Malware Analysis Report

2024-10-18 23:40

Sample ID 240812-s6gncaxfpq
Target fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767
SHA256 fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767
Tags
amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767

Threat Level: Known bad

The file fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan

Stealc

Amadey

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Identifies Wine through registry keys

Checks BIOS information in registry

Checks computer location settings

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

AutoIT Executable

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Browser Information Discovery

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-12 15:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 15:44

Reported

2024-08-12 15:46

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767.exe N/A 1
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A 3

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target Count
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767.exe N/A 1
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767.exe N/A 1
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A 3
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A 3

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target Count
Key opened \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767.exe N/A 1
Key opened \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A 3

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4e168a7bbe.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\4e168a7bbe.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target Count
N/A N/A N/A N/A 3

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 732 set thread context of 1988 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\4e168a7bbe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4536 set thread context of 2128 N/A C:\Users\Admin\1000037002\c0165c0251.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767.exe N/A
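The evasion, discovery and persistence rows above are logged one event per process, so which stage performs which check is only visible when the rows are pivoted by process. The following Python is an added example, not part of the sandbox report: it parses rows in the report's Description / Indicator / Process / Target layout (a constructed subset of the rows above is embedded, one event per row, without a count column) and builds a per-process technique matrix. The technique labels and the persistence heuristics (a Run value that points into the user's temp directory; a .job file dropped under C:\Windows\Tasks) are the example's own assumptions, not signature names from the report.

```python
import re
from collections import defaultdict

# Constructed subset of rows copied from the signature tables above
# (report layout: Description, Indicator, Process, Target; Target is N/A here).
ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4e168a7bbe.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\4e168a7bbe.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\4e168a7bbe.exe N/A
"""

VERBS = ("Key opened", "Key value queried", "Set value (str)", "File created")
ROW_RE = re.compile("^(" + "|".join(map(re.escape, VERBS)) + r") (.+) N/A$")

# Registry indicators mapped to technique labels (labels are this example's own).
TECHNIQUES = (
    ("anti-vm: VirtualBox ACPI table", r"\\ACPI\\DSDT\\VBOX__$"),
    ("anti-vm: BIOS version strings", r"\\System\\(System|Video)BiosVersion$"),
    ("anti-emulation: Wine registry key", r"\\Software\\Wine$"),
    ("discovery: Geo/Nation (location)", r"\\Control Panel\\International\\Geo\\Nation$"),
    ("discovery: NLS/Language", r"\\Control\\NLS\\Language$"),
)


def parse_rows(text):
    """Return (verb, indicator, process_path) per row.  The process column is the
    last ' C:\\'-delimited segment: indicators can also hold C:\\ paths (File created,
    Run values) but those are either earlier or quoted, so the final boundary wins."""
    out = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised row: " + line)
        verb, body = m.group(1), m.group(2)
        cuts = [c.start() for c in re.finditer(r" (?=C:\\)", body)]
        if not cuts:
            raise ValueError("no process path in row: " + line)
        out.append((verb, body[:cuts[-1]], body[cuts[-1] + 1:]))
    return out


def classify(verb, indicator):
    """Map one event to a technique label, or None if it is not of interest."""
    for label, pattern in TECHNIQUES:
        if re.search(pattern, indicator, re.I):
            return label
    # Persistence heuristics (assumptions of this example, not report signatures).
    ind = indicator.replace("\\\\", "\\")  # Run values are logged with doubled backslashes
    if verb == "Set value (str)" and re.search(r"\\CurrentVersion\\Run\\", ind, re.I):
        if re.search(r"\\AppData\\Local\\Temp\\", ind, re.I):
            return "persistence: Run key -> user temp dir"
        return "persistence: Run key"
    if verb == "File created" and re.match(r"C:\\Windows\\Tasks\\.+\.job$", ind, re.I):
        return "persistence: Task Scheduler job file"
    return None


def techniques_by_process(text):
    """Pivot: process basename -> set of technique labels seen for it."""
    matrix = defaultdict(set)
    for verb, indicator, process in parse_rows(text):
        label = classify(verb, indicator)
        if label:
            matrix[process.rsplit("\\", 1)[-1]].add(label)
    return dict(matrix)


def shared_techniques(matrix, proc_a, proc_b):
    """Checks two processes have in common (e.g. dropper vs. dropped loader)."""
    return matrix.get(proc_a, set()) & matrix.get(proc_b, set())


if __name__ == "__main__":
    for proc, labels in sorted(techniques_by_process(ROWS).items()):
        print(proc)
        for label in sorted(labels):
            print("    " + label)
```

Run stand-alone it prints one block per process; on the embedded rows the dropper and explorti.exe share the VirtualBox and BIOS checks, while only explorti.exe writes the Run value and only the dropper creates the job file, which is the split of duties the tables above show.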

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\c0e71ae5de.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\4e168a7bbe.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A 2
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\c0165c0251.exe N/A 1

Checks processor information in registry

Description Indicator Process Target Count
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A 1
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A 2
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A 1
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A 1
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A 1
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A 2

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A 5

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767.exe N/A 1
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A 42
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A 21

Suspicious use of SendNotifyMessage

Description Indicator Process Target Count
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A 44
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A 20

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2104 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe 3
PID 2844 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\4e168a7bbe.exe 3
PID 732 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\4e168a7bbe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 10
PID 2844 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\c0165c0251.exe 3
PID 4536 wrote to memory of 2128 N/A C:\Users\Admin\1000037002\c0165c0251.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 9
PID 2844 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\c0e71ae5de.exe 3
PID 1988 wrote to memory of 376 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe 2
PID 376 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 11
PID 1952 wrote to memory of 4548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 20
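The SetThreadContext and WriteProcessMemory rows above are the raw material for the process tree and for spotting injection: a parent that both writes into a child and then replaces a thread context in it, where the child is a Windows-signed utility (RegAsm.exe here), is the classic hollowing pattern, and the same rows show that it is the hollowed RegAsm.exe, not any of the dropped files, that launches Firefox. The following Python is an added example, not part of the sandbox report: it parses rows in the report's own row layout (a constructed subset of the rows above is embedded, one API call per row, without a count column), reconstructs the tree from the writer/writee PIDs and flags parent/child pairs that saw both APIs. The "hollowing candidate" label and the C:\Windows\ host-binary check are this example's own heuristics.

```python
import re
from collections import Counter, defaultdict

# Constructed subset of the WriteProcessMemory / SetThreadContext rows above.
# Repeated rows are kept on purpose: the sandbox logs one row per API call.
ROWS = r"""
PID 2104 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2104 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2844 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\4e168a7bbe.exe
PID 732 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\4e168a7bbe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 732 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\4e168a7bbe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 732 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\4e168a7bbe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 732 set thread context of 1988 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\4e168a7bbe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2844 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\c0165c0251.exe
PID 4536 wrote to memory of 2128 N/A C:\Users\Admin\1000037002\c0165c0251.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4536 set thread context of 2128 N/A C:\Users\Admin\1000037002\c0165c0251.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2844 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\c0e71ae5de.exe
PID 1988 wrote to memory of 376 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 376 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
"""

ROW_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (.+)$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(text):
    """Return (parent_pid, op, child_pid, parent_image, child_image) per row."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised row: " + line)
        ppid, op, cpid, paths = int(m.group(1)), m.group(2), int(m.group(3)), m.group(4)
        # Paths may contain spaces (Program Files), but the boundary between the two
        # image columns is always a space followed by a drive letter.
        parent_img, child_img = re.split(r" (?=C:\\)", paths, maxsplit=1)
        events.append((ppid, op, cpid, parent_img, child_img))
    return events


def build(events):
    """images: pid -> full path; writes: (ppid, cpid) -> WriteProcessMemory calls;
    ctx: (ppid, cpid) pairs that also saw SetThreadContext."""
    images, writes, ctx = {}, Counter(), set()
    for ppid, op, cpid, pimg, cimg in events:
        images[ppid], images[cpid] = pimg, cimg
        if op.startswith("wrote"):
            writes[(ppid, cpid)] += 1
        else:
            ctx.add((ppid, cpid))
    return images, writes, ctx


def hollowing_candidates(images, writes, ctx):
    """(parent, child, child basename, child under C:\\Windows) for every pair where the
    parent both wrote into the child and replaced a thread context in it."""
    out = []
    for ppid, cpid in sorted(ctx):
        if writes[(ppid, cpid)] > 0:
            host = images[cpid]
            out.append((ppid, cpid, basename(host), host.lower().startswith("c:\\windows\\")))
    return out


def render_tree(root, images, writes, ctx):
    """Indented tree (one line per process) built from the writer -> writee edges."""
    children = defaultdict(list)
    for ppid, cpid in writes:
        children[ppid].append(cpid)
    lines = []

    def walk(pid, depth, parent):
        label = "%s%d %s" % ("  " * depth, pid, basename(images[pid]))
        if parent is not None:
            label += " (%d writes)" % writes[(parent, pid)]
            if (parent, pid) in ctx:
                label += " [hollowing candidate]"
        lines.append(label)
        for child in sorted(children[pid]):
            walk(child, depth + 1, pid)

    walk(root, 0, None)
    return lines


if __name__ == "__main__":
    images, writes, ctx = build(parse_rows(ROWS))
    print("\n".join(render_tree(2104, images, writes, ctx)))
    for cand in hollowing_candidates(images, writes, ctx):
        print("hollowing candidate:", cand)
```

On the embedded rows the tree roots at PID 2104 (the submitted sample), branches through explorti.exe into the three downloaded payloads, and marks 1988 and 2128, the two RegAsm.exe instances, as hollowing candidates; 1988 is also the parent of the Firefox chain, which is why the browser's own process spawning shows up in the same table.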

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767.exe

"C:\Users\Admin\AppData\Local\Temp\fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\4e168a7bbe.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\4e168a7bbe.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\c0165c0251.exe

"C:\Users\Admin\1000037002\c0165c0251.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\c0e71ae5de.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\c0e71ae5de.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2024 -parentBuildID 20240401114208 -prefsHandle 1952 -prefMapHandle 1948 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e142ed86-32bb-4469-bee5-d0457de47970} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2428 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c101858-4bef-4bbc-8381-3f9659cbf535} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3148 -childID 1 -isForBrowser -prefsHandle 3160 -prefMapHandle 1764 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7891985-f618-495f-a140-adcd23dd3760} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3064 -childID 2 -isForBrowser -prefsHandle 3960 -prefMapHandle 3956 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dcd3331e-0f60-4563-bdac-e4839ae322b5} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4756 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4872 -prefMapHandle 4868 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3f06a18-446d-4eea-94cc-ffffb900ebac} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5356 -childID 3 -isForBrowser -prefsHandle 5376 -prefMapHandle 5372 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {543370d0-e1d2-494b-9244-05c904dcf856} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5604 -childID 4 -isForBrowser -prefsHandle 5524 -prefMapHandle 5532 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0b0d430-5de1-4e3f-8493-1edeefd20ad5} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5700 -childID 5 -isForBrowser -prefsHandle 5708 -prefMapHandle 5712 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34bced98-f471-4555-bd59-0a731ad276d4} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6284 -childID 6 -isForBrowser -prefsHandle 6264 -prefMapHandle 6272 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20b029c3-8904-40f5-b95a-db669ae42829} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\1000036001\4e168a7bbe.exe

C:\Users\Admin\1000037002\c0165c0251.exe

C:\Users\Admin\AppData\Local\Temp\1000038001\c0e71ae5de.exe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\e1771e71-608e-41b9-8863-1717b05870f5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\98737148-91a7-4565-9013-b9a7fca788e2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\cef6825f-4d6c-446a-ac2d-e811d44ba087

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\activity-stream.discovery_stream.json.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\AlternateServices.bin

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs-1.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs-1.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs-1.js

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-12 15:44

Reported

2024-08-12 15:46

Platform

win11-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Run\617aee0b32.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\617aee0b32.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2212 set thread context of 1936 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\617aee0b32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 824 set thread context of 1660 N/A C:\Users\Admin\1000037002\45dcfe3d20.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\c0e71ae5de.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\617aee0b32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\45dcfe3d20.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3976 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (3 identical entries)
PID 3068 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\617aee0b32.exe (3 identical entries)
PID 2212 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\617aee0b32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (10 identical entries)
PID 3068 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\45dcfe3d20.exe (3 identical entries)
PID 824 wrote to memory of 1660 N/A C:\Users\Admin\1000037002\45dcfe3d20.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (9 identical entries)
PID 3068 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\c0e71ae5de.exe (3 identical entries)
PID 1936 wrote to memory of 4640 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe (2 identical entries)
PID 4640 wrote to memory of 1564 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (11 identical entries)
PID 1564 wrote to memory of 2244 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (20 identical entries)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767.exe

"C:\Users\Admin\AppData\Local\Temp\fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\617aee0b32.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\617aee0b32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\45dcfe3d20.exe

"C:\Users\Admin\1000037002\45dcfe3d20.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\c0e71ae5de.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\c0e71ae5de.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1844 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {098cf50e-dcf9-4123-bc7e-00988acab511} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0f95756-6376-499f-ba18-97d995971082} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3276 -childID 1 -isForBrowser -prefsHandle 2964 -prefMapHandle 3216 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46701919-2e54-4df6-9871-ecd084bb3b6e} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3968 -childID 2 -isForBrowser -prefsHandle 3960 -prefMapHandle 3984 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9628ed7-6898-41cb-995d-c57542b246f4} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4776 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4860 -prefMapHandle 4840 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1caf010b-cf06-4f0d-b9c4-c9f2712bca48} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5708 -childID 3 -isForBrowser -prefsHandle 5688 -prefMapHandle 5684 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a754ba1-c672-4a63-bbbf-c333dc35ec6b} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5716 -childID 4 -isForBrowser -prefsHandle 5700 -prefMapHandle 5696 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f094ad1-ecf2-459c-9a73-867fffc1039a} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6112 -childID 5 -isForBrowser -prefsHandle 5844 -prefMapHandle 6040 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7296bec1-a4fe-4535-90df-a6c20981a226} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5216 -childID 6 -isForBrowser -prefsHandle 6320 -prefMapHandle 5656 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86513bb1-df78-4f4b-9f6b-d2407c9b8f76} 1564 "\\.\pipe\gecko-crash-server-pipe.1564" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
NL 142.250.179.174:443 redirector.gvt1.com udp
NL 142.250.179.196:443 www.google.com tcp
NL 142.250.179.196:443 www.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com udp
N/A 127.0.0.1:49889 tcp
N/A 127.0.0.1:49897 tcp
GB 88.221.134.155:80 a19.dscg10.akamai.net tcp
NL 142.250.179.174:443 redirector.gvt1.com tcp
NL 142.250.179.174:443 redirector.gvt1.com udp
NL 172.217.132.38:443 r1.sn-5hne6nsk.gvt1.com tcp
NL 172.217.132.38:443 r1.sn-5hne6nsk.gvt1.com udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
NL 216.58.214.14:443 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp

Files

memory/3976-0-0x0000000000110000-0x00000000005C4000-memory.dmp

memory/3976-1-0x0000000076EF6000-0x0000000076EF8000-memory.dmp

memory/3976-2-0x0000000000111000-0x000000000013F000-memory.dmp

memory/3976-3-0x0000000000110000-0x00000000005C4000-memory.dmp

memory/3976-4-0x0000000000110000-0x00000000005C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 861c827245b68e21c35816cb416fa6d4
SHA1 4c06e785acf8ea9f53e8ba470e1cc35fa540912a
SHA256 fd45934026ab8e433af36c789b7f69a333893409aa38ca6b16450e55d27c3767
SHA512 4cada1de9609b61165ad264c7bd0eec89af9889a9a9b7a00f0d3ff70562d8a6e059d08cf4ea1822e551fb9d196a23649432484e5154975c8e7323907ceb1c4c8

memory/3976-18-0x0000000000110000-0x00000000005C4000-memory.dmp

memory/3068-16-0x0000000000750000-0x0000000000C04000-memory.dmp

memory/3068-19-0x0000000000751000-0x000000000077F000-memory.dmp

memory/3068-20-0x0000000000750000-0x0000000000C04000-memory.dmp

memory/3068-21-0x0000000000750000-0x0000000000C04000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\617aee0b32.exe

MD5 48b5ab06fc6c239042cbd781de181b76
SHA1 6dce492efc83af4c095f1241bcef25ab8f5325ff
SHA256 b1014616377807fff543066ab856642605205444f3d983409c2acf4cf98edde8
SHA512 a5ef148fe29a17cb0d30ef286f59b2b9f54952cd65a7121e2320bf61dce9e831de56f099203d128296334d9a404f8b3c611e80b7d925397655d02a0ba7137c62

memory/2212-40-0x00000000728BE000-0x00000000728BF000-memory.dmp

memory/2212-41-0x0000000000C80000-0x0000000000DB0000-memory.dmp

memory/1936-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1936-47-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1936-46-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\45dcfe3d20.exe

MD5 c517a16cad16c5e0c292b87459904463
SHA1 365366d46a6968858a7bf4bf647dfba0a4f86fb1
SHA256 a56607fdaaa6e4d157c0217277c6fa06d9586b899991c6ce63b1fc07e65253f5
SHA512 8c5a6227cc59d6427c65af65df683e928446a546f22d218711efc39f792985321a3602decd3153aa2aff3f3320db76498c1ec8b78ab66d87b418725face1763e

memory/824-66-0x0000000000720000-0x0000000000758000-memory.dmp

memory/1660-68-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1660-70-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\c0e71ae5de.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/4564-86-0x0000000000D50000-0x0000000000F93000-memory.dmp

memory/4564-87-0x0000000000D50000-0x0000000000F93000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\pending_pings\29997873-947f-49d8-9508-0b3702fa2118

MD5 d52ec821280f2b0cebdaf821e8d53672
SHA1 3724d0723ad95074aa3db6845701262f23ad9d2d
SHA256 9ceed5af441198affe0e0f6dbca2e7643face033b4de3464f981cc3a1bed1318
SHA512 a057c8b971dadfd5c22de324921f595161666accba00fb1ac6bf978c46340a55fcc8e75cba8f3faf0924f39df6cc837bb8f2ab203097849807f2daa847c3930a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

MD5 f546a7f65a8bfb3f22a3796a269ceffc
SHA1 3fb424fa72f3b6201f7d2798757d6978910c719c
SHA256 dab63144a30281dccb95bff4dce92580478392063689cae11e7d10224537fcfc
SHA512 29d45ad609a7dae0b91a1fa36369c699abbbc9cd0caa65c7b6c347f7735a6ed5784835f078f19879fcc76c133f6fb95628969f18629659ad4324910e27c66836

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\pending_pings\82f4345a-5e65-4b99-bdea-ab58ab5fa673

MD5 8293a0018aca15b363fadaf84f65ccaa
SHA1 518cf51752a6c74b07a0d1c0f41002c313b2af14
SHA256 5c702310a0c9f480f72b01b7d6a40bfa677c193b94a6a425485d28fdc1c2cdea
SHA512 4688f07ab35bfed124bca5608105205a785e5678a9c31e596998bc289943e3a27e1be2d698c463ab6576fbe153d6cc00efd464d8f28791470e208a8daae30903

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\pending_pings\01c924d3-ad08-4d3b-b120-003285fc135d

MD5 ba58355ea7b78cb2005426d755caf1cb
SHA1 b357f61e1de1f478d6c9a59e90692985059dda45
SHA256 93276b4b9bb60a37e7fefad4833b9f70b1a6f64897c948934713da6175e360d3
SHA512 da1e6e128535e66bcc9b9da04d45f4c3a309aa3160d99643f33904c707adf6a643c3b2d4e8a1004023631deb85fd922d705bf8c740b7cd78bc879468bf66e3f9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

MD5 1bf50daf911ea224f6c50fd66573c6c2
SHA1 c4922f7047bae448986d3bb4305acd95229fd936
SHA256 4d33cfd3cb7b25bc3cb85afd1b10025a5f16658c9a5078a6f249d203ec46af1f
SHA512 06886358ca53a1f6e7847a594221fa6d0e760b006d1012286e01ad0b6036ef2a70f466da979db28eefa7751083611f7a2a66050cac4d0e22156eadf13834df62

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yel8o60i.default-release\activity-stream.discovery_stream.json

MD5 9b58ce8e1c64281c46ecce4c13ce4c67
SHA1 f22b8b91eb6ca136bfb2f44f3182200b57239ccd
SHA256 3629f8d259e41990da05b9d2255dca2cb515c813de6adb42e9539c8041f2b56b
SHA512 91eea225d2981b9f86dbe9fb5fce6b071c47ec8575394d239610d82aa9671dced715ffc274ce5b92376eb19ca8c09a84b9cec14e57b114bd9641a91538f06c9e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\AlternateServices.bin

MD5 042ed14fb1d062370e491705b58b1ba2
SHA1 4b8d3b43106bfa4097b008aac4fed2b267dcbc8b
SHA256 40428ffc548bd3155d5eeb0af72727ec6b073e7bf741fe13be5dee1bccc26317
SHA512 7108f5c11c532de083dace4fbe2d1ad1aab30e8f67752d36a86c8e615f67ed2ab167371078075b862aa78b8ccca8fc5291e7089e8dd824818d965660e51ba09b

memory/3068-397-0x0000000000750000-0x0000000000C04000-memory.dmp

memory/3068-431-0x0000000000750000-0x0000000000C04000-memory.dmp

memory/3068-440-0x0000000000750000-0x0000000000C04000-memory.dmp

memory/3068-441-0x0000000000750000-0x0000000000C04000-memory.dmp

memory/3068-448-0x0000000000750000-0x0000000000C04000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

MD5 b037a434f20ee4d9b39ce5a432d4829d
SHA1 c323b2981b4005b620ea2db932c7de5f4842bd5b
SHA256 ac780ee31112eb11a604c7de2acc4245959031fb4c5a634d1a1d125f472136ed
SHA512 427ce825ca083208246f241f1403ad428b560d6ddbf183850948c4bb1a05779eabfc0e4bd0b7c9ff8abdd4a027108c5a19bdd6b8b1a202689d06129e9e35cd64

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\prefs-1.js

MD5 079a9bba4548da58c016f30c7d51b821
SHA1 09709ac6849ef260316372562661aa22b77aae3f
SHA256 9c0d22ed090755aea256b28fb98f89b06f2eab20e8ee255c0dbd043d03b64743
SHA512 8ec1b6e9694a76f20e6ceb1019e386bb6459fdd4dd9be59003c47c4ad49e0197c7fc5e45317482c6698fa7101922ed094fc77f6e467b5d4319a9a41eacd2cd1f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yel8o60i.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 dbb32a55ad6202e615e3764ec46f4d9b
SHA1 d3ab634b6e83e3e7449f604a7ee1dab8c48aba05
SHA256 a8c1a42a4c7dfaa5fdff3ae44d6362142217ebf3d6d240ce366f69c570bbde8c
SHA512 1cea75cdc5a46cc938d276538c825f3e0130a028e87adad7f9612085f8724fd332c2d7f434811248dcd235bf930a8d28f57c358a9123be63b6df947e113b2712

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 dcf5021045907a2e1161c626d6cd3b97
SHA1 cc0ff618ad7f579c75d30836ca3ed8d3d720db7e
SHA256 0224bc07b552d2bf63b600cb809e413e0fb857ffa3a8552dc5d38bdd45d42205
SHA512 693ab13f7283f98358d0507571f7c60c90caed135de2b9277dda08e3a8424c28f6f89f02069b77d3ef8716e683de75dcb6a2f77a47fa476e75e456c9790960c7

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

MD5 6909b0441097404dd097a15fe589ed52
SHA1 a6e93ec2c984ecf24e75d53fe9f39804964b0b9f
SHA256 830a6f5ba9350e98eb8e1422d7a99ae7874cc1905bd91b1f89d0dcb2c50eaf88
SHA512 6ee065c8c0226397d45247b85814b274a221088de51e7bf68f6ead1da59d474c88e57ea21cbeef4ad13a0f8b1057bc170d714d6a4117403a1989e50ef354d2ca

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\prefs-1.js

MD5 a38c04c7b6c70bc3300b9020f6aee076
SHA1 cf68f503b6794ee280f46d9f9da986fbb8de1b51
SHA256 ffb6073ddcafec3220b846abc80217925fb2d0c1a0ab55537d5155a1806e861e
SHA512 347317fca90a347e06809092ed33a26965f2f82e1b467a62060c5724047b6da20767c83e954dd4ffe6763c16f4935eb43ef88e54c7fb70f7bcd24a5e78f1046d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\prefs-1.js

MD5 52b45fc8ec4d2571e123c16be735c7e1
SHA1 df31f8508ff064fd8145d6253edf00c2f752d603
SHA256 64fc9e18f2f0bdefa6c9eaa1daad6e57bef7ff9234ce667f14255fcadb51b784
SHA512 742039dba2473501f522f4dec2f17a5434d0b282976db197bddbd5447b014b570fe1922127a2c71652cc50b326df3ceb136feb23157ae4517c2c8d324156c0ff

memory/3068-759-0x0000000000750000-0x0000000000C04000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\sessionstore-backups\recovery.baklz4

MD5 67b3858c640ad2fd6b50603295e0474f
SHA1 3c1e4299564258d1969907d80bcac485c6ecbe41
SHA256 e08964244c8316c7ebc215ba65eaf0c39578a24f36008c7796915cdc6a1f2eaf
SHA512 56f86090d1b9b27fb979dd6a5eaf06b8fe8c93dd83657b78ac6851feeab69289aa5bd46de5a6620a2928a5b9ec5f305be03c9a227fc105c895ba37504ce54659

memory/3068-1380-0x0000000000750000-0x0000000000C04000-memory.dmp

memory/5516-1381-0x0000000000750000-0x0000000000C04000-memory.dmp

memory/5516-1391-0x0000000000750000-0x0000000000C04000-memory.dmp

memory/3068-2194-0x0000000000750000-0x0000000000C04000-memory.dmp

memory/3068-2646-0x0000000000750000-0x0000000000C04000-memory.dmp

memory/3068-2652-0x0000000000750000-0x0000000000C04000-memory.dmp

memory/3068-2653-0x0000000000750000-0x0000000000C04000-memory.dmp

memory/3068-2654-0x0000000000750000-0x0000000000C04000-memory.dmp

memory/3068-2655-0x0000000000750000-0x0000000000C04000-memory.dmp

memory/2764-2657-0x0000000000750000-0x0000000000C04000-memory.dmp

memory/2764-2658-0x0000000000750000-0x0000000000C04000-memory.dmp

memory/3068-2659-0x0000000000750000-0x0000000000C04000-memory.dmp

memory/3068-2660-0x0000000000750000-0x0000000000C04000-memory.dmp

memory/3068-2666-0x0000000000750000-0x0000000000C04000-memory.dmp