5c4089ff0263ddff6958d97cf03e6fb84e610a8c7ac7a9d7ea1aa3f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

MD5 219c5110a7cd62043cdd7058617a6858
SHA1 da4576aac1ec3183e6927b94e57b4bd1a9ff415b
SHA256 ce6f0f03624d145ac57e1da256fab0056edb08b5108f53e8f1aa862a2773dad8
SHA512 b7cba4170f42a593102729ad97e22fa0346c7a76921d2504dd9c80c849ab533f352f4947d70b5007f9d23b6c04567314fe5565e34c01ba836ef2d9ca5c534a4c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\entries\C56CEA9BA4C5A4EBF2529FA998AE508D8D80956B

MD5 d8c46d1c7c3814e1ffa276e643144451
SHA1 8388fffa5448534f06aa8b70c1ef46245bfd7168
SHA256 8f3c8035d0f4288c806190f492cc7e6fbb90ef133be33c545b4b470bc6c7c828
SHA512 c90a065dfa108fc44ba82cdc154285da24144dd3593d6a77014a0497cdb367a909b219b46419716c835d81df0cad81df3f19ebe59c34fbf934a9ad1524c23920

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\entries\099EB2BF8827A4F91EAB3E38B14650D0205226F2

MD5 ae1e34c5a30464fff27ce9b085e177e3
SHA1 838225759998d6714f249b9d2ace4e4cd1ef9884
SHA256 ed076a62fc398f8241fc0351b4e58de3fed6a4b4009c0e701bc6b9ba76092cf3
SHA512 95aa52cb94d96b157d6ee0f2fdc3b560c1d06f7e4c3a7e302a482c069235b5a86c715c432381d58a93b2af8b006bd2c4c8971222e96dd9af5943228479148fd0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\broadcast-listeners.json

MD5 72c95709e1a3b27919e13d28bbe8e8a2
SHA1 00892decbee63d627057730bfc0c6a4f13099ee4
SHA256 9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa
SHA512 613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\targeting.snapshot.json

MD5 ab53565ec331e8f1b1a7ce67b47de079
SHA1 b3e911cde3f074bde6fc29b64fbe05794951ee8b
SHA256 97b07048b0a81e1282e84344dfb36c680e5cfe163884a8f4592f04bb1f2b0220
SHA512 c8334fac8b83b32d4acea506c37e3d34d64e51e17397e7394d2a0c9898e193fa23f44a77d993677de622a8979e31ccf09764283b56b808c3cd287e2976cc1b79

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionCheckpoints.json

MD5 c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA1 5942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA256 00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA512 71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\addonStartup.json.lz4

MD5 41b618353b4d2dcf9245fc2b705941c8
SHA1 8da3f96ab69fc7c83e43b3a0f7b04a945fc0bbbd
SHA256 c222e352ebebbcd99e31b336b837b236c9ece69607d6238bd01d40bfd07261cb
SHA512 0f05b4173827eb2e3840ef8eaa7c56f729d7623570b91b126d634a4b057505214f466268a6670602cdde0eb549bc40f367c7a74a562302d5342f5b5c749b5a8b

memory/2932-483-0x0000000000A30000-0x0000000000EE6000-memory.dmp

memory/2932-487-0x0000000000A30000-0x0000000000EE6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 dbd238e8b6d4c4ce4b9ada22419d0936
SHA1 7ec9bb7dca0799d6205c572bfc296efa16a69f81
SHA256 425a37961f8af8960af729da17759e50025ba20cdeb38eb833c889f31b954330
SHA512 5d72d227d3bb9b60bff09738039ef848e5d96b326bd399895420e94a6c23c65d2676b48bdd5eef5904156c49f9ae937697a8751c676dcd45435d363590cbe777

memory/2932-496-0x0000000000A30000-0x0000000000EE6000-memory.dmp

memory/2932-497-0x0000000000A30000-0x0000000000EE6000-memory.dmp

memory/2932-498-0x0000000000A30000-0x0000000000EE6000-memory.dmp

memory/2932-503-0x0000000000A30000-0x0000000000EE6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\bookmarkbackups\bookmarks-2024-08-12_11_2l0+nvpbqj44fncm+b2Zxg==.jsonlz4

MD5 196a3980c2ce31700ebb988b24d1f9dc
SHA1 6c1bd58221f3abb3e78410200409055f44370698
SHA256 64681d83d4a685a13892d40231930b573b7d8d788b60adbe510e4c56d9e1350e
SHA512 4e9bf404a78340d08cfca9c69f825f412a92938a5f8e635fdd16d086b8da11b400ec607133967a29cbbd84092f8d6200cb7d339cc69b5eaf974a74eeb30a5d89
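The behavioral1 file list above mixes three kinds of entry: memory dumps of the running processes, files the sample wrote, and Firefox profile and cache files that the sandbox's own browser produced during the run. The example below is an added illustration for this report, not code from the sandbox or from the malware; it parses the list's format (a path line, then MD5/SHA1/SHA256/SHA512 lines) and pulls out the executables written outside the browser profile, marking the one whose SHA256 equals the submitted sample's: the dropped explorti.exe in %TEMP%\0d8f5eb8a7\ is a byte-identical copy of the loader, which is what the scheduled-task job file of the same name in behavioral2 is built around. The sample entries are copied from the list above; the exclusion rule (anything under a Mozilla\Firefox profile, anything that is not a .exe) is an editor's assumption.

```python
"""Parse a sandbox 'Files' listing (path line, blank line, MD5/SHA1/SHA256/SHA512
lines; 'memory/...' dump entries carry no hashes) and report which dropped
executables are new payloads and which is a self-copy of the submitted sample.
Added illustration for the report above; not the sandbox's code."""
import re

# SHA256 of the submitted sample, taken from the report header.
SAMPLE_SHA256 = "e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9"

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files(text):
    """Return one {'path', 'MD5', 'SHA1', 'SHA256', 'SHA512'} dict per hashed file."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:
                current[m.group(1)] = m.group(2)
            continue
        if line.startswith("memory/"):
            current = None            # memory dump: no hashes follow, skip it
            continue
        current = {"path": line}      # any other line starts a new file entry
        entries.append(current)
    return [e for e in entries if "SHA256" in e]


def hashes_well_formed(entry):
    """Guard against truncated or mis-copied digests before anyone pivots on them."""
    return all(len(entry.get(k, "")) == n for k, n in HASH_LEN.items())


def dropped_payloads(entries, sample_sha256):
    """Executables written outside the browser profile, tagged self-copy or not."""
    out = []
    for e in entries:
        p = e["path"]
        if "\\Mozilla\\Firefox\\" in p or not p.lower().endswith(".exe"):
            continue                  # editor's assumption: profile files are sandbox noise
        out.append({"path": p, "sha256": e["SHA256"],
                    "self_copy": e["SHA256"] == sample_sha256,
                    "well_formed": hashes_well_formed(e)})
    return out


# Entries copied from the behavioral1 file list above (constructed sample input).
SAMPLE_FILES = r"""
memory/1580-0-0x0000000000020000-0x00000000004D6000-memory.dmp

\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 ea501458b62bfb1293f2197a7ee76e29
SHA1 68a7efe3ed06bdfbb00cb3895ffcf99b65f7b4ed
SHA256 e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9
SHA512 26d01e263a41dd39ab65a2d084739ee0cb611533cb6edde0bc086ed1d4a132c8422c8ab2c96c423f6b58c4de203faefb390be2a7f07bee7822467f6bc1bfb716

C:\Users\Admin\AppData\Local\Temp\1000036001\e1ede615cf.exe

MD5 db946418424011c782182c76ab8c179f
SHA1 d640d54d341cf6341bd434c9015d23d22156612a
SHA256 bfdffea79fd6126c2256fab3f3b0421ec9b3a77a618fc406cd0f2e7d4a38f04e
SHA512 a73c645fe96ff6e49207326af35635998af343d2aa5ddd5e8b2bbd2bcded52869d588bb8c69eb220593d3152be99812e3462b1b09deea80adcac30bed9ed8956

C:\Users\Admin\1000037002\8024c6c5e6.exe

MD5 62c81eb8cd78dbcf5767f84caad6972e
SHA1 9a508e8724c1431394717ebd3c6dee2f9f21d082
SHA256 166a8fac98b553a4e3647cefc034fe826b753958c0be902d9483148edb001250
SHA512 2feaa6cb070e548790b01601fe13846cd7eb005e2f1b8441092f4f92a1e4cfea6c1bc84314f78ea023e10bec8e3d5712ca43336c090eed0073c7ed99ebbf5af5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
"""

if __name__ == "__main__":
    for p in dropped_payloads(parse_files(SAMPLE_FILES), SAMPLE_SHA256):
        print(("SELF-COPY " if p["self_copy"] else "PAYLOAD   ") + p["path"])
```

Run on the full list, the self-copy flag separates the loader's own relocation from the further executables it wrote under numbered directories, which are the hashes worth submitting to a reputation service; the Firefox profile files are dropped because the same paths and content appear in any detonation that opens the browser.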

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-12 05:08

Reported

2024-08-12 05:13

Platform

win10-20240611-en

Max time kernel

293s

Max time network

298s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
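The signature tables above list the registry and file operations one by one; what an analyst actually wants is the per-process picture: which binary performed the VirtualBox ACPI check, the BIOS version reads, the Wine key probe, the language lookup, and the .job drop. The example below is an added illustration for this report, not the sandbox's or the malware's code. It parses rows in the "Description Indicator Process Target" layout used above and maps each indicator to a behaviour label and an ATT&CK technique ID. The pattern list and the technique mapping are the editor's; the sample rows are copied from the tables, and the process column is reduced to its file name. The mapping is evidence, not proof: legitimate installers also read SystemBiosVersion, and the sandbox itself only calls the ACPI check "likely anti-VM".

```python
"""Map sandbox signature rows (VirtualBox ACPI key, BIOS version values, the Wine
key, the NLS Language key, a .job file under the Windows Tasks directory) onto
behaviour labels and ATT&CK technique IDs, grouped by process.
Added illustration for the report above; not the sandbox's code."""
import re
from collections import defaultdict

# (regex over the Indicator column, behaviour label, ATT&CK technique) -- editor's mapping
RULES = [
    (r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", "anti-VM: VirtualBox ACPI table", "T1497.001"),
    (r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", "BIOS fingerprinting", "T1082"),
    (r"\\Software\\Wine$", "anti-emulation: Wine check", "T1497.001"),
    (r"\\Control\\NLS\\Language$", "system language discovery", "T1614.001"),
    (r"^C:\\Windows\\Tasks\\[^\\]+\.job$", "scheduled-task persistence (.job file)", "T1053.005"),
]

# Description  Indicator  Process  Target  (indicator and process paths contain no spaces here)
ROW_RE = re.compile(r"^(Key opened|Key value queried|File created)\s+(\S+)\s+(\S+)\s+(\S+)$")

SAMPLE_EXE = "e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9.exe"


def parse_row(line):
    """Split one table row into its four columns; None for headers or unknown rows."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    desc, indicator, process, target = m.groups()
    return {"description": desc, "indicator": indicator,
            "process": process.rsplit("\\", 1)[-1], "target": target}


def classify(lines):
    """{process file name: {technique: sorted labels}} for every row a rule matches."""
    result = defaultdict(lambda: defaultdict(set))
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        for pattern, label, technique in RULES:
            if re.search(pattern, row["indicator"], re.IGNORECASE):
                result[row["process"]][technique].add(label)
                break
    return {p: {t: sorted(v) for t, v in techs.items()} for p, techs in result.items()}


def evasion_count(classified, process):
    """Number of distinct VM/emulator-detection checks attributed to a process."""
    return len(classified.get(process, {}).get("T1497.001", []))


# Rows copied from the behavioral2 signature tables above (constructed sample input).
SAMPLE_ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
""".strip().splitlines()

if __name__ == "__main__":
    for proc, techs in classify(SAMPLE_ROWS).items():
        print(proc)
        for tid, labels in sorted(techs.items()):
            print(f"  {tid}: {', '.join(labels)}")
```

On these rows the original sample accounts for the VirtualBox check, a VideoBiosVersion read and the explorti.job drop, while the relocated copy explorti.exe repeats the VirtualBox check, adds the Wine probe and does the BIOS and language reads; the Wine and VirtualBox probes are what the sandbox's "evasion" tag rests on. When the same evasion is seen from both the original and the copy, the copy is the one whose persistence mechanism needs removing first.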

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9.exe

"C:\Users\Admin\AppData\Local\Temp\e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 36.58.20.217.in-addr.arpa udp
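The two network tables above (behavioral1, which ran with Firefox open, and behavioral2, which did not) show how much of a sandbox's traffic is browser background noise: Mozilla telemetry, Google account endpoints, codec and update downloads. The rows that matter are the plain-HTTP connections to 185.215.113.19, .16 and .100, whose Domain column is just the IP again because no name was ever resolved, and, in behavioral2, the reverse (PTR) lookups, one of which is for 185.215.113.19 itself. The example below is an added illustration for this report, not the sandbox's code; it parses the "Country Destination Domain Proto" rows, drops DNS, loopback and allowlisted names as noise, and correlates PTR queries with direct-to-IP destinations. The allowlist of benign suffixes is an editor's assumption, and the sample rows are copied from the two tables.

```python
"""Triage sandbox network rows: separate direct-to-IP traffic and self-referential
PTR lookups from browser background noise.  Added illustration for the report
above; not the sandbox's code.  Heuristics:
  1. a row whose Domain column repeats the destination IP is direct-to-IP traffic;
  2. a PTR query (a.b.c.d.in-addr.arpa) whose IP is also a direct destination shows
     the sample reverse-resolving its own server;
  3. DNS to 8.8.8.8, loopback, and names under BENIGN_SUFFIXES are counted as noise."""
import ipaddress
import re

# Editor's assumption: suffixes a fresh Firefox profile talks to on its own.
BENIGN_SUFFIXES = ("mozilla.net", "mozgcp.net", "mozaws.net", "getpocket.com",
                   "google.com", "youtube.com", "gvt1.com", "openh264.org", "akamai.net")

# country  ip:port  [domain]  proto   (the Domain column is empty for loopback rows)
ROW_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:                      # header line or a row we do not understand
            continue
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'19.113.215.185.in-addr.arpa' -> '185.215.113.19'; None for anything else."""
    suffix = ".in-addr.arpa"
    if not name or not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def is_benign_domain(domain):
    return domain is not None and any(
        domain == s or domain.endswith("." + s) for s in BENIGN_SUFFIXES)


def triage(rows):
    direct = {}            # "ip:port" -> countries, for bare-IP connections
    ptr_targets = set()    # IPs the sample tried to reverse-resolve
    noise, unclassified = 0, []
    for r in rows:
        if r["ip"] == "8.8.8.8" and r["port"] == 53:
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr_targets.add(ip)
            else:
                noise += 1             # forward lookup of an ordinary hostname
            continue
        if ipaddress.ip_address(r["ip"]).is_loopback or is_benign_domain(r["domain"]):
            noise += 1
            continue
        if r["domain"] == r["ip"]:
            direct.setdefault(f'{r["ip"]}:{r["port"]}', set()).add(r["country"])
            continue
        unclassified.append(r)         # worth a manual look
    direct_ips = {k.split(":")[0] for k in direct}
    return {"direct_ip": sorted(direct),
            "ptr_lookups": sorted(ptr_targets),
            "ptr_of_direct": sorted(ptr_targets & direct_ips),
            "noise": noise,
            "unclassified": unclassified}


# Rows copied from the behavioral1 and behavioral2 tables above (constructed sample input).
SAMPLE_TABLE = """
Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:49298 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
DE 74.125.163.138:443 r5---sn-4g5lzney.gvt1.com tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 36.58.20.217.in-addr.arpa udp
"""

if __name__ == "__main__":
    for key, value in triage(parse_rows(SAMPLE_TABLE)).items():
        print(f"{key}: {value}")
```

The three 185.215.113.x:80 destinations come out as the only direct-to-IP traffic, and 185.215.113.19 is the one address that is both contacted directly and reverse-resolved, so it is the strongest network indicator in the report; the other three PTR targets appear only as lookups, with no connection to them in either table, and the example leaves them uninterpreted. The allowlist is a blunt instrument: a sample that beacons to a subdomain under an allowlisted suffix would be hidden by it, which is why unclassified rows are returned rather than discarded.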

Files

memory/4396-0-0x0000000000940000-0x0000000000DF6000-memory.dmp

memory/4396-1-0x0000000076FD4000-0x0000000076FD5000-memory.dmp

memory/4396-2-0x0000000000941000-0x000000000096F000-memory.dmp

memory/4396-3-0x0000000000940000-0x0000000000DF6000-memory.dmp

memory/4396-5-0x0000000000940000-0x0000000000DF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 ea501458b62bfb1293f2197a7ee76e29
SHA1 68a7efe3ed06bdfbb00cb3895ffcf99b65f7b4ed
SHA256 e45ca9436d8e1fe09c62e40290b44411fef63d729e75c3d1edb7376dda9217c9
SHA512 26d01e263a41dd39ab65a2d084739ee0cb611533cb6edde0bc086ed1d4a132c8422c8ab2c96c423f6b58c4de203faefb390be2a7f07bee7822467f6bc1bfb716

memory/2668-14-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/4396-13-0x0000000000940000-0x0000000000DF6000-memory.dmp

memory/2668-15-0x0000000000BA1000-0x0000000000BCF000-memory.dmp

memory/2668-16-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-17-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-18-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-19-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-20-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-21-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-22-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-23-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-24-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/4832-26-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/4832-27-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-28-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-29-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-30-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-31-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-32-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-33-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/3924-35-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-36-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-37-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-38-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-39-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-40-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-41-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/788-43-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/788-44-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-45-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-46-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-47-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-48-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-49-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-50-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/3960-53-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-54-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-55-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-56-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-57-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-58-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-59-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/4388-62-0x0000000000BA0000-0x0000000001056000-memory.dmp

memory/2668-63-0x0000000000BA0000-0x0000000001056000-memory.dmp