Malware Analysis Report

2024-10-18 23:43

Sample ID 240812-rvh7csvfjl
Target 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb
SHA256 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb
Tags
amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb

Threat Level: Known bad

The file 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan

Amadey

Stealc

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Identifies Wine through registry keys

Adds Run key to start application

AutoIT Executable

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Browser Information Discovery

System Location Discovery: System Language Discovery

Checks processor information in registry

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-12 14:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 14:30

Reported

2024-08-12 14:33

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target (repeat count)
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe N/A (x1)
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A (x4)

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\61fdf520a3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\61fdf520a3.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target (repeat count)
N/A N/A N/A N/A (x3)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2104 set thread context of 4856 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\61fdf520a3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3364 set thread context of 4948 N/A C:\Users\Admin\1000037002\f65e7ae959.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\27b15fc051.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\61fdf520a3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\f65e7ae959.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target (repeat count)
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (x5)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target (repeat count)
N/A N/A C:\Users\Admin\AppData\Local\Temp\5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe N/A (x1)
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (x7)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (x21)
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (x35)

Suspicious use of SendNotifyMessage

Description Indicator Process Target (repeat count)
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (x7)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (x20)
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (x37)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target (repeat count)
PID 4476 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (x3)
PID 2256 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\61fdf520a3.exe (x3)
PID 2104 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\61fdf520a3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (x10)
PID 2256 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\f65e7ae959.exe (x3)
PID 3364 wrote to memory of 4948 N/A C:\Users\Admin\1000037002\f65e7ae959.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (x9)
PID 2256 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\27b15fc051.exe (x3)
PID 4856 wrote to memory of 5004 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe (x2)
PID 5004 wrote to memory of 4564 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (x11)
PID 4564 wrote to memory of 1168 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (x20)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe

"C:\Users\Admin\AppData\Local\Temp\5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\61fdf520a3.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\61fdf520a3.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\f65e7ae959.exe

"C:\Users\Admin\1000037002\f65e7ae959.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\27b15fc051.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\27b15fc051.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd19b80a-b99e-4236-b7fb-32733cb3f177} 4564 "\\.\pipe\gecko-crash-server-pipe.4564" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad92a7c0-2a9a-43e6-8edb-bcc4f229dd81} 4564 "\\.\pipe\gecko-crash-server-pipe.4564" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3160 -childID 1 -isForBrowser -prefsHandle 3024 -prefMapHandle 3032 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0ced6b3-afcd-4131-96ea-276a6008c7ab} 4564 "\\.\pipe\gecko-crash-server-pipe.4564" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3708 -childID 2 -isForBrowser -prefsHandle 3684 -prefMapHandle 3696 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b35d6422-0bc7-4ae7-9868-2d5ce59291a0} 4564 "\\.\pipe\gecko-crash-server-pipe.4564" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4692 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4672 -prefMapHandle 4668 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8fe8886-9e78-4be4-b410-154663c59059} 4564 "\\.\pipe\gecko-crash-server-pipe.4564" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5260 -childID 3 -isForBrowser -prefsHandle 5332 -prefMapHandle 5288 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7019d424-ab22-4ada-9b50-61b81b5b59ba} 4564 "\\.\pipe\gecko-crash-server-pipe.4564" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5460 -childID 4 -isForBrowser -prefsHandle 5432 -prefMapHandle 5464 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f81becb3-106c-467c-a6d8-68dc5d69f2c8} 4564 "\\.\pipe\gecko-crash-server-pipe.4564" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5684 -childID 5 -isForBrowser -prefsHandle 5480 -prefMapHandle 5428 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d124bb5c-c7ac-40fa-88ef-328802c47b3f} 4564 "\\.\pipe\gecko-crash-server-pipe.4564" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6012 -childID 6 -isForBrowser -prefsHandle 6184 -prefMapHandle 6164 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59e66b5b-7fb3-4fdd-a6ed-faca615bb72b} 4564 "\\.\pipe\gecko-crash-server-pipe.4564" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:51381 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 161.99.165.35.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.36.251.142.in-addr.arpa udp
N/A 127.0.0.1:51389 tcp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 174.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 www3.l.google.com udp
NL 142.250.179.174:443 www3.l.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com udp
US 8.8.8.8:53 196.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-5hne6nsk.gvt1.com udp
NL 172.217.132.38:443 r1---sn-5hne6nsk.gvt1.com tcp
US 8.8.8.8:53 r1.sn-5hne6nsk.gvt1.com udp
US 8.8.8.8:53 r1.sn-5hne6nsk.gvt1.com udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 38.132.217.172.in-addr.arpa udp
NL 172.217.132.38:443 r1.sn-5hne6nsk.gvt1.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
NL 216.58.214.14:443 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 52.111.227.13:443 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files

memory/4476-0-0x0000000000E20000-0x00000000012F5000-memory.dmp

memory/4476-1-0x0000000077A84000-0x0000000077A86000-memory.dmp

memory/4476-2-0x0000000000E21000-0x0000000000E4F000-memory.dmp

memory/4476-3-0x0000000000E20000-0x00000000012F5000-memory.dmp

memory/4476-4-0x0000000000E20000-0x00000000012F5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 31a21e0d2689f00347aba47d01baf807
SHA1 7dcebcf70a24796476e8a863de9eff5222ee9f3c
SHA256 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb
SHA512 2424d31df7b9d48f7a4721b40fd57b0667a04b9b73ffdb3b96da5cd972e8ee03cfeb539c72cafa13153da94dd5f59fe6b01a67ac41b68b5afd7d8cc7f818f292

memory/2256-16-0x0000000000DE0000-0x00000000012B5000-memory.dmp

memory/4476-18-0x0000000000E20000-0x00000000012F5000-memory.dmp

memory/2256-19-0x0000000000DE0000-0x00000000012B5000-memory.dmp

memory/2256-20-0x0000000000DE0000-0x00000000012B5000-memory.dmp

memory/2256-21-0x0000000000DE0000-0x00000000012B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\61fdf520a3.exe

MD5 d3675b336c4a489e48ced9f4d763fff8
SHA1 f95a1dd04278d6811ad43d2e2df75d74ac5c5938
SHA256 24ab780777f1b33c8fcb240620994c31df63fa4d9114daf58a70b595e035c0be
SHA512 ead3ad7bf9ba46e1e1a67430be52a378c85ed900b5da40b3ab1750bbb7bf6347f6c283ca64a73abaa6ea60565d7309bdf12dbf9cf1132a84232d6f1135593575

memory/2104-40-0x000000007369E000-0x000000007369F000-memory.dmp

memory/2104-41-0x0000000000EC0000-0x0000000000FF0000-memory.dmp

memory/4856-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4856-45-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4856-47-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\f65e7ae959.exe

MD5 4c49157471d5a6c1fc1981ca91471124
SHA1 5210db72295c4683619a3f64e23580b17ddae4db
SHA256 3fe97184d08241370b0d19ee68ad88ae6b9af172a0004a17f747d6c10bc977e3
SHA512 7169ee3ed61a2de954021ce8e132b532035b39b636b0fa55e3354100b2a059af6e9bda891a085fed5d8720d23be80f6507a7597a60a59aa6b3fdf0b8c551aa3c

memory/3364-66-0x0000000000520000-0x0000000000558000-memory.dmp

memory/4948-68-0x0000000000400000-0x0000000000643000-memory.dmp

memory/4948-70-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\27b15fc051.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/716-86-0x0000000000960000-0x0000000000BA3000-memory.dmp

memory/716-87-0x0000000000960000-0x0000000000BA3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\ff7f66c1-7896-4a15-a5e7-99f4f37af737

MD5 d5cb35629e7197dbdaf840330cb8f91d
SHA1 ec68034b11e6e7c1be0c68fb1ff98129ddcc0b58
SHA256 2d916dff2c1a271d25723c2f36f0f24c5a987f55a8d6da62a8d527d32f3988fe
SHA512 1fb21b02b3a4ac274e3ed22f564a4899cbf0a1bad4a580a12134961b1672cf4dd6566affb030bad546a91fe4a165b0b2b773989e18e5f3a18bc4b7d51dcc577b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\c0b168f5-9014-425c-9742-d2a9a232b775

MD5 9e99c3e20989a37ac73775698ba165a5
SHA1 6419c226af47974badd596ba7fec9118dead4a66
SHA256 b6045efb8a2a6d7c3dac8b9700bd5cd793d81dc17d2136e012013213adc4af84
SHA512 db1fed1ded52f5e5bae8b86860c0744c716a7a54bf5479ded2917fec1748ee17c09485ce65f39be49a99a2165f6d00943084521d82333612d66d4692bab265d7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\de0f17a5-fe3e-4742-b1b7-f9abe745ecfb

MD5 59af491571ea8fabb384c66bca7807fa
SHA1 f51d6a927817b09a4a317963fb7f1e7b867d16de
SHA256 4f77114bfbe33d5086efdf2158130086be2ca35f073d0433ebf77eba7eb3831c
SHA512 d5bb0f250569a7736316118c244a59304f80b893475cf86336f69908f98f0b30f32bfb03f27022f47188ed35d9c9b4277d3f282512c5711a5bfeb72db638f9f8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

MD5 209b1adce277248bf5a0efe8edaca44c
SHA1 32b40cb83fa417a793452d65654a97d156279403
SHA256 6f3d4e576c1bcae5f1f5e813f74969192a21d03fffe680e52363301f7082fd5f
SHA512 84ac8de959dcfb7593cf6c38749ab66d2ba05efdb3bce4109eec0a2a6c2cdbe24626ebbcde99de3806c223c2f83c2e590a3b9359810c9afafc3d787b0f5c5f82

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

MD5 40065be7ca842db7edabbdc5eb762a65
SHA1 f5b173cc3ac14cb5431b7a925970229d12800a62
SHA256 89502a75d879045f9ec2e7fd74093a4fe2800f8f8c1c9fc75d4d826c2c947e39
SHA512 dda67c7b489edd475702878862de76c449519cac76886d8b5b1923dd82b7453532fb13f20fc248ad8b6336061bdacf2fddeee4ca058994a05cb93ae781361115

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs.js

MD5 0a31e8c3ae22d6bb8cf8108d2a09ea20
SHA1 b3f5c1dbd0d4e06a32a4a60ef3e20cc64b4151e7
SHA256 4306cc81f86096e9370917ebe9e39281849fe5a31d05a79e9a2764ebb0c76bb4
SHA512 f63aafba9bf60185bf0b169a085c1f6e11f6ef56018f62dd15afd610fcbfc7befd0a5fed99acc9dcd9f7bb20d39f7b8f678bb27e1cbcdeb1fba11dedfd22b71a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

MD5 fffe14c81daac23423d83e80d534d00e
SHA1 5a3aedaf44f6f6279fd9cf76cf20aad7e25a2955
SHA256 beaff4348a31efed91850c65f7aae85ac0c4b66f115eb46b8570b5d4b0c4a447
SHA512 f248a41c684e5bd34dd1d28a67374955aeff40c8debaf1dab21d0f1a639ce388dad4d5f1fd083769f08098cc4f2612105e49404f677e8b7b00280ec90b437fac

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

MD5 26e8edd707e268e1cedbaad8da408ec7
SHA1 fa935dae45a64c91e31e33829f4f86fbaef74c40
SHA256 2f6af02c6f46a4da617ae6eb24bb652bf1ca6773c3bdb651381f95eabd863fe2
SHA512 a0acd8e846dadaef3e5c2fb0d9dd937138946867c4afd99d9c3cbdf84fba6b8abf286e48000d61a6e551e3d0ce0accc3c33572a1a83f65a314602b7717889bd6

memory/3516-421-0x0000000000DE0000-0x00000000012B5000-memory.dmp

memory/2256-420-0x0000000000DE0000-0x00000000012B5000-memory.dmp

memory/3516-427-0x0000000000DE0000-0x00000000012B5000-memory.dmp

memory/2256-438-0x0000000000DE0000-0x00000000012B5000-memory.dmp

memory/2256-447-0x0000000000DE0000-0x00000000012B5000-memory.dmp

memory/2256-450-0x0000000000DE0000-0x00000000012B5000-memory.dmp

memory/2256-451-0x0000000000DE0000-0x00000000012B5000-memory.dmp

memory/2256-456-0x0000000000DE0000-0x00000000012B5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

MD5 195d05f55e33953da9a3a866fabf375b
SHA1 a5cf5983c1ab1d451e0a17ddedfd94baa57c0ed5
SHA256 8364d057a69f40f0bcb2c6293ffc4de5a0b94d6f719fad7a319b667f5c18d017
SHA512 7532d7e824c1f10cedec6440ee9049276414c2febad35b7d37ad3e95bae62021ff912fa7e12647d92311cd2c6b03ce16b97d314b282060af8ef7a277196f1441

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

MD5 d64528af1a0e22e5e3eb61c84e7c4789
SHA1 02bd2f91895ab6013cde6df009fb8faf6bd824f9
SHA256 29045de8a664f8ee59c8daa86850f0b1bc2ce199fe4fc9ff30469b52f8dcbe72
SHA512 8fb7d49203544edbd5bec1652d866183609d838fb99a199889b54226ce6fdf18ce207be2a08f3b0257cb0d4e951840fe42ac19064b7344d7cad1b0fc1f1ce588

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 d34003d017f3ae4591909b5d138e003d
SHA1 6301f45ede10c72780f080fda396d59ac41ee934
SHA256 8c11a6dbc22e87df0fb5d4d244ffebe0a39a41113d4dd480b862d85c2bf1400a
SHA512 9c359feffacd7f43f33c867e07552abe28d8d0ba30768d989480fc5fd8f093ff843e857782fce5fd34b5ca076fac09f87f4f195695189ca67146a3bd97220cb1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 a8ad25ff1ccb1b1cddc62a509b069543
SHA1 2497b94ed16a3edf60551d8ddb587026762f41d3
SHA256 0c639858285a193e75c6201bfc453ceb29eb5aec5d569409932b6e34b180770a
SHA512 4d81661181c3575b355d997e05aba9c11869a508e5b933c0b6bc9f92158c1ea5d0240afcaf8579ea99debf3737eb7ef9a479ac9719a4c61b1fe3249890c3d359

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs.js

MD5 f9597afd7f621a7c8678815e8e378fad
SHA1 c88e403c351143cf909741ebfe45ef62a06e6208
SHA256 fbfb8b86485cffbb48f65b7dce111133be471d9d8404ab33a8c033a491cf9112
SHA512 c7106c2fa6cd71142df85b8b4e47a39ac3d663f45ecd18418161cfb6973a7b514f3aac39f3bff2ff9cdcbb92a58fa3bc8ae14d01450bce2baf20b2f080aa3f0b

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/2256-834-0x0000000000DE0000-0x00000000012B5000-memory.dmp

memory/2256-1067-0x0000000000DE0000-0x00000000012B5000-memory.dmp

memory/2256-1696-0x0000000000DE0000-0x00000000012B5000-memory.dmp

memory/2256-2418-0x0000000000DE0000-0x00000000012B5000-memory.dmp

memory/440-2419-0x0000000000DE0000-0x00000000012B5000-memory.dmp

memory/440-2437-0x0000000000DE0000-0x00000000012B5000-memory.dmp

memory/2256-2762-0x0000000000DE0000-0x00000000012B5000-memory.dmp

memory/2256-2765-0x0000000000DE0000-0x00000000012B5000-memory.dmp

memory/2256-2766-0x0000000000DE0000-0x00000000012B5000-memory.dmp

memory/2256-2767-0x0000000000DE0000-0x00000000012B5000-memory.dmp

memory/2256-2768-0x0000000000DE0000-0x00000000012B5000-memory.dmp

memory/2256-2775-0x0000000000DE0000-0x00000000012B5000-memory.dmp

memory/5316-2776-0x0000000000DE0000-0x00000000012B5000-memory.dmp

memory/5316-2777-0x0000000000DE0000-0x00000000012B5000-memory.dmp

memory/2256-2778-0x0000000000DE0000-0x00000000012B5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-12 14:30

Reported

2024-08-12 14:33

Platform

win11-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\b6bee4fcd6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\b6bee4fcd6.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5100 set thread context of 4744 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\b6bee4fcd6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 900 set thread context of 1752 N/A C:\Users\Admin\1000037002\f65e7ae959.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\27b15fc051.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\b6bee4fcd6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\f65e7ae959.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (64 identical hits)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 896 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (3 hits)
PID 4380 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\b6bee4fcd6.exe (3 hits)
PID 5100 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\b6bee4fcd6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (10 hits)
PID 4380 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\f65e7ae959.exe (3 hits)
PID 900 wrote to memory of 1752 N/A C:\Users\Admin\1000037002\f65e7ae959.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (9 hits)
PID 4380 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\27b15fc051.exe (3 hits)
PID 4744 wrote to memory of 836 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe (2 hits)
PID 836 wrote to memory of 4804 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (11 hits)
PID 4804 wrote to memory of 660 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (20 hits)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe

"C:\Users\Admin\AppData\Local\Temp\5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\b6bee4fcd6.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\b6bee4fcd6.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\f65e7ae959.exe

"C:\Users\Admin\1000037002\f65e7ae959.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\27b15fc051.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\27b15fc051.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1940 -parentBuildID 20240401114208 -prefsHandle 1868 -prefMapHandle 1840 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1646ed55-d615-428c-9bf5-f87c306c3581} 4804 "\\.\pipe\gecko-crash-server-pipe.4804" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4f168a1-7eed-4831-b26d-f471431c36ab} 4804 "\\.\pipe\gecko-crash-server-pipe.4804" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3164 -childID 1 -isForBrowser -prefsHandle 2824 -prefMapHandle 2884 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1132 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85cf4a05-513e-47e2-8392-d15fd028ff40} 4804 "\\.\pipe\gecko-crash-server-pipe.4804" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3712 -childID 2 -isForBrowser -prefsHandle 3692 -prefMapHandle 3688 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1132 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9eb88910-1cf1-43cb-9766-d7e2aa8d2f27} 4804 "\\.\pipe\gecko-crash-server-pipe.4804" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4488 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4600 -prefMapHandle 4608 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43a7bd9c-bc39-456e-bc42-f2b9aef9d969} 4804 "\\.\pipe\gecko-crash-server-pipe.4804" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -childID 3 -isForBrowser -prefsHandle 5548 -prefMapHandle 5592 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1132 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48307287-583d-4df6-8d07-4905c7cbb702} 4804 "\\.\pipe\gecko-crash-server-pipe.4804" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 4 -isForBrowser -prefsHandle 5744 -prefMapHandle 5748 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1132 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0ca4416-3f8f-4df5-bfe2-52f0f9f07399} 4804 "\\.\pipe\gecko-crash-server-pipe.4804" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5912 -childID 5 -isForBrowser -prefsHandle 5448 -prefMapHandle 5532 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1132 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5a7cdb0-561a-4b17-b058-f98771e1fbfa} 4804 "\\.\pipe\gecko-crash-server-pipe.4804" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6220 -childID 6 -isForBrowser -prefsHandle 6032 -prefMapHandle 6184 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1132 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43c49d5e-4aaf-49c0-ac4b-8dfbdb0d9d29} 4804 "\\.\pipe\gecko-crash-server-pipe.4804" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

(6 further instances of explorti.exe, listed without a command line)
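The WriteProcessMemory table and the Processes list above are the two places in this report that show the launch chain: the submitted sample starts explorti.exe, explorti.exe starts three further executables from its download directories, two of those (b6bee4fcd6.exe and f65e7ae959.exe) write into a freshly started RegAsm.exe, and the first RegAsm.exe then opens Firefox on the Google account password page; the six extra explorti.exe entries at the end of the Processes list are that copy being started again, consistent with the Task Scheduler persistence signature. Note that the same WriteProcessMemory signature also fires for every ordinary parent/child launch (the firefox.exe rows hit 11 and 20 times), so the useful signal is where the writer and the target live, not the write count. The script below is an added example, not part of the sandbox output: it rebuilds the chain from the distinct rows of the table and flags the two patterns an analyst would alert on. Two things in it are assumptions rather than report facts: pairing the firefox.exe command line with PID 836 is inferred from the order of the two tables, and the DOTNET_HOSTS set is a hand-picked list of .NET binaries commonly used as injection hosts (the report itself names only RegAsm.exe).

```python
"""Rebuild the writer -> target chain from a sandbox 'Suspicious use of
WriteProcessMemory' table and flag the process-injection pattern in it.
Added example for this report, not part of the sandbox output."""
import re

# Constructed input: one row per distinct writer/target pair, copied from the
# WriteProcessMemory table above with the repeated rows collapsed.
WPM_ROWS = r"""
PID 896 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 4380 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\b6bee4fcd6.exe
PID 5100 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\b6bee4fcd6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4380 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\f65e7ae959.exe
PID 900 wrote to memory of 1752 N/A C:\Users\Admin\1000037002\f65e7ae959.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4380 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\27b15fc051.exe
PID 4744 wrote to memory of 836 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 836 wrote to memory of 4804 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
"""

# Constructed: the firefox.exe command line from the Processes section. Pairing it
# with PID 836 is an assumption drawn from the order of the two tables.
CMDLINES = {
    836: r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password',
}

# Assumption: .NET framework binaries that loaders commonly start suspended and
# overwrite. The report itself only names RegAsm.exe; extend as needed.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe"}

# A trailing "(N hits)" count, as used in the collapsed table, is tolerated and ignored.
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_path>.+?) (?P<dst_path>[A-Za-z]:\\.+?)(?: \(\d+ hits?\))?$"
)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def under_user_profile(path):
    return path.lower().startswith("c:\\users\\")


def under_windows(path):
    return path.lower().startswith("c:\\windows\\")


def parse_wpm(text):
    """Return (writer_pid, target_pid, writer_path, target_path) tuples."""
    events = []
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparsed row: {line!r}")
        events.append((int(m["src"]), int(m["dst"]), m["src_path"], m["dst_path"]))
    return events


def lineage(events, pid):
    """Walk writer links back from pid to the first process, root first."""
    writer_of = {dst: src for src, dst, _, _ in events}
    chain = [pid]
    while chain[-1] in writer_of:
        chain.append(writer_of[chain[-1]])
    return chain[::-1]


def image_chain(events, pid):
    """Same walk as lineage(), but as image names."""
    image = {}
    for src, dst, src_path, dst_path in events:
        image[src], image[dst] = src_path, dst_path
    return [basename(image[p]) for p in lineage(events, pid)]


def findings(events, cmdlines):
    """Rows worth alerting on: a user-profile binary writing into a system binary,
    and a known injection host going on to start a different application."""
    out = []
    for src, dst, src_path, dst_path in events:
        if under_user_profile(src_path) and under_windows(dst_path):
            out.append(("user-profile binary writes into a system binary", src, dst))
        if basename(src_path) in DOTNET_HOSTS and basename(dst_path) != basename(src_path):
            url = next((t for t in cmdlines.get(dst, "").split() if t.startswith("http")), None)
            what = "injection host starts another application"
            out.append((what + (f" opening {url}" if url else ""), src, dst))
    return out


EVENTS = parse_wpm(WPM_ROWS)

if __name__ == "__main__":
    print(" -> ".join(image_chain(EVENTS, 4804)))
    for reason, src, dst in findings(EVENTS, CMDLINES):
        print(f"PID {src} -> PID {dst}: {reason}")
```

Run as-is it prints the image chain from the sample down to the Firefox content process and three findings: the two RegAsm.exe injections and RegAsm.exe launching the browser on the password URL. Feeding it the raw, uncollapsed table works too, since identical rows just reassert the same edge.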

Network

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:49895 - tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
NL 142.250.179.174:443 redirector.gvt1.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com udp
NL 142.250.179.196:443 www.google.com tcp
N/A 127.0.0.1:49904 - tcp
NL 142.250.179.196:443 www.google.com udp
GB 88.221.134.155:80 a19.dscg10.akamai.net tcp
NL 142.250.179.174:443 redirector.gvt1.com tcp
NL 142.250.179.174:443 redirector.gvt1.com udp
NL 172.217.132.38:443 r1.sn-5hne6nsk.gvt1.com tcp
NL 172.217.132.38:443 r1.sn-5hne6nsk.gvt1.com udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
NL 216.58.214.14:443 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
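The Network table above mixes three kinds of traffic: plaintext HTTP to bare 185.215.113.x addresses where the Domain column simply repeats the IP (no name was ever resolved for them), reverse lookups of those same addresses through 8.8.8.8 (the in-addr.arpa rows), and ordinary TLS to Google and Mozilla hosts once Firefox is running. The script below is an added example, not sandbox output: it parses a constructed subset of the rows, separates those classes, counts connections per direct-to-IP HTTP endpoint, and maps each in-addr.arpa name back to the address that was looked up. It treats any row without a resolved name as direct-to-IP, so the loopback row with its empty Domain cell parses cleanly; treating HTTP to a named host as uninteresting is a simplification for this report, not a general rule.

```python
"""Classify the rows of a sandbox 'Network' table and pull out the direct-to-IP
plaintext HTTP endpoints. Added example for this report, not sandbox output."""
import re
from collections import Counter
from ipaddress import ip_address

# Constructed input: a subset of rows copied from the Network table above.
# The loopback row has no Domain cell, exactly as in the report.
NETWORK_ROWS = """
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:49895 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
NL 142.250.102.84:443 accounts.google.com tcp
GB 88.221.134.155:80 a19.dscg10.akamai.net tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
"""

ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed network row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        if row["domain"] in (None, "-", "N/A"):   # missing Domain cell
            row["domain"] = None
        rows.append(row)
    return rows


def ptr_target(name):
    """Turn 19.113.215.185.in-addr.arpa back into 185.215.113.19 (None if not a PTR name)."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    return ".".join(reversed(name[: -len(suffix)].split(".")))


def classify(row):
    ip = ip_address(row["ip"])
    if ip.is_loopback or ip.is_private:
        return "local"
    if row["port"] == 53:
        return "ptr-lookup" if row["domain"] and ptr_target(row["domain"]) else "dns-query"
    if row["domain"] is None or row["domain"] == row["ip"]:
        # No name ever resolved to this address: the sample carried the IP itself.
        return "direct-ip-http" if row["port"] == 80 else "direct-ip"
    return "named-host"


def c2_candidates(text):
    """(endpoint, connection count) for direct-to-IP plaintext HTTP, most hits first."""
    hits = Counter()
    for row in parse_rows(text):
        if classify(row) == "direct-ip-http":
            hits[f'{row["ip"]}:{row["port"]}'] += 1
    return hits.most_common()


def ptr_lookups(text):
    """Addresses the capture shows being reverse-resolved through the DNS rows."""
    return sorted({ptr_target(r["domain"]) for r in parse_rows(text) if classify(r) == "ptr-lookup"})


if __name__ == "__main__":
    for endpoint, n in c2_candidates(NETWORK_ROWS):
        print(f"direct-to-IP HTTP endpoint {endpoint} ({n} connections)")
    print("reverse lookups:", ", ".join(ptr_lookups(NETWORK_ROWS)))
```

On the constructed subset the three 185.215.113.x endpoints come out as the direct-to-IP HTTP set, with .100 contacted twice, and the two PTR rows map back to .19 and .16, the addresses contacted first; the Google, Mozilla and Akamai rows all land in named-host and are left alone.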

Files

memory/896-0-0x0000000000AB0000-0x0000000000F85000-memory.dmp

memory/896-1-0x00000000772E6000-0x00000000772E8000-memory.dmp

memory/896-2-0x0000000000AB1000-0x0000000000ADF000-memory.dmp

memory/896-3-0x0000000000AB0000-0x0000000000F85000-memory.dmp

memory/896-5-0x0000000000AB0000-0x0000000000F85000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 31a21e0d2689f00347aba47d01baf807
SHA1 7dcebcf70a24796476e8a863de9eff5222ee9f3c
SHA256 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb
SHA512 2424d31df7b9d48f7a4721b40fd57b0667a04b9b73ffdb3b96da5cd972e8ee03cfeb539c72cafa13153da94dd5f59fe6b01a67ac41b68b5afd7d8cc7f818f292

memory/4380-17-0x0000000000420000-0x00000000008F5000-memory.dmp

memory/896-16-0x0000000000AB0000-0x0000000000F85000-memory.dmp

memory/4380-19-0x0000000000421000-0x000000000044F000-memory.dmp

memory/4380-20-0x0000000000420000-0x00000000008F5000-memory.dmp

memory/4380-21-0x0000000000420000-0x00000000008F5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\b6bee4fcd6.exe

MD5 d3675b336c4a489e48ced9f4d763fff8
SHA1 f95a1dd04278d6811ad43d2e2df75d74ac5c5938
SHA256 24ab780777f1b33c8fcb240620994c31df63fa4d9114daf58a70b595e035c0be
SHA512 ead3ad7bf9ba46e1e1a67430be52a378c85ed900b5da40b3ab1750bbb7bf6347f6c283ca64a73abaa6ea60565d7309bdf12dbf9cf1132a84232d6f1135593575

memory/5100-40-0x0000000072CAE000-0x0000000072CAF000-memory.dmp

memory/5100-41-0x0000000000A90000-0x0000000000BC0000-memory.dmp

memory/4744-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4744-45-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4744-47-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\f65e7ae959.exe

MD5 4c49157471d5a6c1fc1981ca91471124
SHA1 5210db72295c4683619a3f64e23580b17ddae4db
SHA256 3fe97184d08241370b0d19ee68ad88ae6b9af172a0004a17f747d6c10bc977e3
SHA512 7169ee3ed61a2de954021ce8e132b532035b39b636b0fa55e3354100b2a059af6e9bda891a085fed5d8720d23be80f6507a7597a60a59aa6b3fdf0b8c551aa3c

memory/900-66-0x0000000000860000-0x0000000000898000-memory.dmp

memory/1752-68-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1752-70-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\27b15fc051.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/4336-86-0x0000000000D80000-0x0000000000FC3000-memory.dmp

memory/4336-87-0x0000000000D80000-0x0000000000FC3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\86d5264e-2eb1-4ddd-937d-8cc1a915a820

MD5 112e9032213553e239dfde74b8859e9c
SHA1 8e6316f775c3c2142f62db32b17080978ec7bf9c
SHA256 115fce25c215f4953e60b870bd929f58c1e493c028952feb6a8ed07a5095a5e5
SHA512 e2f5285c8fe32c6293d2d856d5c47e5104b0acd3bf9a3387900243a6b677d277f310c4ef19ced8cae92614d6330c4b11535195ebdadef946357317adb80eade2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\dd080cd8-cb4f-4a9f-80ab-2bf3604421ad

MD5 86c1389894395008578b654fcdd74d23
SHA1 e99648c2abf8fba60825f383eea27e3c7aa8e33a
SHA256 61d97c893cd8a9370346ca2fac0d5bfe9d18df638b0a6b01514799d63365c523
SHA512 a86296ee5487a747832260adc1bb9b798a44dbd6ae3ca227c094ecf93f4bc794a0da2deeeb100c0dd0c7c42e3ff3faecb2845f90692a42c6bcba2df30c87b7c9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\753f1687-2b69-468b-9165-6c7822e5fa1e

MD5 da09b1fa1a836f003dea5bdc4bca8386
SHA1 e932bf3fd5c43b75db7ecaf76567aecc72d4a428
SHA256 cbe5ffdd918447412ffe77310d17807720e73a812a1265e7d56ca86535be0733
SHA512 61e77fa176ddf17ee509ad681c1188a36b045187da3f9653a1c35d611ff64946493417a975dac5cae130c2a59886793c52971f7db83a27f51ba99c6a5f55c70d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

MD5 bbc035ae5b63f9d1ae65ab08c5da1cd9
SHA1 4f9de3ac6515ce1e5d9dedf13954243ed919fde5
SHA256 6d823e345b7844714a40e3cf1b8b96353710b580c0155cf267ae43fd9d73b128
SHA512 48207921a604b5315930f7912f598a67efc91c7f53e99ad1a3be4e014a94f20e931e0766e502a6f35e9693b1a980a4a1269968b54026e9f793c5840110f4151d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

MD5 964c139209f83129fbaf1f27216e7153
SHA1 e8f45cbbfa6bbfef08bcd58e330d3af30d1d038f
SHA256 29e3a605cb8b5fb8ce6bbd6c4e786bb86e4239d499675b2ab371db82e2caf781
SHA512 7a5fb55e295168e862550729526453a18eda89af55ed6b7f03b49e5b34435604269315a865da944765bea2a3d140a4e5e7275c64caf26ee96a6f4128f034ba52

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\activity-stream.discovery_stream.json

MD5 1fa69f2b590cbdc7d1f8053e6daf9898
SHA1 10febd4adbde06e634f2b8ab79a8f38cacd8c23e
SHA256 297430a40557fe79a3e2206c327459a6c0c56e00a8227d064fc93ec6f110e731
SHA512 cf99c46fc81ce58d09cd69e838d59d6bbbbdafb0467d43d9737c9300009e7394111f723f3bccfbc8aa7a558dec9bfd237f0b6265ea6d50f7076d82c56c32dcd9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

MD5 e6b813e7c080f70075dc86599e85b6ce
SHA1 3449c51501e097c2ebca041bfc0fbde53c64cb86
SHA256 5bacacf9fb039c480745c44d660e4537d50c2527bd4db86c2ca381e0d00f89f7
SHA512 19868bd1bfb3e29619bf3c2472f183be6a44ea4dec416af7ece54610067c6cfdf917c79d55c1a2d7d393bb60365ac7fef34a2ebd775175a3033651d33bd2a62d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs.js

MD5 722edf72aac843fd1be0d4ee4b1e3741
SHA1 c5a5590e9cb7df2360ca2785063e8e4fc933726d
SHA256 45d9d6ebddaa1ebc0f6a0e0a14897198ac2268f20cb5116422d9ce9839dd8dd5
SHA512 706e49a85da8609acdbafcac16e46e7f184c56067761951d61557716c355d459a7cf005e6cad2862e76589910145305a8d1e3076d69366eaf68f73926bc30807

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js

MD5 f7f9dcb1e7c67e07934246da5f06744e
SHA1 72a7f15cce8364ad08ddb345d6014d97373e8fda
SHA256 25ce88d75f51bd0ae855088f04b77b49c5568115916b7c81c9d374487be16ccb
SHA512 514afd02ae99fbcbe4190d99f9ca979c9fe8be4d07d6af8026f09d33dcaa8f7c9b7dc82a59f2f98b6bb7287dd7844608c7e8ef82a714d8da460ad93d2c1f6b3d

memory/4060-428-0x0000000000420000-0x00000000008F5000-memory.dmp

memory/4380-427-0x0000000000420000-0x00000000008F5000-memory.dmp

memory/4060-430-0x0000000000420000-0x00000000008F5000-memory.dmp

memory/4380-439-0x0000000000420000-0x00000000008F5000-memory.dmp

memory/4380-450-0x0000000000420000-0x00000000008F5000-memory.dmp

memory/4380-451-0x0000000000420000-0x00000000008F5000-memory.dmp

memory/4380-452-0x0000000000420000-0x00000000008F5000-memory.dmp

memory/4380-457-0x0000000000420000-0x00000000008F5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

MD5 9ad976eb726a1a52eb7c8fa3927550d9
SHA1 d176dd93500aa3073fc30069fdf4ee0432fa7886
SHA256 7ba0a8b1f0a1742f58b96eade2c302183acfa66f9b04f71858265b4398528653
SHA512 b78e912ccc1cd400cb6a0b28cf3c4a6f9d200327228f95899bb903df50fa088b000136eb7cd00b92d6037d8293aaa58d9432a84224f76f037c78059c1df8fd35

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js

MD5 be32b074885159ab3cb713a08f622227
SHA1 f713e80615676b7a07c6249e36b0c4c199c8fd28
SHA256 ec977cef1397b046e1335ba52dfb1d9ce56c606802089d5392d020647dbdcd1f
SHA512 ed2e89cef7ebe324cfbeca02e17f858033e8f4c35f2c878bbc86b7ec860f84d7592f7eb0f2e194239462f557e4451437939a384755d7df2eea331554082287ca

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

MD5 3f34f201c89daee7da768d08e843a537
SHA1 63d036a6480ecbcff4739665d3113f0e57bfd2c0
SHA256 83cd870b7df15a3d9519815f69c336716cb5e72ac4b856e3ff4cb3cc9f2dd6ee
SHA512 eca90ce513e7cc56fa303899d6440cfeda4166bf47b6c55967fad543198278c5272355d800bd4687edba7ee4bc201d5580abe32d0d574774bcad105bda2d4cb9

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 f2920e88f37bfa3c02749b25ef8b02b4
SHA1 41d90ff5041826547ebb6f9b10a84baca900c54e
SHA256 03ad694ee7bd780e3b45123c46e1b8ced6ecadb4f5dd6df0aff0a61340a63133
SHA512 836454312c42e82787b604f5b8e2da8872d0d080c42e141571f0fb905770cb4f8c7205e2be16d5cbbf16d2bd58900dfd5c78675230878e4317cc59770b290c8f

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 98fc8a13e74923bcf08a33ea109933b7
SHA1 a46116aee992829d53a94d053e9fe40bbe87c6a4
SHA256 aa009f269675531940f66743cde86105fed58247272877f2811864ad79955b90
SHA512 aa1e718dfa9200ad5d9a9cd40e063612cdee59c474a1c59389a1f76eeea460fbfe6e1b9935463e966491cb4b8f862943e87fd729a997458a8e41518ad3160a35

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 d96002ad2075a08ba2606874494360d8
SHA1 8b80b8ecde208f5d0a99d1b6e569e8e00f2628b2
SHA256 7fc892e4090eb3920b7063c0cb9c4b7dd5de4342ef1035d19c2336b594af21dd
SHA512 4679bb683a86aace0c0de6950ff01e2db13a2e4f9e9828951de0272bc54d035d8cd16348fe0eaf2f6d709a055fdf52c15ce8b160352cd4a0ab0bccefe61efa97

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js

MD5 8fe89e9f4e0480618c62df8efe313597
SHA1 84ae79931fc5811a18bd0056aa011a119a7f8cce
SHA256 aeca91a967af677d31c731c90e7cf005627cdd95a62023ca1c41833c5ad602fa
SHA512 89445c529877f9efbf58ff698254c49a823b57191ad9b7c84547c6c662a8512a2f4af402fda0f93431788e18d41761b00f9314d8ac1c618385caabee81e5e134

memory/4380-872-0x0000000000420000-0x00000000008F5000-memory.dmp

memory/4380-1004-0x0000000000420000-0x00000000008F5000-memory.dmp

memory/4380-1520-0x0000000000420000-0x00000000008F5000-memory.dmp

memory/4380-2234-0x0000000000420000-0x00000000008F5000-memory.dmp

memory/1288-2235-0x0000000000420000-0x00000000008F5000-memory.dmp

memory/1288-2251-0x0000000000420000-0x00000000008F5000-memory.dmp

memory/4380-2746-0x0000000000420000-0x00000000008F5000-memory.dmp

memory/4380-2750-0x0000000000420000-0x00000000008F5000-memory.dmp

memory/4380-2753-0x0000000000420000-0x00000000008F5000-memory.dmp

memory/4380-2754-0x0000000000420000-0x00000000008F5000-memory.dmp

memory/4380-2755-0x0000000000420000-0x00000000008F5000-memory.dmp

memory/4380-2756-0x0000000000420000-0x00000000008F5000-memory.dmp

memory/3672-2758-0x0000000000420000-0x00000000008F5000-memory.dmp

memory/3672-2759-0x0000000000420000-0x00000000008F5000-memory.dmp

memory/4380-2766-0x0000000000420000-0x00000000008F5000-memory.dmp
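The Files section above lists, in one flat stream, memory dumps named PID-sequence-start-end and dropped files followed by their hashes. Two facts are easy to miss in it: the SHA256 recorded for explorti.exe is the same as the submitted sample's, so that file is the dropper's copy of itself rather than a new payload, and the dumps taken from the two RegAsm.exe PIDs (4744 and 1752) both start at 0x400000, which makes them the first place to look for the code written into those processes. The parser below is an added example, not sandbox output: it reads a constructed excerpt of the section (SHA512 lines left out of the excerpt for brevity; the parser accepts them), separates the sample's self-copies from the other dropped executables, and tallies which regions of each PID were dumped and how often.

```python
"""Parse the Files section of a sandbox report into dropped-file hashes and
memory-dump regions. Added example for this report, not sandbox output."""
import re
from collections import Counter, defaultdict

SAMPLE_SHA256 = "5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb"

# Constructed input: an excerpt of the Files section above.
FILES_TEXT = r"""
memory/896-0-0x0000000000AB0000-0x0000000000F85000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 31a21e0d2689f00347aba47d01baf807
SHA1 7dcebcf70a24796476e8a863de9eff5222ee9f3c
SHA256 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb

memory/4380-17-0x0000000000420000-0x00000000008F5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\b6bee4fcd6.exe

MD5 d3675b336c4a489e48ced9f4d763fff8
SHA1 f95a1dd04278d6811ad43d2e2df75d74ac5c5938
SHA256 24ab780777f1b33c8fcb240620994c31df63fa4d9114daf58a70b595e035c0be

memory/4744-43-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\f65e7ae959.exe

MD5 4c49157471d5a6c1fc1981ca91471124
SHA1 5210db72295c4683619a3f64e23580b17ddae4db
SHA256 3fe97184d08241370b0d19ee68ad88ae6b9af172a0004a17f747d6c10bc977e3

memory/1752-68-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\27b15fc051.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs.js

MD5 722edf72aac843fd1be0d4ee4b1e3741
SHA1 c5a5590e9cb7df2360ca2785063e8e4fc933726d
SHA256 45d9d6ebddaa1ebc0f6a0e0a14897198ac2268f20cb5116422d9ce9839dd8dd5

memory/4380-2234-0x0000000000420000-0x00000000008F5000-memory.dmp
"""

MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_RE = re.compile(r"^(?P<alg>MD5|SHA1|SHA256|SHA512) (?P<hex>[0-9a-f]+)$")


def parse_files(text):
    """Return (dumps, files): dumps carry pid/seq/start/end/size, files carry the
    path plus whichever hash lines followed it."""
    dumps, files, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            dumps.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                          "start": start, "end": end, "size": end - start})
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line without a path before it: {line!r}")
            current[m["alg"].lower()] = m["hex"]
            continue
        current = {"path": line}   # anything else is a file path
        files.append(current)
    return dumps, files


def self_copies(files, sample_sha256):
    """Dropped files whose SHA256 equals the submitted sample: the dropper copying itself."""
    return [f["path"] for f in files if f.get("sha256") == sample_sha256]


def dropped_payloads(files, sample_sha256):
    """Distinct SHA256 -> path for dropped .exe files other than the sample's own copies."""
    out = {}
    for f in files:
        if f["path"].lower().endswith(".exe") and f.get("sha256") not in (None, sample_sha256):
            out.setdefault(f["sha256"], f["path"])
    return out


def dump_regions(dumps):
    """Per PID: how many dumps the sandbox took of each (start, end) region."""
    regions = defaultdict(Counter)
    for d in dumps:
        regions[d["pid"]][(d["start"], d["end"])] += 1
    return regions


if __name__ == "__main__":
    dumps, files = parse_files(FILES_TEXT)
    print("self-copies:", self_copies(files, SAMPLE_SHA256))
    for sha, path in dropped_payloads(files, SAMPLE_SHA256).items():
        print(f"{sha}  {path}")
    for pid, regs in sorted(dump_regions(dumps).items()):
        for (start, end), n in regs.items():
            print(f"PID {pid}: 0x{start:X}-0x{end:X} ({end - start:#x} bytes, {n} dump(s))")
```

Against the full section the same functions give one self-copy (explorti.exe), three distinct payload hashes, and a long run of dumps of the same 0x420000-0x8F5000 region across the explorti.exe PIDs, which is what the re-launched copies look like in this listing.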